Suspected Google Redirect virus


  • This topic is locked
55 replies to this topic

#1 FallenPhoenix1986

  • Members
  • 50 posts


Posted 20 August 2011 - 03:29 PM

A few days ago I discovered a series of trojans on my system. I thought I had managed to remove them fairly easily; however, the next day I found my browser being redirected whenever I opened a Google search result. I attempted further scans (Ad-Aware, Avira, AVG, Malwarebytes, Windows Defender, Microsoft Malicious Software Removal Tool) and on two occasions I have found the redirects cease; however, on rebooting my machine the symptoms return.

I am aware that you would have preferred I wait until being asked to run ComboFix; however, I downloaded and ran this program shortly before I discovered this site. I have therefore posted the results of this scan after the DDS log.

I do not know if it is significant, but I find that searching from Google directly rather than a toolbar search gives more reliable results.

DDS as follows:

DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514
Run by Craig at 20:33:47 on 2011-08-20
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.4087.2432 [GMT 1:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: AVG Anti-Virus 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG10\avgchsva.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\AVG\AVG10\avgam.exe
C:\Program Files (x86)\AVG\AVG10\avgnsa.exe
C:\Program Files (x86)\AVG\AVG10\avgemca.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\AVG\AVG10\avgtray.exe
C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\system32\wuauclt.exe
C:\PROGRA~2\AVG\AVG10\avgrsa.exe
C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.sky.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
mRun: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~3\Office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{406AA35C-E8CF-4674-9945-3BBA4FD75623} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{BACDDFFB-2F4C-4E1B-A93A-81B5C2B0E8CA} : DhcpNameServer = 8.8.8.8 8.8.4.4
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO-X64: 0x1 - No File
BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO-X64: HP Print Enhancer - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
BHO-X64: HP Smart BHO Class - No File
TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun-x64: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun-x64: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
IE-X64: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;C:\Windows\system32\DRIVERS\AVGIDSEH.Sys --> C:\Windows\system32\DRIVERS\AVGIDSEH.Sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
R0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys --> C:\Windows\system32\DRIVERS\Lbd.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-8-18 136360]
R2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-8-18 269480]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [2011-2-8 269520]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 athrusb;Belkin Wireless LAN USB device driver;C:\Windows\system32\DRIVERS\athrxusb.sys --> C:\Windows\system32\DRIVERS\athrxusb.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys --> C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys --> C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
R3 MBfilt;MBfilt;C:\Windows\system32\drivers\MBfilt64.sys --> C:\Windows\system32\drivers\MBfilt64.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-7-21 2151640]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-08-20 18:33:25 -------- d-sh--w- C:\$RECYCLE.BIN
2011-08-20 17:37:39 8862544 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{284A1BF6-0361-4722-B69D-4FD3B6881DD3}\mpengine.dll
2011-08-20 16:33:58 98816 ----a-w- C:\Windows\sed.exe
2011-08-20 16:33:58 518144 ----a-w- C:\Windows\SWREG.exe
2011-08-20 16:33:58 256000 ----a-w- C:\Windows\PEV.exe
2011-08-20 16:33:58 208896 ----a-w- C:\Windows\MBR.exe
2011-08-20 16:32:51 -------- d-----w- C:\ComboFix
2011-08-20 13:17:30 601424 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{9BF4E714-F009-436C-A19D-2A69274B6E29}\gapaengine.dll
2011-08-18 13:59:14 -------- d-----w- C:\Users\Craig\AppData\Roaming\AVG10
2011-08-18 13:57:43 -------- d-----w- C:\Windows\SysWow64\drivers\AVG
2011-08-18 13:56:53 -------- d-----w- C:\Windows\System32\drivers\AVG
2011-08-18 13:52:43 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2011-08-18 13:49:52 69376 ----a-w- C:\Windows\System32\drivers\Lbd.sys
2011-08-18 13:45:54 88288 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2011-08-18 13:39:58 288768 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-08-18 13:38:41 5561216 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-08-18 13:38:41 3912576 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-08-18 13:38:40 3967872 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-08-17 20:39:48 -------- d-----w- C:\Users\Craig\AppData\Roaming\Avira
2011-08-17 20:24:49 -------- d-----w- C:\ProgramData\Avira
2011-08-17 20:24:49 -------- d-----w- C:\Program Files (x86)\Avira
2011-08-17 17:58:51 -------- d-----w- C:\$AVG
2011-08-17 17:27:32 -------- d--h--w- C:\ProgramData\Common Files
2011-08-17 17:26:54 -------- d-----w- C:\ProgramData\AVG10
2011-08-17 17:26:25 -------- d-----w- C:\Program Files (x86)\AVG
2011-08-17 16:58:23 -------- d-----w- C:\Program Files (x86)\Lavasoft
2011-08-16 21:08:11 -------- d-----w- C:\Users\Craig\AppData\Roaming\Malwarebytes
2011-08-16 21:07:44 -------- d-----w- C:\ProgramData\Malwarebytes
2011-08-16 21:07:40 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-08-09 23:04:33 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2011-08-09 23:04:21 8578896 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-07-23 05:04:07 -------- d-----w- C:\Program Files (x86)\AMD APP
2011-07-23 05:00:48 -------- d-----w- C:\AMD
2011-07-23 04:48:56 -------- d-----w- C:\ProgramData\PC Drivers HeadQuarters
.
==================== Find3M ====================
.
2011-08-20 19:12:54 270776 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2011-08-20 19:12:54 270776 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-08-20 19:12:01 111928 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2011-07-22 05:22:26 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-07-22 04:54:18 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-07-16 05:41:50 362496 ----a-w- C:\Windows\System32\wow64win.dll
2011-07-16 05:41:49 243200 ----a-w- C:\Windows\System32\wow64.dll
2011-07-16 05:41:49 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2011-07-16 05:39:10 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2011-07-16 05:37:12 421888 ----a-w- C:\Windows\System32\KernelBase.dll
2011-07-16 04:29:19 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2011-07-16 04:26:00 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2011-07-16 04:25:37 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2011-07-16 04:24:23 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2011-07-16 04:24:22 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2011-07-16 02:21:44 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2011-07-16 02:21:41 2048 ----a-w- C:\Windows\SysWow64\user.exe
2011-07-16 02:17:19 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:17:19 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:17:19 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:17:19 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-07-06 18:52:42 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-06-27 20:30:40 9883136 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2011-06-27 20:16:32 23385600 ----a-w- C:\Windows\System32\atio6axx.dll
2011-06-27 19:52:04 17940992 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2011-06-27 19:50:06 151552 ----a-w- C:\Windows\System32\atiapfxx.exe
2011-06-27 19:49:52 689152 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2011-06-27 19:48:26 814080 ----a-w- C:\Windows\System32\aticfx64.dll
2011-06-27 19:45:38 462848 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2011-06-27 19:45:22 485376 ----a-w- C:\Windows\System32\atieclxx.exe
2011-06-27 19:44:46 204288 ----a-w- C:\Windows\System32\atiesrxx.exe
2011-06-27 19:43:32 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2011-06-27 19:43:12 423424 ----a-w- C:\Windows\System32\atipdl64.dll
2011-06-27 19:43:06 356352 ----a-w- C:\Windows\SysWow64\atipdlxx.dll
2011-06-27 19:42:54 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
2011-06-27 19:42:48 16384 ----a-w- C:\Windows\System32\atimuixx.dll
2011-06-27 19:42:44 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2011-06-27 19:42:38 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2011-06-27 19:39:32 4275712 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2011-06-27 19:29:34 5072896 ----a-w- C:\Windows\System32\atidxx64.dll
2011-06-27 19:27:22 1113088 ----a-w- C:\Windows\System32\atiumd6v.dll
2011-06-27 19:26:48 1828864 ----a-w- C:\Windows\SysWow64\atiumdmv.dll
2011-06-27 19:26:36 3847680 ----a-w- C:\Windows\System32\atiumd6a.dll
2011-06-27 19:19:42 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2011-06-27 19:19:40 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2011-06-27 19:19:30 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2011-06-27 19:19:28 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2011-06-27 19:19:16 8134656 ----a-w- C:\Windows\System32\aticaldd64.dll
2011-06-27 19:17:54 4367360 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2011-06-27 19:17:14 4039680 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2011-06-27 19:15:48 6739968 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2011-06-27 19:11:04 5540352 ----a-w- C:\Windows\System32\atiumd64.dll
2011-06-27 19:10:36 58880 ----a-w- C:\Windows\System32\coinst.dll
2011-06-27 19:03:16 375808 ----a-w- C:\Windows\System32\atiadlxx.dll
2011-06-27 19:03:08 266240 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2011-06-27 19:02:56 15360 ----a-w- C:\Windows\System32\atig6pxx.dll
2011-06-27 19:02:52 13312 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2011-06-27 19:02:52 13312 ----a-w- C:\Windows\System32\atiglpxx.dll
2011-06-27 19:02:48 39936 ----a-w- C:\Windows\System32\atig6txx.dll
2011-06-27 19:02:40 32768 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2011-06-27 19:02:32 307712 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2011-06-27 19:01:44 40960 ----a-w- C:\Windows\System32\atiuxp64.dll
2011-06-27 19:01:38 31744 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2011-06-27 19:01:30 38912 ----a-w- C:\Windows\System32\atiu9p64.dll
2011-06-27 19:01:24 29184 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2011-06-27 19:00:46 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2011-06-27 19:00:38 53760 ----a-w- C:\Windows\System32\atimpc64.dll
2011-06-27 19:00:38 53760 ----a-w- C:\Windows\System32\amdpcom64.dll
2011-06-27 19:00:32 52736 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2011-06-27 19:00:32 52736 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2011-06-27 15:23:22 60416 ----a-w- C:\Windows\System32\OVDecode64.dll
2011-06-27 15:23:20 53760 ----a-w- C:\Windows\SysWow64\OVDecode.dll
2011-06-27 15:23:06 51200 ----a-w- C:\Windows\System32\OpenCL.dll
2011-06-27 15:23:02 43520 ----a-w- C:\Windows\SysWow64\OpenCL.dll
2011-06-27 15:22:52 16906752 ----a-w- C:\Windows\System32\amdocl64.dll
2011-06-27 15:22:40 13904896 ----a-w- C:\Windows\SysWow64\amdocl.dll
2011-06-24 05:34:53 214528 ----a-w- C:\Windows\System32\winsrv.dll
2011-06-24 05:25:49 338432 ----a-w- C:\Windows\System32\conhost.exe
2011-06-21 06:34:00 1923968 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-06-21 06:20:53 1188864 ----a-w- C:\Windows\System32\wininet.dll
2011-06-21 05:28:33 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-06-15 10:02:23 212992 ----a-w- C:\Windows\System32\odbctrac.dll
2011-06-15 10:02:23 163840 ----a-w- C:\Windows\System32\odbccp32.dll
2011-06-15 10:02:23 106496 ----a-w- C:\Windows\System32\odbccu32.dll
2011-06-15 10:02:23 106496 ----a-w- C:\Windows\System32\odbccr32.dll
2011-06-15 08:55:19 86016 ----a-w- C:\Windows\SysWow64\odbccu32.dll
2011-06-15 08:55:19 81920 ----a-w- C:\Windows\SysWow64\odbccr32.dll
2011-06-15 08:55:19 319488 ----a-w- C:\Windows\SysWow64\odbcjt32.dll
2011-06-15 08:55:19 163840 ----a-w- C:\Windows\SysWow64\odbctrac.dll
2011-06-15 08:55:19 122880 ----a-w- C:\Windows\SysWow64\odbccp32.dll
2011-06-14 18:28:19 61 --sh--w- C:\Windows\cnerolf.bin
2011-06-11 03:07:25 3137536 ----a-w- C:\Windows\System32\win32k.sys
2011-05-24 11:42:55 404480 ----a-w- C:\Windows\System32\umpnpmgr.dll
2011-05-24 10:40:05 64512 ----a-w- C:\Windows\SysWow64\devobj.dll
2011-05-24 10:40:05 44544 ----a-w- C:\Windows\SysWow64\devrtl.dll
2011-05-24 10:39:38 145920 ----a-w- C:\Windows\SysWow64\cfgmgr32.dll
2011-05-24 10:37:54 252928 ----a-w- C:\Windows\SysWow64\drvinst.exe
.
============= FINISH: 20:43:26.08 ===============

ComboFix 11-08-19.02 - Craig 20/08/2011 17:41:28.1.8 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.4087.2498 [GMT 1:00]
Running from: c:\users\Craig\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: AVG Anti-Virus 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: AVG Anti-Virus 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Craig\AppData\Roaming\Adobe\plugs
c:\users\Craig\AppData\Roaming\Adobe\shed
.
.
((((((((((((((((((((((((( Files Created from 2011-07-20 to 2011-08-20 )))))))))))))))))))))))))))))))
.
.
2011-08-20 17:08 . 2011-08-20 17:08 -------- d-----w- c:\users\Kayleigh\AppData\Local\temp
2011-08-20 17:08 . 2011-08-20 17:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-20 13:17 . 2011-03-16 16:26 601424 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9BF4E714-F009-436C-A19D-2A69274B6E29}\gapaengine.dll
2011-08-20 13:17 . 2011-08-12 04:10 8862544 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{63FA4D6C-3559-4BFD-85D1-B5D90C527388}\mpengine.dll
2011-08-18 13:59 . 2011-08-18 13:59 -------- d-----w- c:\users\Craig\AppData\Roaming\AVG10
2011-08-18 13:57 . 2011-08-18 13:57 -------- d-----w- c:\windows\SysWow64\drivers\AVG
2011-08-18 13:56 . 2011-08-20 13:10 -------- d-----w- c:\windows\system32\drivers\AVG
2011-08-18 13:52 . 2011-08-18 13:52 55384 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-18 13:49 . 2011-08-18 13:49 -------- dc----w- c:\windows\system32\DRVSTORE
2011-08-18 13:49 . 2011-07-21 13:59 69376 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-08-18 13:45 . 2011-08-20 13:11 88288 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-08-18 13:45 . 2011-08-20 13:11 123784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-08-18 13:39 . 2011-07-09 02:46 288768 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-18 13:38 . 2011-06-23 05:43 5561216 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-08-18 13:38 . 2011-06-23 04:33 3912576 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2011-08-18 13:38 . 2011-06-23 04:33 3967872 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2011-08-17 20:39 . 2011-08-17 20:39 -------- d-----w- c:\users\Craig\AppData\Roaming\Avira
2011-08-17 20:24 . 2011-08-17 20:24 -------- d-----w- c:\programdata\Avira
2011-08-17 20:24 . 2011-08-17 20:24 -------- d-----w- c:\program files (x86)\Avira
2011-08-17 17:58 . 2011-08-17 17:58 -------- d-----w- C:\$AVG
2011-08-17 17:27 . 2011-08-17 17:27 -------- d--h--w- c:\programdata\Common Files
2011-08-17 17:26 . 2011-08-18 13:56 -------- d-----w- c:\programdata\AVG10
2011-08-17 17:26 . 2011-08-17 17:26 -------- d-----w- c:\program files (x86)\AVG
2011-08-17 16:58 . 2011-08-17 16:58 -------- d-----w- c:\programdata\Lavasoft
2011-08-17 16:58 . 2011-08-17 16:58 -------- d-----w- c:\program files (x86)\Lavasoft
2011-08-16 21:08 . 2011-08-16 21:08 -------- d-----w- c:\users\Craig\AppData\Roaming\Malwarebytes
2011-08-16 21:07 . 2011-08-16 21:07 -------- d-----w- c:\programdata\Malwarebytes
2011-08-16 21:07 . 2011-08-18 13:39 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-08-09 23:04 . 2011-08-18 13:22 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2011-08-09 23:04 . 2011-07-13 04:53 8578896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-07-23 05:04 . 2011-07-23 05:04 -------- d-----w- c:\programdata\ATI
2011-07-23 05:04 . 2011-08-18 13:21 -------- d-----w- c:\program files (x86)\AMD APP
2011-07-23 05:00 . 2011-08-18 13:21 -------- d-----w- C:\AMD
2011-07-23 04:48 . 2011-08-18 13:22 -------- d-----w- c:\programdata\PC Drivers HeadQuarters
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-18 15:56 . 2011-01-12 16:34 270776 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2011-08-18 15:56 . 2011-01-05 00:15 270776 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-08-18 15:56 . 2011-01-05 00:15 111928 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2011-07-16 04:26 . 2011-08-18 13:39 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2011-07-13 04:53 . 2011-03-16 16:26 8578896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-06-27 20:30 . 2011-06-27 20:30 9883136 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-06-27 20:16 . 2011-06-27 20:16 23385600 ----a-w- c:\windows\system32\atio6axx.dll
2011-06-27 19:52 . 2011-06-27 19:52 17940992 ----a-w- c:\windows\SysWow64\atioglxx.dll
2011-06-27 19:50 . 2011-06-27 19:50 151552 ----a-w- c:\windows\system32\atiapfxx.exe
2011-06-27 19:49 . 2011-06-27 19:49 689152 ----a-w- c:\windows\SysWow64\aticfx32.dll
2011-06-27 19:48 . 2010-09-29 01:54 814080 ----a-w- c:\windows\system32\aticfx64.dll
2011-06-27 19:45 . 2011-06-27 19:45 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-06-27 19:45 . 2011-06-27 19:45 485376 ----a-w- c:\windows\system32\atieclxx.exe
2011-06-27 19:44 . 2011-06-27 19:44 204288 ----a-w- c:\windows\system32\atiesrxx.exe
2011-06-27 19:43 . 2011-06-27 19:43 120320 ----a-w- c:\windows\system32\atitmm64.dll
2011-06-27 19:43 . 2011-06-27 19:43 423424 ----a-w- c:\windows\system32\atipdl64.dll
2011-06-27 19:43 . 2011-06-27 19:43 356352 ----a-w- c:\windows\SysWow64\atipdlxx.dll
2011-06-27 19:42 . 2011-06-27 19:42 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
2011-06-27 19:42 . 2011-06-27 19:42 16384 ----a-w- c:\windows\system32\atimuixx.dll
2011-06-27 19:42 . 2011-06-27 19:42 59392 ----a-w- c:\windows\system32\atiedu64.dll
2011-06-27 19:42 . 2011-06-27 19:42 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2011-06-27 19:39 . 2011-06-27 19:39 4275712 ----a-w- c:\windows\SysWow64\atidxx32.dll
2011-06-27 19:29 . 2010-09-29 01:37 5072896 ----a-w- c:\windows\system32\atidxx64.dll
2011-06-27 19:27 . 2011-06-27 19:27 1113088 ----a-w- c:\windows\system32\atiumd6v.dll
2011-06-27 19:26 . 2011-06-27 19:26 1828864 ----a-w- c:\windows\SysWow64\atiumdmv.dll
2011-06-27 19:26 . 2011-06-27 19:26 3847680 ----a-w- c:\windows\system32\atiumd6a.dll
2011-06-27 19:19 . 2011-06-27 19:19 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2011-06-27 19:19 . 2011-06-27 19:19 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2011-06-27 19:19 . 2011-06-27 19:19 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2011-06-27 19:19 . 2011-06-27 19:19 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2011-06-27 19:19 . 2011-06-27 19:19 8134656 ----a-w- c:\windows\system32\aticaldd64.dll
2011-06-27 19:17 . 2011-06-27 19:17 4367360 ----a-w- c:\windows\SysWow64\atiumdag.dll
2011-06-27 19:17 . 2011-06-27 19:17 4039680 ----a-w- c:\windows\SysWow64\atiumdva.dll
2011-06-27 19:15 . 2011-06-27 19:15 6739968 ----a-w- c:\windows\SysWow64\aticaldd.dll
2011-06-27 19:11 . 2011-06-27 19:11 5540352 ----a-w- c:\windows\system32\atiumd64.dll
2011-06-27 19:10 . 2010-08-04 01:23 58880 ----a-w- c:\windows\system32\coinst.dll
2011-06-27 19:03 . 2011-06-27 19:03 375808 ----a-w- c:\windows\system32\atiadlxx.dll
2011-06-27 19:03 . 2011-06-27 19:03 266240 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2011-06-27 19:02 . 2011-06-27 19:02 15360 ----a-w- c:\windows\system32\atig6pxx.dll
2011-06-27 19:02 . 2011-06-27 19:02 13312 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2011-06-27 19:02 . 2011-06-27 19:02 13312 ----a-w- c:\windows\system32\atiglpxx.dll
2011-06-27 19:02 . 2011-06-27 19:02 39936 ----a-w- c:\windows\system32\atig6txx.dll
2011-06-27 19:02 . 2011-06-27 19:02 32768 ----a-w- c:\windows\SysWow64\atigktxx.dll
2011-06-27 19:02 . 2011-06-27 19:02 307712 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-06-27 19:01 . 2010-08-04 01:15 40960 ----a-w- c:\windows\system32\atiuxp64.dll
2011-06-27 19:01 . 2011-06-27 19:01 31744 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2011-06-27 19:01 . 2011-06-27 19:01 38912 ----a-w- c:\windows\system32\atiu9p64.dll
2011-06-27 19:01 . 2011-06-27 19:01 29184 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2011-06-27 19:00 . 2011-06-27 19:00 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-06-27 19:00 . 2011-06-27 19:00 53760 ----a-w- c:\windows\system32\atimpc64.dll
2011-06-27 19:00 . 2011-06-27 19:00 53760 ----a-w- c:\windows\system32\amdpcom64.dll
2011-06-27 19:00 . 2011-06-27 19:00 52736 ----a-w- c:\windows\SysWow64\atimpc32.dll
2011-06-27 19:00 . 2011-06-27 19:00 52736 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2011-06-27 15:23 . 2011-06-27 15:23 60416 ----a-w- c:\windows\system32\OVDecode64.dll
2011-06-27 15:23 . 2011-06-27 15:23 53760 ----a-w- c:\windows\SysWow64\OVDecode.dll
2011-06-27 15:23 . 2011-06-27 15:23 51200 ----a-w- c:\windows\system32\OpenCL.dll
2011-06-27 15:23 . 2011-06-27 15:23 43520 ----a-w- c:\windows\SysWow64\OpenCL.dll
2011-06-27 15:22 . 2011-06-27 15:22 16906752 ----a-w- c:\windows\system32\amdocl64.dll
2011-06-27 15:22 . 2011-06-27 15:22 13904896 ----a-w- c:\windows\SysWow64\amdocl.dll
2011-06-11 03:07 . 2011-07-15 17:07 3137536 ----a-w- c:\windows\system32\win32k.sys
2011-05-24 11:42 . 2011-06-29 21:28 404480 ----a-w- c:\windows\system32\umpnpmgr.dll
2011-05-24 10:40 . 2011-06-29 21:28 64512 ----a-w- c:\windows\SysWow64\devobj.dll
2011-05-24 10:40 . 2011-06-29 21:28 44544 ----a-w- c:\windows\SysWow64\devrtl.dll
2011-05-24 10:39 . 2011-06-29 21:28 145920 ----a-w- c:\windows\SysWow64\cfgmgr32.dll
2011-05-24 10:37 . 2011-06-29 21:28 252928 ----a-w- c:\windows\SysWow64\drvinst.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
"NUSB3MON"="c:\program files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-01-22 106496]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-06-27 336384]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2010-11-30 281768]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG10\avgtray.exe" [2011-04-18 2334560]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG10\avgchsva.exe /sync\0c:\progra~2\AVG\AVG10\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 ALSysIO;ALSysIO;c:\users\Craig\AppData\Local\Temp\ALSysIO64.sys [x]
R3 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-04-18 7398752]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [x]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [x]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-07-21 2151640]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [x]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-08-20 136360]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG10\avgwdsvc.exe [2011-02-08 269520]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 athrusb;Belkin Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrxusb.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 MBfilt;MBfilt;c:\windows\system32\drivers\MBfilt64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-07-28 11101800]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2009-01-21 123400]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.sky.com
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-SunJavaUpdateSched - c:\program files (x86)\Java\jre6\bin\jusched.exe
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc.exe
AddRemove-AlphaSim SH-2 Seasprite for FSX v1.00 - c:\users\Craig\Desktop\sprite\Uninstal_FSXSH2.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\AVG\AVG10\avgam.exe
c:\program files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
.
**************************************************************************
.
Completion time: 2011-08-20 18:34:16 - machine was rebooted
ComboFix-quarantined-files.txt 2011-08-20 17:34
.
Pre-Run: 353,159,426,048 bytes free
Post-Run: 354,685,181,952 bytes free
.
- - End Of File - - 658B9ACD440F3F5A922421525F983277
I appreciate any assistance anyone may be able to offer, for as of this afternoon I'm officially out of ideas...


Craig

Edit: I feel I should also mention that I am accessing from an alternate machine, as on the infected machine this site will cause explorer to crash should I try and view any similar threads.

Edited by FallenPhoenix1986, 20 August 2011 - 03:31 PM.


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,761 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:15 AM

Posted 25 August 2011 - 03:30 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/415335 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 FallenPhoenix1986

FallenPhoenix1986
  • Topic Starter

  • Members
  • 50 posts
  • OFFLINE
  • Local time:10:15 AM

Posted 27 August 2011 - 10:50 AM

Still unresolved, original CDs available. Using Win 7 64, so no GMER logs.

DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514
Run by Craig at 16:06:55 on 2011-08-27
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.4087.2714 [GMT 1:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: AVG Anti-Virus 2011 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus 2011 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG10\avgchsva.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\AVG\AVG10\avgam.exe
C:\Program Files (x86)\AVG\AVG10\avgnsa.exe
C:\Program Files (x86)\AVG\AVG10\avgemca.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe
C:\PROGRA~2\AVG\AVG10\avgrsa.exe
C:\Program Files (x86)\AVG\AVG10\avgcsrva.exe
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\AVG\AVG10\avgtray.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.sky.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
mRun: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office12\EXCEL.EXE/3000
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~3\Office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~3\Office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{406AA35C-E8CF-4674-9945-3BBA4FD75623} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{BACDDFFB-2F4C-4E1B-A93A-81B5C2B0E8CA} : DhcpNameServer = 8.8.8.8 8.8.4.4
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG10\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO-X64: 0x1 - No File
BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO-X64: HP Print Enhancer - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
BHO-X64: HP Smart BHO Class - No File
TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [ATICustomerCare] "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
mRun-x64: [NUSB3MON] "C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRun-x64: [AVG_TRAY] C:\Program Files (x86)\AVG\AVG10\avgtray.exe
IE-X64: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;C:\Windows\system32\DRIVERS\AVGIDSEH.Sys --> C:\Windows\system32\DRIVERS\AVGIDSEH.Sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
R0 Lbd;Lbd;C:\Windows\system32\DRIVERS\Lbd.sys --> C:\Windows\system32\DRIVERS\Lbd.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2011-8-18 136360]
R2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2011-8-18 269480]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG10\avgwdsvc.exe [2011-2-8 269520]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys --> C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys --> C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
R3 MBfilt;MBfilt;C:\Windows\system32\drivers\MBfilt64.sys --> C:\Windows\system32\drivers\MBfilt64.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-7-21 2151640]
S3 athrusb;Belkin Wireless LAN USB device driver;C:\Windows\system32\DRIVERS\athrxusb.sys --> C:\Windows\system32\DRIVERS\athrxusb.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;C:\Program Files (x86)\Lavasoft\Ad-Aware\kernexplorer64.sys [2011-8-18 17152]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-08-26 21:25:03 8862544 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{92B3680E-14FE-4486-8161-C71A82F03C62}\mpengine.dll
2011-08-24 12:39:07 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-08-24 12:39:07 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-08-20 20:40:37 89804 ----a-w- C:\Program Files (x86)\Microsoft Games\Microsoft Flight Simulator X\Uninstal VEH_Foch-Clemenceau_V3-00.exe
2011-08-20 18:33:25 -------- d-sh--w- C:\$RECYCLE.BIN
2011-08-20 16:33:58 98816 ----a-w- C:\Windows\sed.exe
2011-08-20 16:33:58 518144 ----a-w- C:\Windows\SWREG.exe
2011-08-20 16:33:58 256000 ----a-w- C:\Windows\PEV.exe
2011-08-20 16:33:58 208896 ----a-w- C:\Windows\MBR.exe
2011-08-20 16:32:51 -------- d-----w- C:\ComboFix
2011-08-20 13:17:30 601424 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{9BF4E714-F009-436C-A19D-2A69274B6E29}\gapaengine.dll
2011-08-18 13:59:14 -------- d-----w- C:\Users\Craig\AppData\Roaming\AVG10
2011-08-18 13:57:43 -------- d-----w- C:\Windows\SysWow64\drivers\AVG
2011-08-18 13:56:53 -------- d-----w- C:\Windows\System32\drivers\AVG
2011-08-18 13:52:43 55384 ----a-w- C:\Windows\System32\drivers\SBREDrv.sys
2011-08-18 13:49:52 69376 ----a-w- C:\Windows\System32\drivers\Lbd.sys
2011-08-18 13:45:54 88288 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2011-08-18 13:39:58 288768 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-08-18 13:38:41 5561216 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-08-18 13:38:41 3912576 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-08-18 13:38:40 3967872 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-08-17 20:39:48 -------- d-----w- C:\Users\Craig\AppData\Roaming\Avira
2011-08-17 20:24:49 -------- d-----w- C:\ProgramData\Avira
2011-08-17 20:24:49 -------- d-----w- C:\Program Files (x86)\Avira
2011-08-17 17:58:51 -------- d-----w- C:\$AVG
2011-08-17 17:27:32 -------- d--h--w- C:\ProgramData\Common Files
2011-08-17 17:26:54 -------- d-----w- C:\ProgramData\AVG10
2011-08-17 17:26:25 -------- d-----w- C:\Program Files (x86)\AVG
2011-08-17 16:58:23 -------- d-----w- C:\Program Files (x86)\Lavasoft
2011-08-16 21:08:11 -------- d-----w- C:\Users\Craig\AppData\Roaming\Malwarebytes
2011-08-16 21:07:44 -------- d-----w- C:\ProgramData\Malwarebytes
2011-08-16 21:07:40 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-08-09 23:04:33 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2011-08-09 23:04:21 8578896 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
.
==================== Find3M ====================
.
2011-08-23 17:42:39 270776 ----a-w- C:\Windows\SysWow64\PnkBstrB.xtr
2011-08-23 17:42:39 270776 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2011-08-23 17:42:14 111928 ----a-w- C:\Windows\SysWow64\PnkBstrB.ex0
2011-07-22 05:22:26 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-07-22 04:54:18 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-07-16 05:41:50 362496 ----a-w- C:\Windows\System32\wow64win.dll
2011-07-16 05:41:49 243200 ----a-w- C:\Windows\System32\wow64.dll
2011-07-16 05:41:49 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2011-07-16 05:39:10 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2011-07-16 05:37:12 421888 ----a-w- C:\Windows\System32\KernelBase.dll
2011-07-16 04:29:19 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2011-07-16 04:26:00 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2011-07-16 04:25:37 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2011-07-16 04:24:23 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2011-07-16 04:24:22 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2011-07-16 02:21:44 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2011-07-16 02:21:41 2048 ----a-w- C:\Windows\SysWow64\user.exe
2011-07-16 02:17:19 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:17:19 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:17:19 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:17:19 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-07-06 18:52:42 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-06-27 20:30:40 9883136 ----a-w- C:\Windows\System32\drivers\atikmdag.sys
2011-06-27 20:16:32 23385600 ----a-w- C:\Windows\System32\atio6axx.dll
2011-06-27 19:52:04 17940992 ----a-w- C:\Windows\SysWow64\atioglxx.dll
2011-06-27 19:50:06 151552 ----a-w- C:\Windows\System32\atiapfxx.exe
2011-06-27 19:49:52 689152 ----a-w- C:\Windows\SysWow64\aticfx32.dll
2011-06-27 19:48:26 814080 ----a-w- C:\Windows\System32\aticfx64.dll
2011-06-27 19:45:38 462848 ----a-w- C:\Windows\System32\ATIDEMGX.dll
2011-06-27 19:45:22 485376 ----a-w- C:\Windows\System32\atieclxx.exe
2011-06-27 19:44:46 204288 ----a-w- C:\Windows\System32\atiesrxx.exe
2011-06-27 19:43:32 120320 ----a-w- C:\Windows\System32\atitmm64.dll
2011-06-27 19:43:12 423424 ----a-w- C:\Windows\System32\atipdl64.dll
2011-06-27 19:43:06 356352 ----a-w- C:\Windows\SysWow64\atipdlxx.dll
2011-06-27 19:42:54 278528 ----a-w- C:\Windows\SysWow64\Oemdspif.dll
2011-06-27 19:42:48 16384 ----a-w- C:\Windows\System32\atimuixx.dll
2011-06-27 19:42:44 59392 ----a-w- C:\Windows\System32\atiedu64.dll
2011-06-27 19:42:38 43520 ----a-w- C:\Windows\SysWow64\ati2edxx.dll
2011-06-27 19:39:32 4275712 ----a-w- C:\Windows\SysWow64\atidxx32.dll
2011-06-27 19:29:34 5072896 ----a-w- C:\Windows\System32\atidxx64.dll
2011-06-27 19:27:22 1113088 ----a-w- C:\Windows\System32\atiumd6v.dll
2011-06-27 19:26:48 1828864 ----a-w- C:\Windows\SysWow64\atiumdmv.dll
2011-06-27 19:26:36 3847680 ----a-w- C:\Windows\System32\atiumd6a.dll
2011-06-27 19:19:42 51200 ----a-w- C:\Windows\System32\aticalrt64.dll
2011-06-27 19:19:40 46080 ----a-w- C:\Windows\SysWow64\aticalrt.dll
2011-06-27 19:19:30 44544 ----a-w- C:\Windows\System32\aticalcl64.dll
2011-06-27 19:19:28 44032 ----a-w- C:\Windows\SysWow64\aticalcl.dll
2011-06-27 19:19:16 8134656 ----a-w- C:\Windows\System32\aticaldd64.dll
2011-06-27 19:17:54 4367360 ----a-w- C:\Windows\SysWow64\atiumdag.dll
2011-06-27 19:17:14 4039680 ----a-w- C:\Windows\SysWow64\atiumdva.dll
2011-06-27 19:15:48 6739968 ----a-w- C:\Windows\SysWow64\aticaldd.dll
2011-06-27 19:11:04 5540352 ----a-w- C:\Windows\System32\atiumd64.dll
2011-06-27 19:10:36 58880 ----a-w- C:\Windows\System32\coinst.dll
2011-06-27 19:03:16 375808 ----a-w- C:\Windows\System32\atiadlxx.dll
2011-06-27 19:03:08 266240 ----a-w- C:\Windows\SysWow64\atiadlxy.dll
2011-06-27 19:02:56 15360 ----a-w- C:\Windows\System32\atig6pxx.dll
2011-06-27 19:02:52 13312 ----a-w- C:\Windows\SysWow64\atiglpxx.dll
2011-06-27 19:02:52 13312 ----a-w- C:\Windows\System32\atiglpxx.dll
2011-06-27 19:02:48 39936 ----a-w- C:\Windows\System32\atig6txx.dll
2011-06-27 19:02:40 32768 ----a-w- C:\Windows\SysWow64\atigktxx.dll
2011-06-27 19:02:32 307712 ----a-w- C:\Windows\System32\drivers\atikmpag.sys
2011-06-27 19:01:44 40960 ----a-w- C:\Windows\System32\atiuxp64.dll
2011-06-27 19:01:38 31744 ----a-w- C:\Windows\SysWow64\atiuxpag.dll
2011-06-27 19:01:30 38912 ----a-w- C:\Windows\System32\atiu9p64.dll
2011-06-27 19:01:24 29184 ----a-w- C:\Windows\SysWow64\atiu9pag.dll
2011-06-27 19:00:46 53248 ----a-w- C:\Windows\System32\drivers\ati2erec.dll
2011-06-27 19:00:38 53760 ----a-w- C:\Windows\System32\atimpc64.dll
2011-06-27 19:00:38 53760 ----a-w- C:\Windows\System32\amdpcom64.dll
2011-06-27 19:00:32 52736 ----a-w- C:\Windows\SysWow64\atimpc32.dll
2011-06-27 19:00:32 52736 ----a-w- C:\Windows\SysWow64\amdpcom32.dll
2011-06-27 15:23:22 60416 ----a-w- C:\Windows\System32\OVDecode64.dll
2011-06-27 15:23:20 53760 ----a-w- C:\Windows\SysWow64\OVDecode.dll
2011-06-27 15:23:06 51200 ----a-w- C:\Windows\System32\OpenCL.dll
2011-06-27 15:23:02 43520 ----a-w- C:\Windows\SysWow64\OpenCL.dll
2011-06-27 15:22:52 16906752 ----a-w- C:\Windows\System32\amdocl64.dll
2011-06-27 15:22:40 13904896 ----a-w- C:\Windows\SysWow64\amdocl.dll
2011-06-24 05:34:53 214528 ----a-w- C:\Windows\System32\winsrv.dll
2011-06-24 05:25:49 338432 ----a-w- C:\Windows\System32\conhost.exe
2011-06-21 06:34:00 1923968 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-06-21 06:20:53 1188864 ----a-w- C:\Windows\System32\wininet.dll
2011-06-21 05:28:33 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-06-15 10:02:23 212992 ----a-w- C:\Windows\System32\odbctrac.dll
2011-06-15 10:02:23 163840 ----a-w- C:\Windows\System32\odbccp32.dll
2011-06-15 10:02:23 106496 ----a-w- C:\Windows\System32\odbccu32.dll
2011-06-15 10:02:23 106496 ----a-w- C:\Windows\System32\odbccr32.dll
2011-06-15 08:55:19 86016 ----a-w- C:\Windows\SysWow64\odbccu32.dll
2011-06-15 08:55:19 81920 ----a-w- C:\Windows\SysWow64\odbccr32.dll
2011-06-15 08:55:19 319488 ----a-w- C:\Windows\SysWow64\odbcjt32.dll
2011-06-15 08:55:19 163840 ----a-w- C:\Windows\SysWow64\odbctrac.dll
2011-06-15 08:55:19 122880 ----a-w- C:\Windows\SysWow64\odbccp32.dll
2011-06-14 18:28:19 61 --sh--w- C:\Windows\cnerolf.bin
2011-06-11 03:07:25 3137536 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 16:15:18.23 ===============


Craig
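As an added example (not from this thread, and not code from the DDS tool), a small Python triage script that parses the file entries of a DDS log like the one above and builds two review lists: regular files carrying both the system and hidden attributes, and files sitting directly in the Windows directory. The sample lines are copied from the log above; a hit such as the 61-byte system+hidden `C:\Windows\cnerolf.bin` is a prompt to look closer, not a verdict.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# One DDS file entry looks like "<date> <time> <size|--------> <attrs> <path>".
# Directories show "--------" in the size column; the attribute column is eight
# characters, e.g. "d-sh--w-" (directory, system, hidden) or "----a-w-" (archive).
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)

# Constructed sample: a handful of lines copied from the DDS log posted above,
# mixed with the section separators DDS prints, so the parser has to skip them.
SAMPLE_DDS = r"""
.
=============== Created Last 30 ================
.
2011-08-20 18:33:25 -------- d-sh--w- C:\$RECYCLE.BIN
2011-08-20 16:33:58 98816 ----a-w- C:\Windows\sed.exe
2011-08-20 16:32:51 -------- d-----w- C:\ComboFix
.
==================== Find3M ====================
.
2011-07-16 02:17:19 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-06-14 18:28:19 61 --sh--w- C:\Windows\cnerolf.bin
2011-06-11 03:07:25 3137536 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 16:15:18.23 ===============
"""


@dataclass
class FileEntry:
    created: datetime
    size: Optional[int]  # None for directory entries
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    def has_attr(self, flag: str) -> bool:
        # 's' = system, 'h' = hidden, 'a' = archive, 'r' = read-only
        return flag in self.attrs


def parse_file_entries(text: str) -> List[FileEntry]:
    """Return the file/directory entries found in a DDS log; other lines are skipped."""
    entries: List[FileEntry] = []
    for raw in text.splitlines():
        m = FILE_LINE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        created = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        entries.append(FileEntry(created, size, m["attrs"], m["path"]))
    return entries


def hidden_system_files(entries: List[FileEntry]) -> List[FileEntry]:
    """Regular files marked both system and hidden. Windows uses the pair for a few
    legitimate files, so treat this as a review list, not a verdict."""
    return [e for e in entries if not e.is_dir and e.has_attr("s") and e.has_attr("h")]


def windows_root_files(entries: List[FileEntry], root: str = r"C:\Windows") -> List[FileEntry]:
    """Regular files sitting directly in the Windows directory (no subfolder).
    Few things legitimately land there; in the log above the same minute that
    created C:\\ComboFix also dropped sed.exe, SWREG.exe, PEV.exe and MBR.exe."""
    prefix = root.lower().rstrip("\\") + "\\"
    out: List[FileEntry] = []
    for e in entries:
        if e.is_dir or not e.path.lower().startswith(prefix):
            continue
        if "\\" not in e.path[len(prefix):]:
            out.append(e)
    return out


def triage_report(text: str) -> List[str]:
    """Human-readable lines for the two review lists."""
    entries = parse_file_entries(text)
    lines: List[str] = []
    for e in hidden_system_files(entries):
        lines.append(f"system+hidden file: {e.path} ({e.size} bytes, {e.created:%Y-%m-%d})")
    for e in windows_root_files(entries):
        lines.append(f"file in Windows root: {e.path} ({e.size} bytes, {e.created:%Y-%m-%d})")
    return lines


if __name__ == "__main__":
    for line in triage_report(SAMPLE_DDS):
        print(line)
```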

#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 28 August 2011 - 06:00 AM

Hello, FallenPhoenix1986.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.

  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!

Two Antiviruses Warning

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Microsoft Security Essentials, Avira Antivir or AVG.

Step 1

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • It gives you the option to add the latest Avast definitions and recommends you do so. Ignore it and click No as it may crash your system or hang up and we don't need that info.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Note: aswMBR will save MBR.dat to your desktop. Do NOT delete it until I tell you your computer is clean. It is a backup of your MBR that we may need later.

Step 2

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Step 3

We need to create an OTL report.
  • Please download OTL from this link.
  • (If that link doesn't work, try this alternate link.)
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Select "Use Safelist" under "Extra Registry"
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.sys /90
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\*.exe /lockedfiles
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\*
    %USERPROFILE%\..|smtmp;true;true;true /FP
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    CREATERESTOREPOINT


  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply. If they are too big to paste in one reply, please split them into separate posts.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#5 FallenPhoenix1986

FallenPhoenix1986
  • Topic Starter

  • Members
  • 50 posts

Posted 29 August 2011 - 01:27 PM

Thanks for the reply; however, as soon as I saved the aswMBR log, Defender told me that MBR.dat was infected with Alureon.C.
Should I be concerned, or is this a false alarm? I'd rather know before I proceed.

Craig

#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 29 August 2011 - 07:09 PM

Hello, FallenPhoenix1986.

With Google redirects, Alureon is one of the first suspects. MBR.dat is a copy of your MBR that is saved by aswMBR in case we need it later. Sounds like it's infected, which means your MBR likely is. Let's run this instead:

  • Download TDSSKiller.exe and save it to your desktop.
  • Double-click TDSSKiller.exe to run it.
  • Under "Objects to scan" ensure both "Services and Drivers" and "Boot Sectors" are checked.
  • Click Start scan and allow it to scan for Malicious objects.
  • If malicious objects are found, the default action will be Cure, ensure Cure is selected then click Continue.
  • If suspicious objects are detected, the default action will be Skip, ensure Skip is selected then click Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now and allow the computer to reboot.
  • A log will be created on your root (usually C:) drive. The log is like UtilityName.Version_Date_Time_log.txt.
    for example, C:\TDSSKiller.2.4.1.2_20.04.2010_15.31.43_log.txt
  • If no reboot is required, click on Report. A log file should appear.
  • Please post the contents of the logfile in your next reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#7 FallenPhoenix1986

FallenPhoenix1986
  • Topic Starter

  • Members
  • 50 posts

Posted 31 August 2011 - 02:02 PM

Hi, sorry for the delay.

As requested:

2011/08/31 19:19:21.0874 6708 TDSS rootkit removing tool 2.5.17.0 Aug 22 2011 15:46:57
2011/08/31 19:19:21.0874 6708 ================================================================================
2011/08/31 19:19:21.0874 6708 SystemInfo:
2011/08/31 19:19:21.0874 6708
2011/08/31 19:19:21.0874 6708 OS Version: 6.1.7601 ServicePack: 1.0
2011/08/31 19:19:21.0874 6708 Product type: Workstation
2011/08/31 19:19:21.0874 6708 ComputerName: MCDOUGALL-PC
2011/08/31 19:19:21.0874 6708 UserName: Craig
2011/08/31 19:19:21.0874 6708 Windows directory: C:\Windows
2011/08/31 19:19:21.0874 6708 System windows directory: C:\Windows
2011/08/31 19:19:21.0874 6708 Running under WOW64
2011/08/31 19:19:21.0874 6708 Processor architecture: Intel x64
2011/08/31 19:19:21.0874 6708 Number of processors: 8
2011/08/31 19:19:21.0874 6708 Page size: 0x1000
2011/08/31 19:19:21.0874 6708 Boot type: Normal boot
2011/08/31 19:19:21.0874 6708 ================================================================================
2011/08/31 19:19:22.0810 6708 Initialize success
2011/08/31 19:19:46.0710 5864 ================================================================================
2011/08/31 19:19:46.0710 5864 Scan started
2011/08/31 19:19:46.0710 5864 Mode: Manual;
2011/08/31 19:19:46.0710 5864 ================================================================================
2011/08/31 19:19:51.0655 5864 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
2011/08/31 19:19:51.0686 5864 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\drivers\mouclass.sys
2011/08/31 19:19:51.0702 5864 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
2011/08/31 19:19:51.0733 5864 mountmgr (32e7a3d591d671a6df2db515a5cbe0fa) C:\Windows\system32\drivers\mountmgr.sys
2011/08/31 19:19:51.0780 5864 MpFilter (c177a7ebf5e8a0b596f618870516cab8) C:\Windows\system32\DRIVERS\MpFilter.sys
2011/08/31 19:19:51.0811 5864 mpio (a44b420d30bd56e145d6a2bc8768ec58) C:\Windows\system32\drivers\mpio.sys
2011/08/31 19:19:51.0826 5864 MpNWMon (8fbf6b31fe8af1833d93c5913d5b4d55) C:\Windows\system32\DRIVERS\MpNWMon.sys
2011/08/31 19:19:51.0842 5864 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
2011/08/31 19:19:51.0873 5864 MRxDAV (dc722758b8261e1abafd31a3c0a66380) C:\Windows\system32\drivers\mrxdav.sys
2011/08/31 19:19:51.0904 5864 mrxsmb (a5d9106a73dc88564c825d317cac68ac) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/08/31 19:19:51.0951 5864 mrxsmb10 (d711b3c1d5f42c0c2415687be09fc163) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/08/31 19:19:51.0967 5864 mrxsmb20 (9423e9d355c8d303e76b8cfbd8a5c30c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/08/31 19:19:51.0967 5864 msahci (c25f0bafa182cbca2dd3c851c2e75796) C:\Windows\system32\drivers\msahci.sys
2011/08/31 19:19:51.0982 5864 msdsm (db801a638d011b9633829eb6f663c900) C:\Windows\system32\drivers\msdsm.sys
2011/08/31 19:19:52.0014 5864 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
2011/08/31 19:19:52.0029 5864 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
2011/08/31 19:19:52.0060 5864 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\drivers\msisadrv.sys
2011/08/31 19:19:52.0092 5864 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
2011/08/31 19:19:52.0107 5864 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/08/31 19:19:52.0123 5864 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
2011/08/31 19:19:52.0170 5864 MsRPC (759a9eeb0fa9ed79da1fb7d4ef78866d) C:\Windows\system32\drivers\MsRPC.sys
2011/08/31 19:19:52.0185 5864 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\drivers\mssmbios.sys
2011/08/31 19:19:52.0201 5864 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
2011/08/31 19:19:52.0216 5864 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys
2011/08/31 19:19:52.0232 5864 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
2011/08/31 19:19:52.0263 5864 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
2011/08/31 19:19:52.0310 5864 NDIS (79b47fd40d9a817e932f9d26fac0a81c) C:\Windows\system32\drivers\ndis.sys
2011/08/31 19:19:52.0341 5864 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
2011/08/31 19:19:52.0372 5864 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/08/31 19:19:52.0404 5864 Ndisuio (136185f9fb2cc61e573e676aa5402356) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/08/31 19:19:52.0435 5864 NdisWan (53f7305169863f0a2bddc49e116c2e11) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/08/31 19:19:52.0482 5864 NDProxy (015c0d8e0e0421b4cfd48cffe2825879) C:\Windows\system32\drivers\NDProxy.sys
2011/08/31 19:19:52.0497 5864 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
2011/08/31 19:19:52.0544 5864 NetBT (09594d1089c523423b32a4229263f068) C:\Windows\system32\DRIVERS\netbt.sys
2011/08/31 19:19:52.0575 5864 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys
2011/08/31 19:19:52.0606 5864 NisDrv (5f7d72cbcdd025af1f38fdeee5646968) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
2011/08/31 19:19:52.0653 5864 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
2011/08/31 19:19:52.0669 5864 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
2011/08/31 19:19:52.0716 5864 Ntfs (a2f74975097f52a00745f9637451fdd8) C:\Windows\system32\drivers\Ntfs.sys
2011/08/31 19:19:52.0778 5864 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
2011/08/31 19:19:52.0809 5864 nvraid (0a92cb65770442ed0dc44834632f66ad) C:\Windows\system32\drivers\nvraid.sys
2011/08/31 19:19:52.0840 5864 nvstor (dab0e87525c10052bf65f06152f37e4a) C:\Windows\system32\drivers\nvstor.sys
2011/08/31 19:19:52.0872 5864 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\drivers\nv_agp.sys
2011/08/31 19:19:52.0903 5864 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\drivers\ohci1394.sys
2011/08/31 19:19:52.0950 5864 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\DRIVERS\parport.sys
2011/08/31 19:19:52.0981 5864 partmgr (871eadac56b0a4c6512bbe32753ccf79) C:\Windows\system32\drivers\partmgr.sys
2011/08/31 19:19:52.0996 5864 pci (94575c0571d1462a0f70bde6bd6ee6b3) C:\Windows\system32\drivers\pci.sys
2011/08/31 19:19:53.0012 5864 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\drivers\pciide.sys
2011/08/31 19:19:53.0028 5864 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\DRIVERS\pcmcia.sys
2011/08/31 19:19:53.0043 5864 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
2011/08/31 19:19:53.0059 5864 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
2011/08/31 19:19:53.0168 5864 PptpMiniport (f92a2c41117a11a00be01ca01a7fcde9) C:\Windows\system32\DRIVERS\raspptp.sys
2011/08/31 19:19:53.0184 5864 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\DRIVERS\processr.sys
2011/08/31 19:19:53.0230 5864 Psched (0557cf5a2556bd58e26384169d72438d) C:\Windows\system32\DRIVERS\pacer.sys
2011/08/31 19:19:53.0262 5864 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\DRIVERS\ql2300.sys
2011/08/31 19:19:53.0308 5864 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\DRIVERS\ql40xx.sys
2011/08/31 19:19:53.0324 5864 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
2011/08/31 19:19:53.0340 5864 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
2011/08/31 19:19:53.0355 5864 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
2011/08/31 19:19:53.0386 5864 Rasl2tp (471815800ae33e6f1c32fb1b97c490ca) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/08/31 19:19:53.0418 5864 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/08/31 19:19:53.0418 5864 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
2011/08/31 19:19:53.0464 5864 rdbss (77f665941019a1594d887a74f301fa2f) C:\Windows\system32\DRIVERS\rdbss.sys
2011/08/31 19:19:53.0480 5864 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys
2011/08/31 19:19:53.0496 5864 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/08/31 19:19:53.0496 5864 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
2011/08/31 19:19:53.0511 5864 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
2011/08/31 19:19:53.0542 5864 RDPWD (15b66c206b5cb095bab980553f38ed23) C:\Windows\system32\drivers\RDPWD.sys
2011/08/31 19:19:53.0574 5864 rdyboost (34ed295fa0121c241bfef24764fc4520) C:\Windows\system32\drivers\rdyboost.sys
2011/08/31 19:19:53.0605 5864 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
2011/08/31 19:19:53.0652 5864 RTL8167 (baefee35d27a5440d35092ce10267bec) C:\Windows\system32\DRIVERS\Rt64win7.sys
2011/08/31 19:19:53.0683 5864 sbp2port (ac03af3329579fffb455aa2daabbe22b) C:\Windows\system32\drivers\sbp2port.sys
2011/08/31 19:19:53.0698 5864 scfilter (253f38d0d7074c02ff8deb9836c97d2b) C:\Windows\system32\DRIVERS\scfilter.sys
2011/08/31 19:19:53.0730 5864 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
2011/08/31 19:19:53.0761 5864 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys
2011/08/31 19:19:53.0792 5864 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
2011/08/31 19:19:53.0808 5864 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\DRIVERS\sermouse.sys
2011/08/31 19:19:53.0839 5864 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\drivers\sffdisk.sys
2011/08/31 19:19:53.0854 5864 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\drivers\sffp_mmc.sys
2011/08/31 19:19:53.0870 5864 sffp_sd (dd85b78243a19b59f0637dcf284da63c) C:\Windows\system32\drivers\sffp_sd.sys
2011/08/31 19:19:53.0886 5864 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\DRIVERS\sfloppy.sys
2011/08/31 19:19:53.0917 5864 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\DRIVERS\SiSRaid2.sys
2011/08/31 19:19:53.0932 5864 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\DRIVERS\sisraid4.sys
2011/08/31 19:19:53.0948 5864 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
2011/08/31 19:19:53.0964 5864 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
2011/08/31 19:19:54.0010 5864 srv (441fba48bff01fdb9d5969ebc1838f0b) C:\Windows\system32\DRIVERS\srv.sys
2011/08/31 19:19:54.0026 5864 srv2 (b4adebbf5e3677cce9651e0f01f7cc28) C:\Windows\system32\DRIVERS\srv2.sys
2011/08/31 19:19:54.0073 5864 srvnet (27e461f0be5bff5fc737328f749538c3) C:\Windows\system32\DRIVERS\srvnet.sys
2011/08/31 19:19:54.0104 5864 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\DRIVERS\stexstor.sys
2011/08/31 19:19:54.0120 5864 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\drivers\swenum.sys
2011/08/31 19:19:54.0182 5864 Tcpip (f0e98c00a09fdf791525829a1d14240f) C:\Windows\system32\drivers\tcpip.sys
2011/08/31 19:19:54.0244 5864 TCPIP6 (f0e98c00a09fdf791525829a1d14240f) C:\Windows\system32\DRIVERS\tcpip.sys
2011/08/31 19:19:54.0291 5864 tcpipreg (df687e3d8836bfb04fcc0615bf15a519) C:\Windows\system32\drivers\tcpipreg.sys
2011/08/31 19:19:54.0291 5864 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
2011/08/31 19:19:54.0307 5864 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
2011/08/31 19:19:54.0338 5864 tdx (ddad5a7ab24d8b65f8d724f5c20fd806) C:\Windows\system32\DRIVERS\tdx.sys
2011/08/31 19:19:54.0354 5864 TermDD (561e7e1f06895d78de991e01dd0fb6e5) C:\Windows\system32\drivers\termdd.sys
2011/08/31 19:19:54.0400 5864 tssecsrv (ce18b2cdfc837c99e5fae9ca6cba5d30) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/08/31 19:19:54.0447 5864 TsUsbFlt (d11c783e3ef9a3c52c0ebe83cc5000e9) C:\Windows\system32\drivers\tsusbflt.sys
2011/08/31 19:19:54.0478 5864 tunnel (3566a8daafa27af944f5d705eaa64894) C:\Windows\system32\DRIVERS\tunnel.sys
2011/08/31 19:19:54.0494 5864 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\DRIVERS\uagp35.sys
2011/08/31 19:19:54.0541 5864 udfs (ff4232a1a64012baa1fd97c7b67df593) C:\Windows\system32\DRIVERS\udfs.sys
2011/08/31 19:19:54.0556 5864 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\drivers\uliagpkx.sys
2011/08/31 19:19:54.0572 5864 umbus (dc54a574663a895c8763af0fa1ff7561) C:\Windows\system32\drivers\umbus.sys
2011/08/31 19:19:54.0588 5864 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\DRIVERS\umpass.sys
2011/08/31 19:19:54.0634 5864 usbccgp (6f1a3157a1c89435352ceb543cdb359c) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/08/31 19:19:54.0666 5864 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\drivers\usbcir.sys
2011/08/31 19:19:54.0681 5864 usbehci (c025055fe7b87701eb042095df1a2d7b) C:\Windows\system32\drivers\usbehci.sys
2011/08/31 19:19:54.0697 5864 usbhub (287c6c9410b111b68b52ca298f7b8c24) C:\Windows\system32\DRIVERS\usbhub.sys
2011/08/31 19:19:54.0728 5864 usbohci (9840fc418b4cbd632d3d0a667a725c31) C:\Windows\system32\drivers\usbohci.sys
2011/08/31 19:19:54.0759 5864 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys
2011/08/31 19:19:54.0790 5864 usbscan (aaa2513c8aed8b54b189fd0c6b1634c0) C:\Windows\system32\DRIVERS\usbscan.sys
2011/08/31 19:19:54.0822 5864 USBSTOR (fed648b01349a3c8395a5169db5fb7d6) C:\Windows\system32\drivers\USBSTOR.SYS
2011/08/31 19:19:54.0837 5864 usbuhci (62069a34518bcf9c1fd9e74b3f6db7cd) C:\Windows\system32\drivers\usbuhci.sys
2011/08/31 19:19:54.0853 5864 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\drivers\vdrvroot.sys
2011/08/31 19:19:54.0868 5864 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/08/31 19:19:54.0884 5864 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
2011/08/31 19:19:54.0900 5864 vhdmp (2ce2df28c83aeaf30084e1b1eb253cbb) C:\Windows\system32\drivers\vhdmp.sys
2011/08/31 19:19:54.0931 5864 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\drivers\viaide.sys
2011/08/31 19:19:54.0946 5864 volmgr (d2aafd421940f640b407aefaaebd91b0) C:\Windows\system32\drivers\volmgr.sys
2011/08/31 19:19:54.0993 5864 volmgrx (a255814907c89be58b79ef2f189b843b) C:\Windows\system32\drivers\volmgrx.sys
2011/08/31 19:19:55.0009 5864 volsnap (0d08d2f3b3ff84e433346669b5e0f639) C:\Windows\system32\drivers\volsnap.sys
2011/08/31 19:19:55.0040 5864 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\DRIVERS\vsmraid.sys
2011/08/31 19:19:55.0056 5864 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\System32\drivers\vwifibus.sys
2011/08/31 19:19:55.0087 5864 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\DRIVERS\wacompen.sys
2011/08/31 19:19:55.0102 5864 WANARP (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
2011/08/31 19:19:55.0118 5864 Wanarpv6 (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
2011/08/31 19:19:55.0149 5864 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\DRIVERS\wd.sys
2011/08/31 19:19:55.0165 5864 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
2011/08/31 19:19:55.0243 5864 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
2011/08/31 19:19:55.0243 5864 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
2011/08/31 19:19:55.0305 5864 WmBEnum (14dc5897bc6c4e03c023ad80abb7f539) C:\Windows\system32\drivers\WmBEnum.sys
2011/08/31 19:19:55.0321 5864 WmFilter (2de0a0cea49972c82c7e9d36bd4c1247) C:\Windows\system32\drivers\WmFilter.sys
2011/08/31 19:19:55.0352 5864 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\drivers\wmiacpi.sys
2011/08/31 19:19:55.0368 5864 WmVirHid (53c12ae1183f3f7787f1f1835001ccc0) C:\Windows\system32\drivers\WmVirHid.sys
2011/08/31 19:19:55.0383 5864 WmXlCore (c807e470cca24f5e479da4872a7d2121) C:\Windows\system32\drivers\WmXlCore.sys
2011/08/31 19:19:55.0399 5864 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
2011/08/31 19:19:55.0446 5864 WudfPf (d3381dc54c34d79b22cee0d65ba91b7c) C:\Windows\system32\drivers\WudfPf.sys
2011/08/31 19:19:55.0461 5864 WUDFRd (cf8d590be3373029d57af80914190682) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/08/31 19:19:55.0492 5864 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
2011/08/31 19:19:55.0508 5864 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR2
2011/08/31 19:19:55.0524 5864 Boot (0x1200) (29cd640e55a2f15bc380125349d87633) \Device\Harddisk0\DR0\Partition0
2011/08/31 19:19:55.0539 5864 Boot (0x1200) (d662fe64d5021f39a11dfdb234717ba0) \Device\Harddisk0\DR0\Partition1
2011/08/31 19:19:55.0539 5864 Boot (0x1200) (a57e4a56803927a8ba49a57bb51375a2) \Device\Harddisk1\DR2\Partition0
2011/08/31 19:19:55.0539 5864 ================================================================================
2011/08/31 19:19:55.0539 5864 Scan finished
2011/08/31 19:19:55.0539 5864 ================================================================================



I had intended to give you the aswMBR log; however, I forgot to put it on the flash drive the other day. I don't know if it's any use to you now:

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-08-29 19:13:54
-----------------------------
19:13:54.907 OS Version: Windows x64 6.1.7601 Service Pack 1
19:13:54.907 Number of processors: 8 586 0x1E05
19:13:54.907 ComputerName: MCDOUGALL-PC UserName: Craig
19:13:55.687 Initialize success
19:14:12.443 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
19:14:12.443 Disk 0 Vendor: WDC_WD5000AAKS-00A7B0 01.03B01 Size: 476940MB BusType: 3
19:14:12.459 Disk 0 MBR read successfully
19:14:12.459 Disk 0 MBR scan
19:14:12.459 Disk 0 TDL4@MBR code has been found
19:14:12.459 Disk 0 Windows 7 default MBR code found via API
19:14:12.459 Disk 0 MBR hidden
19:14:12.459 Disk 0 MBR [TDL4] **ROOTKIT**
19:14:12.459 Disk 0 trace - called modules:
19:14:12.459 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8004ae7254]<<
19:14:12.459 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a4d790]
19:14:12.459 3 CLASSPNP.SYS[fffff8800196a43f] -> nt!IofCallDriver -> [0xfffffa80047ed520]
19:14:12.459 5 ACPI.sys[fffff88000fae7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa80047e9680]
19:14:12.474 \Driver\atapi[0xfffffa80047ad5e0] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8004ae7254
19:14:12.474 Scan finished successfully
19:15:37.744 Disk 0 MBR has been saved successfully to "C:\Users\Craig\Desktop\MBR.dat"
19:15:37.744 The log file has been saved successfully to "C:\Users\Craig\Desktop\aswMBR.txt"
19:17:24.374 Disk 0 MBR has been saved successfully to "C:\Users\Craig\Desktop\MBR.dat"
19:17:24.374 The log file has been saved successfully to "C:\Users\Craig\Desktop\aswMBR.txt"


I also have a set of logs for Malwarebytes, one from today that found nothing and another from the day I noticed the infection for comparison.

(from 16/08/11)

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7482

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

16/08/2011 22:47:42
mbam-log-2011-08-16 (22-47-42).txt

Scan type: Full scan (C:\|F:\|G:\|)
Objects scanned: 401766
Time elapsed: 34 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\Users\Craig\AppData\Local\KBDTav.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vhehuja (Trojan.Hiloti) -> Value: Vhehuja -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Security Protection (Trojan.FakeAlert) -> Value: Security Protection -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\Craig\AppData\Local\KBDTav.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\Users\Craig\AppData\Local\Temp\545D.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\Craig\AppData\Roaming\Adobe\plugs\mmc23737143.txt (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\Users\Craig\AppData\Roaming\Adobe\plugs\mmc251.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\programdata\defender.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Craig\AppData\Local\Temp\0.6055369918946344.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\Users\Craig\AppData\Roaming\Adobe\shed\thr1.chm (Malware.Trace) -> Quarantined and deleted successfully.
c:\Users\Craig\AppData\Roaming\Adobe\plugs\mmc23848450.txt (Trojan.Agent.Gen) -> Quarantined and deleted successfully.


and from today:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7622

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

31/08/2011 19:28:14
mbam-log-2011-08-31 (19-28-14).txt

Scan type: Quick scan
Objects scanned: 195972
Time elapsed: 2 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Craig

#8 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:05:15 AM

Posted 31 August 2011 - 05:18 PM

Hello, FallenPhoenix1986.

Yes, you do have the TDL4/Alureon Rootkit. Or at least did. TDSSKiller didn't see it. We'll move on to Combofix. I do need to warn you it is a backdoor rootkit.

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.




Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#9 FallenPhoenix1986

FallenPhoenix1986
  • Topic Starter

  • Members
  • 50 posts
  • Local time:10:15 AM

Posted 01 September 2011 - 12:15 PM

Hi, from reading other threads I thought that might be the case and have had it offline for over a week now. It's a student/gaming rig, so there are no financial records or any other sensitive information on it.

* I noticed that at the end of the log it states Avira was running. I did disable this before initiating and am assuming it reactivated itself upon rebooting.

ComboFix 11-09-01.02 - Craig 01/09/2011 17:05:28.2.8 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.44.1033.18.4087.2676 [GMT 1:00]
Running from: c:\users\Craig\Desktop\etavaresCF.exe
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-08-01 to 2011-09-01 )))))))))))))))))))))))))))))))
.
.
2011-09-01 16:31 . 2011-09-01 16:31 -------- d-----w- c:\users\Kayleigh\AppData\Local\temp
2011-09-01 16:31 . 2011-09-01 16:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-31 18:19 . 2011-08-31 18:19 110896 ----a-w- c:\windows\system32\drivers\26576971.sys
2011-08-31 15:01 . 2011-08-12 04:10 8862544 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{DE518FC9-773B-4936-8DA9-2D3634B1FBF6}\mpengine.dll
2011-08-24 12:39 . 2011-07-09 05:26 2048 ----a-w- c:\windows\system32\tzres.dll
2011-08-24 12:39 . 2011-07-09 04:29 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2011-08-20 20:40 . 2011-08-20 20:40 89804 ----a-w- c:\program files (x86)\Microsoft Games\Microsoft Flight Simulator X\Uninstal VEH_Foch-Clemenceau_V3-00.exe
2011-08-20 16:32 . 2011-09-01 15:56 -------- d-----w- C:\ComboFix
2011-08-20 13:17 . 2011-03-16 16:26 601424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9BF4E714-F009-436C-A19D-2A69274B6E29}\gapaengine.dll
2011-08-18 13:59 . 2011-08-18 13:59 -------- d-----w- c:\users\Craig\AppData\Roaming\AVG10
2011-08-18 13:56 . 2011-08-29 18:04 -------- d-----w- c:\windows\system32\drivers\AVG
2011-08-18 13:52 . 2011-08-18 13:52 55384 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-08-18 13:49 . 2011-08-18 13:49 -------- dc----w- c:\windows\system32\DRVSTORE
2011-08-18 13:49 . 2011-07-21 13:59 69376 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-08-18 13:45 . 2011-08-20 13:11 88288 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-08-18 13:45 . 2011-08-20 13:11 123784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-08-18 13:39 . 2011-07-09 02:46 288768 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-18 13:38 . 2011-06-23 05:43 5561216 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-08-18 13:38 . 2011-06-23 04:33 3912576 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2011-08-18 13:38 . 2011-06-23 04:33 3967872 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2011-08-17 20:39 . 2011-08-17 20:39 -------- d-----w- c:\users\Craig\AppData\Roaming\Avira
2011-08-17 20:24 . 2011-08-17 20:24 -------- d-----w- c:\programdata\Avira
2011-08-17 20:24 . 2011-08-17 20:24 -------- d-----w- c:\program files (x86)\Avira
2011-08-17 17:58 . 2011-08-17 17:58 -------- d-----w- C:\$AVG
2011-08-17 17:27 . 2011-08-17 17:27 -------- d--h--w- c:\programdata\Common Files
2011-08-17 17:26 . 2011-08-29 18:07 -------- d-----w- c:\programdata\AVG10
2011-08-17 17:26 . 2011-08-17 17:26 -------- d-----w- c:\program files (x86)\AVG
2011-08-17 16:58 . 2011-08-17 16:58 -------- d-----w- c:\programdata\Lavasoft
2011-08-17 16:58 . 2011-08-17 16:58 -------- d-----w- c:\program files (x86)\Lavasoft
2011-08-16 21:08 . 2011-08-16 21:08 -------- d-----w- c:\users\Craig\AppData\Roaming\Malwarebytes
2011-08-16 21:07 . 2011-08-16 21:07 -------- d-----w- c:\programdata\Malwarebytes
2011-08-16 21:07 . 2011-08-18 13:39 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-08-09 23:04 . 2011-08-18 13:22 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2011-08-09 23:04 . 2011-07-13 04:53 8578896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-27 17:27 . 2011-01-12 16:34 270776 ----a-w- c:\windows\SysWow64\PnkBstrB.xtr
2011-08-27 17:27 . 2011-01-05 00:15 270776 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2011-08-27 17:26 . 2011-01-05 00:15 111928 ----a-w- c:\windows\SysWow64\PnkBstrB.ex0
2011-08-12 04:10 . 2011-03-16 16:26 8862544 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-07-16 04:26 . 2011-08-18 13:39 44032 ----a-w- c:\windows\apppatch\acwow64.dll
2011-06-27 20:30 . 2011-06-27 20:30 9883136 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2011-06-27 20:16 . 2011-06-27 20:16 23385600 ----a-w- c:\windows\system32\atio6axx.dll
2011-06-27 19:52 . 2011-06-27 19:52 17940992 ----a-w- c:\windows\SysWow64\atioglxx.dll
2011-06-27 19:50 . 2011-06-27 19:50 151552 ----a-w- c:\windows\system32\atiapfxx.exe
2011-06-27 19:49 . 2011-06-27 19:49 689152 ----a-w- c:\windows\SysWow64\aticfx32.dll
2011-06-27 19:48 . 2010-09-29 01:54 814080 ----a-w- c:\windows\system32\aticfx64.dll
2011-06-27 19:45 . 2011-06-27 19:45 462848 ----a-w- c:\windows\system32\ATIDEMGX.dll
2011-06-27 19:45 . 2011-06-27 19:45 485376 ----a-w- c:\windows\system32\atieclxx.exe
2011-06-27 19:44 . 2011-06-27 19:44 204288 ----a-w- c:\windows\system32\atiesrxx.exe
2011-06-27 19:43 . 2011-06-27 19:43 120320 ----a-w- c:\windows\system32\atitmm64.dll
2011-06-27 19:43 . 2011-06-27 19:43 423424 ----a-w- c:\windows\system32\atipdl64.dll
2011-06-27 19:43 . 2011-06-27 19:43 356352 ----a-w- c:\windows\SysWow64\atipdlxx.dll
2011-06-27 19:42 . 2011-06-27 19:42 278528 ----a-w- c:\windows\SysWow64\Oemdspif.dll
2011-06-27 19:42 . 2011-06-27 19:42 16384 ----a-w- c:\windows\system32\atimuixx.dll
2011-06-27 19:42 . 2011-06-27 19:42 59392 ----a-w- c:\windows\system32\atiedu64.dll
2011-06-27 19:42 . 2011-06-27 19:42 43520 ----a-w- c:\windows\SysWow64\ati2edxx.dll
2011-06-27 19:39 . 2011-06-27 19:39 4275712 ----a-w- c:\windows\SysWow64\atidxx32.dll
2011-06-27 19:29 . 2010-09-29 01:37 5072896 ----a-w- c:\windows\system32\atidxx64.dll
2011-06-27 19:27 . 2011-06-27 19:27 1113088 ----a-w- c:\windows\system32\atiumd6v.dll
2011-06-27 19:26 . 2011-06-27 19:26 1828864 ----a-w- c:\windows\SysWow64\atiumdmv.dll
2011-06-27 19:26 . 2011-06-27 19:26 3847680 ----a-w- c:\windows\system32\atiumd6a.dll
2011-06-27 19:19 . 2011-06-27 19:19 51200 ----a-w- c:\windows\system32\aticalrt64.dll
2011-06-27 19:19 . 2011-06-27 19:19 46080 ----a-w- c:\windows\SysWow64\aticalrt.dll
2011-06-27 19:19 . 2011-06-27 19:19 44544 ----a-w- c:\windows\system32\aticalcl64.dll
2011-06-27 19:19 . 2011-06-27 19:19 44032 ----a-w- c:\windows\SysWow64\aticalcl.dll
2011-06-27 19:19 . 2011-06-27 19:19 8134656 ----a-w- c:\windows\system32\aticaldd64.dll
2011-06-27 19:17 . 2011-06-27 19:17 4367360 ----a-w- c:\windows\SysWow64\atiumdag.dll
2011-06-27 19:17 . 2011-06-27 19:17 4039680 ----a-w- c:\windows\SysWow64\atiumdva.dll
2011-06-27 19:15 . 2011-06-27 19:15 6739968 ----a-w- c:\windows\SysWow64\aticaldd.dll
2011-06-27 19:11 . 2011-06-27 19:11 5540352 ----a-w- c:\windows\system32\atiumd64.dll
2011-06-27 19:10 . 2010-08-04 01:23 58880 ----a-w- c:\windows\system32\coinst.dll
2011-06-27 19:03 . 2011-06-27 19:03 375808 ----a-w- c:\windows\system32\atiadlxx.dll
2011-06-27 19:03 . 2011-06-27 19:03 266240 ----a-w- c:\windows\SysWow64\atiadlxy.dll
2011-06-27 19:02 . 2011-06-27 19:02 15360 ----a-w- c:\windows\system32\atig6pxx.dll
2011-06-27 19:02 . 2011-06-27 19:02 13312 ----a-w- c:\windows\SysWow64\atiglpxx.dll
2011-06-27 19:02 . 2011-06-27 19:02 13312 ----a-w- c:\windows\system32\atiglpxx.dll
2011-06-27 19:02 . 2011-06-27 19:02 39936 ----a-w- c:\windows\system32\atig6txx.dll
2011-06-27 19:02 . 2011-06-27 19:02 32768 ----a-w- c:\windows\SysWow64\atigktxx.dll
2011-06-27 19:02 . 2011-06-27 19:02 307712 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2011-06-27 19:01 . 2010-08-04 01:15 40960 ----a-w- c:\windows\system32\atiuxp64.dll
2011-06-27 19:01 . 2011-06-27 19:01 31744 ----a-w- c:\windows\SysWow64\atiuxpag.dll
2011-06-27 19:01 . 2011-06-27 19:01 38912 ----a-w- c:\windows\system32\atiu9p64.dll
2011-06-27 19:01 . 2011-06-27 19:01 29184 ----a-w- c:\windows\SysWow64\atiu9pag.dll
2011-06-27 19:00 . 2011-06-27 19:00 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2011-06-27 19:00 . 2011-06-27 19:00 53760 ----a-w- c:\windows\system32\atimpc64.dll
2011-06-27 19:00 . 2011-06-27 19:00 53760 ----a-w- c:\windows\system32\amdpcom64.dll
2011-06-27 19:00 . 2011-06-27 19:00 52736 ----a-w- c:\windows\SysWow64\atimpc32.dll
2011-06-27 19:00 . 2011-06-27 19:00 52736 ----a-w- c:\windows\SysWow64\amdpcom32.dll
2011-06-27 15:23 . 2011-06-27 15:23 60416 ----a-w- c:\windows\system32\OVDecode64.dll
2011-06-27 15:23 . 2011-06-27 15:23 53760 ----a-w- c:\windows\SysWow64\OVDecode.dll
2011-06-27 15:23 . 2011-06-27 15:23 51200 ----a-w- c:\windows\system32\OpenCL.dll
2011-06-27 15:23 . 2011-06-27 15:23 43520 ----a-w- c:\windows\SysWow64\OpenCL.dll
2011-06-27 15:22 . 2011-06-27 15:22 16906752 ----a-w- c:\windows\system32\amdocl64.dll
2011-06-27 15:22 . 2011-06-27 15:22 13904896 ----a-w- c:\windows\SysWow64\amdocl.dll
2011-06-11 03:07 . 2011-07-15 17:07 3137536 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-08-20_17.15.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:54 . 2011-09-01 15:55 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-08-20 16:58 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-08-20 16:58 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-09-01 15:55 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-08-20 16:58 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-09-01 15:55 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-11-04 15:33 . 2011-09-01 16:36 36038 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-09-01 16:36 31660 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-11-04 15:10 . 2011-09-01 15:46 13038 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3134900388-825949598-3030886330-1000_UserData.bin
+ 2010-11-04 14:49 . 2011-09-01 15:39 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-11-04 14:49 . 2011-08-20 16:07 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-11-04 14:49 . 2011-09-01 15:39 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-11-04 14:49 . 2011-08-20 16:07 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-08-20 16:07 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-09-01 15:39 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-03-16 16:19 . 2010-11-20 13:25 49664 c:\windows\servicing\GC64\tzupd.exe
+ 2011-08-24 12:39 . 2011-07-09 05:29 49664 c:\windows\servicing\GC64\tzupd.exe
+ 2010-11-11 19:02 . 2011-09-01 16:34 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-11-11 19:02 . 2011-08-20 17:12 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:46 . 2011-08-28 17:13 92448 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2011-08-16 20:39 . 2011-09-01 15:51 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2011-08-16 20:39 . 2011-08-20 17:14 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2011-08-16 20:39 . 2011-09-01 15:51 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
- 2011-08-16 20:39 . 2011-08-20 17:14 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
- 2011-08-16 20:39 . 2011-08-20 17:14 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
+ 2011-08-16 20:39 . 2011-09-01 15:51 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
+ 2010-11-11 19:02 . 2011-09-01 16:34 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-11-11 19:02 . 2011-08-20 17:14 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-11-11 19:02 . 2011-08-20 17:12 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-11-11 19:02 . 2011-09-01 16:34 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-11-04 17:12 . 2011-08-20 17:14 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-11-04 17:12 . 2011-09-01 16:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-11-04 17:12 . 2011-09-01 16:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-11-04 17:12 . 2011-08-20 17:14 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-08-20 20:20 . 2011-08-20 20:20 60416 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Windows.Pres#\f4b0a65a0cad6d091bb903fb5f7f490d\System.Windows.Presentation.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 54784 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.DynamicD#\055b996b602a243bd4fcbdde8accc09c\System.Web.DynamicData.Design.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 72192 c:\windows\assembly\NativeImages_v2.0.50727_64\PresentationFontCac#\fe5b12605f26ab36c26f0a3b3c475dd5\PresentationFontCache.ni.exe
+ 2011-08-20 20:20 . 2011-08-20 20:20 33792 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Run#\66019b987c020943413851e959ca80c2\Microsoft.WSMan.Runtime.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 45056 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Windows.D#\e29ed5ad26446d196b4a5ea7e69c74e9\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 43520 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Windows.D#\b1c9507f23021701932fca6306d0df0f\Microsoft.Windows.Diagnosis.Commands.GetDiagInput.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 36864 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Windows.D#\a4d48547af11390249b96fd1526ea514\Microsoft.Windows.Diagnosis.Commands.WriteDiagProgress.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 40448 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Windows.D#\6096a2f20727ede39049c5f3628b9a60\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 65536 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\b1a1a072eba978666cefe4f99fc6401c\Microsoft.MediaCenter.iTv.Hosting.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 40960 c:\windows\assembly\NativeImages_v2.0.50727_64\LoadMxf\cdbee55e7f6c60f5cb56d6ec9f083951\LoadMxf.ni.exe
+ 2011-08-20 19:43 . 2011-08-20 19:43 93184 c:\windows\assembly\NativeImages_v2.0.50727_64\ehiTVMSMusic\867a57af137c4a524067cdbbf09766e0\ehiTVMSMusic.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\3ef94ae15e7d80bb818934265bb90c10\System.Windows.Presentation.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\dd2bb107a0bbac08a0ccaf93c8bb7490\System.Web.DynamicData.Design.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 94208 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ComponentMod#\54d33aa6cf3af2d6e28c7d46c0ce363f\System.ComponentModel.DataAnnotations.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 47104 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\fe7afc935e0c66172577a1ded815993b\PresentationFontCache.ni.exe
+ 2011-08-20 19:42 . 2011-08-20 19:42 17920 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Run#\ab2d4de59dee683a2f77123f671839ba\Microsoft.WSMan.Runtime.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 25088 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Windows.D#\8a102c44ccfe60d131d7e350d149bf85\Microsoft.Windows.Diagnosis.Commands.GetDiagInput.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 19968 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Windows.D#\7ce6ebef5427853ecb5bd68da29f1fdd\Microsoft.Windows.Diagnosis.Commands.WriteDiagProgress.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 23040 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Windows.D#\20c20811d44ba8c9513f2f2ba96d7047\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 27136 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Windows.D#\09a9791efe9f32a50bd01346f0b05666\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 86528 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Windows.D#\034ab6a3d60fdfba641443f16efdf309\Microsoft.Windows.Diagnosis.TroubleshootingPack.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 55296 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\2ac41c859d5e5e84993a555e3eeaea90\Microsoft.Vsa.ni.dll
- 2011-08-20 17:12 . 2011-08-20 17:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-09-01 16:34 . 2011-09-01 16:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-08-20 17:12 . 2011-08-20 17:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-09-01 16:34 . 2011-09-01 16:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 02:36 . 2011-08-20 18:39 621306 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-08-20 13:13 621306 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-08-20 18:39 108388 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2011-08-20 13:13 108388 c:\windows\system32\perfc009.dat
- 2009-07-14 05:12 . 2011-08-05 15:23 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 05:12 . 2011-08-28 22:24 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2011-07-23 05:09 . 2011-09-01 16:33 203408 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2011-07-23 05:09 . 2011-08-20 17:10 203408 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2009-07-14 05:01 . 2011-09-01 16:33 327112 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2011-08-20 17:10 327112 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-08-20 20:21 . 2011-08-20 20:21 468992 c:\windows\assembly\NativeImages_v2.0.50727_64\WsatConfig\bfb29034e69046d05e1ff758c0fcda27\WsatConfig.ni.exe
+ 2011-08-20 20:21 . 2011-08-20 20:21 329216 c:\windows\assembly\NativeImages_v2.0.50727_64\WindowsFormsIntegra#\1c573262c14ba755ac6ccab0945711cb\WindowsFormsIntegration.ni.dll
+ 2011-08-20 20:19 . 2011-08-20 20:19 653312 c:\windows\assembly\NativeImages_v2.0.50727_64\UIAutomationClient\ad5c1e837ea97e2e6401fd4fac9d99d4\UIAutomationClient.ni.dll
+ 2011-08-20 20:21 . 2011-08-20 20:21 304128 c:\windows\assembly\NativeImages_v2.0.50727_64\TaskScheduler\50621c88a5345fd8fcb959a9fc25f084\TaskScheduler.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 529920 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Xml.Linq\ebd55d35d25cf10e6e24453238d3c5eb\System.Xml.Linq.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 187392 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Routing\0bf594db7ec4fd4754f7535f24b254aa\System.Web.Routing.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 449024 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Entity\09199f147cafe8a357cbcf68f6098a77\System.Web.Entity.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 398848 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Entity.D#\b21a0f26bff3d30480050c41f4f786f6\System.Web.Entity.Design.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 753664 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.DynamicD#\adfea0205de0aeb42c9bd80be40d7c47\System.Web.DynamicData.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 204800 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Abstract#\b6cc0ab04339d7cf16e83487e921fb71\System.Web.Abstractions.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 916480 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Net\0646a91d680e840b201eb7a96876f053\System.Net.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 534016 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Management.I#\b9e961f0a21c8afe6213218fdbc8f8a2\System.Management.Instrumentation.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 569856 c:\windows\assembly\NativeImages_v2.0.50727_64\System.IO.Log\49a6af02ac362d95ccf98068492053e5\System.IO.Log.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 629760 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Data.Service#\5e0b2a3713da55d99450c9cad93c4d2f\System.Data.Services.Design.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 194560 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Data.DataSet#\486d44582be2000df84c46e187a88e70\System.Data.DataSetExtensions.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 132096 c:\windows\assembly\NativeImages_v2.0.50727_64\System.ComponentMod#\1bcd63abfac2072c18ab799a37dd89cf\System.ComponentModel.DataAnnotations.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 889344 c:\windows\assembly\NativeImages_v2.0.50727_64\System.AddIn\268f6f10ba5e94d24677a1a68f97ac15\System.AddIn.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 525824 c:\windows\assembly\NativeImages_v2.0.50727_64\SMSvcHost\8103d9a6fe544e521f89b92d24ac298a\SMSvcHost.ni.exe
+ 2011-08-20 20:20 . 2011-08-20 20:20 855040 c:\windows\assembly\NativeImages_v2.0.50727_64\napsnap\a04a8437f757b8da7a707e31702169d6\napsnap.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 162816 c:\windows\assembly\NativeImages_v2.0.50727_64\napinit\711d1c8357619b22e5caffd9cab59736\napinit.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 184320 c:\windows\assembly\NativeImages_v2.0.50727_64\MSBuild\b75df85509061d9729506b8af64513f7\MSBuild.ni.exe
+ 2011-08-20 19:43 . 2011-08-20 19:43 417792 c:\windows\assembly\NativeImages_v2.0.50727_64\MMCFxCommon\c42d34f67692030a55a9bc64004e9041\MMCFxCommon.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 681984 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\5db5412b8b9fdbe83b43a79b76cb39c6\Microsoft.WSMan.Management.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 122368 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Windows.D#\de2193a90cfc32eed4ad1c78a99b8363\Microsoft.Windows.Diagnosis.TroubleshootingPack.ni.dll
+ 2011-08-20 20:19 . 2011-08-20 20:19 105984 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Vsa\0836bcb90046e51c8bd055c0755bd57d\Microsoft.Vsa.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 584192 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Transacti#\b3361f5be5cde787e5e6c67b1bf55684\Microsoft.Transactions.Bridge.Dtc.ni.dll
+ 2011-08-20 20:19 . 2011-08-20 20:19 237056 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\d99d7734ec2e39696ac5ce7e7b2d76bd\Microsoft.PowerShell.Security.ni.dll
+ 2011-08-20 20:19 . 2011-08-20 20:19 999936 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\77160cddd8417526c586e13b529f68bf\Microsoft.PowerShell.GraphicalHost.ni.dll
+ 2011-08-20 20:19 . 2011-08-20 20:19 416768 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\6a1869785554446d202d6f718d036a3e\Microsoft.PowerShell.Commands.Diagnostics.ni.dll
+ 2011-08-20 20:19 . 2011-08-20 20:19 713216 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\5c7ffe4abea4b5a400f768cad060835d\Microsoft.PowerShell.ConsoleHost.ni.dll
+ 2011-08-20 20:19 . 2011-08-20 20:19 164864 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\f0cb734b7acfb102c57ed39f8918ce3d\Microsoft.MediaCenter.Mheg.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 522240 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\e4313e989939114d32f9254a74eee676\Microsoft.MediaCenter.Interop.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 370176 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\87d3f8fed35fa164d0e5dabbcee46df8\Microsoft.MediaCenter.Playback.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 312320 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\5ec49bda571c34526ad7db5ec7a201c4\Microsoft.MediaCenter.iTv.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 965632 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\3ea7a7a15d59a1185b74f340f05c0b33\Microsoft.MediaCenter.Sports.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 798720 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Managemen#\503235feed6b59fff53b29c9def81a5d\Microsoft.ManagementConsole.ni.dll
+ 2011-08-20 20:19 . 2011-08-20 20:19 198656 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Build.Uti#\6c999c27e6724dd1d0a10202f3e52e57\Microsoft.Build.Utilities.ni.dll
+ 2011-08-20 20:19 . 2011-08-20 20:19 244736 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Build.Uti#\137428fc7e8ae3a1b733ffc45a3f3076\Microsoft.Build.Utilities.v3.5.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 294912 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Build.Con#\8be3ef8d90c0f3e97437887dac5a8d78\Microsoft.Build.Conversion.v3.5.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 380928 c:\windows\assembly\NativeImages_v2.0.50727_64\Mcx2Dvcs\39e1e694a468028f2ca73994f76322d4\Mcx2Dvcs.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 547328 c:\windows\assembly\NativeImages_v2.0.50727_64\mcupdate\d820c1a490dfb31933fd53f96514bbce\mcupdate.ni.exe
+ 2011-08-20 19:43 . 2011-08-20 19:43 533504 c:\windows\assembly\NativeImages_v2.0.50727_64\mcstoredb\428aa9c2151b0f385227c513c9497673\mcstoredb.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 549376 c:\windows\assembly\NativeImages_v2.0.50727_64\mcplayerinterop\614f7b9e9c362ac6d4175638ea2237d9\mcplayerinterop.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 696320 c:\windows\assembly\NativeImages_v2.0.50727_64\mcGlidHostObj\7f8a262f2b6807a47517c1ea6e6b2a7b\mcGlidHostObj.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 156672 c:\windows\assembly\NativeImages_v2.0.50727_64\MCESidebarCtrl\0801a977b58776ed017238d4aaa7995e\MCESidebarCtrl.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 659456 c:\windows\assembly\NativeImages_v2.0.50727_64\EventViewer\136009b4f22e65e77a916747429e599b\EventViewer.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 969216 c:\windows\assembly\NativeImages_v2.0.50727_64\ehRecObj\d313ec20c40b0fd3125b8e710f74556d\ehRecObj.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 389120 c:\windows\assembly\NativeImages_v2.0.50727_64\ehExtHost\a267870c9fce983dca1c454fbde4cc7e\ehExtHost.ni.exe
+ 2011-08-20 19:42 . 2011-08-20 19:42 321024 c:\windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\41ccc24e8cc5f2474ce1105f0b8ebb78\WsatConfig.ni.exe
+ 2011-08-20 19:42 . 2011-08-20 19:42 240128 c:\windows\assembly\NativeImages_v2.0.50727_32\WindowsFormsIntegra#\bb04320c07e3c71ac2d18cb382d97f41\WindowsFormsIntegration.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 452096 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClient\d63e6fb41aa502bf6724043e6ac1367f\UIAutomationClient.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 245248 c:\windows\assembly\NativeImages_v2.0.50727_32\TaskScheduler\1c1f731e8684204f56f37cc66b5bc60d\TaskScheduler.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 401408 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\b096bd83a66a8d1dcd761747730cc64c\System.Xml.Linq.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\efca1fd7e9df8e24c007cd003346e0e5\System.Web.Routing.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 860160 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\6c551bf6f7716b0f527f4274fb04cc2e\System.Web.Extensions.Design.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 328192 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\03eda303152940cb2e78a0030cf572b5\System.Web.Entity.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 301568 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\7b93fe55a51f2a6010365a17546170bc\System.Web.Entity.Design.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\979bf2cab91b5d50aef1525ca96ff690\System.Web.DynamicData.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\067516a8300bb5fdbddb38cb9f6c934e\System.Web.Abstractions.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 624128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Net\e16f381a978103ac92bf64b99716c857\System.Net.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 593408 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Messaging\ac9fe083b4cf11aab834d6654cdeb429\System.Messaging.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 330240 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.I#\b95b509ac74958a1d8568293c3dc43ba\System.Management.Instrumentation.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 381440 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IO.Log\e083fdbcc88f5850290f2cf65ae1efae\System.IO.Log.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityMode#\736226563a7f564e4629e34d52b3d6c6\System.IdentityModel.Selectors.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 888320 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\1f6d55f401cfe7041f9fd3b4aebffa9b\System.DirectoryServices.AccountManagement.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 462336 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\0896f955eb175a4e0bfff73b94f57619\System.Data.Services.Design.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 763392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\8f130b77f8f47e23cd748679173bdf33\System.Data.Entity.Design.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 135680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.DataSet#\ad3f6eae36ce486187311de6836b4904\System.Data.DataSetExtensions.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 633344 c:\windows\assembly\NativeImages_v2.0.50727_32\System.AddIn\fc5edc97ac59d0d0d45bb9b623b9927b\System.AddIn.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 366080 c:\windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\4a33aa8911167af5fcba60f1b02ad45b\SMSvcHost.ni.exe
+ 2011-08-20 19:41 . 2011-08-20 19:41 256000 c:\windows\assembly\NativeImages_v2.0.50727_32\SMDiagnostics\b907dd027bbe99c5035b1d6355f83998\SMDiagnostics.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 723456 c:\windows\assembly\NativeImages_v2.0.50727_32\napsnap\96f4e4b87e625a1c36e4de2efb6f7dcc\napsnap.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 117760 c:\windows\assembly\NativeImages_v2.0.50727_32\napinit\a4e2648f8b4962f4c9660b2085290b06\napinit.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 133632 c:\windows\assembly\NativeImages_v2.0.50727_32\MSBuild\46d3794a4a440f22cff17197648f6887\MSBuild.ni.exe
+ 2011-08-20 19:41 . 2011-08-20 19:41 287232 c:\windows\assembly\NativeImages_v2.0.50727_32\MMCFxCommon\71b549afed40761f8be9075ca9ad8dd7\MMCFxCommon.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 531968 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.WSMan.Man#\fd457e872296300765fa1a6d96a6683c\Microsoft.WSMan.Management.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 386560 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\b96b80f166196dc0e148c73dc8452d25\Microsoft.Transactions.Bridge.Dtc.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 786432 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\f5b347719df9fa791416713aa0fd342f\Microsoft.PowerShell.Commands.Management.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 729088 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\bebf12cadd8b4fbd9c8135405c64794b\Microsoft.PowerShell.GraphicalHost.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 291328 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\b3b22c86860de1de178e294bc4bd534d\Microsoft.PowerShell.Commands.Diagnostics.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 167424 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\512a72ebad1bd44687d8134cd46e1a5c\Microsoft.PowerShell.Security.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 515584 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\1e510aa4de5a90cd44ee2443ae45e097\Microsoft.PowerShell.ConsoleHost.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 561664 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Managemen#\9658825555dc2c9af1a8ce12e6da2cd7\Microsoft.ManagementConsole.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 144384 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\c52f2b0958be337e88f37a141e18be78\Microsoft.Build.Utilities.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 175104 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\3f194ebe9a0c1e0903b32f663cb53556\Microsoft.Build.Utilities.v3.5.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 839680 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\e62aa0d898b65d0d831c11b4f56c0785\Microsoft.Build.Engine.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 222720 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Con#\78fb000aaaba73f34dfa9028b7caef8c\Microsoft.Build.Conversion.v3.5.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 364032 c:\windows\assembly\NativeImages_v2.0.50727_32\mcstoredb\fe969316614223634cba1c5544f4e3dd\mcstoredb.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 553472 c:\windows\assembly\NativeImages_v2.0.50727_32\EventViewer\31231127c783eddf25c3d21761e1a15c\EventViewer.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 693248 c:\windows\assembly\NativeImages_v2.0.50727_32\ehRecObj\aceba77dc2230519296726c4a1ce9518\ehRecObj.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 254464 c:\windows\assembly\NativeImages_v2.0.50727_32\ehExtHost32\42621a148e3691a5a992816cb49bee0a\ehExtHost32.ni.exe
- 2009-07-14 04:45 . 2011-08-20 13:09 7150424 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2009-07-14 04:45 . 2011-08-26 21:16 7150424 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2011-08-20 20:21 . 2011-08-20 20:21 1459712 c:\windows\assembly\NativeImages_v2.0.50727_64\UIAutomationClients#\b8bf364f0522a662055f670bf4e86c8f\UIAutomationClientsideProviders.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 2218496 c:\windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPA757.tmp\Microsoft.Build.Tasks.dll
+ 2011-08-20 20:21 . 2011-08-20 20:21 1818112 c:\windows\assembly\NativeImages_v2.0.50727_64\System.WorkflowServ#\394711b95ef17f6a7314eca2aba756e7\System.WorkflowServices.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 3336704 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Mobile\fe69339f03e5b94b558c688512246a5e\System.Web.Mobile.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 1155072 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Extensio#\b513632337cadf6b2a8f8b6975c7d96f\System.Web.Extensions.Design.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 3042304 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Extensio#\9c1f2e29f7b5f1d398405640ef4b1c7c\System.Web.Extensions.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 2727936 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Speech\31bbf607c61e3b9aeced14cb984ea9f6\System.Speech.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 2312704 c:\windows\assembly\NativeImages_v2.0.50727_64\System.ServiceModel#\667a561422e2ccf10daef0a5dc6c8043\System.ServiceModel.Web.ni.dll
+ 2011-08-20 20:19 . 2011-08-20 20:19 1472000 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Management\36723de72c78b2791de226253580f107\System.Management.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 1230848 c:\windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\11a932eb07432edfc6f9de22753337ba\System.DirectoryServices.AccountManagement.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 2805760 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Data.Services\f7483e84119e0be9074377e731ffbe0c\System.Data.Services.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 1868288 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Data.Service#\16932309d9a552f362c85ac0adfe1607\System.Data.Services.Client.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 3480576 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Data.Linq\82b491f0b4a55a29d4de0e7648a43707\System.Data.Linq.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 1080320 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Data.Entity.#\22600cdf0f670e44b03b243af68cd76d\System.Data.Entity.Design.ni.dll
+ 2011-08-20 20:19 . 2011-08-20 20:19 3315200 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Core\5f7c48b31971fee1af48dd20c7dd7033\System.Core.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 1884160 c:\windows\assembly\NativeImages_v2.0.50727_64\PresentationBuildTa#\ff71ee8681938634786fac49359c8b15\PresentationBuildTasks.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 3601920 c:\windows\assembly\NativeImages_v2.0.50727_64\Narrator\2f9ac667c184e068523d6047153f2d91\Narrator.ni.exe
+ 2011-08-20 20:20 . 2011-08-20 20:20 2327552 c:\windows\assembly\NativeImages_v2.0.50727_64\MMCEx\92414dfe464e98f09057245b6dd04d05\MMCEx.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 7970304 c:\windows\assembly\NativeImages_v2.0.50727_64\MIGUIControls\c66470a9076fc188a35ec7643aa1ee2e\MIGUIControls.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 2131968 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualBas#\4b85c3384fdda12490074283615d4723\Microsoft.VisualBasic.ni.dll
+ 2011-08-20 20:19 . 2011-08-20 20:19 2176512 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\f1cc6b5a2520e6b946198cd51498dff9\Microsoft.PowerShell.Commands.Utility.ni.dll
+ 2011-08-20 20:19 . 2011-08-20 20:19 5350912 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\b1d791e971f5c23b5ab0bf61bcfe60a0\Microsoft.PowerShell.Editor.ni.dll
+ 2011-08-20 20:19 . 2011-08-20 20:19 2105344 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\42c4e6bd35af9d592663de61cb8c8108\Microsoft.PowerShell.GPowerShell.ni.dll
+ 2011-08-20 20:19 . 2011-08-20 20:19 1131008 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\332067cce1149bb2008d5af79ef8024d\Microsoft.PowerShell.Commands.Management.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 8979456 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\fc417f7e196b7d7d5e717cb892f16144\Microsoft.MediaCenter.UI.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 1170432 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\ce834b9729a66c3ef9ec5c4350e6ab59\Microsoft.MediaCenter.TV.Tuners.Interop.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 1516544 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\cc0f76a8214ddc88b56c6c14146c2555\Microsoft.MediaCenter.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 1142784 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\8f1d674c4309a0c29fb708ba7a5e54c4\Microsoft.MediaCenter.Shell.ni.dll
+ 2011-08-20 20:19 . 2011-08-20 20:19 1508864 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\52e7f067d8a3358baeb77ac8cd988c0e\Microsoft.MediaCenter.Bml.ni.dll
+ 2011-08-20 20:19 . 2011-08-20 20:19 3213312 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.JScript\95184c861c38e940aeadc4276a8596e6\Microsoft.JScript.ni.dll
+ 2011-08-20 20:19 . 2011-08-20 20:19 2365952 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Ink\0e8c24abc2dbbafc9519f64571a39433\Microsoft.Ink.ni.dll
+ 2011-08-20 20:19 . 2011-08-20 20:19 2218496 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Build.Tas#\638f3afd3c310ed7d048e60cc1daf57e\Microsoft.Build.Tasks.ni.dll
+ 2011-08-20 20:19 . 2011-08-20 20:19 2682880 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Build.Tas#\58e96fd5359c0f3d6ed8f350ff721f87\Microsoft.Build.Tasks.v3.5.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 1137152 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Build.Eng#\f2ae54183322e3710c0344c44fd512d8\Microsoft.Build.Engine.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 2544640 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Build.Eng#\37c906e0ea6325e55c1f222aa4a5462b\Microsoft.Build.Engine.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 2801664 c:\windows\assembly\NativeImages_v2.0.50727_64\mcstore\c0018e4aaaa7eebb4fadaf5220854fe8\mcstore.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 4088320 c:\windows\assembly\NativeImages_v2.0.50727_64\mcepg\0d18e8a503ef9e5bc676d89c7d508d7f\mcepg.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 1047552 c:\windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClients#\92104881c09380b6b86ec656e8c502f6\UIAutomationClientsideProviders.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 1358336 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\a6409b4be5018e5cbad7ef197d4237e1\System.WorkflowServices.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 2209792 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\4de6ad3bad2dc4fbbbd33b16b1a7b219\System.Web.Mobile.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 2403328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\871d3f0cc83d73a106151257ee74a4aa\System.Web.Extensions.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 1917952 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Speech\2c7c32228442440e4c23f772fd64b24b\System.Speech.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 1707008 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\0139ae05cabaf2ac25cc85279e187e0a\System.ServiceModel.Web.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 2347008 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\e285e2af5e0e8ac7d91936b2cb18542f\System.Runtime.Serialization.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 1051136 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\6e9a08576157b4aeb91a3aaa452fcb00\System.Management.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 8872960 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.A#\f2b1857a7db371f0417a84e8ca25f450\System.Management.Automation.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 1083392 c:\windows\assembly\NativeImages_v2.0.50727_32\System.IdentityModel\5ab23d203c8bfade7160ea915719c730\System.IdentityModel.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 2029568 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\702efea190a39de2bacb81cbaf32de99\System.Data.Services.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 1378816 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\3da17a7980d13fae329f2c3a77797b08\System.Data.Services.Client.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 2516992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Linq\1992ecfb8eb3318820e3d28df55bee6a\System.Data.Linq.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 9921536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity\301160f0d81368efb2f79e9b714ec505\System.Data.Entity.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 2297856 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Core\ebdaeeb5ef1a6209d67a2f70fcaf5cd5\System.Core.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 1451520 c:\windows\assembly\NativeImages_v2.0.50727_32\PresentationBuildTa#\c16377318357fb4fcda87c1015815a76\PresentationBuildTasks.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 2623488 c:\windows\assembly\NativeImages_v2.0.50727_32\Narrator\ca760a3cb6cabbdf11c1aa42e5b79ee9\Narrator.ni.exe
+ 2011-08-20 19:42 . 2011-08-20 19:42 1545216 c:\windows\assembly\NativeImages_v2.0.50727_32\MMCEx\97051ca60f5e2ea7927adebcb2af9097\MMCEx.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 6438912 c:\windows\assembly\NativeImages_v2.0.50727_32\MIGUIControls\40f947b2a4ecb8ba656104c3f77bb79b\MIGUIControls.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 1670144 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\47a4b624c147aae197214d4ee5f0661b\Microsoft.VisualBasic.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 1093120 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Transacti#\0d7a48003dd32151b3518b3ee7f13350\Microsoft.Transactions.Bridge.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 3724288 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\79af41ccc6bdc25ede7b249ae32f0101\Microsoft.PowerShell.Editor.ni.dll
+ 2011-08-20 19:42 . 2011-08-20 19:42 1704960 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\348ff55789cc23b72b19036f01903b63\Microsoft.PowerShell.GPowerShell.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 1681920 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\21f675cbc3d058e68f7f6371644da25f\Microsoft.PowerShell.Commands.Utility.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 6499840 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.MediaCent#\ffec5408d56ba9fb311518d6ec521691\Microsoft.MediaCenter.UI.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 1009664 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.MediaCent#\81359c52225ae557ddf7dbdf3c0bf048\Microsoft.MediaCenter.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 2335744 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\35138a36b7d07f4d37adf96745ef80cb\Microsoft.JScript.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 1361408 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Ink\9c17eb4bfbca7719a4f10bbd3473d07d\Microsoft.Ink.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 1620992 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\4b45a3a1f24d0d773f9f8fb2d8ce8164\Microsoft.Build.Tasks.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 1970176 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\01de5c2808a0c30578614dae24c5d591\Microsoft.Build.Tasks.v3.5.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 1888768 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\db9750e8aae34d7bd25b76564f2cebd5\Microsoft.Build.Engine.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 2035712 c:\windows\assembly\NativeImages_v2.0.50727_32\mcstore\9004890e93911c7612aa5f218c474618\mcstore.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 3025920 c:\windows\assembly\NativeImages_v2.0.50727_32\mcepg\e0683c0b9e68c44011a1f4b70b85239f\mcepg.ni.dll
- 2009-07-14 02:34 . 2011-08-20 13:04 10485760 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:34 . 2011-08-24 23:43 10485760 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2011-08-20 20:19 . 2011-08-20 20:19 11900928 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\34d1eab899a35bb7a0075c0b0b3d5938\System.Management.Automation.ni.dll
+ 2011-08-20 20:20 . 2011-08-20 20:20 13760000 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Data.Entity\7bf5c7476d8c8255a30a4cda0c9f43be\System.Data.Entity.ni.dll
+ 2011-08-20 19:43 . 2011-08-20 19:43 25470976 c:\windows\assembly\NativeImages_v2.0.50727_64\ehshell\857d393b4e25062d5ba400f3422b74e6\ehshell.ni.dll
+ 2011-08-20 19:41 . 2011-08-20 19:41 17478656 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel\052fc9c848a7f4630980ae0fd7a282e0\System.ServiceModel.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-05-04 311296]
"NUSB3MON"="c:\program files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-01-22 106496]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-06-27 336384]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2010-11-30 281768]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R3 ALSysIO;ALSysIO;c:\users\Craig\AppData\Local\Temp\ALSysIO64.sys [x]
R3 athrusb;Belkin Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrxusb.sys [x]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files (x86)\Lavasoft\Ad-Aware\AAWService.exe [2011-08-15 2151640]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files (x86)\Lavasoft\Ad-Aware\KernExplorer64.sys [2011-08-18 17152]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files (x86)\Avira\AntiVir Desktop\sched.exe [2011-08-20 136360]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 MBfilt;MBfilt;c:\windows\system32\drivers\MBfilt64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-07-28 11101800]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2009-01-21 123400]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.sky.com
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2011-09-01 17:53:24 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-01 16:53
ComboFix2.txt 2011-08-20 17:34
.
Pre-Run: 359,382,949,888 bytes free
Post-Run: 359,259,193,344 bytes free
.
- - End Of File - - 39836ED8011A8EDBE502061A850EE129


Craig

#10 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:05:15 AM

Posted 01 September 2011 - 05:13 PM

Interesting. Can you please run aswMBR again? It's interesting since both TDSSKiller and CF didn't see it. I wonder if it's removed or still there.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#11 FallenPhoenix1986

FallenPhoenix1986
  • Topic Starter

  • Members
  • 50 posts
  • Local time:10:15 AM

Posted 01 September 2011 - 07:32 PM

Here goes:

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-09-02 00:40:24
-----------------------------
00:40:24.682 OS Version: Windows x64 6.1.7601 Service Pack 1
00:40:24.682 Number of processors: 8 586 0x1E05
00:40:24.682 ComputerName: MCDOUGALL-PC UserName: Craig
00:40:25.540 Initialize success
00:40:32.109 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2
00:40:32.109 Disk 0 Vendor: WDC_WD5000AAKS-00A7B0 01.03B01 Size: 476940MB BusType: 3
00:40:32.109 Disk 0 MBR read successfully
00:40:32.109 Disk 0 MBR scan
00:40:32.109 Disk 0 TDL4@MBR code has been found
00:40:32.109 Disk 0 Windows 7 default MBR code found via API
00:40:32.109 Disk 0 MBR hidden
00:40:32.124 Disk 0 MBR [TDL4] **ROOTKIT**
00:40:32.124 Disk 0 trace - called modules:
00:40:32.124 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa8004adc254]<<
00:40:32.124 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a37790]
00:40:32.124 3 CLASSPNP.SYS[fffff8800161743f] -> nt!IofCallDriver -> [0xfffffa80047d0520]
00:40:32.124 5 ACPI.sys[fffff88000f497a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0xfffffa80047d2060]
00:40:32.124 \Driver\atapi[0xfffffa80047a9cb0] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xfffffa8004adc254
00:40:32.124 Scan finished successfully
00:40:51.578 Disk 0 MBR has been saved successfully to "C:\Users\Craig\Desktop\MBR.dat"
00:40:51.593 The log file has been saved successfully to "C:\Users\Craig\Desktop\aswMBR.txt"

Had the same result as last time; as soon as it created the .dat file, Defender kicked in and told me it was infected.

Craig

#12 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:05:15 AM

Posted 02 September 2011 - 05:56 AM

OK, well our tools aren't going to do this automatically, so onto the manual method. A few questions:

What brand of computer is this? Dell, Toshiba, custom built, etc.
Do you have a Windows CD we can use? If not, do you have access to a non infected computer and a blank USB flash drive?


 


#13 FallenPhoenix1986

FallenPhoenix1986
  • Topic Starter

  • Members
  • 50 posts
  • Local time:10:15 AM

Posted 02 September 2011 - 11:39 AM

It's a custom job, and I know I have the disks... just can't find 'em.
I've been using an alternate machine since I first asked for help and have a mountain of flash drives.


Craig

#14 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:05:15 AM

Posted 02 September 2011 - 01:11 PM

Hello, FallenPhoenix1986.

OK, great. I have to ask, since if it was a stock computer with a recovery partition instead of a Windows CD, we'd have to manually restore access back in the MBR. But, we don't have to worry about that with a custom install.

Since you can't find the Windows CD, we'll use NTBR.



Step 1

You will need a blank USB flash drive for this.

Download NTBR_USB.exe and save it to your desktop on your clean computer. Plug in the USB you want to use and double-click NTBR_USB.exe to run it.
Verify that the drive letter shown is the same as assigned by Windows, then click OK.
Once the image is written to the device, you will be prompted to reboot ~ do not reboot and instead remove the device.
Insert the bootable device in the infected computer and start it, then use the appropriate F key to access the boot menu where you can choose to boot from USB. (same as how it booted with xPud)
You should be presented with a boot screen - select usb and press Enter to boot to the device.
After a warning screen there is a keyboard language options screen - press Enter to leave it at EN-US.
You should now be at the Tool options screen.

First, let's back up your current MBR.

Type 1 and hit Enter to start MBRWORK
At Choose Option: type c and hit Enter ( C) Capture Sectors )
At Enter File Name: type mbr.bin and hit Enter
At LBA: 0 Leave at 0 and hit Enter
At Number of Sectors: 1 Leave at 1 and hit Enter
The screen will show:
Processing ...
Save completed - Press Enter
Hit Enter then at Choose Option: type e and hit Enter to exit MBRWORK

Now, we copy it to your USB drive:

Type 5 and hit Enter to go to an X:\> prompt
Type copy mbr.bin c:\ and hit Enter
You should see mbr.bin => c:\mbr.bin and return to the X:\> prompt
Type menu and hit Enter.



Next, let's replace your MBR:

At the menu type 1 to select MBRWORK then hit Enter

This screen will show the hard drive configuration.

Type 5 to Install standard MBR code then hit Enter
Type 1 to select Standard then hit Enter
Type Y then hit Enter to confirm
Type E then hit Enter to exit
Back at the menu, type 6 to Quit.
Press Ctrl+Alt+Del to restart the machine.
Pull out the USB drive at this point.

Did it properly boot into Windows?

etavares


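The aswMBR run in post #11 saved the suspect sector to MBR.dat, and the MBRWORK steps above capture LBA 0 (one sector) to mbr.bin before the standard code is written back. The script below is an added example for this thread, not code from NTBR, MBRWORK, aswMBR or either poster: it reads a 512-byte sector image, checks the 0x55AA signature and the partition table for sanity, and compares a SHA-256 of the boot-code region (bytes 0-439) against a baseline hash taken from a sector you trust, so a before/after pair of captures can be diffed without eyeballing hex. The boot-code bytes, partition layout and baseline used as sample input are constructed stand-ins, not real loader code.

```python
"""Sanity-check a 512-byte MBR image (mbr.bin from MBRWORK, MBR.dat from aswMBR).

Added example for this thread; not code from NTBR, MBRWORK, aswMBR or the
original posters.  All sample bytes below are constructed stand-ins."""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439: boot loader code
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # bytes 510..511 must be 0x55 0xAA
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def build_mbr(boot_code, partitions):
    """Assemble a sector from boot code and (status, type, lba_start, count)
    tuples.  Only used to construct sample input; a real check reads the file."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for i, (status, ptype, lba_start, count) in enumerate(partitions[:4]):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         status, ptype, lba_start, count)
    sector[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(sector)


def parse_partitions(sector):
    """Decode the four primary partition entries into dicts."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def boot_code_hash(sector):
    """SHA-256 of the boot-code region only, so partition edits do not change it."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector, baseline_hash=None):
    """Return a list of findings; an empty list means nothing looked wrong."""
    if len(sector) != SECTOR_SIZE:
        return ["unexpected length %d (want %d)" % (len(sector), SECTOR_SIZE)]
    findings = []
    if sector[BOOT_SIG_OFF:] != b"\x55\xAA":
        findings.append("boot signature 0x55AA missing")
    if baseline_hash is not None and boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from the known-good baseline")
    parts = parse_partitions(sector)
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        findings.append("more than one partition flagged active")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append("entry %d has invalid status byte 0x%02x"
                            % (p["index"], p["status"]))
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"])
                   for p in parts if p["sectors"])
    for (s1, e1), (s2, e2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append("partition ranges overlap (%d-%d vs %d-%d)"
                            % (s1, e1, s2, e2))
    return findings


# Constructed sample data (not real loader bytes): one active NTFS partition at
# LBA 2048 followed by a second data partition, with a made-up boot code blob.
SAMPLE_CODE = bytes([0xEB, 0x3C, 0x90]) + b"CONSTRUCTED-BOOT-CODE-SAMPLE" * 15
SAMPLE_PARTS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 409600)]
CLEAN_MBR = build_mbr(SAMPLE_CODE, SAMPLE_PARTS)
BASELINE = boot_code_hash(CLEAN_MBR)          # recorded from the trusted sector
# Same partition table, first 64 bytes of the code region overwritten: this is
# what a modified boot-code region looks like to the check.
TAMPERED_MBR = build_mbr(b"\x90" * 64 + SAMPLE_CODE[64:], SAMPLE_PARTS)

if __name__ == "__main__":
    # Usage: python mbrcheck.py mbr.bin [baseline-sha256]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else TAMPERED_MBR
    base = sys.argv[2] if len(sys.argv) > 2 else BASELINE
    for line in check_mbr(data, base) or ["no findings"]:
        print(line)
```

Run it once against the capture taken before MBRWORK writes the standard code and once against a capture taken after the reboot; the partition table should parse identically both times and only the boot-code hash should change. A baseline hash is only meaningful if it comes from a sector you trust, such as a capture from a freshly installed machine of the same Windows version.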
 


#15 FallenPhoenix1986

FallenPhoenix1986
  • Topic Starter

  • Members
  • 50 posts
  • Local time:10:15 AM

Posted 03 September 2011 - 12:27 PM

Just went to have a go at this and had a couple of thoughts (hopefully not too daft :P):

The safe machine is running on Vista and the sick machine is on 7. As I understand this, the safe machine is in effect a donor for the sick one; is that going to cause issues, or is it OK to proceed?
Also, you say to boot as we did with xPud; I'm not familiar with this.

Sorry I didn't get back sooner; haven't been home much in the last few days.

Craig



