Google Redirect Problem - Logs Included


This topic is locked
16 replies to this topic

#1 allsmooth

allsmooth

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:13 PM

Posted 03 September 2010 - 09:32 AM

This topic is the continuation of a thread that started in another forum. Here is the link to the original: http://www.bleepingcomputer.com/forums/topic344812.html

My problem is the dreaded google redirecting behavior. I have 3 machines, two of which are connected to my router wirelessly and one that is hardwired. I'm only having the redirect problem on one machine.

The problem machine is running Windows 7 (64 bit). I have installed and run mbam and the scan comes up clean, but I still get the redirects. I cannot do an automatic upgrade of mbam's database as the virus prevents it. However, I did do a manual upgrade of the mbam database. Even after the upgrade, the scan still comes back clean, I still cannot do an automatic update, and the redirects continue to happen.

Here are the logs that I was asked to post here:

DDS.txt Log follows



DDS (Ver_10-03-17.01) - NTFSX64
Run by Terence at 9:00:09.27 on Fri 09/03/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.6143.4039 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkUserAgent.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files (x86)\Golden Egg\GoldenEggWinService.exe
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLSERVER2K8\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSAS10.SQLSERVER2K8\OLAP\bin\msmdsrv.exe
C:\Program Files\Microsoft SQL Server\MSRS10.SQLSERVER2K8\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLSERVER2K8\MSSQL\Binn\SQLAGENT.EXE
C:\Windows\system32\conhost.exe
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLSERVER2K8\MSSQL\Binn\fdlauncher.exe
C:\Windows\system32\WUDFHost.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLSERVER2K8\MSSQL\Binn\fdhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Users\Terence\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Program Files (x86)\Stardock\ObjectDockPlus2\ObjectDock.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Stardock\ObjectDockPlus2\Dock64.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Users\Terence\appdata\local\google\chrome\application\chrome.exe
C:\Users\Terence\appdata\local\google\chrome\application\chrome.exe
C:\Users\Terence\appdata\local\google\chrome\application\chrome.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Windows\system32\mstsc.exe
C:\Users\Terence\appdata\local\google\chrome\application\chrome.exe
C:\Users\Terence\appdata\local\google\chrome\application\chrome.exe
C:\Users\Terence\appdata\local\google\chrome\application\chrome.exe
C:\Users\Terence\appdata\local\google\chrome\application\chrome.exe
C:\Users\Terence\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Users\Terence\appdata\local\google\chrome\application\chrome.exe
C:\Windows\system32\SndVol.exe
C:\Users\Terence\appdata\local\google\chrome\application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Terence\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
mLocal Page = c:\windows\syswow64\blank.htm
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~2\micros~1\office12\GR469A~1.DLL
uRun: [Google Update] "c:\users\terence\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [googletalk] c:\users\terence\appdata\roaming\google\google talk\googletalk.exe /autostart
mRun: [StartCCC] "c:\program files (x86)\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [GrooveMonitor] "c:\program files (x86)\microsoft office\office12\GrooveMonitor.exe"
StartupFolder: c:\users\terence\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files (x86)\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\users\terence\appdata\roaming\micros~1\windows\startm~1\programs\startup\stardo~1.lnk - c:\program files (x86)\stardock\objectdockplus2\ObjectDock.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~2\micros~1\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~1\office12\REFIEBAR.DLL
TCP: {1537216C-0FC2-4E6F-8A20-4B1CE8D1A93D} = 213.109.65.40,213.109.75.90
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~2\micros~1\office12\GRA32A~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~2\micros~1\office12\GR469A~1.DLL
mRun-x64: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
STS-X64: ObjectDockShlExt Class: {1984D045-52CF-49cd-DB77-08F378FEA4DB} - c:\program files (x86)\stardock\objectdockplus2\ODMenu64.dll
Hosts: 192.168.1.2 gargamel
============= SERVICES / DRIVERS ===============

R0 dlkmdldr;dlkmdldr;c:\windows\system32\drivers\dlkmdldr.sys [2010-7-22 13936]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 59904]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-7-22 202752]
R2 DisplayLinkService;DisplayLinkManager;c:\program files\displaylink core software\DisplayLinkManager.exe [2010-1-27 8610664]
R2 GoldenEggServiceTestONETWOTHREE;GoldenEggServiceTestONETWOTHREE;c:\program files (x86)\golden egg\GoldenEggWinService.exe [2010-8-30 7680]
R2 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\microsoft sql server\100\dts\binn\MsDtsSrvr.exe [2008-7-10 214040]
R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);c:\program files\microsoft sql server\msrs10.sqlserver2k8\reporting services\reportserver\bin\ReportingServicesService.exe [2009-3-30 2075480]
R3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\ae1000w7.sys [2010-7-22 1101600]
R3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\drivers\DisplayLinkUsbPort_5.2.23219.0.sys [2010-1-27 17408]
R3 dlkmd;dlkmd;c:\windows\system32\drivers\dlkmd.sys [2010-7-22 185968]
R3 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);c:\program files\microsoft sql server\mssql10.sqlserver2k8\mssql\binn\fdlauncher.exe [2008-7-10 34840]
S2 !SASCORE;SAS Core Service;"c:\program files\superantispyware\sascore64.exe" --> c:\program files\superantispyware\SASCORE64.EXE [?]
S3 WMSVC;Web Management Service;c:\windows\system32\inetsrv\WMSvc.exe [2009-7-13 10752]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 61976]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 311656]

=============== Created Last 30 ================

2010-08-31 00:04:32 1462 ----a-w- C:\InstallUtil.InstallLog
2010-08-31 00:00:27 0 d-----w- c:\program files (x86)\Golden Egg
2010-08-24 17:45:33 0 d-----w- c:\programdata\Blizzard Entertainment
2010-08-24 17:45:32 0 d-----w- c:\program files (x86)\StarCraft II
2010-08-24 17:45:32 0 d-----w- c:\program files (x86)\common files\Blizzard Entertainment
2010-08-24 13:59:18 0 d-----w- c:\users\terence\Games
2010-08-10 19:22:30 0 d-----w- c:\users\terence\appdata\roaming\Foxit Software
2010-08-10 19:22:17 0 d-----w- c:\program files (x86)\Foxit Software

==================== Find3M ====================

2010-07-23 21:03:53 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-07-22 18:08:24 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_point64k_01009.Wdf
2010-07-22 01:39:52 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 9:00:32.74 ===============

GMER Log follows

When I ran the GMER tool, I got the following error message



You may also notice that many of the options were grayed out and could not be activated. I performed the scan anyway and got the following results. There was not an option to save a log file. Only the following message.




I really appreciate any help. Thank you.

Edited by allsmooth, 03 September 2010 - 09:53 AM.
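Added note, not part of allsmooth's post: in the DDS "Pseudo HJT Report" above, the line `TCP: {1537216C-...} = 213.109.65.40,213.109.75.90` lists the DNS resolvers configured on one network interface (DDS reads these from the per-interface NameServer values under the Tcpip service key). When a search-engine redirect shows up on exactly one machine behind a shared router, the resolver list on that machine is one of the first things an analyst verifies against the router address and the ISP's published resolvers, because a changed resolver can redirect lookups without any browser add-on or process appearing in the scan. The script below is an added example, not DDS code and not anything posted in this thread: it parses the `TCP:` lines of a DDS log and flags every resolver that is neither a private, loopback or link-local address (as classified by Python's `ipaddress` module) nor on an allowlist the caller supplies. It draws no conclusion about the addresses in this log; it only surfaces them for review. The first sample line is copied from the log above, the second line (GUID `{00000000-0000-0000-0000-000000000001}`, resolver `192.168.1.1`) is constructed, and the allowlist is an assumption.

```python
"""Triage helper for the DNS resolver lines of a DDS 'Pseudo HJT Report'.

Added example; not part of the DDS tool or of this forum thread.
DDS emits one line per interface in the form
    TCP: {interface-GUID} = resolver1,resolver2
This module extracts those lines and flags resolvers that are not
local (private/loopback/link-local) and not on a caller-supplied allowlist.
"""
import ipaddress
import re

# Matches: TCP: {GUID} = ip[,ip...]
TCP_LINE = re.compile(r"^TCP:\s*(\{[0-9A-Fa-f-]+\})\s*=\s*(.+)$")

# Constructed sample: first TCP line copied from the DDS log in this thread,
# second TCP line (placeholder GUID, router address) made up for illustration.
SAMPLE_LOG = """\
uStart Page = about:blank
mLocal Page = c:\\windows\\syswow64\\blank.htm
TCP: {1537216C-0FC2-4E6F-8A20-4B1CE8D1A93D} = 213.109.65.40,213.109.75.90
TCP: {00000000-0000-0000-0000-000000000001} = 192.168.1.1
Hosts: 192.168.1.2 gargamel
"""


def parse_dns_entries(log_text):
    """Return {interface_guid: [resolver, ...]} for every TCP: line found."""
    entries = {}
    for line in log_text.splitlines():
        match = TCP_LINE.match(line.strip())
        if not match:
            continue
        guid, servers = match.groups()
        entries[guid] = [s.strip() for s in servers.split(",") if s.strip()]
    return entries


def is_expected_resolver(resolver, allowlist):
    """True if the resolver is a local address or explicitly allowlisted.

    ipaddress.is_private covers RFC 1918 ranges as well as loopback and
    link-local space, which is what a home router address falls into.
    Anything unparsable is treated as unexpected so it gets reviewed.
    """
    try:
        addr = ipaddress.ip_address(resolver)
    except ValueError:
        return False
    return addr.is_private or resolver in allowlist


def flag_unexpected_resolvers(log_text, allowlist=frozenset()):
    """Return [(interface_guid, resolver), ...] for resolvers needing review,
    in the order they appear in the log."""
    findings = []
    for guid, servers in parse_dns_entries(log_text).items():
        for resolver in servers:
            if not is_expected_resolver(resolver, allowlist):
                findings.append((guid, resolver))
    return findings


if __name__ == "__main__":
    # Assumed allowlist: in practice, the ISP's published resolvers or the
    # organisation's own DNS servers would go here.
    KNOWN_GOOD = frozenset()
    for guid, resolver in flag_unexpected_resolvers(SAMPLE_LOG, KNOWN_GOOD):
        print(f"review: interface {guid} uses resolver {resolver}")
```

Run against the sample, the two public addresses from the thread's log are reported for review and the constructed router address is not; passing the same two addresses in the allowlist silences them, which is how an analyst would record that they were verified as the ISP's resolvers. The `Hosts:` line is deliberately ignored here, since DDS reports it separately and hosts-file overrides deserve their own check.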


#2 snemelk

snemelk

    Engineer


  • Malware Response Team
  • 1,468 posts
  • OFFLINE
  • Gender:Male
  • Location:Poland
  • Local time:03:13 AM

Posted 11 September 2010 - 04:06 PM

Hi allsmooth!!..

Download OTL.exe by OldTimer to your Desktop.
  • Close all windows and double click OTL.exe.
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Post both logs in this thread.
  • You may need to use two posts to get it all.

snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#3 allsmooth

allsmooth
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:13 PM

Posted 12 September 2010 - 08:18 AM

Contents of OTL.txt as follows:


OTL logfile created on: 9/12/2010 8:13:12 AM - Run 1
OTL by OldTimer - Version 3.2.12.0 Folder = C:\Users\Terence\Downloads
64bit- Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

6.00 Gb Total Physical Memory | 4.00 Gb Available Physical Memory | 69.00% Memory free
12.00 Gb Paging File | 10.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 921.86 Gb Total Space | 840.39 Gb Free Space | 91.16% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 9.61 Gb Total Space | 4.13 Gb Free Space | 43.00% Space Free | Partition Type: NTFS
Drive K: | 7.45 Gb Total Space | 7.23 Gb Free Space | 97.05% Space Free | Partition Type: FAT32

Computer Name: VADER
Current User Name: Terence
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/12 08:12:16 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Users\Terence\Downloads\OTL.exe
PRC - [2010/09/02 19:58:56 | 000,975,928 | ---- | M] (Google Inc.) -- C:\Users\Terence\AppData\Local\Google\Chrome\Application\chrome.exe
PRC - [2010/08/31 11:39:14 | 000,083,440 | ---- | M] (Google) -- C:\Users\Terence\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
PRC - [2010/03/24 17:32:33 | 004,069,232 | ---- | M] (Stardock) -- C:\Program Files (x86)\Stardock\ObjectDockPlus2\ObjectDock.exe
PRC - [2007/01/01 16:22:02 | 003,739,648 | ---- | M] (Google) -- C:\Users\Terence\AppData\Roaming\Google\Google Talk\googletalk.exe


========== Modules (SafeList) ==========

MOD - [2010/09/12 08:12:16 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Users\Terence\Downloads\OTL.exe
MOD - [2009/07/13 20:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msscript.ocx
MOD - [2009/07/13 20:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - File not found [Auto | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE -- (!SASCORE)
SRV:64bit: - [2010/01/27 11:15:56 | 008,610,664 | ---- | M] (DisplayLink Corp.) [Auto | Running] -- C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe -- (DisplayLinkService)
SRV:64bit: - [2009/12/10 16:15:04 | 000,202,752 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
SRV:64bit: - [2009/07/13 20:41:56 | 000,195,072 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\umrdp.dll -- (UmRdpService)
SRV:64bit: - [2009/07/13 20:41:53 | 001,361,920 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\PeerDistSvc.dll -- (PeerDistSvc)
SRV:64bit: - [2009/07/13 20:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV:64bit: - [2009/07/13 20:41:08 | 000,451,072 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\inetsrv\iisw3adm.dll -- (WAS)
SRV:64bit: - [2009/07/13 20:41:08 | 000,451,072 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\inetsrv\iisw3adm.dll -- (W3SVC)
SRV:64bit: - [2009/07/13 20:40:24 | 000,689,152 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\cscsvc.dll -- (CscService)
SRV:64bit: - [2009/07/13 20:40:01 | 000,193,536 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - [2009/07/13 20:40:01 | 000,065,536 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\inetsrv\apphostsvc.dll -- (AppHostSvc)
SRV:64bit: - [2009/07/13 20:39:56 | 000,010,752 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\inetsrv\WMSvc.exe -- (WMSVC)
SRV:64bit: - [2009/07/13 20:39:13 | 000,015,360 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\inetsrv\inetinfo.exe -- (IISADMIN)
SRV:64bit: - [2009/03/30 06:02:56 | 057,617,752 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL10.SQLSERVER2K8\MSSQL\Binn\sqlservr.exe -- (MSSQLSERVER)
SRV:64bit: - [2009/03/30 06:01:06 | 000,427,880 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL10.SQLSERVER2K8\MSSQL\Binn\SQLAGENT.EXE -- (SQLSERVERAGENT)
SRV:64bit: - [2009/03/30 05:17:24 | 002,075,480 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSRS10.SQLSERVER2K8\Reporting Services\ReportServer\bin\ReportingServicesService.exe -- (ReportServer)
SRV:64bit: - [2009/03/30 05:01:02 | 043,735,400 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\MSAS10.SQLSERVER2K8\OLAP\bin\msmdsrv.exe -- (MSSQLServerOLAPService)
SRV:64bit: - [2008/07/29 15:20:28 | 004,737,024 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x64\msvsmon.exe -- (msvsmon90)
SRV:64bit: - [2008/07/10 07:31:00 | 000,061,976 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE -- (MSSQLServerADHelper100)
SRV:64bit: - [2008/07/10 06:40:50 | 000,214,040 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe -- (MsDtsServer100)
SRV:64bit: - [2008/07/10 06:39:08 | 000,034,840 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Program Files\Microsoft SQL Server\MSSQL10.SQLSERVER2K8\MSSQL\Binn\fdlauncher.exe -- (MSSQLFDLauncher)
SRV - [2010/08/30 19:10:38 | 000,007,680 | ---- | M] (Microsoft) [Auto | Running] -- C:\Program Files (x86)\Golden Egg\GoldenEggWinService.exe -- (GoldenEggServiceTestONETWOTHREE)
SRV - [2009/07/13 20:15:31 | 000,396,288 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (WAS)
SRV - [2009/07/13 20:15:31 | 000,396,288 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\inetsrv\iisw3adm.dll -- (W3SVC)
SRV - [2009/07/13 20:14:53 | 000,061,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysWOW64\inetsrv\apphostsvc.dll -- (AppHostSvc)
SRV - [2009/06/10 15:39:44 | 000,042,840 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2006/10/27 02:47:54 | 000,065,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2010/01/27 18:14:52 | 000,017,408 | ---- | M] (http://libusb-win32.sourceforge.net) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\DisplayLinkUsbPort_5.2.23219.0.sys -- (DisplayLinkUsbPort)
DRV:64bit: - [2010/01/27 11:16:26 | 000,185,968 | ---- | M] (DisplayLink Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dlkmd.sys -- (dlkmd)
DRV:64bit: - [2010/01/27 11:16:26 | 000,013,936 | ---- | M] (DisplayLink Corp.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\dlkmdldr.sys -- (dlkmdldr)
DRV:64bit: - [2010/01/19 13:50:23 | 001,101,600 | ---- | M] (Ralink Technology Corp.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ae1000w7.sys -- (AE1000)
DRV:64bit: - [2009/12/10 18:40:28 | 006,179,328 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
DRV:64bit: - [2009/11/11 19:44:26 | 000,034,160 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\point64k.sys -- (Point64)
DRV:64bit: - [2009/11/11 19:44:24 | 000,027,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\dc3d.sys -- (dc3d) MS Hardware Device Detection Driver (USB)
DRV:64bit: - [2009/10/01 00:34:00 | 000,121,872 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV:64bit: - [2009/07/13 20:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
DRV:64bit: - [2009/07/13 20:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
DRV:64bit: - [2009/07/13 20:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
DRV:64bit: - [2009/07/13 20:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
DRV:64bit: - [2009/07/13 20:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
DRV:64bit: - [2009/07/13 20:45:55 | 000,200,272 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vmbus.sys -- (vmbus)
DRV:64bit: - [2009/07/13 20:45:55 | 000,046,672 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\vmstorfl.sys -- (storflt)
DRV:64bit: - [2009/07/13 20:45:55 | 000,034,896 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\storvsc.sys -- (storvsc)
DRV:64bit: - [2009/07/13 20:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
DRV:64bit: - [2009/07/13 18:42:58 | 000,006,656 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\vms3cap.sys -- (s3cap)
DRV:64bit: - [2009/07/13 18:42:44 | 000,021,760 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\VMBusHID.sys -- (VMBusHID)
DRV:64bit: - [2009/07/13 18:24:27 | 000,514,048 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\csc.sys -- (CSC)
DRV:64bit: - [2009/06/10 15:38:56 | 000,000,308 | ---- | M] () [File_System | On_Demand | Running] -- C:\Windows\SysNative\wbem\ntfs.mof -- (Ntfs)
DRV:64bit: - [2009/06/10 15:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
DRV:64bit: - [2009/06/10 15:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
DRV:64bit: - [2009/06/10 15:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
DRV:64bit: - [2009/06/10 15:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
DRV:64bit: - [2009/03/30 05:53:56 | 000,311,656 | ---- | M] (Microsoft Corporation) [File_System | Disabled | Stopped] -- C:\Windows\SysNative\drivers\RsFx0103.sys -- (RsFx0103)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = BF C7 46 89 81 29 CB 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010/08/01 22:53:44 | 000,000,844 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 192.168.1.2 gargamel
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O4:64bit: - HKLM..\Run: [IntelliPoint] C:\Program Files\Microsoft IntelliPoint\ipoint.exe (Microsoft Corporation)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [StartCCC] C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKCU..\Run: [googletalk] C:\Users\Terence\AppData\Roaming\Google\Google Talk\googletalk.exe (Google)
O4 - Startup: C:\Users\Terence\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Users\Terence\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stardock ObjectDock.lnk = C:\Program Files (x86)\Stardock\ObjectDockPlus2\ObjectDock.exe (Stardock)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O13 - gopher Prefix: missing
O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - Reg Error: Key error. File not found
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O22:64bit: - SharedTaskScheduler: {1984D045-52CF-49cd-DB77-08F378FEA4DB} - ObjectDockShellExt - C:\Program Files (x86)\Stardock\ObjectDockPlus2\ODMenu64.dll (Stardock)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs:64bit: AppMgmt - C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)

Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2010/09/11 20:50:00 | 000,000,000 | ---D | C] -- C:\Users\Terence\AppData\Roaming\Mozilla
[2010/09/06 15:41:28 | 000,000,000 | ---D | C] -- C:\PFiles
[2010/09/05 11:01:46 | 000,000,000 | ---D | C] -- C:\Users\Terence\AppData\Local\Apple Computer
[2010/09/05 11:01:13 | 000,000,000 | ---D | C] -- C:\Users\Terence\AppData\Roaming\Apple Computer
[2010/09/05 10:56:53 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\QuickTime
[2010/09/05 10:56:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple Computer
[2010/09/05 10:56:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Apple
[2010/09/05 10:56:10 | 000,000,000 | ---D | C] -- C:\Users\Terence\AppData\Local\Apple
[2010/09/05 10:56:09 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Apple Software Update
[2010/09/05 10:56:09 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple
[2010/09/03 09:01:57 | 000,000,000 | ---D | C] -- C:\Users\Terence\Documents\Anti Virus
[2010/08/30 19:00:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Golden Egg
[2010/08/24 12:45:33 | 000,000,000 | ---D | C] -- C:\Users\Terence\Documents\StarCraft II
[2010/08/24 12:45:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Blizzard Entertainment
[2010/08/24 12:45:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\StarCraft II
[2010/08/24 12:45:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Blizzard Entertainment
[2010/08/24 08:59:18 | 000,000,000 | ---D | C] -- C:\Users\Terence\Games

========== Files - Modified Within 30 Days ==========

[2010/09/12 08:13:35 | 001,835,008 | -HS- | M] () -- C:\Users\Terence\NTUSER.DAT
[2010/09/12 07:49:00 | 000,000,916 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1611733031-3466333122-1878911206-1000UA.job
[2010/09/12 02:49:00 | 000,000,864 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1611733031-3466333122-1878911206-1000Core.job
[2010/09/11 16:29:50 | 000,014,592 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/09/11 16:29:50 | 000,014,592 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/09/11 16:27:14 | 000,993,912 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2010/09/11 16:27:14 | 000,812,274 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2010/09/11 16:27:14 | 000,178,366 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2010/09/11 16:22:27 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/09/11 16:22:21 | 000,424,680 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2010/09/11 16:22:19 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/09/11 16:22:07 | 536,317,951 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/11 16:21:05 | 001,012,938 | -H-- | M] () -- C:\Users\Terence\AppData\Local\IconCache.db
[2010/09/11 16:19:45 | 000,112,200 | ---- | M] () -- C:\Users\Terence\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/09/11 16:14:54 | 000,002,082 | -H-- | M] () -- C:\Users\Terence\Documents\Default.rdp
[2010/08/30 19:12:31 | 000,001,462 | ---- | M] () -- C:\InstallUtil.InstallLog

========== Files Created - No Company Name ==========

[2010/08/30 19:04:32 | 000,001,462 | ---- | C] () -- C:\InstallUtil.InstallLog
[2010/07/22 18:15:35 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\dlumd9.dll
[2010/07/22 18:15:35 | 000,000,000 | ---- | C] () -- C:\Windows\SysWow64\dlumd10.dll
[2010/07/22 17:17:01 | 001,009,676 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2010/07/22 05:44:17 | 000,000,172 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/07/13 18:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
[2009/07/13 16:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010/09/12 08:15:19 | 031,759,166 | ---- | M] () -- C:\a.txt
[2010/06/02 14:50:16 | 000,004,169 | RH-- | M] () -- C:\dell.sdr
[2010/09/11 16:22:07 | 536,317,951 | -HS- | M] () -- C:\hiberfil.sys
[2010/08/30 19:12:31 | 000,001,462 | ---- | M] () -- C:\InstallUtil.InstallLog
[2010/09/11 16:22:08 | 2146,746,367 | -HS- | M] () -- C:\pagefile.sys
[2010/09/02 10:43:23 | 000,059,934 | ---- | M] () -- C:\TDSSKiller.2.4.1.4_02.09.2010_10.43.07_log.txt
[2010/09/02 11:23:13 | 000,059,934 | ---- | M] () -- C:\TDSSKiller.2.4.1.4_02.09.2010_11.22.55_log.txt
[2010/09/02 16:51:10 | 000,059,934 | ---- | M] () -- C:\TDSSKiller.2.4.1.4_02.09.2010_16.50.17_log.txt

< %systemroot%\*. /mp /s >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
< End of report >


Contents of Extras.txt as follows:


OTL Extras logfile created on: 9/12/2010 8:13:12 AM - Run 1
OTL by OldTimer - Version 3.2.12.0 Folder = C:\Users\Terence\Downloads
64bit- Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

6.00 Gb Total Physical Memory | 4.00 Gb Available Physical Memory | 69.00% Memory free
12.00 Gb Paging File | 10.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 921.86 Gb Total Space | 840.39 Gb Free Space | 91.16% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 9.61 Gb Total Space | 4.13 Gb Free Space | 43.00% Space Free | Partition Type: NTFS
Drive K: | 7.45 Gb Total Space | 7.23 Gb Free Space | 97.05% Space Free | Partition Type: FAT32

Computer Name: VADER
Current User Name: Terence
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- C:\Users\Terence\AppData\Local\Google\Chrome\Application\chrome.exe (Google Inc.)
.txt [@ = txtfile] -- C:\Program Files (x86)\JGsoft\EditPadPro6\editpadpro.exe (Just Great Software)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = 28 4D B2 76 41 04 CA 01 [binary data]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

========== Firewall Settings ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{04C8E4DB-C344-BABE-7636-102B3E30C4EA}" = ATI Catalyst Install Manager
"{0826F9E4-787E-481D-83E0-BC6A57B056D5}" = Microsoft SQL Server VSS Writer
"{0C270C59-8706-42B8-A2AD-6E5EE18BC90B}" = Microsoft SQL Server 2008 Reporting Services
"{0C6C4C8A-3B96-4681-90BA-0E15CDE96298}" = Microsoft SQL Server 2008 Management Studio
"{108C8C1D-DA02-4A6C-94CD-5603F6A6FC72}" = Microsoft SQL Server 2008 Management Studio
"{2453DBC8-ACC4-4711-BD03-0C15353AA3D8}" = Microsoft SQL Server 2008 Reporting Services
"{29C93182-34F6-3275-A18D-59326851CD57}" = Microsoft Windows SDK for Visual Studio 2008 .NET Framework Tools - enu
"{2BFA9B05-7418-4EDE-A6FC-620427BAAAA3}" = Crystal Reports Basic Runtime for Visual Studio 2008 (x64)
"{2F14965D-567B-4E59-ADEB-0A2CC1E3ADDF}" = Sql Server Customer Experience Improvement Program
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{5340A3B5-3853-4745-BED2-DD9FF5371331}" = Microsoft SQL Server 2008 Common Files
"{53D7A054-4598-4947-A159-E8FCC77720AB}" = Microsoft Sync Framework Runtime v1.0 (x64)
"{572A2390-754A-4BE8-B629-CA0C5ED79208}" = DisplayLink Core Software
"{59D3F691-179D-4E52-832C-D22B81541AC5}" = Microsoft SQL Server 2008 Setup Support Files
"{5DE154DF-A55E-4FA5-BE59-32E78FCACF3E}" = Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
"{5EBE0F1F-45DF-4298-AC6B-E8E54EAEC834}" = Microsoft IntelliPoint 7.1
"{62EED300-E841-4083-A1D6-60B906271804}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Tools
"{64D5BBC6-5270-3711-AA39-31C1087AF4E6}" = Microsoft Visual Studio 2008 Remote Debugger - ENU
"{67C816AF-93F0-4C11-A355-AABC5FC00083}" = Microsoft SQL Server 2008 BI Development Studio
"{6E2EE862-FEF9-408A-90BB-F5B4EC129C8E}" = Microsoft SQL Server 2008 Analysis Services
"{7ACE202B-1B01-4B43-B6AE-03D66D621CDE}" = Microsoft SQL Server 2008 RsFx Driver
"{80C196C7-E517-BB73-7919-BDC4F76872AB}" = ATI AVIVO64 Codecs
"{817BCC2B-76A8-4C8B-8B55-FD916C6969CC}" = Microsoft Sync Services for ADO.NET v2.0 (x64)
"{893F27E6-D6BE-4B9F-80E6-0ADA694A31A8}" = Microsoft SQL Server 2008 Common Files
"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
"{910A147A-75D7-4ECD-A00D-727AAC0FD0E7}" = Microsoft SQL Server 2008 Client Tools
"{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9aa5f39c-a8de-46b0-919a-0248f8bc8490}" = Microsoft Windows SDK for Visual Studio 2008 SDK Reference Assemblies and IntelliSense
"{9DFA5914-C275-42E0-810E-C88E46A7F9EA}" = Microsoft SQL Server 2008 Full text search
"{A992BBAA-723D-4574-A07F-983BF8FAA3E1}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Win32 Tools
"{AE479CE0-753F-49C0-B8E6-79A37403999F}" = Microsoft SQL Server 2008 BI Development Studio
"{B702C53B-D809-4DD3-8C77-23EC0C948959}" = Microsoft SQL Server 2008 Integration Services
"{BAACB61F-43E0-4E70-BDC9-F81CC3B22970}" = Microsoft SQL Server 2008 Client Tools
"{BBDE8A3D-64A2-43A6-95F3-C27B87DF7AC1}" = Microsoft SQL Server 2008 Native Client
"{BFE972A5-DC62-03F9-F03E-8AC751DFE770}" = ccc-utility64
"{CC8BA866-16A7-4667-BA0C-C494A1E7B2BF}" = Microsoft SQL Server 2008 Database Engine Shared
"{D3E39E77-0EB4-36FB-B97A-8C8AB21B9A45}" = Visual Studio .NET Prerequisites - English
"{DF167CE3-60E7-44EA-99EC-2507C51F37AE}" = Microsoft SQL Server 2008 Database Engine Shared
"{ED321628-843E-4319-8C6D-CB3C919323AC}" = MysticThumbs
"{EF8B1A2E-9CCB-3AB2-91E3-4EEDAB1294E1}" = Microsoft Device Emulator (64 bit) version 3.0 - ENU
"{F01EC9B9-21B4-441E-958A-1E01098B03BE}" = Microsoft SQL Server 2008 Analysis Services
"{F4264106-F90E-4076-98CF-1B878DB14513}" = SQL Server System CLR Types
"{f45b48a7-f616-4211-b927-17cab6a96613}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{F5FEEB7E-F647-4D18-85BA-096750A15547}" = Microsoft SQL Server 2008 Integration Services
"{FA7394B8-CE65-4F9E-AC99-F372AD365424}" = Microsoft SQL Server 2008 Database Engine Services
"{FBD367D1-642F-47CF-B79B-9BE48FB34007}" = Microsoft SQL Server 2008 Database Engine Services
"{FF426C13-3D2B-4FA3-A8ED-64F0597CBDE5}" = DisplayLink Graphics
"Microsoft SQL Server 10" = Microsoft SQL Server 2008 (64-bit)
"Microsoft SQL Server 10 Release" = Microsoft SQL Server 2008 (64-bit)
"Microsoft Visual Studio 2008 Remote Debugger - ENU" = Microsoft Visual Studio 2008 Remote Debugger - ENU
"WinRAR archiver" = WinRAR archiver

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01C5A10F-AD9B-405B-853A-6659841A1242}" = Microsoft SQL Server 2008 Policies
"{03CEC5A3-648C-3E00-7CDB-C049B47A5EDC}" = CCC Help Spanish
"{051EF664-EB85-8320-1184-35136C6B0BEF}" = CCC Help Portuguese
"{052bac4a-6f79-46d4-a024-1ce1b4f73cd4}" = Microsoft Visual C++ 2005 Redistributable
"{0566E404-1FCB-16C4-C265-9415012650D5}" = CCC Help Korean
"{07BB25C3-55B6-303C-1E7C-2C528555014D}" = CCC Help Dutch
"{0C19D563-5F25-4621-BF10-01F741BD283F}" = Microsoft SQL Server Compact 3.5 SP1 Design Tools English
"{0DF3AE91-E533-3960-8516-B23737F8B7A2}" = Visual C++ 2008 x64 Runtime - (v9.0.30729)
"{0DF3AE91-E533-3960-8516-B23737F8B7A2}.vc_x64runtime_30729_01" = Visual C++ 2008 x64 Runtime - v9.0.30729.01
"{1583FB9E-D1D7-A29B-F3D3-7D6B74D75128}" = Catalyst Control Center Graphics Previews Vista
"{1EE6959C-49F2-5D45-A007-776A7A053043}" = CCC Help English
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{21F0EF99-BDE9-4722-8058-0AF0F9E0E95F}" = Golden Egg
"{222E1C7F-5892-0015-BF94-914B7EBEB564}" = CCC Help Finnish
"{22E23C71-C27A-3F30-8849-BB6129E50679}" = Visual C++ 2008 IA64 Runtime - (v9.0.30729)
"{22E23C71-C27A-3F30-8849-BB6129E50679}.vc_i64runtime_30729_01" = Visual C++ 2008 IA64 Runtime - v9.0.30729.01
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{241F2BF7-69EB-42A4-9156-96B2426C7504}" = Microsoft SQL Server Compact 3.5 for Devices ENU
"{291B3A3B-F808-45B8-8113-DF232FCB6C82}" = Microsoft .NET Compact Framework 3.5
"{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}" = SQL Server System CLR Types
"{3431A7A3-6287-46B0-8AF1-BE2452A1FE62}" = Microsoft SQL Server 2008 Books Online (English)
"{34A350D1-64FB-36D8-9D0C-1CD8E392DBA5}" = Google Talk Plugin
"{38001EBD-D270-2BBC-CEAE-B88BDE197E16}" = CCC Help Russian
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{3A762A82-618D-3CAA-B847-D074ABFA0B2E}" = MSDN Library for Visual Studio 2008 - ENU
"{42E0794B-B4A6-CDB6-308F-04A5CA54B81E}" = CCC Help French
"{599EAA99-BBA8-C8FF-C2EA-04D0C8FA6D89}" = Catalyst Control Center InstallProxy
"{5DFB9027-0099-5816-8428-CF25B64B46C9}" = CCC Help Czech
"{634CE363-2BB8-FF85-83C3-734699DFC570}" = CCC Help German
"{64CDE8F2-3791-46F5-BAD2-72FFF5252FAB}" = Microsoft SQL Server Compact 3.5 SP1 Query Tools English
"{6545416A-A60A-8DE4-3590-15F0662461DF}" = CCC Help Polish
"{6753B40C-0FBD-3BED-8A9D-0ACAC2DCD85D}" = Microsoft Document Explorer 2008
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6C9F6D23-E9AD-43C9-B43A-011562AAF876}" = Windows Mobile 5.0 SDK R2 for Pocket PC
"{774A70C8-29CA-565A-FB84-01B408F119B2}" = CCC Help Chinese Standard
"{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A9DE8C3-5B21-34EC-DE5D-BAFAB8D8C9D9}" = CCC Help Greek
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{8FB53850-246A-3507-8ADE-0060093FFEA6}" = Visual Studio Tools for the Office system 3.0 Runtime
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-0021-0000-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer 2007
"{90120000-0021-0409-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer MUI (English) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A4-0409-0000-0000000FF1CE}" = Microsoft Office 2003 Web Components
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{91120000-002E-0000-0000-0000000FF1CE}" = Microsoft Office Ultimate 2007
"{91D1580F-35C5-8D29-144C-605E3568B3A5}" = Catalyst Control Center Graphics Full Existing
"{940FF6ED-A622-43E8-AACE-347160A7DF42}" = SourceGear Fortress Client
"{958FD5FD-1F71-493B-CC6C-4922F3EA2356}" = CCC Help Danish
"{9656F3AC-6BA9-43F0-ABED-F214B5DAB27B}" = Windows Mobile 5.0 SDK R2 for Smartphone
"{9A33B83D-FFC4-44CF-BEEF-632DECEF2FCD}" = Microsoft SQL Server Database Publishing Wizard 1.3
"{9FDFB9AE-B7A9-3481-E85C-08E7FA6D620B}" = Catalyst Control Center Graphics Full New
"{A0AD3E2F-427D-09F9-85FB-450E35A03046}" = CCC Help Hungarian
"{A1D31E2C-C7E1-2E6E-EAE9-0C3BAFB5B1F9}" = CCC Help Thai
"{A69D7B32-2BE9-42BF-B576-69B5E0FF7394}" = Catalyst Control Center - Branding
"{A93944F2-D2D4-4750-BFE7-9A288FEAF2CF}" = Apple Application Support
"{AA467959-A1D6-4F45-90CD-11DC57733F32}" = Crystal Reports Basic for Visual Studio 2008
"{AA4A4B2C-0465-3CF8-BA76-27A027D8ACAB}" = Microsoft Visual Studio Tools for Applications 2.0 - ENU
"{B2C07E85-76D6-DC01-48A9-7577AD95CD70}" = CCC Help Swedish
"{B74D4E10-1033-0000-0000-000000000001}" = Adobe Bridge 1.0
"{B91C2CFE-15D0-C863-963A-DFF09D2AE726}" = Catalyst Control Center Core Implementation
"{BA0C9AAF-1327-3F06-B49C-349B4BE8F740}" = Microsoft Visual Studio 2008 Shell (integrated mode) - ENU
"{BACF2A73-2F91-9657-F9B5-10723A9B1E5B}" = CCC Help Italian
"{C688457E-03FD-4941-923B-A27F4D42A7DD}" = Microsoft SQL Server 2008 Browser
"{CDF7810C-10AB-7E95-ABC5-0D60C5761876}" = Catalyst Control Center Graphics Light
"{D5D35107-8CFE-5FFB-2D64-1CE29202493B}" = Catalyst Control Center Graphics Previews Common
"{D7DAD1E4-45F4-3B2B-899A-EA728167EC4F}" = Microsoft Visual Studio 2008 Professional Edition - ENU
"{D8D98FAB-17E7-A123-D654-6574E6187EE2}" = CCC Help Chinese Traditional
"{DAC44207-C17F-DAFA-CE5D-010AB94A38AB}" = CCC Help Norwegian
"{E31C77D0-B0F0-318B-0A39-F57BF54D22AD}" = ccc-core-static
"{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}" = Microsoft SQL Server Compact 3.5 SP1 English
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{EA3CD5E7-0C84-2479-6490-B6228F87B174}" = CCC Help Japanese
"{EA450D5D-95EA-4FD0-B8B0-6D8E68FBE2C7}" = Impulse
"{EB900AF8-CC61-4E15-871B-98D1EA3E8025}" = QuickTime
"{ECEB9207-85FE-3004-CD20-5DAEE0F1D1E0}" = CCC Help Turkish
"{EDDF99D9-9FE3-4871-A7DB-D1522C51EE9A}" = Microsoft .NET Compact Framework 2.0 SP2
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F5E87B12-3C27-452F-8E78-21D42164FD83}" = Microsoft SQL Server 2008 Management Objects
"{F68AFC71-77CD-0B22-4C4F-C09097E058E9}" = Catalyst Control Center Localization All
"{FF29527A-44CD-3422-945E-981A13584000}" = VC Runtimes MSI
"Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"Core FTP LE 2.1" = Core FTP LE 2.1
"EditPad Pro 6" = Just Great Software EditPad Pro 6 DEMO 6.6.4
"Foxit Reader" = Foxit Reader
"ImageMaster_is1" = Image Master 1.0.3.7
"Impulse" = Impulse
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft Document Explorer 2008" = Microsoft Document Explorer 2008
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Visual Studio 2005 Tools for Office Second Edition Runtime
"Microsoft Visual Studio 2008 Professional Edition - ENU" = Microsoft Visual Studio 2008 Professional Edition - ENU
"MSDN Library for Visual Studio 2008 - ENU" = MSDN Library for Visual Studio 2008 - ENU
"ObjectDock Plus 2" = ObjectDock Plus 2
"StarCraft II" = StarCraft II
"ULTIMATER" = Microsoft Office Ultimate 2007
"Visual Studio Tools for the Office system 3.0 Runtime" = Visual Studio Tools for the Office system 3.0 Runtime
"VisualWebDeveloper" = Microsoft Visual Studio Web Authoring Component

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 9/2/2010 11:49:19 AM | Computer Name = Vader | Source = Google Update | ID = 20
Description =

Error - 9/4/2010 5:42:43 PM | Computer Name = Vader | Source = Report Server Windows Service (MSSQLSERVER) | ID = 107
Description = Report Server Windows Service (MSSQLSERVER) cannot connect to the
report server database.

Error - 9/4/2010 5:42:44 PM | Computer Name = Vader | Source = Report Server Windows Service (MSSQLSERVER) | ID = 107
Description = Report Server Windows Service (MSSQLSERVER) cannot connect to the
report server database.

Error - 9/7/2010 2:27:51 PM | Computer Name = Vader | Source = Application Error | ID = 1000
Description = Faulting application name: wmiprvse.exe, version: 6.1.7600.16385,
time stamp: 0x4a5bc794 Faulting module name: ole32.dll, version: 6.1.7600.16385,
time stamp: 0x4a5be01a Exception code: 0xc0000005 Fault offset: 0x0000000000039389
Faulting
process id: 0xa94 Faulting application start time: 0x01cb4e007b617382 Faulting application
path: C:\Windows\system32\wbem\wmiprvse.exe Faulting module path: C:\Windows\system32\ole32.dll
Report
Id: 9f545f20-baad-11df-b28a-877ee6c90a5c

Error - 9/8/2010 1:11:34 PM | Computer Name = Vader | Source = Application Error | ID = 1000
Description = Faulting application name: wmiprvse.exe, version: 6.1.7600.16385,
time stamp: 0x4a5bc794 Faulting module name: ole32.dll, version: 6.1.7600.16385,
time stamp: 0x4a5be01a Exception code: 0xc0000005 Fault offset: 0x0000000000039389
Faulting
process id: 0x850 Faulting application start time: 0x01cb4eba6888466e Faulting application
path: C:\Windows\system32\wbem\wmiprvse.exe Faulting module path: C:\Windows\system32\ole32.dll
Report
Id: 214001cb-bb6c-11df-b28a-877ee6c90a5c

Error - 9/9/2010 11:37:06 AM | Computer Name = Vader | Source = Application Error | ID = 1000
Description = Faulting application name: wmiprvse.exe, version: 6.1.7600.16385,
time stamp: 0x4a5bc794 Faulting module name: ole32.dll, version: 6.1.7600.16385,
time stamp: 0x4a5be01a Exception code: 0xc0000005 Fault offset: 0x0000000000039389
Faulting
process id: 0x1830 Faulting application start time: 0x01cb4f78e9ad88f1 Faulting application
path: C:\Windows\system32\wbem\wmiprvse.exe Faulting module path: C:\Windows\system32\ole32.dll
Report
Id: 19484793-bc28-11df-b28a-877ee6c90a5c

Error - 9/10/2010 10:38:58 AM | Computer Name = Vader | Source = Application Error | ID = 1000
Description = Faulting application name: wmiprvse.exe, version: 6.1.7600.16385,
time stamp: 0x4a5bc794 Faulting module name: ole32.dll, version: 6.1.7600.16385,
time stamp: 0x4a5be01a Exception code: 0xc0000005 Fault offset: 0x0000000000039389
Faulting
process id: 0x1658 Faulting application start time: 0x01cb5034e1a9727b Faulting application
path: C:\Windows\system32\wbem\wmiprvse.exe Faulting module path: C:\Windows\system32\ole32.dll
Report
Id: 24e70eab-bce9-11df-b28a-877ee6c90a5c

Error - 9/11/2010 10:06:49 AM | Computer Name = Vader | Source = Application Error | ID = 1000
Description = Faulting application name: wmiprvse.exe, version: 6.1.7600.16385,
time stamp: 0x4a5bc794 Faulting module name: ole32.dll, version: 6.1.7600.16385,
time stamp: 0x4a5be01a Exception code: 0xc0000005 Fault offset: 0x0000000000039389
Faulting
process id: 0x4ac Faulting application start time: 0x01cb50f5ed5001e0 Faulting application
path: C:\Windows\system32\wbem\wmiprvse.exe Faulting module path: C:\Windows\system32\ole32.dll
Report
Id: d1b0121f-bdad-11df-b28a-877ee6c90a5c

Error - 9/11/2010 5:22:46 PM | Computer Name = Vader | Source = Report Server Windows Service (MSSQLSERVER) | ID = 107
Description = Report Server Windows Service (MSSQLSERVER) cannot connect to the
report server database.

Error - 9/11/2010 5:22:47 PM | Computer Name = Vader | Source = Report Server Windows Service (MSSQLSERVER) | ID = 107
Description = Report Server Windows Service (MSSQLSERVER) cannot connect to the
report server database.

[ OSession Events ]
Error - 7/22/2010 6:51:47 PM | Computer Name = Vader | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1066. This session lasted 11
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 8/2/2010 2:47:53 PM | Computer Name = Vader | Source = DCOM | ID = 10009
Description =

Error - 8/11/2010 9:56:35 PM | Computer Name = Vader | Source = Disk | ID = 262155
Description = The driver detected a controller error on \Device\Harddisk1\DR9.

Error - 8/30/2010 8:11:10 PM | Computer Name = Vader | Source = Service Control Manager | ID = 7034
Description = The GoldenEggServiceTestONETWOTHREE service terminated unexpectedly.
It has done this 1 time(s).

Error - 8/30/2010 8:11:18 PM | Computer Name = Vader | Source = Service Control Manager | ID = 7000
Description = The GoldenEggServiceTestONETWOTHREE service failed to start due to
the following error: %%2

Error - 8/30/2010 8:14:19 PM | Computer Name = Vader | Source = Service Control Manager | ID = 7034
Description = The GoldenEggServiceTestONETWOTHREE service terminated unexpectedly.
It has done this 2 time(s).

Error - 9/2/2010 11:41:21 AM | Computer Name = Vader | Source = Service Control Manager | ID = 7000
Description = The SAS Core Service service failed to start due to the following
error: %%2

Error - 9/2/2010 11:42:36 AM | Computer Name = Vader | Source = DCOM | ID = 10010
Description =

Error - 9/2/2010 11:47:49 AM | Computer Name = Vader | Source = Service Control Manager | ID = 7000
Description = The SAS Core Service service failed to start due to the following
error: %%2

Error - 9/4/2010 5:42:22 PM | Computer Name = Vader | Source = Service Control Manager | ID = 7000
Description = The SAS Core Service service failed to start due to the following
error: %%2

Error - 9/11/2010 5:22:27 PM | Computer Name = Vader | Source = Service Control Manager | ID = 7000
Description = The SAS Core Service service failed to start due to the following
error: %%2


< End of report >

#4 snemelk

snemelk

    engineer


  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland

Posted 12 September 2010 - 10:33 AM

Hi again allsmooth!!..

I do not see an antivirus program running on your computer... Without an AV, you have no protection and risk being quickly re-infected... Please install an antivirus program of your choice, run a full system scan with it, and post a log (if possible)... You may want to install one of the antivirus applications I recommend on my site: link

This is the only thing that stands out to me in the logs you've posted:

SRV - [2010/08/30 19:10:38 | 000,007,680 | ---- | M] (Microsoft) [Auto | Running] -- C:\Program Files (x86)\Golden Egg\GoldenEggWinService.exe -- (GoldenEggServiceTestONETWOTHREE)

It looks suspicious to me... Do you recognise that Golden Egg application??.. Do you have any idea what it might be??..

If not, please do the following:

Firstly,
Please go to http://www.virustotal.com/ , click on Browse, and upload the following file for analysis:

C:\Program Files (x86)\Golden Egg\GoldenEggWinService.exe

Then click Send File. Allow the file to be uploaded and scanned. Then, please post a link to the results page for me to see.

Secondly,
Please run OTL.exe.
  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    SRV - [2010/08/30 19:10:38 | 000,007,680 | ---- | M] (Microsoft) [Auto | Running] -- C:\Program Files (x86)\Golden Egg\GoldenEggWinService.exe -- (GoldenEggServiceTestONETWOTHREE)
    [2010/08/30 19:00:27 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Golden Egg
    :Commands
    [EmptyTemp]
    [EMPTYFLASH]

  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.
  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Also, could you check the contents of that folder: C:\Users\Terence\Documents\Anti Virus ??..
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#5 allsmooth
  • Topic Starter
  • Members
  • 12 posts
  • Local time:08:13 PM

Posted 12 September 2010 - 11:37 AM

Hello snemelk. Thank you for all of your help.
  1. C:\Program Files (x86)\Golden Egg\GoldenEggWinService.exe is my own personal app that I'm developing. It doesn't actually do anything.
  2. I took your advice and downloaded the Microsoft Security Essentials virus protection package. I ran it and it did not discover any problems.
  3. I ran OTL.exe with the commands that you instructed. Here are the results of that scan/fix

    All processes killed
    Error: Unable to interpret <[EmptyTemp]> in the current context!
    Error: Unable to interpret <[EMPTYFLASH]> in the current context!

    OTL by OldTimer - Version 3.2.12.0 log created on 09122010_110658

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
  4. The directory "C:\Users\Terence\Documents\Anti Virus" is a location that I created to store all of the log files that I create during this process in one location.

Having done all that you've asked so far, I still have the redirect problem and mbam updates are still being blocked. However, an additional symptom has shown up. Now, every time I access a web page (via a link or by directly typing in the URL), I get a message that reads "resolving host." Sometimes it continues on to the expected page, other times it redirects, and the third thing it does is time out without loading or redirecting.

Thank you again for investigating this for me.

#6 snemelk
  • Title: inżynier (engineer)
  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland
  • Local time:03:13 AM

Posted 12 September 2010 - 02:21 PM

Hi again allsmooth!!..

QUOTE(allsmooth @ Sep 12 2010, 06:37 PM)
C:\Program Files (x86)\Golden Egg\GoldenEggWinService.exe is my own personal app that I'm developing. It doesn't actually do anything.

I see...

QUOTE
Having done all that you've asked so far, I still have the redirect problem and mbam updates are still being blocked. However, an additional symptom has shown up. Now, every time I access a web page (via a link or by directly typing in the URL), I get a message that reads "resolving host." Sometimes it continues on to the expected page, other times it redirects, and the third thing it does is time out without loading or redirecting.

This is interesting... I see you've used TDSSKiller before - but an old version...

The current version is: 2.4.2.1

Please delete your current copy of TDSSKiller, download (to your Desktop) an executable version from this site: How to remove malware belonging to the family Rootkit.Win32.TDSS
Run the file, make sure both objects are about to be scanned... Click Start scan - if it finds an infection, let the tool fix it... If it finds suspicious entries only, skip them and just post the log here...
Show me the report...


#7 allsmooth
  • Topic Starter
  • Members
  • 12 posts
  • Local time:08:13 PM

Posted 12 September 2010 - 03:58 PM

Hello there.

I downloaded and ran the latest version of TDSSKiller as requested and it did not find anything. Here is the log report:

TDSSKiller log report

2010/09/12 15:56:19.0727 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44
2010/09/12 15:56:19.0727 ================================================================================
2010/09/12 15:56:19.0727 SystemInfo:
2010/09/12 15:56:19.0727
2010/09/12 15:56:19.0727 OS Version: 6.1.7600 ServicePack: 0.0
2010/09/12 15:56:19.0727 Product type: Workstation
2010/09/12 15:56:19.0727 ComputerName: VADER
2010/09/12 15:56:19.0727 UserName: Terence
2010/09/12 15:56:19.0727 Windows directory: C:\Windows
2010/09/12 15:56:19.0727 System windows directory: C:\Windows
2010/09/12 15:56:19.0727 Running under WOW64
2010/09/12 15:56:19.0727 Processor architecture: Intel x64
2010/09/12 15:56:19.0727 Number of processors: 6
2010/09/12 15:56:19.0727 Page size: 0x1000
2010/09/12 15:56:19.0727 Boot type: Normal boot
2010/09/12 15:56:19.0728 ================================================================================
2010/09/12 15:56:19.0728 Utility is running under WOW64
2010/09/12 15:56:19.0916 Initialize success
2010/09/12 15:56:28.0162 ================================================================================
2010/09/12 15:56:28.0162 Scan started
2010/09/12 15:56:28.0162 Mode: Manual;
2010/09/12 15:56:28.0162 ================================================================================
2010/09/12 15:56:28.0856 1394ohci (1b00662092f9f9568b995902f0cc40d5) C:\Windows\system32\DRIVERS\1394ohci.sys
2010/09/12 15:56:28.0887 ACPI (6f11e88748cdefd2f76aa215f97ddfe5) C:\Windows\system32\DRIVERS\ACPI.sys
2010/09/12 15:56:28.0920 AcpiPmi (63b05a0420ce4bf0e4af6dcc7cada254) C:\Windows\system32\DRIVERS\acpipmi.sys
2010/09/12 15:56:28.0962 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
2010/09/12 15:56:28.0979 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
2010/09/12 15:56:28.0994 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
2010/09/12 15:56:29.0047 AE1000 (e005682ae8f8ec4eb05f2a70a16ea1c5) C:\Windows\system32\DRIVERS\ae1000w7.sys
2010/09/12 15:56:29.0078 AFD (b9384e03479d2506bc924c16a3db87bc) C:\Windows\system32\drivers\afd.sys
2010/09/12 15:56:29.0103 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\DRIVERS\agp440.sys
2010/09/12 15:56:29.0127 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\DRIVERS\aliide.sys
2010/09/12 15:56:29.0141 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\DRIVERS\amdide.sys
2010/09/12 15:56:29.0167 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys
2010/09/12 15:56:29.0194 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
2010/09/12 15:56:29.0221 amdsata (7a4b413614c055935567cf88a9734d38) C:\Windows\system32\DRIVERS\amdsata.sys
2010/09/12 15:56:29.0244 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys
2010/09/12 15:56:29.0259 amdxata (b4ad0cacbab298671dd6f6ef7e20679d) C:\Windows\system32\DRIVERS\amdxata.sys
2010/09/12 15:56:29.0290 AppID (42fd751b27fa0e9c69bb39f39e409594) C:\Windows\system32\drivers\appid.sys
2010/09/12 15:56:29.0328 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys
2010/09/12 15:56:29.0350 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys
2010/09/12 15:56:29.0383 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
2010/09/12 15:56:29.0420 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\DRIVERS\atapi.sys
2010/09/12 15:56:29.0468 AtiHdmiService (fb7602c5c508be281368aae0b61b51c6) C:\Windows\system32\drivers\AtiHdmi.sys
2010/09/12 15:56:29.0594 atikmdag (37456be85384e4cc38dc899f07f88c45) C:\Windows\system32\DRIVERS\atikmdag.sys
2010/09/12 15:56:29.0698 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys
2010/09/12 15:56:29.0724 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
2010/09/12 15:56:29.0744 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
2010/09/12 15:56:29.0799 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
2010/09/12 15:56:29.0914 bowser (91ce0d3dc57dd377e690a2d324022b08) C:\Windows\system32\DRIVERS\bowser.sys
2010/09/12 15:56:29.0967 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys
2010/09/12 15:56:29.0986 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys
2010/09/12 15:56:30.0011 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
2010/09/12 15:56:30.0036 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
2010/09/12 15:56:30.0052 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
2010/09/12 15:56:30.0071 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
2010/09/12 15:56:30.0091 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys
2010/09/12 15:56:30.0128 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
2010/09/12 15:56:30.0160 cdrom (83d2d75e1efb81b3450c18131443f7db) C:\Windows\system32\DRIVERS\cdrom.sys
2010/09/12 15:56:30.0183 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys
2010/09/12 15:56:30.0210 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
2010/09/12 15:56:30.0230 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
2010/09/12 15:56:30.0256 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\DRIVERS\cmdide.sys
2010/09/12 15:56:30.0282 CNG (f95fd4cb7da00ba2a63ce9f6b5c053e1) C:\Windows\system32\Drivers\cng.sys
2010/09/12 15:56:30.0296 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
2010/09/12 15:56:30.0327 CompositeBus (f26b3a86f6fa87ca360b879581ab4123) C:\Windows\system32\DRIVERS\CompositeBus.sys
2010/09/12 15:56:30.0347 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys
2010/09/12 15:56:30.0392 CSC (4a6173c2279b498cd8f57cae504564cb) C:\Windows\system32\drivers\csc.sys
2010/09/12 15:56:30.0443 dc3d (51c55da62cd9bcec3494a3a362ea793c) C:\Windows\system32\DRIVERS\dc3d.sys
2010/09/12 15:56:30.0475 DfsC (3f1dc527070acb87e40afe46ef6da749) C:\Windows\system32\Drivers\dfsc.sys
2010/09/12 15:56:30.0497 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
2010/09/12 15:56:30.0522 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\DRIVERS\disk.sys
2010/09/12 15:56:30.0584 DisplayLinkUsbPort (64ff7eaa324702e824affd24d4b33412) C:\Windows\system32\DRIVERS\DisplayLinkUsbPort_5.2.23219.0.sys
2010/09/12 15:56:30.0629 dlkmd (b77de8ece8c423cc2de0812feb13bf5e) C:\Windows\system32\drivers\dlkmd.sys
2010/09/12 15:56:30.0666 dlkmdldr (389fb1d69a1b0e2403327590bf50084b) C:\Windows\system32\drivers\dlkmdldr.sys
2010/09/12 15:56:30.0750 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
2010/09/12 15:56:30.0795 DXGKrnl (7cb7d2b73813ce05c7bc0f5f95d27cec) C:\Windows\System32\drivers\dxgkrnl.sys
2010/09/12 15:56:30.0881 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\DRIVERS\evbda.sys
2010/09/12 15:56:30.0958 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\DRIVERS\elxstor.sys
2010/09/12 15:56:30.0985 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\DRIVERS\errdev.sys
2010/09/12 15:56:31.0023 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
2010/09/12 15:56:31.0048 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
2010/09/12 15:56:31.0078 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\DRIVERS\fdc.sys
2010/09/12 15:56:31.0104 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
2010/09/12 15:56:31.0118 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
2010/09/12 15:56:31.0148 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\DRIVERS\flpydisk.sys
2010/09/12 15:56:31.0167 FltMgr (f7866af72abbaf84b1fa5aa195378c59) C:\Windows\system32\drivers\fltmgr.sys
2010/09/12 15:56:31.0193 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
2010/09/12 15:56:31.0217 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys
2010/09/12 15:56:31.0242 fvevol (b8b2a6e1558f8f5de5ce431c5b2c7b09) C:\Windows\system32\DRIVERS\fvevol.sys
2010/09/12 15:56:31.0266 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\DRIVERS\gagp30kx.sys
2010/09/12 15:56:31.0306 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
2010/09/12 15:56:31.0326 HdAudAddService (6410f6f415b2a5a9037224c41da8bf12) C:\Windows\system32\drivers\HdAudio.sys
2010/09/12 15:56:31.0379 HDAudBus (0a49913402747a0b67de940fb42cbdbb) C:\Windows\system32\DRIVERS\HDAudBus.sys
2010/09/12 15:56:31.0389 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\DRIVERS\HidBatt.sys
2010/09/12 15:56:31.0410 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\DRIVERS\hidbth.sys
2010/09/12 15:56:31.0435 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\DRIVERS\hidir.sys
2010/09/12 15:56:31.0461 HidUsb (b3bf6b5b50006def50b66306d99fcf6f) C:\Windows\system32\DRIVERS\hidusb.sys
2010/09/12 15:56:31.0488 HpSAMD (0886d440058f203eba0e1825e4355914) C:\Windows\system32\DRIVERS\HpSAMD.sys
2010/09/12 15:56:31.0513 HTTP (cee049cac4efa7f4e1e4ad014414a5d4) C:\Windows\system32\drivers\HTTP.sys
2010/09/12 15:56:31.0536 hwpolicy (f17766a19145f111856378df337a5d79) C:\Windows\system32\drivers\hwpolicy.sys
2010/09/12 15:56:31.0554 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\DRIVERS\i8042prt.sys
2010/09/12 15:56:31.0590 iaStorV (d83efb6fd45df9d55e9a1afc63640d50) C:\Windows\system32\DRIVERS\iaStorV.sys
2010/09/12 15:56:31.0613 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\DRIVERS\iirsp.sys
2010/09/12 15:56:31.0646 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\DRIVERS\intelide.sys
2010/09/12 15:56:31.0678 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys
2010/09/12 15:56:31.0702 IpFilterDriver (722dd294df62483cecaae6e094b4d695) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2010/09/12 15:56:31.0725 IPMIDRV (e2b4a4494db7cb9b89b55ca268c337c5) C:\Windows\system32\DRIVERS\IPMIDrv.sys
2010/09/12 15:56:31.0750 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
2010/09/12 15:56:31.0767 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
2010/09/12 15:56:31.0783 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\DRIVERS\isapnp.sys
2010/09/12 15:56:31.0803 iScsiPrt (fa4d2557de56d45b0a346f93564be6e1) C:\Windows\system32\DRIVERS\msiscsi.sys
2010/09/12 15:56:31.0831 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\DRIVERS\kbdclass.sys
2010/09/12 15:56:31.0850 kbdhid (6def98f8541e1b5dceb2c822a11f7323) C:\Windows\system32\DRIVERS\kbdhid.sys
2010/09/12 15:56:31.0883 KSecDD (e8b6fcc9c83535c67f835d407620bd27) C:\Windows\system32\Drivers\ksecdd.sys
2010/09/12 15:56:31.0903 KSecPkg (bbe1bf6d9b661c354d4857d5fadb943b) C:\Windows\system32\Drivers\ksecpkg.sys
2010/09/12 15:56:31.0925 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
2010/09/12 15:56:31.0967 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
2010/09/12 15:56:32.0007 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\DRIVERS\lsi_fc.sys
2010/09/12 15:56:32.0030 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\DRIVERS\lsi_sas.sys
2010/09/12 15:56:32.0052 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\DRIVERS\lsi_sas2.sys
2010/09/12 15:56:32.0065 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\DRIVERS\lsi_scsi.sys
2010/09/12 15:56:32.0090 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
2010/09/12 15:56:32.0118 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\DRIVERS\megasas.sys
2010/09/12 15:56:32.0138 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\DRIVERS\MegaSR.sys
2010/09/12 15:56:32.0177 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
2010/09/12 15:56:32.0199 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
2010/09/12 15:56:32.0215 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys
2010/09/12 15:56:32.0227 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
2010/09/12 15:56:32.0245 mountmgr (791af66c4d0e7c90a3646066386fb571) C:\Windows\system32\drivers\mountmgr.sys
2010/09/12 15:56:32.0290 MpFilter (c4d8c3031c7cd5884ca856b15307e997) C:\Windows\system32\DRIVERS\MpFilter.sys
2010/09/12 15:56:32.0327 mpio (609d1d87649ecc19796f4d76d4c15cea) C:\Windows\system32\DRIVERS\mpio.sys
2010/09/12 15:56:32.0344 MpNWMon (a768f58c55d3f303e686a7646348aec3) C:\Windows\system32\DRIVERS\MpNWMon.sys
2010/09/12 15:56:32.0363 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
2010/09/12 15:56:32.0387 MRxDAV (30524261bb51d96d6fcbac20c810183c) C:\Windows\system32\drivers\mrxdav.sys
2010/09/12 15:56:32.0406 mrxsmb (cfdcd8ca87c2a657debc150ac35b5e08) C:\Windows\system32\DRIVERS\mrxsmb.sys
2010/09/12 15:56:32.0432 mrxsmb10 (1bee517b220b7f024f411aec1571dd5a) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2010/09/12 15:56:32.0450 mrxsmb20 (6b2d5fef385828b6e485c1c90afb8195) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2010/09/12 15:56:32.0471 msahci (5c37497276e3b3a5488b23a326a754b7) C:\Windows\system32\DRIVERS\msahci.sys
2010/09/12 15:56:32.0482 msdsm (8d27b597229aed79430fb9db3bcbfbd0) C:\Windows\system32\DRIVERS\msdsm.sys
2010/09/12 15:56:32.0513 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
2010/09/12 15:56:32.0533 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
2010/09/12 15:56:32.0550 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\DRIVERS\msisadrv.sys
2010/09/12 15:56:32.0588 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
2010/09/12 15:56:32.0602 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
2010/09/12 15:56:32.0616 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
2010/09/12 15:56:32.0644 MsRPC (89cb141aa8616d8c6a4610fa26c60964) C:\Windows\system32\drivers\MsRPC.sys
2010/09/12 15:56:32.0679 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\DRIVERS\mssmbios.sys
2010/09/12 15:56:32.0703 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
2010/09/12 15:56:32.0726 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys
2010/09/12 15:56:32.0749 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
2010/09/12 15:56:32.0797 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
2010/09/12 15:56:32.0844 NDIS (cad515dbd07d082bb317d9928ce8962c) C:\Windows\system32\drivers\ndis.sys
2010/09/12 15:56:32.0876 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
2010/09/12 15:56:32.0914 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
2010/09/12 15:56:32.0937 Ndisuio (f105ba1e22bf1f2ee8f005d4305e4bec) C:\Windows\system32\DRIVERS\ndisuio.sys
2010/09/12 15:56:32.0961 NdisWan (557dfab9ca1fcb036ac77564c010dad3) C:\Windows\system32\DRIVERS\ndiswan.sys
2010/09/12 15:56:32.0981 NDProxy (659b74fb74b86228d6338d643cd3e3cf) C:\Windows\system32\drivers\NDProxy.sys
2010/09/12 15:56:33.0002 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
2010/09/12 15:56:33.0023 NetBT (9162b273a44ab9dce5b44362731d062a) C:\Windows\system32\DRIVERS\netbt.sys
2010/09/12 15:56:33.0068 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys
2010/09/12 15:56:33.0088 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
2010/09/12 15:56:33.0106 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
2010/09/12 15:56:33.0146 Ntfs (356698a13c4630d5b31c37378d469196) C:\Windows\system32\drivers\Ntfs.sys
2010/09/12 15:56:33.0175 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
2010/09/12 15:56:33.0207 nvraid (3e38712941e9bb4ddbee00affe3fed3d) C:\Windows\system32\DRIVERS\nvraid.sys
2010/09/12 15:56:33.0221 nvstor (477dc4d6deb99be37084c9ac6d013da1) C:\Windows\system32\DRIVERS\nvstor.sys
2010/09/12 15:56:33.0255 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\DRIVERS\nv_agp.sys
2010/09/12 15:56:33.0282 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\DRIVERS\ohci1394.sys
2010/09/12 15:56:33.0319 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\DRIVERS\parport.sys
2010/09/12 15:56:33.0336 partmgr (7daa117143316c4a1537e074a5a9eaf0) C:\Windows\system32\drivers\partmgr.sys
2010/09/12 15:56:33.0356 pci (f36f6504009f2fb0dfd1b17a116ad74b) C:\Windows\system32\DRIVERS\pci.sys
2010/09/12 15:56:33.0378 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\DRIVERS\pciide.sys
2010/09/12 15:56:33.0402 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\DRIVERS\pcmcia.sys
2010/09/12 15:56:33.0421 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
2010/09/12 15:56:33.0444 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
2010/09/12 15:56:33.0517 Point64 (9abff71ff6f3b9492686d3403fa5dcdb) C:\Windows\system32\DRIVERS\point64k.sys
2010/09/12 15:56:33.0552 PptpMiniport (27cc19e81ba5e3403c48302127bda717) C:\Windows\system32\DRIVERS\raspptp.sys
2010/09/12 15:56:33.0572 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\DRIVERS\processr.sys
2010/09/12 15:56:33.0604 Psched (ee992183bd8eaefd9973f352e587a299) C:\Windows\system32\DRIVERS\pacer.sys
2010/09/12 15:56:33.0640 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\DRIVERS\ql2300.sys
2010/09/12 15:56:33.0665 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\DRIVERS\ql40xx.sys
2010/09/12 15:56:33.0690 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
2010/09/12 15:56:33.0713 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
2010/09/12 15:56:33.0746 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
2010/09/12 15:56:33.0769 Rasl2tp (87a6e852a22991580d6d39adc4790463) C:\Windows\system32\DRIVERS\rasl2tp.sys
2010/09/12 15:56:33.0788 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
2010/09/12 15:56:33.0819 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
2010/09/12 15:56:33.0843 rdbss (3bac8142102c15d59a87757c1d41dce5) C:\Windows\system32\DRIVERS\rdbss.sys
2010/09/12 15:56:33.0863 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys
2010/09/12 15:56:33.0895 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
2010/09/12 15:56:33.0937 RDPDR (9706b84dbabfc4b4ca46c5a82b14dfa3) C:\Windows\system32\drivers\rdpdr.sys
2010/09/12 15:56:33.0957 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
2010/09/12 15:56:33.0972 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
2010/09/12 15:56:33.0995 RDPWD (8a3e6bea1c53ea6177fe2b6eba2c80d7) C:\Windows\system32\drivers\RDPWD.sys
2010/09/12 15:56:34.0026 rdyboost (634b9a2181d98f15941236886164ec8b) C:\Windows\system32\drivers\rdyboost.sys
2010/09/12 15:56:34.0104 RsFx0103 (cd553b8633466a6d1c115812f2619f1f) C:\Windows\system32\DRIVERS\RsFx0103.sys
2010/09/12 15:56:34.0148 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
2010/09/12 15:56:34.0185 s3cap (88af6e02ab19df7fd07ecdf9c91e9af6) C:\Windows\system32\DRIVERS\vms3cap.sys
2010/09/12 15:56:34.0215 sbp2port (e3bbb89983daf5622c1d50cf49f28227) C:\Windows\system32\DRIVERS\sbp2port.sys
2010/09/12 15:56:34.0238 scfilter (c94da20c7e3ba1dca269bc8460d98387) C:\Windows\system32\DRIVERS\scfilter.sys
2010/09/12 15:56:34.0268 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
2010/09/12 15:56:34.0317 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys
2010/09/12 15:56:34.0329 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
2010/09/12 15:56:34.0357 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\DRIVERS\sermouse.sys
2010/09/12 15:56:34.0390 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\DRIVERS\sffdisk.sys
2010/09/12 15:56:34.0407 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\DRIVERS\sffp_mmc.sys
2010/09/12 15:56:34.0426 sffp_sd (5588b8c6193eb1522490c122eb94dffa) C:\Windows\system32\DRIVERS\sffp_sd.sys
2010/09/12 15:56:34.0437 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\DRIVERS\sfloppy.sys
2010/09/12 15:56:34.0464 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\DRIVERS\SiSRaid2.sys
2010/09/12 15:56:34.0482 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\DRIVERS\sisraid4.sys
2010/09/12 15:56:34.0499 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
2010/09/12 15:56:34.0531 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
2010/09/12 15:56:34.0576 srv (ec8f67289105bf270498095f14963464) C:\Windows\system32\DRIVERS\srv.sys
2010/09/12 15:56:34.0603 srv2 (f773d2ed090b7baa1c1a034f3ca476c8) C:\Windows\system32\DRIVERS\srv2.sys
2010/09/12 15:56:34.0626 srvnet (26e84d3649019c3244622e654dfcd75b) C:\Windows\system32\DRIVERS\srvnet.sys
2010/09/12 15:56:34.0686 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\DRIVERS\stexstor.sys
2010/09/12 15:56:34.0714 storflt (ffd7a6f15b14234b5b0e5d49e7961895) C:\Windows\system32\DRIVERS\vmstorfl.sys
2010/09/12 15:56:34.0738 storvsc (8fccbefc5c440b3c23454656e551b09a) C:\Windows\system32\DRIVERS\storvsc.sys
2010/09/12 15:56:34.0754 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\DRIVERS\swenum.sys
2010/09/12 15:56:34.0820 Tcpip (912107716bab424c7870e8e6af5e07e1) C:\Windows\system32\drivers\tcpip.sys
2010/09/12 15:56:34.0875 TCPIP6 (912107716bab424c7870e8e6af5e07e1) C:\Windows\system32\DRIVERS\tcpip.sys
2010/09/12 15:56:34.0905 tcpipreg (76d078af6f587b162d50210f761eb9ed) C:\Windows\system32\drivers\tcpipreg.sys
2010/09/12 15:56:34.0941 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
2010/09/12 15:56:34.0961 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
2010/09/12 15:56:34.0978 tdx (079125c4b17b01fcaeebce0bcb290c0f) C:\Windows\system32\DRIVERS\tdx.sys
2010/09/12 15:56:35.0000 TermDD (c448651339196c0e869a355171875522) C:\Windows\system32\DRIVERS\termdd.sys
2010/09/12 15:56:35.0039 tssecsrv (61b96c26131e37b24e93327a0bd1fb95) C:\Windows\system32\DRIVERS\tssecsrv.sys
2010/09/12 15:56:35.0079 tunnel (3836171a2cdf3af8ef10856db9835a70) C:\Windows\system32\DRIVERS\tunnel.sys
2010/09/12 15:56:35.0116 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\DRIVERS\uagp35.sys
2010/09/12 15:56:35.0141 udfs (d47baead86c65d4f4069d7ce0a4edceb) C:\Windows\system32\DRIVERS\udfs.sys
2010/09/12 15:56:35.0181 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\DRIVERS\uliagpkx.sys
2010/09/12 15:56:35.0212 umbus (eab6c35e62b1b0db0d1b48b671d3a117) C:\Windows\system32\DRIVERS\umbus.sys
2010/09/12 15:56:35.0229 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\DRIVERS\umpass.sys
2010/09/12 15:56:35.0256 usbccgp (b26afb54a534d634523c4fb66765b026) C:\Windows\system32\DRIVERS\usbccgp.sys
2010/09/12 15:56:35.0279 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\DRIVERS\usbcir.sys
2010/09/12 15:56:35.0300 usbehci (2ea4aff7be7eb4632e3aa8595b0803b5) C:\Windows\system32\DRIVERS\usbehci.sys
2010/09/12 15:56:35.0323 usbhub (4c9042b8df86c1e8e6240c218b99b39b) C:\Windows\system32\DRIVERS\usbhub.sys
2010/09/12 15:56:35.0343 usbohci (58e546bbaf87664fc57e0f6081e4f609) C:\Windows\system32\DRIVERS\usbohci.sys
2010/09/12 15:56:35.0354 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys
2010/09/12 15:56:35.0373 USBSTOR (080d3820da6c046be82fc8b45a893e83) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2010/09/12 15:56:35.0401 usbuhci (81fb2216d3a60d1284455d511797db3d) C:\Windows\system32\DRIVERS\usbuhci.sys
2010/09/12 15:56:35.0426 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\DRIVERS\vdrvroot.sys
2010/09/12 15:56:35.0452 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
2010/09/12 15:56:35.0469 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
2010/09/12 15:56:35.0488 vhdmp (c82e748660f62a242b2dfac1442f22a4) C:\Windows\system32\DRIVERS\vhdmp.sys
2010/09/12 15:56:35.0513 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\DRIVERS\viaide.sys
2010/09/12 15:56:35.0534 vmbus (1501699d7eda984abc4155a7da5738d1) C:\Windows\system32\DRIVERS\vmbus.sys
2010/09/12 15:56:35.0563 VMBusHID (ae10c35761889e65a6f7176937c5592c) C:\Windows\system32\DRIVERS\VMBusHID.sys
2010/09/12 15:56:35.0587 volmgr (2b1a3dae2b4e70dbba822b7a03fbd4a3) C:\Windows\system32\DRIVERS\volmgr.sys
2010/09/12 15:56:35.0612 volmgrx (99b0cbb569ca79acaed8c91461d765fb) C:\Windows\system32\drivers\volmgrx.sys
2010/09/12 15:56:35.0631 volsnap (58f82eed8ca24b461441f9c3e4f0bf5c) C:\Windows\system32\DRIVERS\volsnap.sys
2010/09/12 15:56:35.0659 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\DRIVERS\vsmraid.sys
2010/09/12 15:56:35.0685 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\system32\DRIVERS\vwifibus.sys
2010/09/12 15:56:35.0717 vwififlt (6a3d66263414ff0d6fa754c646612f3f) C:\Windows\system32\DRIVERS\vwififlt.sys
2010/09/12 15:56:35.0754 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\DRIVERS\wacompen.sys
2010/09/12 15:56:35.0786 WANARP (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
2010/09/12 15:56:35.0795 Wanarpv6 (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
2010/09/12 15:56:35.0832 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\DRIVERS\wd.sys
2010/09/12 15:56:35.0854 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
2010/09/12 15:56:35.0903 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
2010/09/12 15:56:35.0915 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
2010/09/12 15:56:35.0982 WinUsb (817eaff5d38674edd7713b9dfb8e9791) C:\Windows\system32\DRIVERS\WinUsb.sys
2010/09/12 15:56:36.0003 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\DRIVERS\wmiacpi.sys
2010/09/12 15:56:36.0042 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
2010/09/12 15:56:36.0068 WudfPf (7cadc74271dd6461c452c271b30bd378) C:\Windows\system32\drivers\WudfPf.sys
2010/09/12 15:56:36.0097 WUDFRd (3b197af0fff08aa66b6b2241ca538d64) C:\Windows\system32\DRIVERS\WUDFRd.sys
2010/09/12 15:56:36.0130 ================================================================================
2010/09/12 15:56:36.0130 Scan finished
2010/09/12 15:56:36.0130 ================================================================================
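The TDSSKiller log above is a driver inventory (service name, MD5, image path), not a verdict, and the thread has two other machines on the same network that do not show the symptom. The added Python example below (not code from the thread or from Kaspersky's tool) shows how a responder can use that: parse the log format, diff a suspect machine's log against one from a known-clean machine of the same Windows build, and list drivers loaded from outside the Windows directory. CLEAN_LOG lines are copied from the log above; SUSPECT_LOG is constructed, with one invented hash change and one invented extra service so the diff has something to report.

```python
"""Parser and diff for TDSSKiller 2.4.x scan logs in the format posted above.

Each driver line reads  <timestamp> <service> (<md5>) <path> .  The parser
extracts those fields; the checks are the two a responder can do offline:
compare the suspect machine's log against one from a known-clean machine of
the same Windows build, and list drivers loaded from outside the Windows
directory.  CLEAN_LOG lines are copied from the thread; SUSPECT_LOG adds one
constructed hash change and one constructed extra entry (both invented).
"""
import re
from typing import Dict, List, NamedTuple

LINE_RE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*?)\s*$"
)


class Driver(NamedTuple):
    name: str
    md5: str
    path: str


# Lines copied from the log posted above (a subset, for brevity).
CLEAN_LOG = r"""
2010/09/12 15:56:28.0162 Scan started
2010/09/12 15:56:29.0078 AFD (b9384e03479d2506bc924c16a3db87bc) C:\Windows\system32\drivers\afd.sys
2010/09/12 15:56:32.0844 NDIS (cad515dbd07d082bb317d9928ce8962c) C:\Windows\system32\drivers\ndis.sys
2010/09/12 15:56:34.0820 Tcpip (912107716bab424c7870e8e6af5e07e1) C:\Windows\system32\drivers\tcpip.sys
2010/09/12 15:56:34.0875 TCPIP6 (912107716bab424c7870e8e6af5e07e1) C:\Windows\system32\DRIVERS\tcpip.sys
2010/09/12 15:56:35.0786 WANARP (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
2010/09/12 15:56:36.0130 Scan finished
"""

# Constructed: the same machine after a hypothetical tampering.  The AFD hash
# and the 'demo_drv' entry are invented test data, not findings from the thread.
SUSPECT_LOG = r"""
2010/09/13 10:00:00.0000 Scan started
2010/09/13 10:00:01.0000 AFD (ffffffffffffffffffffffffffffffff) C:\Windows\system32\drivers\afd.sys
2010/09/13 10:00:02.0000 NDIS (cad515dbd07d082bb317d9928ce8962c) C:\Windows\system32\drivers\ndis.sys
2010/09/13 10:00:03.0000 Tcpip (912107716bab424c7870e8e6af5e07e1) C:\Windows\system32\drivers\tcpip.sys
2010/09/13 10:00:04.0000 TCPIP6 (912107716bab424c7870e8e6af5e07e1) C:\Windows\system32\DRIVERS\tcpip.sys
2010/09/13 10:00:05.0000 WANARP (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
2010/09/13 10:00:06.0000 demo_drv (00000000000000000000000000000000) C:\Users\Public\demo_drv.sys
2010/09/13 10:00:07.0000 Scan finished
"""


def parse_log(text: str) -> Dict[str, Driver]:
    """Service name -> Driver; banner and separator lines do not match and are skipped."""
    drivers: Dict[str, Driver] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            drivers[m.group("name")] = Driver(m.group("name"), m.group("md5").lower(), m.group("path"))
    return drivers


def outside_windows_dir(drivers: Dict[str, Driver], windir: str = r"C:\Windows") -> List[Driver]:
    """Drivers whose image lives outside the Windows directory (case-insensitive prefix check)."""
    prefix = windir.lower().rstrip("\\") + "\\"
    return [d for d in drivers.values() if not d.path.lower().startswith(prefix)]


def diff_logs(clean: Dict[str, Driver], suspect: Dict[str, Driver]) -> Dict[str, List[str]]:
    """Hash changes, services only present on the suspect, and services missing from it."""
    changed = sorted(n for n in clean if n in suspect and clean[n].md5 != suspect[n].md5)
    new = sorted(n for n in suspect if n not in clean)
    missing = sorted(n for n in clean if n not in suspect)
    return {"changed": changed, "new": new, "missing": missing}


def shared_images(drivers: Dict[str, Driver]) -> Dict[str, List[str]]:
    """Hash -> service names for hashes used by more than one service.  Several
    Windows services legitimately share one file (Tcpip/TCPIP6 above); the view
    is useful for spotting a service that is new *and* reuses a system image."""
    by_hash: Dict[str, List[str]] = {}
    for d in drivers.values():
        by_hash.setdefault(d.md5, []).append(d.name)
    return {h: sorted(names) for h, names in by_hash.items() if len(names) > 1}


if __name__ == "__main__":
    clean, suspect = parse_log(CLEAN_LOG), parse_log(SUSPECT_LOG)
    print(diff_logs(clean, suspect))
    print([d.path for d in outside_windows_dir(suspect)])
    print(shared_images(suspect))
```

To use it on real artefacts, read the two TDSSKiller log files into CLEAN_LOG and SUSPECT_LOG instead of the embedded samples. A differing hash for a driver that Windows Update touched in between is expected, so compare logs taken close together on machines at the same patch level; anything in "new" or outside the Windows directory is what to look at first.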


#8 snemelk
  • Title: inżynier (engineer)
  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland
  • Local time:03:13 AM

Posted 13 September 2010 - 03:58 PM

Hi again allsmooth!!..

QUOTE(allsmooth @ Sep 12 2010, 10:58 PM)
I downloaded and ran the latest version of TDSSKiller as requested and it did not find anything.

Ok...

That got me thinking, to tell the truth... I believe we may still be dealing with a DNS hijacker here... This line appeared in the DDS log (not in the OTL one, though):

QUOTE (allsmooth @ Sep 3 2010, 04:32 PM)
TCP: {1537216C-0FC2-4E6F-8A20-4B1CE8D1A93D} = 213.109.65.40,213.109.75.90


The DNS points to IPs in Russia; that causes the redirect problem and blocks updates...

Firstly,
Clear the DNS cache as presented in the article (basically, run ipconfig /flushdns from an elevated command prompt)...

Then,
I'll need more info, please run the following batch:

Open Notepad and copy and paste the text in the quote box below:

QUOTE
@echo off
REM Dump the DNS values stored in the Registry (per interface and machine-wide)
REM into C:\look.txt. 2>&1 keeps REG QUERY's "value not found" errors in the
REM report instead of losing them to the console.
REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1537216C-0FC2-4E6F-8A20-4B1CE8D1A93D}" /v NameServer >> C:\look.txt 2>&1
REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1537216C-0FC2-4E6F-8A20-4B1CE8D1A93D}" /v DhcpNameServer >> C:\look.txt 2>&1
REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v NameServer >> C:\look.txt 2>&1
REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v DhcpNameServer >> C:\look.txt 2>&1
echo. >> C:\look.txt
REM Everything inside the parentheses is appended to the same report:
REM live adapter settings, which resolver answers, and the routing table.
>> C:\look.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
notepad C:\look.txt
REM Once Notepad is closed, remove the report and this batch file.
del C:\look.txt
del %0

Save this as look.bat (set "Save as type" to All Files) and place it on your Desktop.
Right-click on it and choose "Run as administrator". A Notepad window should open.
Copy and paste its contents in your next reply.
snemelk.hekko.pl - my site with a few computer security tips...
Silesia - that's where I live!

"If I had some duct tape, I could fix that." - MacGyver


#9 allsmooth

allsmooth
  • Topic Starter
  • Members
  • 12 posts
  • Local time:08:13 PM

Posted 13 September 2010 - 06:03 PM

Wow. I think we're finally getting somewhere. Thank you so much for all of your help.

Look.txt log as follows:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    NameServer    REG_SZ

Windows IP Configuration

Host Name . . . . . . . . . . . . : Vader
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Linksys AE1000
Physical Address. . . . . . . . . : 00-25-9C-F0-43-69
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::1cae:d2fb:4696:6302%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 234890652
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-D9-C6-2F-00-25-9C-F0-43-69
DNS Servers . . . . . . . . . . . : 213.109.65.40
213.109.75.90
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{1537216C-0FC2-4E6F-8A20-4B1CE8D1A93D}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e76:240b:1b85:9d21:cc31(Preferred)
Link-local IPv6 Address . . . . . : fe80::240b:1b85:9d21:cc31%12(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Server: UnKnown
Address: 213.109.65.40

Name: google.com
Address: 173.194.34.104

Server: UnKnown
Address: 213.109.65.40

Name: yahoo.com
Addresses: 72.30.2.43
69.147.125.65
209.191.122.70
67.195.160.76
98.137.149.56


Pinging google.com [173.194.34.104] with 32 bytes of data:
Reply from 173.194.34.104: bytes=32 time=59ms TTL=53
Reply from 173.194.34.104: bytes=32 time=71ms TTL=53

Ping statistics for 173.194.34.104:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 59ms, Maximum = 71ms, Average = 65ms

Pinging yahoo.com [98.137.149.56] with 32 bytes of data:
Reply from 98.137.149.56: bytes=32 time=118ms TTL=51
Reply from 98.137.149.56: bytes=32 time=87ms TTL=51

Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 87ms, Maximum = 118ms, Average = 102ms
===========================================================================
Interface List
11...00 25 9c f0 43 69 ......Linksys AE1000
1...........................Software Loopback Interface 1
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.10 281
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.10 281
192.168.1.10 255.255.255.255 On-link 192.168.1.10 281
192.168.1.255 255.255.255.255 On-link 192.168.1.10 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.10 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.10 281
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 192.168.1.1 Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If  Metric  Network Destination                         Gateway
12      58  ::/0                                        On-link
 1     306  ::1/128                                     On-link
12      58  2001::/32                                   On-link
12     306  2001:0:4137:9e76:240b:1b85:9d21:cc31/128    On-link
11     281  fe80::/64                                   On-link
12     306  fe80::/64                                   On-link
11     281  fe80::1cae:d2fb:4696:6302/128               On-link
12     306  fe80::240b:1b85:9d21:cc31/128               On-link
 1     306  ff00::/8                                    On-link
12     306  ff00::/8                                    On-link
11     281  ff00::/8                                    On-link
===========================================================================
Persistent Routes:
None


#10 snemelk

snemelk
    engineer

  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland
  • Local time:03:13 AM

Posted 14 September 2010 - 11:15 AM

Hi again allsmooth!

QUOTE
Wow. I think we're finally getting somewhere. Thank you so much for all of your help.

No problem!.. ;)

I believe that your router is hijacked - the logfile clearly shows your computer connects to DNS servers in Russia... I'm not sure why other computers are not affected, though...

Firstly,
Run OTL.exe...
  • Close all windows and double click OTL.exe.
  • At the top bar, click: None
  • In the "Custom Scans/Fixes" window (under the light green bar) paste the following:

    213.109.65.40 /rs

  • Click Run Scan and let the program run uninterrupted.
  • When the scan completes, it will open one Notepad window, OTL.Txt. Post the log in this thread.

Secondly,
Please read my article here: Routers - security, then (after disconnecting other machines from the router) reset it back to the factory default settings, and change the username/password on your router...

Thirdly,
Clear the DNS cache once again...

Let me know if problem persists...


#11 allsmooth

allsmooth
  • Topic Starter
  • Members
  • 12 posts
  • Local time:08:13 PM

Posted 14 September 2010 - 11:53 AM

I'm pretty sure that you're correct about the router being compromised. I've disconnected all machines from it and I'm about to reset it now. In the meantime, here are the results of the OTL.exe log that you requested. I'll immediately post back here, once I've (hard) reset the router and scanned each machine with mbam and the microsoft virus tools that you mention on your site (which will take a while).

OTL.exe log as follows:

OTL logfile created on: 9/14/2010 11:40:50 AM - Run 2
OTL by OldTimer - Version 3.2.12.0 Folder = C:\Users\Terence\Downloads
64bit- Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

6.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 51.00% Memory free
12.00 Gb Paging File | 8.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 921.86 Gb Total Space | 833.83 Gb Free Space | 90.45% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 7.46 Gb Total Space | 7.44 Gb Free Space | 99.70% Space Free | Partition Type: FAT32
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
Drive I: | 9.61 Gb Total Space | 4.13 Gb Free Space | 43.00% Space Free | Partition Type: NTFS

Computer Name: VADER
Current User Name: Terence
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Custom Scans ==========


< 213.109.65.40 /rs >
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{1537216C-0FC2-4E6F-8A20-4B1CE8D1A93D}\\NameServer: 213.109.65.40,213.109.75.90
< End of report >

#12 snemelk

snemelk
    engineer

  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland
  • Local time:03:13 AM

Posted 14 September 2010 - 02:22 PM

Hi again allsmooth!

Looks like it's a lesson for me as well... ;)

Good that you're resetting the router and scanning the other machines as well (make sure that only one antivirus program is installed on every machine)...

Looks like the DNS settings are still stored in the Registry; let's fix that (preferably between the second and third step from my previous post):

Copy and paste the text below into a text editor such as Notepad.

Save this text as Fix.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your Desktop.

QUOTE

Windows Registry Editor Version 5.00

; Blank out the static DNS servers stored for this interface, so nothing
; overrides the DNS servers the network hands out.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{1537216C-0FC2-4E6F-8A20-4B1CE8D1A93D}]
"NameServer"=""


Double-click on Fix.reg. When it asks you to merge the information to the registry click Yes.

Does the problem persist?
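The two manual steps above, the registry queries in look.bat (post #8) and the Fix.reg merge that blanks NameServer (post #12), as one script. This is an added example, not code from this thread or from snemelk's site: it walks every interface GUID under Tcpip\Parameters\Interfaces, prints any static NameServer next to what DHCP handed out (DhcpNameServer), flags static resolvers that DHCP did not supply and that are not on a private range, and with -Fix blanks them the way Fix.reg does. One caveat is built in: the ipconfig /all output in post #9 shows "DHCP Enabled: No" on the Linksys adapter, and blanking NameServer on an adapter like that leaves it with no resolver at all, so the script warns about it and accepts a -ReplacementDns to write instead. The -Allow list (for public resolvers you set on purpose) and all parameter names are my own choices, not anything the thread defines.

```powershell
<#
  Audit-RogueDns.ps1 (added example, not code from this thread)
  Lists the per-interface DNS values look.bat queried by hand, flags static
  resolvers that DHCP did not hand out and that are not on a private range,
  and with -Fix blanks them, which is the change Fix.reg makes.
  Run from an elevated PowerShell prompt. Written to work on PowerShell 2.0
  (Windows 7 default), hence New-Object PSObject instead of [pscustomobject].
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Fix,
    # Written in place of the cleared value when the adapter has DHCP
    # disabled (post #9 shows "DHCP Enabled: No"), e.g. the router 192.168.1.1.
    # Assumption: the caller picks one that works on their network.
    [string[]]$ReplacementDns = @(),
    # Public resolvers configured on purpose that should not be flagged.
    [string[]]$Allow = @()
)

$tcpip      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$interfaces = "$tcpip\Interfaces"

# RFC 1918 check: a home router's resolver normally lives in one of these.
function Test-PrivateIPv4 {
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    $b = $ip.GetAddressBytes()
    if ($b.Length -ne 4) { return $false }
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# NameServer and DhcpNameServer are REG_SZ lists, comma or space separated.
function Split-DnsList {
    param([string]$Value)
    if (-not $Value) { return }
    $Value -split '[ ,]+' | Where-Object { $_ }
}

function Get-InterfaceDns {
    foreach ($key in Get-ChildItem $interfaces) {
        $p      = Get-ItemProperty $key.PSPath
        $static = @(Split-DnsList $p.NameServer)
        $dhcp   = @(Split-DnsList $p.DhcpNameServer)
        $bad    = @($static | Where-Object {
                      ($dhcp -notcontains $_) -and ($Allow -notcontains $_) -and
                      -not (Test-PrivateIPv4 $_) })
        New-Object PSObject -Property @{
            Guid        = $key.PSChildName
            Path        = $key.PSPath
            DhcpEnabled = ($p.EnableDHCP -eq 1)
            StaticDns   = $static
            DhcpDns     = $dhcp
            Suspicious  = $bad
        }
    }
}

# The machine-wide value look.bat also queried; it applies to every adapter.
$globalDns = @(Split-DnsList (Get-ItemProperty $tcpip).NameServer)
if ($globalDns.Count -gt 0) { Write-Host "Global NameServer: $($globalDns -join ',')" }

foreach ($e in Get-InterfaceDns | Where-Object { $_.StaticDns.Count -gt 0 }) {
    Write-Host ("{0}  DHCP={1}  static={2}  dhcp={3}" -f $e.Guid, $e.DhcpEnabled,
                ($e.StaticDns -join ','), ($e.DhcpDns -join ','))
    if ($e.Suspicious.Count -eq 0) { continue }
    Write-Warning ("static resolver(s) not from DHCP and not private: " + ($e.Suspicious -join ','))
    if (-not $Fix) { continue }
    if (-not $PSCmdlet.ShouldProcess($e.Guid, 'clear NameServer')) { continue }

    # Same effect as merging Fix.reg: the static override is gone.
    Set-ItemProperty -Path $e.Path -Name NameServer -Value ''
    if (-not $e.DhcpEnabled) {
        # Nothing refills the list on a static-IP adapter, so write a
        # replacement resolver or say so before the machine loses DNS entirely.
        if ($ReplacementDns.Count -gt 0) {
            Set-ItemProperty -Path $e.Path -Name NameServer -Value ($ReplacementDns -join ',')
            Write-Host "NameServer on $($e.Guid) set to $($ReplacementDns -join ',')"
        } else {
            Write-Warning "DHCP is disabled on $($e.Guid); it now has no resolver. Re-run with -ReplacementDns."
        }
    }
}
if ($Fix) { ipconfig /flushdns | Out-Null }
```

Run it first without -Fix (or with -Fix -WhatIf) to see what would be touched; it prints every adapter that has a static NameServer and warns on the ones that look rogue. Writing the registry directly, as the .reg merge does, is not always picked up by the running stack straight away, so after -Fix disable and re-enable the adapter (or reboot) before trusting ipconfig /all; that is one explanation for look.bat still showing the old servers right after the merge in post #13.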


#13 allsmooth

allsmooth
  • Topic Starter
  • Members
  • 12 posts
  • Local time:08:13 PM

Posted 15 September 2010 - 12:07 PM

Hello there snemelk, I have some interesting things to report!

First, I disconnected all machines from the router and did the hard reset (but I actually updated the firmware first from a clean machine). Then I used my laptop (clean machine) to set the router back up. I used a very strong password and the laptop continues to be clean and doesn't have the redirect problem.

Second, I did as you suggested with the fix.reg set of instructions. I got the message that the keys and values have been successfully merged into the registry. Then I ran look.bat again (your instructions from a previous post) and noticed that the same dns settings were there, even though I had made the registry changes. Then I wondered how it read any data at all from the router, seeing that it was disconnected. But I just ignored that and connected the infected machine to the router again anyway.

Now here's where it starts to get strange. Once I had connected to my router (wirelessly), I don't have Internet access. I can see other machines on the network, but I do not have Internet access. So I ran look.bat again, and the dns is exactly what it was before (for my adapter). When I connect my laptop to the router (wirelessly) it accesses the Internet just fine. When I connect my ipad to the router (wirelessly of course), it also can access the Internet just fine. It's only the infected machine that can't access the Internet since I did a hard reset on the router.

I've run mbam again with no results found and I also ran the microsoft virus tools and it didn't find anything either.

So... I'm using my laptop to write this response as I'm no longer able to access the Internet with the infected machine after hard-resetting the router. Therefore, I also cannot tell if the fix.reg set of instructions worked or if the problem persists.

Any ideas?

#14 snemelk

snemelk
    engineer

  • Malware Response Team
  • 1,468 posts
  • Gender:Male
  • Location:Poland
  • Local time:03:13 AM

Posted 15 September 2010 - 02:25 PM

Hi again allsmooth!

QUOTE (allsmooth @ Sep 15 2010, 07:07 PM)
So... I'm using my laptop to write this response as I'm no longer able to access the Internet with the infected machine after hard-resetting the router. Therefore, I also cannot tell if the fix.reg set of instructions worked or if the problem persists.

Any ideas?

If other machines can connect wirelessly to the internet, I would lean toward the idea that fix.reg caused this...
Basically, that fix.reg Registry merge removed the malicious DNS settings and set them to "Obtain DNS server address automatically" - I believed your computer would then automatically detect the DNS settings (the ones the router uses) and access the internet without any problems... Point 6 here: Change TCP/IP settings (or part of the article here: Changing DNS server settings on Microsoft Windows Vista) gives instructions on how to change the DNS settings on your Windows 7 system...

Personally, I'd do the following:

- try clearing the DNS cache first (Clear the DNS cache)
- when using your clean laptop, I'd check what DNS settings it uses, and if needed - place the same settings on the machine that was infected...
- if above doesn't help, use Google Public DNS temporarily...

If the above doesn't help, please take a look at the settings on the router... If you use filtering based on the MAC addresses of the computers, please check whether that computer has been given access...
Also, could you take a look at the DNS settings on the router? What DNS servers does it use??.. (Checking the DNS Servers from a Linksys Router)

Let me know how it goes...


#15 allsmooth

allsmooth
  • Topic Starter
  • Members
  • 12 posts
  • Local time:08:13 PM

Posted 15 September 2010 - 03:46 PM

SUCCESS!! WOOHOO!!

Although I have no idea what we did that actually solved the problem, I'm glad we fixed it!

Also, I have no clue as to how I got into this situation in the first place, but I'm using the virus tool that you recommended and I can get regular mbam updates now so I'm hoping I can prevent this from happening again in the future!

Thank you so much!! This site and its workers (and especially you) are AWESOME!!



