

redirector virus and combo fix


This topic is locked. 32 replies to this topic.

#1 iixsive

Posted 12 October 2011 - 07:48 PM

I have used this forum and others for some time as a watcher, and have found it to be very helpful and a wealth.
I am not new at killing viruses; I have been working on computers for some 30 years, so I am not a newbie.
I have stopped the virus from causing any more havoc; however, I am not sure it is dead.
I used Malwarebytes to get it under control, after AVG 2011 turned out to have no clue what was going on and never saw it at all.

As usual, I saw a lot of redirects while on Google, and like a lot of others I thought it was just typical web junk.
After looking into it more, I found Ping.exe active as well as a rogue Svshost (alarm!), outgoing traffic, the firewall inoperative, remote access turned on, etc.

Lenovo laptop, dual core, Win7 64-bit

I have the ComboFix log, and though I do a lot of computer work and am very familiar with many OSes, I am new at Win 7 and would appreciate some assistance in checking out the log and setting it up for the final hunt.

I will post it once i have a response from a knowledgeable party.

Thank you in advance for your anticipated help.

IIXSIVE

#2 Orange Blossom (OBleepin Investigator, Moderator)

Posted 13 October 2011 - 12:21 PM

Hello,

Please follow the instructions in This Guide starting at step 6.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button. Since you have run ComboFix, please include the ComboFix log in the new topic.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, include the information that you were unable to produce the other logs, include the ComboFix log, and describe what happens when you try to create the other logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.


#3 iixsive (Topic Starter)

Posted 13 October 2011 - 01:40 PM

Thank you so much. I will work on this tomorrow night and post a reply with the logs and notes you requested.
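A triage helper for the DDS log that appears in the next post, added here as example code written for this thread; it is not part of any post in the thread and not part of the DDS, GMER or ComboFix tools. It parses the "Created Last 30" section and flags two patterns that stand out in that log: a run of executables in C:\windows\SysWow64 that all have the same size (2412032 bytes) under unrelated random-looking names, and a burst of random-looking directories created under C:\Users\sam\AppData\Roaming within a few minutes of each other. The thresholds, the random-name heuristic and the sample text (lines copied from the posted log, plus a few benign entries from the same log for contrast) are assumptions made for this example.

```python
"""Triage helper for the 'Created Last 30' section of a DDS log.

Example code for this thread (not from DDS or from any poster). It flags
two indicators visible in the log posted above:
  * several executables of identical size dropped into one directory on
    one day under unrelated, random-looking names;
  * a burst of new random-looking directories under one parent on one day.
Thresholds and the randomness heuristic are assumptions for illustration.
"""
import ntpath
import re
from collections import defaultdict
from datetime import datetime

# One DDS "Created Last 30" line looks like:
#   2011-10-07 04:04:19 2412032 ----a-w- C:\windows\SysWow64\EZZqqjYYCwIVr.exe
# Directories carry "--------" in place of a size and a "d" in the attributes.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-{8})\s+(\S{8})\s+(.+)$"
)
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com"}


def parse_dds_created(text):
    """Return a list of (timestamp, size or None, attrs, path) tuples."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers, '.' separators, blank lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        size = None if m.group(2).startswith("-") else int(m.group(2))
        entries.append((ts, size, m.group(3), m.group(4)))
    return entries


def looks_random(name):
    """Crude heuristic for machine-generated names (assumption, not a rule):
    alphanumeric stem of 8+ chars, mixed case, and digits mixed in, frequent
    case flips, or almost no vowels. Real tooling would add a wordlist."""
    stem = ntpath.splitext(name)[0]
    if len(stem) < 8 or not stem.isalnum():
        return False
    upper = any(c.isupper() for c in stem)
    lower = any(c.islower() for c in stem)
    digit = any(c.isdigit() for c in stem)
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    vowel_ratio = sum(c.lower() in "aeiou" for c in stem) / len(stem)
    return upper and lower and (digit or flips >= 4 or vowel_ratio < 0.2)


def flag_same_size_clusters(entries, min_count=5):
    """Executables of identical size created in one directory on one day.
    Update batches rarely produce several equal-size binaries with unrelated
    names; droppers writing copies of one payload do exactly that."""
    groups = defaultdict(list)
    for ts, size, _attrs, path in entries:
        directory, name = ntpath.split(path)
        if size is None or ntpath.splitext(name)[1].lower() not in EXEC_EXT:
            continue
        groups[(directory.lower(), size, ts.date())].append(name)
    return [
        {"dir": d, "size": s, "date": day.isoformat(),
         "count": len(names), "names": sorted(names)}
        for (d, s, day), names in groups.items() if len(names) >= min_count
    ]


def flag_random_dir_bursts(entries, min_count=5):
    """Many new random-looking directories under one parent on one day."""
    groups = defaultdict(list)
    for ts, size, attrs, path in entries:
        if size is not None or not attrs.startswith("d"):
            continue
        parent, name = ntpath.split(path)
        if looks_random(name):
            groups[(parent.lower(), ts.date())].append(name)
    return [
        {"parent": p, "date": day.isoformat(),
         "count": len(names), "names": sorted(names)}
        for (p, day), names in groups.items() if len(names) >= min_count
    ]


# Sample input: lines copied from the DDS log posted in this thread, plus a
# few benign entries from the same log (Windows Update files, Malwarebytes).
SAMPLE_LOG = r"""
=============== Created Last 30 ================
.
2011-10-09 16:52:18 98816 ----a-w- C:\windows\sed.exe
2011-10-07 15:59:16 -------- d-----w- C:\Users\sam\AppData\Roaming\z9wezxvbGJK9qkN
2011-10-07 15:59:16 -------- d-----w- C:\Users\sam\AppData\Roaming\tZwlzxv356fTUIN
2011-10-07 15:59:16 -------- d-----w- C:\Users\sam\AppData\Roaming\SomQWLqezx2GWRT
2011-10-07 15:59:15 -------- d-----w- C:\Users\sam\AppData\Roaming\XwezxvbGJK
2011-10-07 15:57:39 -------- d-----w- C:\Users\sam\AppData\Roaming\xyGhxakb7VD
2011-10-07 15:55:16 -------- d-----w- C:\Users\sam\AppData\Roaming\dUx14Ekz2
2011-10-07 04:04:19 2412032 ----a-w- C:\windows\SysWow64\EZZqqjYYCwIVr.exe
2011-10-07 04:03:53 2412032 ----a-w- C:\windows\SysWow64\A999hTTXq.exe
2011-10-07 04:01:00 2412032 ----a-w- C:\windows\SysWow64\BWWWJ77dEL.exe
2011-10-07 03:58:18 2412032 ----a-w- C:\windows\SysWow64\rIVVrllON.exe
2011-10-07 02:58:29 2412032 ----a-w- C:\windows\SysWow64\SCCCekkIBrzOyx0.exe
2011-10-07 02:05:54 2412032 ----a-w- C:\windows\SysWow64\TpppnGG4aQHs.exe
2011-10-05 02:47:35 -------- d-----w- C:\Users\sam\AppData\Roaming\Malwarebytes
2011-09-24 15:48:59 3134464 ----a-w- C:\windows\System32\win32k.sys
2011-09-24 15:45:25 5507968 ----a-w- C:\windows\System32\ntoskrnl.exe
2011-09-24 15:45:24 3902336 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
"""

if __name__ == "__main__":
    parsed = parse_dds_created(SAMPLE_LOG)
    for hit in flag_same_size_clusters(parsed):
        print(f"[same-size cluster] {hit['count']} x {hit['size']} bytes in {hit['dir']}")
    for hit in flag_random_dir_bursts(parsed):
        print(f"[random dir burst] {hit['count']} dirs under {hit['parent']}")
```

Run it against a full DDS log by reading the file into `parse_dds_created` instead of `SAMPLE_LOG`. The size-cluster check is the stronger signal: it needs no guess about what a "random" name looks like, and it is the reason the SysWow64 run in this thread's log stands out at a glance.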

#4 iixsive (Topic Starter)

Posted 14 October 2011 - 11:17 PM

Thank you, OBleepin Investigator. Here are the logs.
Note: when I ran GMER, the check box options on the right side of the screen that start at "System" and go down to "Show all" were mostly grayed out; only Services, Registry, Files, C:, and ADS were checked and could be checked.


DDS log: on my computer, dds.scr would only open up Notepad. I gave it an .exe extension and it ran fine then.

Do you need the attach.txt?

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
Run by sam at 19:43:38 on 2011-10-14
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4029.3015 [GMT -7:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2012\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\Program Files\WTouch\WTouchService.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\windows\SYSTEM32\WISPTIS.EXE
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE
C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\Pen_Tablet.exe
C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\windows\SysWOW64\vmnat.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
C:\windows\SysWOW64\vmnetdhcp.exe
C:\windows\system32\taskhost.exe
C:\windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\WTablet\Pen_TabletUser.exe
C:\windows\system32\Pen_Tablet.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files (x86)\DDNI\Lenovo Idea Notes\DDNIMSGService.exe
C:\windows\system32\svchost.exe -k HPService
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Microsoft Office\Office\excel.exe
C:\windows\splwow64.exe
C:\windows\system32\taskhost.exe
C:\Program Files\WTouch\WTouchUser.exe
C:\windows\system32\svchost.exe -k SDRSVC
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://lenovo.msn.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
dRunOnce: [WLStart] "C:\Program Files (x86)\Windows Live\Installer\wlstart.exe" /nosearch /nohomepage
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
LSP: C:\Program Files (x86)\VMware\VMware Workstation\vsocklib.dll
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1 68.94.156.1
TCP: Interfaces\{E6608602-7B45-452A-BD8F-48C9536012B9} : DhcpNameServer = 192.168.0.1 68.94.156.1
TCP: Interfaces\{E6608602-7B45-452A-BD8F-48C9536012B9}\3716D637D2960586F6E65602D4977596 : DhcpNameServer = 8.8.8.8
TCP: Interfaces\{E6608602-7B45-452A-BD8F-48C9536012B9}\960786F6E6563716D6 : DhcpNameServer = 68.28.114.91
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
BHO-X64: Search Helper - No File
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB-X64: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\sam\AppData\Roaming\Mozilla\Firefox\Profiles\f7jzs3vd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: C:\Program Files (x86)\AVG\AVG2012\Firefox\components\avgssff.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;C:\windows\system32\DRIVERS\AVGIDSEH.Sys --> C:\windows\system32\DRIVERS\AVGIDSEH.Sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\windows\system32\DRIVERS\avgrkx64.sys --> C:\windows\system32\DRIVERS\avgrkx64.sys [?]
R0 PxHlpa64;PxHlpa64;C:\windows\system32\Drivers\PxHlpa64.sys --> C:\windows\system32\Drivers\PxHlpa64.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\windows\system32\DRIVERS\avgldx64.sys --> C:\windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\windows\system32\DRIVERS\avgmfx64.sys --> C:\windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\windows\system32\DRIVERS\avgtdia.sys --> C:\windows\system32\DRIVERS\avgtdia.sys [?]
R1 funfrm;funfrm;C:\windows\system32\drivers\funfrm.sys --> C:\windows\system32\drivers\funfrm.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;C:\Program Files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 DDNIMSGService;DDNIMSGService;C:\Program Files (x86)\DDNI\Lenovo Idea Notes\DDNIMSGService.exe [2009-6-23 172720]
R2 IGRS;IGRS;C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe [2009-7-14 38152]
R2 TabletServicePen;TabletServicePen;C:\windows\system32\Pen_Tablet.exe --> C:\windows\system32\Pen_Tablet.exe [?]
R2 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2009-10-22 563760]
R2 WTouchService;WTouch Service;C:\Program Files\WTouch\WTouchService.exe [2010-5-22 127272]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;C:\windows\system32\DRIVERS\AcpiVpc.sys --> C:\windows\system32\DRIVERS\AcpiVpc.sys [?]
R3 AVGIDSDriver;AVGIDSDriver;C:\windows\system32\DRIVERS\AVGIDSDriver.Sys --> C:\windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
R3 AVGIDSFilter;AVGIDSFilter;C:\windows\system32\DRIVERS\AVGIDSFilter.Sys --> C:\windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
R3 pnetmdm;PdaNet Modem;C:\windows\system32\DRIVERS\pnetmdm64.sys --> C:\windows\system32\DRIVERS\pnetmdm64.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\windows\system32\DRIVERS\vwifimp.sys --> C:\windows\system32\DRIVERS\vwifimp.sys [?]
R3 wdmirror;wdmirror;C:\windows\system32\DRIVERS\WDMirror.sys --> C:\windows\system32\DRIVERS\WDMirror.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe [2011-9-1 5265248]
S2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2011-8-2 192776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-27 136176]
S2 ReadyComm.DirectRouter;ReadyComm.DirectRouter;C:\windows\System32\IgrsSvcs.exe -k IgrsSvcs --> C:\windows\System32\IgrsSvcs.exe -k IgrsSvcs [?]
S3 Bridge0;Bridge0;C:\windows\system32\drivers\WDBridge.sys --> C:\windows\system32\drivers\WDBridge.sys [?]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-5-23 1030600]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-27 136176]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\windows\system32\DRIVERS\k57nd60a.sys --> C:\windows\system32\DRIVERS\k57nd60a.sys [?]
S3 Lenovo ReadyComm AppSvc;Lenovo ReadyComm AppSvc;C:\Program Files\Lenovo\ReadyComm\AppSvc.exe [2010-3-7 509192]
S3 Lenovo ReadyComm ConnSvc;Lenovo ReadyComm ConnSvc;C:\Program Files\Lenovo\ReadyComm\ConnSvc.exe [2010-3-7 579400]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\windows\system32\DRIVERS\netw5v64.sys --> C:\windows\system32\DRIVERS\netw5v64.sys [?]
S3 PS_MDP;ReadyComm Presentation Space Helper Service;C:\windows\System32\IgrsSvcs.exe -k IgrsSvcs --> C:\windows\System32\IgrsSvcs.exe -k IgrsSvcs [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
S3 wsvd;wsvd;C:\windows\system32\DRIVERS\wsvd.sys --> C:\windows\system32\DRIVERS\wsvd.sys [?]
.
=============== File Associations ===============
.
.scr=AutoCADScriptFile
.
=============== Created Last 30 ================
.
2011-10-09 18:00:15 -------- d-----w- C:\$RECYCLE.BIN
2011-10-09 16:52:18 98816 ----a-w- C:\windows\sed.exe
2011-10-09 16:52:18 518144 ----a-w- C:\windows\SWREG.exe
2011-10-09 16:52:18 256000 ----a-w- C:\windows\PEV.exe
2011-10-09 16:52:18 208896 ----a-w- C:\windows\MBR.exe
2011-10-07 15:59:16 -------- d-----w- C:\Users\sam\AppData\Roaming\z9wezxvbGJK9qkN
2011-10-07 15:59:16 -------- d-----w- C:\Users\sam\AppData\Roaming\tZwlzxv356fTUIN
2011-10-07 15:59:16 -------- d-----w- C:\Users\sam\AppData\Roaming\SomQWLqezx2GWRT
2011-10-07 15:59:16 -------- d-----w- C:\Users\sam\AppData\Roaming\S23adfTUrAipQWL
2011-10-07 15:59:16 -------- d-----w- C:\Users\sam\AppData\Roaming\FZwlzxv356fTUIN
2011-10-07 15:59:15 -------- d-----w- C:\Users\sam\AppData\Roaming\XwezxvbGJK
2011-10-07 15:59:15 -------- d-----w- C:\Users\sam\AppData\Roaming\QUBN1omQWLq
2011-10-07 15:59:15 -------- d-----w- C:\Users\sam\AppData\Roaming\KdZwlzxv356fTUI
2011-10-07 15:57:39 -------- d-----w- C:\Users\sam\AppData\Roaming\xyGhxakb7VD
2011-10-07 15:57:37 -------- d-----w- C:\Users\sam\AppData\Roaming\PDLrvsqBvQYt2J
2011-10-07 15:57:27 -------- d-----w- C:\Users\sam\AppData\Roaming\KKZlcGEw05ZOi5R
2011-10-07 15:57:26 -------- d-----w- C:\Users\sam\AppData\Roaming\eA5LISsCumq
2011-10-07 15:57:26 -------- d-----w- C:\Users\sam\AppData\Roaming\bhrbWqzS4fYNim8
2011-10-07 15:57:23 -------- d-----w- C:\Users\sam\AppData\Roaming\S6jP4TO38On8IvQ
2011-10-07 15:57:17 -------- d-----w- C:\Users\sam\AppData\Roaming\vp7w0GLkcmhcm
2011-10-07 15:57:15 -------- d-----w- C:\Users\sam\AppData\Roaming\UP4gB4ZBphOpLri
2011-10-07 15:57:15 -------- d-----w- C:\Users\sam\AppData\Roaming\oIv5fUypKqOiQ9
2011-10-07 15:57:10 -------- d-----w- C:\Users\sam\AppData\Roaming\ExGTynRkuG
2011-10-07 15:57:08 -------- d-----w- C:\Users\sam\AppData\Roaming\DfI2Zt4Tt4RBoKV
2011-10-07 15:57:07 -------- d-----w- C:\Users\sam\AppData\Roaming\Ikx3KqN1afCy
2011-10-07 15:55:26 -------- d-----w- C:\Users\sam\AppData\Roaming\FkiLIcWhxo7wymg
2011-10-07 15:55:20 -------- d-----w- C:\Users\sam\AppData\Roaming\yjxF6e26gkP3Jql
2011-10-07 15:55:20 -------- d-----w- C:\Users\sam\AppData\Roaming\rv5XNiaLOnLCtbs
2011-10-07 15:55:16 -------- d-----w- C:\Users\sam\AppData\Roaming\nt1mEheP25gV
2011-10-07 15:55:16 -------- d-----w- C:\Users\sam\AppData\Roaming\Fx14Ekz2HKXP
2011-10-07 15:55:16 -------- d-----w- C:\Users\sam\AppData\Roaming\Ft1mEheP25gV
2011-10-07 15:55:16 -------- d-----w- C:\Users\sam\AppData\Roaming\dUx14Ekz2
2011-10-07 15:55:12 -------- d-----w- C:\Users\sam\AppData\Roaming\m8CPos8wClrNxvo
2011-10-07 15:53:57 -------- d-----w- C:\Users\sam\AppData\Roaming\r159r2HTOb6qNDW
2011-10-07 15:53:51 -------- d-----w- C:\Users\sam\AppData\Roaming\Ul1pdhIunWXruG
2011-10-07 15:53:47 -------- d-----w- C:\Users\sam\AppData\Roaming\yk0ba7Yru3HEqIx
2011-10-07 15:53:42 -------- d-----w- C:\Users\sam\AppData\Roaming\PQLjOv3HfXItb69
2011-10-07 15:53:42 -------- d-----w- C:\Users\sam\AppData\Roaming\eOv3HfXItb69COc
2011-10-07 15:53:41 -------- d-----w- C:\Users\sam\AppData\Roaming\JTBumKXI0baKgeO
2011-10-07 15:53:40 -------- d-----w- C:\Users\sam\AppData\Roaming\ZziFQRwzD5fUNoJ
2011-10-07 15:53:40 -------- d-----w- C:\Users\sam\AppData\Roaming\t5dghUIP1F56Rjy
2011-10-07 15:53:39 -------- d-----w- C:\Users\sam\AppData\Roaming\TXkeOzcvF5EqVzi
2011-10-07 04:04:19 2412032 ----a-w- C:\windows\SysWow64\EZZqqjYYCwIVr.exe
2011-10-07 04:03:53 2412032 ----a-w- C:\windows\SysWow64\A999hTTXq.exe
2011-10-07 04:01:00 2412032 ----a-w- C:\windows\SysWow64\BWWWJ77dEL.exe
2011-10-07 04:00:24 2412032 ----a-w- C:\windows\SysWow64\cggTTXqjj.exe
2011-10-07 04:00:14 2412032 ----a-w- C:\windows\SysWow64\U333pnnG5aQ6dK7.exe
2011-10-07 03:58:18 2412032 ----a-w- C:\windows\SysWow64\rIVVrllON.exe
2011-10-07 03:50:45 2412032 ----a-w- C:\windows\SysWow64\OL99hhTXqjUCkBr.exe
2011-10-07 03:45:13 2412032 ----a-w- C:\windows\SysWow64\KDDD2obFF4.exe
2011-10-07 03:41:02 2412032 ----a-w- C:\windows\SysWow64\X22iibFF3paHd.exe
2011-10-07 03:40:36 2412032 ----a-w- C:\windows\SysWow64\KXXwwjUVVeIBt.exe
2011-10-07 03:38:51 2412032 ----a-w- C:\windows\SysWow64\o66ssWK77fL.exe
2011-10-07 03:38:43 2412032 ----a-w- C:\windows\SysWow64\JeellOBBtz0y.exe
2011-10-07 03:27:43 2412032 ----a-w- C:\windows\SysWow64\uS22oobF3pmGaJ6.exe
2011-10-07 02:58:29 2412032 ----a-w- C:\windows\SysWow64\SCCCekkIBrzOyx0.exe
2011-10-07 02:58:10 2412032 ----a-w- C:\windows\SysWow64\DiibD3ppnGaQHs.exe
2011-10-07 02:49:04 2412032 ----a-w- C:\windows\SysWow64\kUUUCeelIBrzNy.exe
2011-10-07 02:47:43 2412032 ----a-w- C:\windows\SysWow64\zttxxP0uuc1ib.exe
2011-10-07 02:44:11 2412032 ----a-w- C:\windows\SysWow64\mBBttzPPNcAuvDo.exe
2011-10-07 02:36:34 2412032 ----a-w- C:\windows\SysWow64\XYYXXwjjUV.exe
2011-10-07 02:35:59 2412032 ----a-w- C:\windows\SysWow64\I3oonnG4amH6sJf.exe
2011-10-07 02:27:00 2412032 ----a-w- C:\windows\SysWow64\kyccAA1ivonFpm.exe
2011-10-07 02:26:33 2412032 ----a-w- C:\windows\SysWow64\gCCeekIBBrONyAu.exe
2011-10-07 02:24:28 2412032 ----a-w- C:\windows\SysWow64\ennGG4aamH6.exe
2011-10-07 02:23:35 2412032 ----a-w- C:\windows\SysWow64\T0yyccS1ivD3nFa.exe
2011-10-07 02:21:12 2412032 ----a-w- C:\windows\SysWow64\bggTTXqjYCe.exe
2011-10-07 02:13:33 2412032 ----a-w- C:\windows\SysWow64\ztzzPycc1iv2oF4.exe
2011-10-07 02:08:00 2412032 ----a-w- C:\windows\SysWow64\DeeekIVrzONtx0c.exe
2011-10-07 02:07:15 2412032 ----a-w- C:\windows\SysWow64\YvvvS22ibF.exe
2011-10-07 02:05:54 2412032 ----a-w- C:\windows\SysWow64\TpppnGG4aQHs.exe
2011-10-07 01:26:28 -------- d-----w- C:\ProgramData\WSTB
2011-10-05 02:47:35 -------- d-----w- C:\Users\sam\AppData\Roaming\Malwarebytes
2011-10-05 02:47:19 -------- d-----w- C:\ProgramData\Malwarebytes
2011-10-05 02:47:16 -------- d-----w- C:\Program Files (x86)\MALWAREBYTES ANTI-MALWARE
2011-10-05 02:47:15 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-10-05 00:21:56 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2011-10-05 00:21:56 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2011-10-05 00:15:40 -------- d-----w- C:\Program Files (x86)\SpywareBlaster
2011-10-04 02:32:56 -------- d-----w- C:\WTablet
2011-10-04 02:29:32 12288 ------w- C:\windows\SysWow64\drivers\mtdv2ku2.sys
2011-10-04 02:29:32 11648 ------w- C:\windows\SysWow64\drivers\mtdv2ks2.sys
2011-10-04 02:29:31 -------- d-----w- C:\Pana_USB
2011-09-24 16:43:03 1135104 ----a-w- C:\windows\System32\FntCache.dll
2011-09-24 16:43:02 1074176 ----a-w- C:\windows\SysWow64\DWrite.dll
2011-09-24 16:43:00 902656 ----a-w- C:\windows\System32\d2d1.dll
2011-09-24 16:43:00 739840 ----a-w- C:\windows\SysWow64\d2d1.dll
2011-09-24 16:43:00 1540608 ----a-w- C:\windows\System32\DWrite.dll
2011-09-24 16:42:45 31232 ----a-w- C:\windows\SysWow64\prevhost.exe
2011-09-24 16:42:45 31232 ----a-w- C:\windows\System32\prevhost.exe
2011-09-24 16:19:58 367104 ----a-w- C:\windows\System32\wcncsvc.dll
2011-09-24 16:19:58 276992 ----a-w- C:\windows\SysWow64\wcncsvc.dll
2011-09-24 15:49:59 2228224 ----a-w- C:\windows\System32\mssrch.dll
2011-09-24 15:48:59 3134464 ----a-w- C:\windows\System32\win32k.sys
2011-09-24 15:45:25 5507968 ----a-w- C:\windows\System32\ntoskrnl.exe
2011-09-24 15:45:24 3957120 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe
2011-09-24 15:45:24 3902336 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
2011-09-24 15:43:14 987136 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll
2011-09-24 15:43:14 720896 ----a-w- C:\windows\System32\odbc32.dll
2011-09-24 15:43:14 573440 ----a-w- C:\windows\SysWow64\odbc32.dll
2011-09-24 15:43:14 495616 ----a-w- C:\Program Files\Common Files\System\ado\msadox.dll
2011-09-24 15:43:14 466944 ----a-w- C:\Program Files\Common Files\System\ado\msadomd.dll
2011-09-24 15:43:14 372736 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadox.dll
2011-09-24 15:43:14 352256 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadomd.dll
2011-09-24 15:43:14 258048 ----a-w- C:\Program Files\Common Files\System\msadc\msadco.dll
2011-09-24 15:43:14 208896 ----a-w- C:\Program Files (x86)\Common Files\System\msadc\msadco.dll
2011-09-24 15:43:14 1425408 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll
2011-09-24 15:43:13 90624 ----a-w- C:\windows\System32\drivers\bowser.sys
2011-09-23 21:56:03 -------- d-----w- C:\PROGRAM FILES (X86) (X86)
2011-09-23 21:55:19 -------- d-----w- C:\Users\sam\AppData\Roaming\AVG2012
2011-09-23 21:52:39 -------- d-----w- C:\windows\System32\drivers\AVG
2011-09-23 21:52:39 -------- d-----w- C:\ProgramData\AVG2012
.
==================== Find3M ====================
.
2011-08-08 13:08:58 46672 ----a-w- C:\windows\System32\drivers\avgmfx64.sys
2011-07-22 05:35:08 1638912 ----a-w- C:\windows\System32\mshtml.tlb
2011-07-22 04:56:17 1638912 ----a-w- C:\windows\SysWow64\mshtml.tlb
.
============= FINISH: 19:45:45.47 ===============


GMER Log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-14 20:42:10
Windows 6.1.7600
Running: m7jqm1os.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ec2d88
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ec2d88 (not active ControlSet)

---- EOF - GMER 1.0.15 ----


Combofix Log

ComboFix 11-10-09.01 - sam 10/09/2011 9:54.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4029.2647 [GMT -7:00]
Running from: c:\users\sam\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\sam\AppData\Roaming\jsdfgs.bat
c:\windows\$BLSTUN$
c:\windows\assembly\tmp\U
c:\windows\assembly\tmp\U\00000001.@
c:\windows\assembly\tmp\U\00000002.@
c:\windows\assembly\tmp\U\000000c0.@
c:\windows\assembly\tmp\U\000000cb.@
c:\windows\assembly\tmp\U\000000cf.@
c:\windows\assembly\tmp\U\80000000.@
c:\windows\assembly\tmp\U\80000032.@
c:\windows\assembly\tmp\U\80000064.@
c:\windows\assembly\tmp\U\800000c0.@
c:\windows\assembly\tmp\U\800000cb.@
c:\windows\assembly\tmp\U\800000cf.@
c:\windows\system32\consrv.dll
c:\windows\System64
.
.
((((((((((((((((((((((((( Files Created from 2011-09-09 to 2011-10-09 )))))))))))))))))))))))))))))))
.
.
2011-10-09 17:02 . 2011-10-09 17:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\z9wezxvbGJK9qkN
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\tZwlzxv356fTUIN
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\SomQWLqezx2GWRT
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\S23adfTUrAipQWL
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\FZwlzxv356fTUIN
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\XwezxvbGJK
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\QUBN1omQWLq
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\KdZwlzxv356fTUI
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\xyGhxakb7VD
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\PDLrvsqBvQYt2J
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\KKZlcGEw05ZOi5R
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\eA5LISsCumq
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\bhrbWqzS4fYNim8
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\S6jP4TO38On8IvQ
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\vp7w0GLkcmhcm
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\UP4gB4ZBphOpLri
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\oIv5fUypKqOiQ9
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\ExGTynRkuG
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\DfI2Zt4Tt4RBoKV
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\Ikx3KqN1afCy
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\FkiLIcWhxo7wymg
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\yjxF6e26gkP3Jql
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\rv5XNiaLOnLCtbs
2011-10-07 15:55 . 2011-10-07 16:12 -------- d-----w- c:\users\sam\AppData\Roaming\dUx14Ekz2
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\nt1mEheP25gV
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\Fx14Ekz2HKXP
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\Ft1mEheP25gV
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\m8CPos8wClrNxvo
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\r159r2HTOb6qNDW
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\Ul1pdhIunWXruG
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\yk0ba7Yru3HEqIx
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\PQLjOv3HfXItb69
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\eOv3HfXItb69COc
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\JTBumKXI0baKgeO
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\ZziFQRwzD5fUNoJ
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\t5dghUIP1F56Rjy
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\TXkeOzcvF5EqVzi
2011-10-07 04:04 . 2011-10-07 04:04 2412032 ----a-w- c:\windows\SysWow64\EZZqqjYYCwIVr.exe
2011-10-07 04:03 . 2011-10-07 04:03 2412032 ----a-w- c:\windows\SysWow64\A999hTTXq.exe
2011-10-07 04:01 . 2011-10-07 04:01 2412032 ----a-w- c:\windows\SysWow64\BWWWJ77dEL.exe
2011-10-07 04:00 . 2011-10-07 04:00 2412032 ----a-w- c:\windows\SysWow64\cggTTXqjj.exe
2011-10-07 04:00 . 2011-10-07 04:00 2412032 ----a-w- c:\windows\SysWow64\U333pnnG5aQ6dK7.exe
2011-10-07 03:58 . 2011-10-07 03:58 2412032 ----a-w- c:\windows\SysWow64\rIVVrllON.exe
2011-10-07 03:50 . 2011-10-07 03:50 2412032 ----a-w- c:\windows\SysWow64\OL99hhTXqjUCkBr.exe
2011-10-07 03:45 . 2011-10-07 03:45 2412032 ----a-w- c:\windows\SysWow64\KDDD2obFF4.exe
2011-10-07 03:41 . 2011-10-07 03:41 2412032 ----a-w- c:\windows\SysWow64\X22iibFF3paHd.exe
2011-10-07 03:40 . 2011-10-07 03:40 2412032 ----a-w- c:\windows\SysWow64\KXXwwjUVVeIBt.exe
2011-10-07 03:38 . 2011-10-07 03:38 2412032 ----a-w- c:\windows\SysWow64\o66ssWK77fL.exe
2011-10-07 03:38 . 2011-10-07 03:38 2412032 ----a-w- c:\windows\SysWow64\JeellOBBtz0y.exe
2011-10-07 03:27 . 2011-10-07 03:27 2412032 ----a-w- c:\windows\SysWow64\uS22oobF3pmGaJ6.exe
2011-10-07 02:58 . 2011-10-07 02:58 2412032 ----a-w- c:\windows\SysWow64\SCCCekkIBrzOyx0.exe
2011-10-07 02:58 . 2011-10-07 02:58 2412032 ----a-w- c:\windows\SysWow64\DiibD3ppnGaQHs.exe
2011-10-07 02:49 . 2011-10-07 02:49 2412032 ----a-w- c:\windows\SysWow64\kUUUCeelIBrzNy.exe
2011-10-07 02:47 . 2011-10-07 02:47 2412032 ----a-w- c:\windows\SysWow64\zttxxP0uuc1ib.exe
2011-10-07 02:44 . 2011-10-07 02:44 2412032 ----a-w- c:\windows\SysWow64\mBBttzPPNcAuvDo.exe
2011-10-07 02:36 . 2011-10-07 02:36 2412032 ----a-w- c:\windows\SysWow64\XYYXXwjjUV.exe
2011-10-07 02:35 . 2011-10-07 02:35 2412032 ----a-w- c:\windows\SysWow64\I3oonnG4amH6sJf.exe
2011-10-07 02:27 . 2011-10-07 02:27 2412032 ----a-w- c:\windows\SysWow64\kyccAA1ivonFpm.exe
2011-10-07 02:26 . 2011-10-07 02:26 2412032 ----a-w- c:\windows\SysWow64\gCCeekIBBrONyAu.exe
2011-10-07 02:24 . 2011-10-07 02:24 2412032 ----a-w- c:\windows\SysWow64\ennGG4aamH6.exe
2011-10-07 02:23 . 2011-10-07 02:23 2412032 ----a-w- c:\windows\SysWow64\T0yyccS1ivD3nFa.exe
2011-10-07 02:21 . 2011-10-07 02:21 2412032 ----a-w- c:\windows\SysWow64\bggTTXqjYCe.exe
2011-10-07 02:13 . 2011-10-07 02:13 2412032 ----a-w- c:\windows\SysWow64\ztzzPycc1iv2oF4.exe
2011-10-07 02:08 . 2011-10-07 02:08 2412032 ----a-w- c:\windows\SysWow64\DeeekIVrzONtx0c.exe
2011-10-07 02:07 . 2011-10-07 02:07 2412032 ----a-w- c:\windows\SysWow64\YvvvS22ibF.exe
2011-10-07 02:05 . 2011-10-07 02:05 2412032 ----a-w- c:\windows\SysWow64\TpppnGG4aQHs.exe
2011-10-07 01:26 . 2011-10-07 16:12 -------- d-----w- c:\programdata\WSTB
2011-10-07 01:10 . 2011-10-07 16:13 -------- d-----w- c:\program files (x86)\Common Files\PC Tools
2011-10-07 01:10 . 2011-10-07 16:12 -------- d-----w- c:\program files (x86)\PC Tools Security
2011-10-07 01:10 . 2011-10-07 01:10 -------- d-----w- c:\users\sam\AppData\Roaming\PC Tools
2011-10-07 00:09 . 2011-10-07 01:10 -------- d-----w- c:\programdata\PC Tools
2011-10-05 02:47 . 2011-10-05 02:47 -------- d-----w- c:\users\sam\AppData\Roaming\Malwarebytes
2011-10-05 02:47 . 2011-10-05 02:47 -------- d-----w- c:\programdata\Malwarebytes
2011-10-05 02:47 . 2011-10-06 00:06 -------- d-----w- c:\program files (x86)\MALWAREBYTES ANTI-MALWARE
2011-10-05 02:47 . 2011-10-07 16:12 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-10-05 00:21 . 2011-10-07 16:12 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-10-05 00:21 . 2011-10-07 16:12 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2011-10-05 00:15 . 2011-10-07 16:12 -------- d-----w- c:\program files (x86)\SpywareBlaster
2011-10-04 02:32 . 2011-10-04 02:32 -------- d-----w- C:\WTablet
2011-10-04 02:29 . 2003-10-16 09:07 12288 ------w- c:\windows\SysWow64\drivers\mtdv2ku2.sys
2011-10-04 02:29 . 2003-10-12 00:39 11648 ------w- c:\windows\SysWow64\drivers\mtdv2ks2.sys
2011-10-04 02:29 . 2011-10-07 16:12 -------- d-----w- C:\Pana_USB
2011-09-30 21:11 . 2011-09-30 21:11 -------- d-----w- c:\windows\Sun
2011-09-24 16:43 . 2011-02-19 06:37 1135104 ----a-w- c:\windows\system32\FntCache.dll
2011-09-24 16:43 . 2011-02-19 05:32 1074176 ----a-w- c:\windows\SysWow64\DWrite.dll
2011-09-24 16:43 . 2011-02-19 06:37 1540608 ----a-w- c:\windows\system32\DWrite.dll
2011-09-24 16:43 . 2011-02-19 06:36 902656 ----a-w- c:\windows\system32\d2d1.dll
2011-09-24 16:43 . 2011-02-19 05:32 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2011-09-24 16:42 . 2011-02-18 06:33 31232 ----a-w- c:\windows\system32\prevhost.exe
2011-09-24 16:42 . 2011-02-18 05:33 31232 ----a-w- c:\windows\SysWow64\prevhost.exe
2011-09-24 16:19 . 2010-09-14 06:45 367104 ----a-w- c:\windows\system32\wcncsvc.dll
2011-09-24 16:19 . 2010-09-14 06:07 276992 ----a-w- c:\windows\SysWow64\wcncsvc.dll
2011-09-24 15:49 . 2011-05-04 05:28 2228224 ----a-w- c:\windows\system32\mssrch.dll
2011-09-24 15:48 . 2011-06-11 02:56 3134464 ----a-w- c:\windows\system32\win32k.sys
2011-09-24 15:45 . 2011-06-23 05:29 5507968 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-09-24 15:45 . 2011-06-23 04:38 3957120 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2011-09-24 15:45 . 2011-06-23 04:38 3902336 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2011-09-24 15:43 . 2010-10-16 05:17 720896 ----a-w- c:\windows\system32\odbc32.dll
2011-09-24 15:43 . 2010-10-16 05:16 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2011-09-24 15:43 . 2010-10-16 05:16 466944 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2011-09-24 15:43 . 2010-10-16 05:16 1425408 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2011-09-24 15:43 . 2010-10-16 05:16 258048 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2011-09-24 15:43 . 2010-10-16 04:34 573440 ----a-w- c:\windows\SysWow64\odbc32.dll
2011-09-24 15:43 . 2010-10-16 04:33 372736 ----a-w- c:\program files (x86)\Common Files\System\ado\msadox.dll
2011-09-24 15:43 . 2010-10-16 04:33 352256 ----a-w- c:\program files (x86)\Common Files\System\ado\msadomd.dll
2011-09-24 15:43 . 2010-10-16 04:33 987136 ----a-w- c:\program files (x86)\Common Files\System\ado\msado15.dll
2011-09-24 15:43 . 2010-10-16 04:33 208896 ----a-w- c:\program files (x86)\Common Files\System\msadc\msadco.dll
2011-09-24 15:43 . 2011-02-23 05:15 90624 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-09-23 21:56 . 2011-09-23 21:56 -------- d-----w- C:\PROGRAM FILES (X86) (X86)
2011-09-23 21:55 . 2011-10-07 16:12 -------- d-----w- c:\users\sam\AppData\Roaming\AVG2012
2011-09-23 21:52 . 2011-10-07 16:13 -------- d-----w- c:\programdata\AVG2012
2011-09-23 21:52 . 2011-10-07 16:12 -------- d-----w- c:\windows\system32\drivers\AVG
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-08 13:08 . 2011-08-08 13:08 46672 ----a-w- c:\windows\system32\drivers\avgmfx64.sys
2011-07-16 04:32 . 2011-09-24 15:50 44032 ----a-w- c:\windows\apppatch\acwow64.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-30 421888]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2011-09-08 2401120]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WLStart"="c:\program files (x86)\Windows Live\Installer\wlstart.exe" [2009-07-26 768336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe [2011-09-01 5265248]
R2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2011-08-02 192776]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-27 136176]
R3 Bridge0;Bridge0;c:\windows\system32\drivers\WDBridge.sys [x]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-05-23 1030600]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-27 136176]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [x]
R3 Lenovo ReadyComm AppSvc;Lenovo ReadyComm AppSvc;c:\program files\Lenovo\ReadyComm\AppSvc.exe [2009-08-14 509192]
R3 Lenovo ReadyComm ConnSvc;Lenovo ReadyComm ConnSvc;c:\program files\Lenovo\ReadyComm\ConnSvc.exe [2009-09-22 579400]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WinRing0_1_2_0;WinRing0_1_2_0;d:\test\ECECECEC\WinRing0x64.sys [x]
R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [x]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [x]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [x]
S1 funfrm;funfrm; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
S2 DDNIMSGService;DDNIMSGService;c:\program files (x86)\DDNI\Lenovo Idea Notes\DDNIMSGService.exe [2009-06-23 172720]
S2 IGRS;IGRS;c:\program files (x86)\Lenovo\ReadyComm\common\IGRS.exe [2009-07-14 38152]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [x]
S2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [x]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2009-10-22 563760]
S2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [2009-07-15 127272]
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [x]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [x]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [x]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm64.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
S3 wdmirror;wdmirror;c:\windows\system32\DRIVERS\WDMirror.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
IgrsSvcs REG_MULTI_SZ ReadyComm.DirectRouter PS_MDP
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-27 20:31]
.
2011-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-27 20:31]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-18 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-18 387608]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-18 365592]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-07-16 307768]
"EnergyUtility"="c:\program files (x86)\Lenovo\Energy Management\utility.exe" [2009-09-29 4366704]
"Energy Management"="c:\program files (x86)\Lenovo\Energy Management\Energy Management.exe" [2009-08-19 5825536]
"combofix"="c:\combofix\CF16648.3XE" [2009-07-14 344576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lenovo.msn.com
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
LSP: c:\program files (x86)\VMware\VMware Workstation\vsocklib.dll
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\users\sam\AppData\Roaming\Mozilla\Firefox\Profiles\f7jzs3vd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\FlashUtil10b.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\SysWOW64\vmnat.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\VMware\VMware Workstation\vmware-authd.exe
c:\windows\SysWOW64\vmnetdhcp.exe
c:\program files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
c:\program files\Conexant\SAII\SmartAudio.exe
c:\program files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
.
**************************************************************************
.
Completion time: 2011-10-09 11:06:57 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-09 18:06
.
Pre-Run: 14,930,513,920 bytes free
Post-Run: 14,020,911,104 bytes free
.
- - End Of File - - 722B1C04D1478B37925AC85E5ABE84C4

#5 HelpBot


    Bleepin' Binary Bot


  • Bots
  • 12,730 posts
  • Gender:Male
  • Local time:09:03 AM

Posted 17 October 2011 - 07:50 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/423257 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#6 iixsive

  • Topic Starter

  • Members
  • 18 posts
  • Local time:08:03 AM

Posted 18 October 2011 - 06:10 PM

As per the HelpBot instructions, here are the logs.

Lenovo dual core win 7 64 bit

Thank you OBleepin Investigator, here are the logs
Note: when I ran GMER, the check box options on the right side of the screen that start at "System" and go down to "show all" were mostly grayed out; only services, registry, files, C:, and ADS were checked and could be checked.


DDS log: on my computer, dds.SCR WOULD ONLY OPEN UP NOTEPAD; I gave it an EXE extension and it ran fine then.

Do you need the attach.txt?

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_23
Run by sam at 19:43:38 on 2011-10-14
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4029.3015 [GMT -7:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2012\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\Program Files\WTouch\WTouchService.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\windows\SYSTEM32\WISPTIS.EXE
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE
C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\Pen_Tablet.exe
C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\windows\SysWOW64\vmnat.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe
C:\windows\SysWOW64\vmnetdhcp.exe
C:\windows\system32\taskhost.exe
C:\windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\WTablet\Pen_TabletUser.exe
C:\windows\system32\Pen_Tablet.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files (x86)\DDNI\Lenovo Idea Notes\DDNIMSGService.exe
C:\windows\system32\svchost.exe -k HPService
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Microsoft Office\Office\excel.exe
C:\windows\splwow64.exe
C:\windows\system32\taskhost.exe
C:\Program Files\WTouch\WTouchUser.exe
C:\windows\system32\svchost.exe -k SDRSVC
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://lenovo.msn.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
dRunOnce: [WLStart] "C:\Program Files (x86)\Windows Live\Installer\wlstart.exe" /nosearch /nohomepage
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
LSP: C:\Program Files (x86)\VMware\VMware Workstation\vsocklib.dll
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1 68.94.156.1
TCP: Interfaces\{E6608602-7B45-452A-BD8F-48C9536012B9} : DhcpNameServer = 192.168.0.1 68.94.156.1
TCP: Interfaces\{E6608602-7B45-452A-BD8F-48C9536012B9}\3716D637D2960586F6E65602D4977596 : DhcpNameServer = 8.8.8.8
TCP: Interfaces\{E6608602-7B45-452A-BD8F-48C9536012B9}\960786F6E6563716D6 : DhcpNameServer = 68.28.114.91
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
BHO-X64: Search Helper - No File
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
TB-X64: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\sam\AppData\Roaming\Mozilla\Firefox\Profiles\f7jzs3vd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: C:\Program Files (x86)\AVG\AVG2012\Firefox\components\avgssff.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;C:\windows\system32\DRIVERS\AVGIDSEH.Sys --> C:\windows\system32\DRIVERS\AVGIDSEH.Sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\windows\system32\DRIVERS\avgrkx64.sys --> C:\windows\system32\DRIVERS\avgrkx64.sys [?]
R0 PxHlpa64;PxHlpa64;C:\windows\system32\Drivers\PxHlpa64.sys --> C:\windows\system32\Drivers\PxHlpa64.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\windows\system32\DRIVERS\avgldx64.sys --> C:\windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\windows\system32\DRIVERS\avgmfx64.sys --> C:\windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\windows\system32\DRIVERS\avgtdia.sys --> C:\windows\system32\DRIVERS\avgtdia.sys [?]
R1 funfrm;funfrm;C:\windows\system32\drivers\funfrm.sys --> C:\windows\system32\drivers\funfrm.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\windows\system32\DRIVERS\vwififlt.sys --> C:\windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;C:\Program Files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 DDNIMSGService;DDNIMSGService;C:\Program Files (x86)\DDNI\Lenovo Idea Notes\DDNIMSGService.exe [2009-6-23 172720]
R2 IGRS;IGRS;C:\Program Files (x86)\Lenovo\ReadyComm\common\IGRS.exe [2009-7-14 38152]
R2 TabletServicePen;TabletServicePen;C:\windows\system32\Pen_Tablet.exe --> C:\windows\system32\Pen_Tablet.exe [?]
R2 VMUSBArbService;VMware USB Arbitration Service;C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2009-10-22 563760]
R2 WTouchService;WTouch Service;C:\Program Files\WTouch\WTouchService.exe [2010-5-22 127272]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;C:\windows\system32\DRIVERS\AcpiVpc.sys --> C:\windows\system32\DRIVERS\AcpiVpc.sys [?]
R3 AVGIDSDriver;AVGIDSDriver;C:\windows\system32\DRIVERS\AVGIDSDriver.Sys --> C:\windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
R3 AVGIDSFilter;AVGIDSFilter;C:\windows\system32\DRIVERS\AVGIDSFilter.Sys --> C:\windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
R3 pnetmdm;PdaNet Modem;C:\windows\system32\DRIVERS\pnetmdm64.sys --> C:\windows\system32\DRIVERS\pnetmdm64.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\windows\system32\DRIVERS\vwifimp.sys --> C:\windows\system32\DRIVERS\vwifimp.sys [?]
R3 wdmirror;wdmirror;C:\windows\system32\DRIVERS\WDMirror.sys --> C:\windows\system32\DRIVERS\WDMirror.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe [2011-9-1 5265248]
S2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2011-8-2 192776]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-27 136176]
S2 ReadyComm.DirectRouter;ReadyComm.DirectRouter;C:\windows\System32\IgrsSvcs.exe -k IgrsSvcs --> C:\windows\System32\IgrsSvcs.exe -k IgrsSvcs [?]
S3 Bridge0;Bridge0;C:\windows\system32\drivers\WDBridge.sys --> C:\windows\system32\drivers\WDBridge.sys [?]
S3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-5-23 1030600]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-27 136176]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\windows\system32\DRIVERS\k57nd60a.sys --> C:\windows\system32\DRIVERS\k57nd60a.sys [?]
S3 Lenovo ReadyComm AppSvc;Lenovo ReadyComm AppSvc;C:\Program Files\Lenovo\ReadyComm\AppSvc.exe [2010-3-7 509192]
S3 Lenovo ReadyComm ConnSvc;Lenovo ReadyComm ConnSvc;C:\Program Files\Lenovo\ReadyComm\ConnSvc.exe [2010-3-7 579400]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\windows\system32\DRIVERS\netw5v64.sys --> C:\windows\system32\DRIVERS\netw5v64.sys [?]
S3 PS_MDP;ReadyComm Presentation Space Helper Service;C:\windows\System32\IgrsSvcs.exe -k IgrsSvcs --> C:\windows\System32\IgrsSvcs.exe -k IgrsSvcs [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\windows\system32\Drivers\usbaapl64.sys --> C:\windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\windows\system32\Wat\WatAdminSvc.exe --> C:\windows\system32\Wat\WatAdminSvc.exe [?]
S3 wsvd;wsvd;C:\windows\system32\DRIVERS\wsvd.sys --> C:\windows\system32\DRIVERS\wsvd.sys [?]
.
=============== File Associations ===============
.
.scr=AutoCADScriptFile
.
=============== Created Last 30 ================
.
2011-10-09 18:00:15 -------- d-----w- C:\$RECYCLE.BIN
2011-10-09 16:52:18 98816 ----a-w- C:\windows\sed.exe
2011-10-09 16:52:18 518144 ----a-w- C:\windows\SWREG.exe
2011-10-09 16:52:18 256000 ----a-w- C:\windows\PEV.exe
2011-10-09 16:52:18 208896 ----a-w- C:\windows\MBR.exe
2011-10-07 15:59:16 -------- d-----w- C:\Users\sam\AppData\Roaming\z9wezxvbGJK9qkN
2011-10-07 15:59:16 -------- d-----w- C:\Users\sam\AppData\Roaming\tZwlzxv356fTUIN
2011-10-07 15:59:16 -------- d-----w- C:\Users\sam\AppData\Roaming\SomQWLqezx2GWRT
2011-10-07 15:59:16 -------- d-----w- C:\Users\sam\AppData\Roaming\S23adfTUrAipQWL
2011-10-07 15:59:16 -------- d-----w- C:\Users\sam\AppData\Roaming\FZwlzxv356fTUIN
2011-10-07 15:59:15 -------- d-----w- C:\Users\sam\AppData\Roaming\XwezxvbGJK
2011-10-07 15:59:15 -------- d-----w- C:\Users\sam\AppData\Roaming\QUBN1omQWLq
2011-10-07 15:59:15 -------- d-----w- C:\Users\sam\AppData\Roaming\KdZwlzxv356fTUI
2011-10-07 15:57:39 -------- d-----w- C:\Users\sam\AppData\Roaming\xyGhxakb7VD
2011-10-07 15:57:37 -------- d-----w- C:\Users\sam\AppData\Roaming\PDLrvsqBvQYt2J
2011-10-07 15:57:27 -------- d-----w- C:\Users\sam\AppData\Roaming\KKZlcGEw05ZOi5R
2011-10-07 15:57:26 -------- d-----w- C:\Users\sam\AppData\Roaming\eA5LISsCumq
2011-10-07 15:57:26 -------- d-----w- C:\Users\sam\AppData\Roaming\bhrbWqzS4fYNim8
2011-10-07 15:57:23 -------- d-----w- C:\Users\sam\AppData\Roaming\S6jP4TO38On8IvQ
2011-10-07 15:57:17 -------- d-----w- C:\Users\sam\AppData\Roaming\vp7w0GLkcmhcm
2011-10-07 15:57:15 -------- d-----w- C:\Users\sam\AppData\Roaming\UP4gB4ZBphOpLri
2011-10-07 15:57:15 -------- d-----w- C:\Users\sam\AppData\Roaming\oIv5fUypKqOiQ9
2011-10-07 15:57:10 -------- d-----w- C:\Users\sam\AppData\Roaming\ExGTynRkuG
2011-10-07 15:57:08 -------- d-----w- C:\Users\sam\AppData\Roaming\DfI2Zt4Tt4RBoKV
2011-10-07 15:57:07 -------- d-----w- C:\Users\sam\AppData\Roaming\Ikx3KqN1afCy
2011-10-07 15:55:26 -------- d-----w- C:\Users\sam\AppData\Roaming\FkiLIcWhxo7wymg
2011-10-07 15:55:20 -------- d-----w- C:\Users\sam\AppData\Roaming\yjxF6e26gkP3Jql
2011-10-07 15:55:20 -------- d-----w- C:\Users\sam\AppData\Roaming\rv5XNiaLOnLCtbs
2011-10-07 15:55:16 -------- d-----w- C:\Users\sam\AppData\Roaming\nt1mEheP25gV
2011-10-07 15:55:16 -------- d-----w- C:\Users\sam\AppData\Roaming\Fx14Ekz2HKXP
2011-10-07 15:55:16 -------- d-----w- C:\Users\sam\AppData\Roaming\Ft1mEheP25gV
2011-10-07 15:55:16 -------- d-----w- C:\Users\sam\AppData\Roaming\dUx14Ekz2
2011-10-07 15:55:12 -------- d-----w- C:\Users\sam\AppData\Roaming\m8CPos8wClrNxvo
2011-10-07 15:53:57 -------- d-----w- C:\Users\sam\AppData\Roaming\r159r2HTOb6qNDW
2011-10-07 15:53:51 -------- d-----w- C:\Users\sam\AppData\Roaming\Ul1pdhIunWXruG
2011-10-07 15:53:47 -------- d-----w- C:\Users\sam\AppData\Roaming\yk0ba7Yru3HEqIx
2011-10-07 15:53:42 -------- d-----w- C:\Users\sam\AppData\Roaming\PQLjOv3HfXItb69
2011-10-07 15:53:42 -------- d-----w- C:\Users\sam\AppData\Roaming\eOv3HfXItb69COc
2011-10-07 15:53:41 -------- d-----w- C:\Users\sam\AppData\Roaming\JTBumKXI0baKgeO
2011-10-07 15:53:40 -------- d-----w- C:\Users\sam\AppData\Roaming\ZziFQRwzD5fUNoJ
2011-10-07 15:53:40 -------- d-----w- C:\Users\sam\AppData\Roaming\t5dghUIP1F56Rjy
2011-10-07 15:53:39 -------- d-----w- C:\Users\sam\AppData\Roaming\TXkeOzcvF5EqVzi
2011-10-07 04:04:19 2412032 ----a-w- C:\windows\SysWow64\EZZqqjYYCwIVr.exe
2011-10-07 04:03:53 2412032 ----a-w- C:\windows\SysWow64\A999hTTXq.exe
2011-10-07 04:01:00 2412032 ----a-w- C:\windows\SysWow64\BWWWJ77dEL.exe
2011-10-07 04:00:24 2412032 ----a-w- C:\windows\SysWow64\cggTTXqjj.exe
2011-10-07 04:00:14 2412032 ----a-w- C:\windows\SysWow64\U333pnnG5aQ6dK7.exe
2011-10-07 03:58:18 2412032 ----a-w- C:\windows\SysWow64\rIVVrllON.exe
2011-10-07 03:50:45 2412032 ----a-w- C:\windows\SysWow64\OL99hhTXqjUCkBr.exe
2011-10-07 03:45:13 2412032 ----a-w- C:\windows\SysWow64\KDDD2obFF4.exe
2011-10-07 03:41:02 2412032 ----a-w- C:\windows\SysWow64\X22iibFF3paHd.exe
2011-10-07 03:40:36 2412032 ----a-w- C:\windows\SysWow64\KXXwwjUVVeIBt.exe
2011-10-07 03:38:51 2412032 ----a-w- C:\windows\SysWow64\o66ssWK77fL.exe
2011-10-07 03:38:43 2412032 ----a-w- C:\windows\SysWow64\JeellOBBtz0y.exe
2011-10-07 03:27:43 2412032 ----a-w- C:\windows\SysWow64\uS22oobF3pmGaJ6.exe
2011-10-07 02:58:29 2412032 ----a-w- C:\windows\SysWow64\SCCCekkIBrzOyx0.exe
2011-10-07 02:58:10 2412032 ----a-w- C:\windows\SysWow64\DiibD3ppnGaQHs.exe
2011-10-07 02:49:04 2412032 ----a-w- C:\windows\SysWow64\kUUUCeelIBrzNy.exe
2011-10-07 02:47:43 2412032 ----a-w- C:\windows\SysWow64\zttxxP0uuc1ib.exe
2011-10-07 02:44:11 2412032 ----a-w- C:\windows\SysWow64\mBBttzPPNcAuvDo.exe
2011-10-07 02:36:34 2412032 ----a-w- C:\windows\SysWow64\XYYXXwjjUV.exe
2011-10-07 02:35:59 2412032 ----a-w- C:\windows\SysWow64\I3oonnG4amH6sJf.exe
2011-10-07 02:27:00 2412032 ----a-w- C:\windows\SysWow64\kyccAA1ivonFpm.exe
2011-10-07 02:26:33 2412032 ----a-w- C:\windows\SysWow64\gCCeekIBBrONyAu.exe
2011-10-07 02:24:28 2412032 ----a-w- C:\windows\SysWow64\ennGG4aamH6.exe
2011-10-07 02:23:35 2412032 ----a-w- C:\windows\SysWow64\T0yyccS1ivD3nFa.exe
2011-10-07 02:21:12 2412032 ----a-w- C:\windows\SysWow64\bggTTXqjYCe.exe
2011-10-07 02:13:33 2412032 ----a-w- C:\windows\SysWow64\ztzzPycc1iv2oF4.exe
2011-10-07 02:08:00 2412032 ----a-w- C:\windows\SysWow64\DeeekIVrzONtx0c.exe
2011-10-07 02:07:15 2412032 ----a-w- C:\windows\SysWow64\YvvvS22ibF.exe
2011-10-07 02:05:54 2412032 ----a-w- C:\windows\SysWow64\TpppnGG4aQHs.exe
2011-10-07 01:26:28 -------- d-----w- C:\ProgramData\WSTB
2011-10-05 02:47:35 -------- d-----w- C:\Users\sam\AppData\Roaming\Malwarebytes
2011-10-05 02:47:19 -------- d-----w- C:\ProgramData\Malwarebytes
2011-10-05 02:47:16 -------- d-----w- C:\Program Files (x86)\MALWAREBYTES ANTI-MALWARE
2011-10-05 02:47:15 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-10-05 00:21:56 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2011-10-05 00:21:56 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2011-10-05 00:15:40 -------- d-----w- C:\Program Files (x86)\SpywareBlaster
2011-10-04 02:32:56 -------- d-----w- C:\WTablet
2011-10-04 02:29:32 12288 ------w- C:\windows\SysWow64\drivers\mtdv2ku2.sys
2011-10-04 02:29:32 11648 ------w- C:\windows\SysWow64\drivers\mtdv2ks2.sys
2011-10-04 02:29:31 -------- d-----w- C:\Pana_USB
2011-09-24 16:43:03 1135104 ----a-w- C:\windows\System32\FntCache.dll
2011-09-24 16:43:02 1074176 ----a-w- C:\windows\SysWow64\DWrite.dll
2011-09-24 16:43:00 902656 ----a-w- C:\windows\System32\d2d1.dll
2011-09-24 16:43:00 739840 ----a-w- C:\windows\SysWow64\d2d1.dll
2011-09-24 16:43:00 1540608 ----a-w- C:\windows\System32\DWrite.dll
2011-09-24 16:42:45 31232 ----a-w- C:\windows\SysWow64\prevhost.exe
2011-09-24 16:42:45 31232 ----a-w- C:\windows\System32\prevhost.exe
2011-09-24 16:19:58 367104 ----a-w- C:\windows\System32\wcncsvc.dll
2011-09-24 16:19:58 276992 ----a-w- C:\windows\SysWow64\wcncsvc.dll
2011-09-24 15:49:59 2228224 ----a-w- C:\windows\System32\mssrch.dll
2011-09-24 15:48:59 3134464 ----a-w- C:\windows\System32\win32k.sys
2011-09-24 15:45:25 5507968 ----a-w- C:\windows\System32\ntoskrnl.exe
2011-09-24 15:45:24 3957120 ----a-w- C:\windows\SysWow64\ntkrnlpa.exe
2011-09-24 15:45:24 3902336 ----a-w- C:\windows\SysWow64\ntoskrnl.exe
2011-09-24 15:43:14 987136 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll
2011-09-24 15:43:14 720896 ----a-w- C:\windows\System32\odbc32.dll
2011-09-24 15:43:14 573440 ----a-w- C:\windows\SysWow64\odbc32.dll
2011-09-24 15:43:14 495616 ----a-w- C:\Program Files\Common Files\System\ado\msadox.dll
2011-09-24 15:43:14 466944 ----a-w- C:\Program Files\Common Files\System\ado\msadomd.dll
2011-09-24 15:43:14 372736 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadox.dll
2011-09-24 15:43:14 352256 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msadomd.dll
2011-09-24 15:43:14 258048 ----a-w- C:\Program Files\Common Files\System\msadc\msadco.dll
2011-09-24 15:43:14 208896 ----a-w- C:\Program Files (x86)\Common Files\System\msadc\msadco.dll
2011-09-24 15:43:14 1425408 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll
2011-09-24 15:43:13 90624 ----a-w- C:\windows\System32\drivers\bowser.sys
2011-09-23 21:56:03 -------- d-----w- C:\PROGRAM FILES (X86) (X86)
2011-09-23 21:55:19 -------- d-----w- C:\Users\sam\AppData\Roaming\AVG2012
2011-09-23 21:52:39 -------- d-----w- C:\windows\System32\drivers\AVG
2011-09-23 21:52:39 -------- d-----w- C:\ProgramData\AVG2012
.
==================== Find3M ====================
.
2011-08-08 13:08:58 46672 ----a-w- C:\windows\System32\drivers\avgmfx64.sys
2011-07-22 05:35:08 1638912 ----a-w- C:\windows\System32\mshtml.tlb
2011-07-22 04:56:17 1638912 ----a-w- C:\windows\SysWow64\mshtml.tlb
.
============= FINISH: 19:45:45.47 ===============


GMER Log

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-14 20:42:10
Windows 6.1.7600
Running: m7jqm1os.exe


---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ec2d88
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ec2d88 (not active ControlSet)

---- EOF - GMER 1.0.15 ----


Combofix Log

Combofix 11-10-09.01 - sam 10/09/2011 9:54.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4029.2647 [GMT -7:00]
Running from: c:\users\sam\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\sam\AppData\Roaming\jsdfgs.bat
c:\windows\$BLSTUN$
c:\windows\assembly\tmp\U
c:\windows\assembly\tmp\U\00000001.@
c:\windows\assembly\tmp\U\00000002.@
c:\windows\assembly\tmp\U\000000c0.@
c:\windows\assembly\tmp\U\000000cb.@
c:\windows\assembly\tmp\U\000000cf.@
c:\windows\assembly\tmp\U\80000000.@
c:\windows\assembly\tmp\U\80000032.@
c:\windows\assembly\tmp\U\80000064.@
c:\windows\assembly\tmp\U\800000c0.@
c:\windows\assembly\tmp\U\800000cb.@
c:\windows\assembly\tmp\U\800000cf.@
c:\windows\system32\consrv.dll
c:\windows\System64
.
.
((((((((((((((((((((((((( Files Created from 2011-09-09 to 2011-10-09 )))))))))))))))))))))))))))))))
.
.
2011-10-09 17:02 . 2011-10-09 17:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\z9wezxvbGJK9qkN
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\tZwlzxv356fTUIN
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\SomQWLqezx2GWRT
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\S23adfTUrAipQWL
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\FZwlzxv356fTUIN
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\XwezxvbGJK
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\QUBN1omQWLq
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\KdZwlzxv356fTUI
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\xyGhxakb7VD
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\PDLrvsqBvQYt2J
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\KKZlcGEw05ZOi5R
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\eA5LISsCumq
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\bhrbWqzS4fYNim8
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\S6jP4TO38On8IvQ
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\vp7w0GLkcmhcm
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\UP4gB4ZBphOpLri
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\oIv5fUypKqOiQ9
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\ExGTynRkuG
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\DfI2Zt4Tt4RBoKV
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\Ikx3KqN1afCy
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\FkiLIcWhxo7wymg
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\yjxF6e26gkP3Jql
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\rv5XNiaLOnLCtbs
2011-10-07 15:55 . 2011-10-07 16:12 -------- d-----w- c:\users\sam\AppData\Roaming\dUx14Ekz2
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\nt1mEheP25gV
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\Fx14Ekz2HKXP
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\Ft1mEheP25gV
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\m8CPos8wClrNxvo
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\r159r2HTOb6qNDW
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\Ul1pdhIunWXruG
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\yk0ba7Yru3HEqIx
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\PQLjOv3HfXItb69
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\eOv3HfXItb69COc
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\JTBumKXI0baKgeO
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\ZziFQRwzD5fUNoJ
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\t5dghUIP1F56Rjy
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\TXkeOzcvF5EqVzi
2011-10-07 04:04 . 2011-10-07 04:04 2412032 ----a-w- c:\windows\SysWow64\EZZqqjYYCwIVr.exe
2011-10-07 04:03 . 2011-10-07 04:03 2412032 ----a-w- c:\windows\SysWow64\A999hTTXq.exe
2011-10-07 04:01 . 2011-10-07 04:01 2412032 ----a-w- c:\windows\SysWow64\BWWWJ77dEL.exe
2011-10-07 04:00 . 2011-10-07 04:00 2412032 ----a-w- c:\windows\SysWow64\cggTTXqjj.exe
2011-10-07 04:00 . 2011-10-07 04:00 2412032 ----a-w- c:\windows\SysWow64\U333pnnG5aQ6dK7.exe
2011-10-07 03:58 . 2011-10-07 03:58 2412032 ----a-w- c:\windows\SysWow64\rIVVrllON.exe
2011-10-07 03:50 . 2011-10-07 03:50 2412032 ----a-w- c:\windows\SysWow64\OL99hhTXqjUCkBr.exe
2011-10-07 03:45 . 2011-10-07 03:45 2412032 ----a-w- c:\windows\SysWow64\KDDD2obFF4.exe
2011-10-07 03:41 . 2011-10-07 03:41 2412032 ----a-w- c:\windows\SysWow64\X22iibFF3paHd.exe
2011-10-07 03:40 . 2011-10-07 03:40 2412032 ----a-w- c:\windows\SysWow64\KXXwwjUVVeIBt.exe
2011-10-07 03:38 . 2011-10-07 03:38 2412032 ----a-w- c:\windows\SysWow64\o66ssWK77fL.exe
2011-10-07 03:38 . 2011-10-07 03:38 2412032 ----a-w- c:\windows\SysWow64\JeellOBBtz0y.exe
2011-10-07 03:27 . 2011-10-07 03:27 2412032 ----a-w- c:\windows\SysWow64\uS22oobF3pmGaJ6.exe
2011-10-07 02:58 . 2011-10-07 02:58 2412032 ----a-w- c:\windows\SysWow64\SCCCekkIBrzOyx0.exe
2011-10-07 02:58 . 2011-10-07 02:58 2412032 ----a-w- c:\windows\SysWow64\DiibD3ppnGaQHs.exe
2011-10-07 02:49 . 2011-10-07 02:49 2412032 ----a-w- c:\windows\SysWow64\kUUUCeelIBrzNy.exe
2011-10-07 02:47 . 2011-10-07 02:47 2412032 ----a-w- c:\windows\SysWow64\zttxxP0uuc1ib.exe
2011-10-07 02:44 . 2011-10-07 02:44 2412032 ----a-w- c:\windows\SysWow64\mBBttzPPNcAuvDo.exe
2011-10-07 02:36 . 2011-10-07 02:36 2412032 ----a-w- c:\windows\SysWow64\XYYXXwjjUV.exe
2011-10-07 02:35 . 2011-10-07 02:35 2412032 ----a-w- c:\windows\SysWow64\I3oonnG4amH6sJf.exe
2011-10-07 02:27 . 2011-10-07 02:27 2412032 ----a-w- c:\windows\SysWow64\kyccAA1ivonFpm.exe
2011-10-07 02:26 . 2011-10-07 02:26 2412032 ----a-w- c:\windows\SysWow64\gCCeekIBBrONyAu.exe
2011-10-07 02:24 . 2011-10-07 02:24 2412032 ----a-w- c:\windows\SysWow64\ennGG4aamH6.exe
2011-10-07 02:23 . 2011-10-07 02:23 2412032 ----a-w- c:\windows\SysWow64\T0yyccS1ivD3nFa.exe
2011-10-07 02:21 . 2011-10-07 02:21 2412032 ----a-w- c:\windows\SysWow64\bggTTXqjYCe.exe
2011-10-07 02:13 . 2011-10-07 02:13 2412032 ----a-w- c:\windows\SysWow64\ztzzPycc1iv2oF4.exe
2011-10-07 02:08 . 2011-10-07 02:08 2412032 ----a-w- c:\windows\SysWow64\DeeekIVrzONtx0c.exe
2011-10-07 02:07 . 2011-10-07 02:07 2412032 ----a-w- c:\windows\SysWow64\YvvvS22ibF.exe
2011-10-07 02:05 . 2011-10-07 02:05 2412032 ----a-w- c:\windows\SysWow64\TpppnGG4aQHs.exe
2011-10-07 01:26 . 2011-10-07 16:12 -------- d-----w- c:\programdata\WSTB
2011-10-07 01:10 . 2011-10-07 16:13 -------- d-----w- c:\program files (x86)\Common Files\PC Tools
2011-10-07 01:10 . 2011-10-07 16:12 -------- d-----w- c:\program files (x86)\PC Tools Security
2011-10-07 01:10 . 2011-10-07 01:10 -------- d-----w- c:\users\sam\AppData\Roaming\PC Tools
2011-10-07 00:09 . 2011-10-07 01:10 -------- d-----w- c:\programdata\PC Tools
2011-10-05 02:47 . 2011-10-05 02:47 -------- d-----w- c:\users\sam\AppData\Roaming\Malwarebytes
2011-10-05 02:47 . 2011-10-05 02:47 -------- d-----w- c:\programdata\Malwarebytes
2011-10-05 02:47 . 2011-10-06 00:06 -------- d-----w- c:\program files (x86)\MALWAREBYTES ANTI-MALWARE
2011-10-05 02:47 . 2011-10-07 16:12 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-10-05 00:21 . 2011-10-07 16:12 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-10-05 00:21 . 2011-10-07 16:12 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2011-10-05 00:15 . 2011-10-07 16:12 -------- d-----w- c:\program files (x86)\SpywareBlaster
2011-10-04 02:32 . 2011-10-04 02:32 -------- d-----w- C:\WTablet
2011-10-04 02:29 . 2003-10-16 09:07 12288 ------w- c:\windows\SysWow64\drivers\mtdv2ku2.sys
2011-10-04 02:29 . 2003-10-12 00:39 11648 ------w- c:\windows\SysWow64\drivers\mtdv2ks2.sys
2011-10-04 02:29 . 2011-10-07 16:12 -------- d-----w- C:\Pana_USB
2011-09-30 21:11 . 2011-09-30 21:11 -------- d-----w- c:\windows\Sun
2011-09-24 16:43 . 2011-02-19 06:37 1135104 ----a-w- c:\windows\system32\FntCache.dll
2011-09-24 16:43 . 2011-02-19 05:32 1074176 ----a-w- c:\windows\SysWow64\DWrite.dll
2011-09-24 16:43 . 2011-02-19 06:37 1540608 ----a-w- c:\windows\system32\DWrite.dll
2011-09-24 16:43 . 2011-02-19 06:36 902656 ----a-w- c:\windows\system32\d2d1.dll
2011-09-24 16:43 . 2011-02-19 05:32 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2011-09-24 16:42 . 2011-02-18 06:33 31232 ----a-w- c:\windows\system32\prevhost.exe
2011-09-24 16:42 . 2011-02-18 05:33 31232 ----a-w- c:\windows\SysWow64\prevhost.exe
2011-09-24 16:19 . 2010-09-14 06:45 367104 ----a-w- c:\windows\system32\wcncsvc.dll
2011-09-24 16:19 . 2010-09-14 06:07 276992 ----a-w- c:\windows\SysWow64\wcncsvc.dll
2011-09-24 15:49 . 2011-05-04 05:28 2228224 ----a-w- c:\windows\system32\mssrch.dll
2011-09-24 15:48 . 2011-06-11 02:56 3134464 ----a-w- c:\windows\system32\win32k.sys
2011-09-24 15:45 . 2011-06-23 05:29 5507968 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-09-24 15:45 . 2011-06-23 04:38 3957120 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2011-09-24 15:45 . 2011-06-23 04:38 3902336 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2011-09-24 15:43 . 2010-10-16 05:17 720896 ----a-w- c:\windows\system32\odbc32.dll
2011-09-24 15:43 . 2010-10-16 05:16 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2011-09-24 15:43 . 2010-10-16 05:16 466944 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2011-09-24 15:43 . 2010-10-16 05:16 1425408 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2011-09-24 15:43 . 2010-10-16 05:16 258048 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2011-09-24 15:43 . 2010-10-16 04:34 573440 ----a-w- c:\windows\SysWow64\odbc32.dll
2011-09-24 15:43 . 2010-10-16 04:33 372736 ----a-w- c:\program files (x86)\Common Files\System\ado\msadox.dll
2011-09-24 15:43 . 2010-10-16 04:33 352256 ----a-w- c:\program files (x86)\Common Files\System\ado\msadomd.dll
2011-09-24 15:43 . 2010-10-16 04:33 987136 ----a-w- c:\program files (x86)\Common Files\System\ado\msado15.dll
2011-09-24 15:43 . 2010-10-16 04:33 208896 ----a-w- c:\program files (x86)\Common Files\System\msadc\msadco.dll
2011-09-24 15:43 . 2011-02-23 05:15 90624 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-09-23 21:56 . 2011-09-23 21:56 -------- d-----w- C:\PROGRAM FILES (X86) (X86)
2011-09-23 21:55 . 2011-10-07 16:12 -------- d-----w- c:\users\sam\AppData\Roaming\AVG2012
2011-09-23 21:52 . 2011-10-07 16:13 -------- d-----w- c:\programdata\AVG2012
2011-09-23 21:52 . 2011-10-07 16:12 -------- d-----w- c:\windows\system32\drivers\AVG
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-08 13:08 . 2011-08-08 13:08 46672 ----a-w- c:\windows\system32\drivers\avgmfx64.sys
2011-07-16 04:32 . 2011-09-24 15:50 44032 ----a-w- c:\windows\apppatch\acwow64.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-30 421888]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2011-09-08 2401120]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WLStart"="c:\program files (x86)\Windows Live\Installer\wlstart.exe" [2009-07-26 768336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe [2011-09-01 5265248]
R2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2011-08-02 192776]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-27 136176]
R3 Bridge0;Bridge0;c:\windows\system32\drivers\WDBridge.sys [x]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-05-23 1030600]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-27 136176]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [x]
R3 Lenovo ReadyComm AppSvc;Lenovo ReadyComm AppSvc;c:\program files\Lenovo\ReadyComm\AppSvc.exe [2009-08-14 509192]
R3 Lenovo ReadyComm ConnSvc;Lenovo ReadyComm ConnSvc;c:\program files\Lenovo\ReadyComm\ConnSvc.exe [2009-09-22 579400]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WinRing0_1_2_0;WinRing0_1_2_0;d:\test\ECECECEC\WinRing0x64.sys [x]
R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [x]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [x]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [x]
S1 funfrm;funfrm; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
S2 DDNIMSGService;DDNIMSGService;c:\program files (x86)\DDNI\Lenovo Idea Notes\DDNIMSGService.exe [2009-06-23 172720]
S2 IGRS;IGRS;c:\program files (x86)\Lenovo\ReadyComm\common\IGRS.exe [2009-07-14 38152]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [x]
S2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [x]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2009-10-22 563760]
S2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [2009-07-15 127272]
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [x]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [x]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [x]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm64.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
S3 wdmirror;wdmirror;c:\windows\system32\DRIVERS\WDMirror.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
IgrsSvcs REG_MULTI_SZ ReadyComm.DirectRouter PS_MDP
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-27 20:31]
.
2011-10-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-27 20:31]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-18 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-18 387608]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-18 365592]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-07-16 307768]
"EnergyUtility"="c:\program files (x86)\Lenovo\Energy Management\utility.exe" [2009-09-29 4366704]
"Energy Management"="c:\program files (x86)\Lenovo\Energy Management\Energy Management.exe" [2009-08-19 5825536]
"ComboFix"="c:\ComboFix\CF16648.3XE" [2009-07-14 344576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lenovo.msn.com
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
LSP: c:\program files (x86)\VMware\VMware Workstation\vsocklib.dll
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\users\sam\AppData\Roaming\Mozilla\Firefox\Profiles\f7jzs3vd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-mcmscsvc
SafeBoot-MCODS
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\FlashUtil10b.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\SysWOW64\vmnat.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\VMware\VMware Workstation\vmware-authd.exe
c:\windows\SysWOW64\vmnetdhcp.exe
c:\program files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
c:\program files\Conexant\SAII\SmartAudio.exe
c:\program files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
.
**************************************************************************
.
Completion time: 2011-10-09 11:06:57 - machine was rebooted
Combofix-quarantined-files.txt 2011-10-09 18:06
.
Pre-Run: 14,930,513,920 bytes free
Post-Run: 14,020,911,104 bytes free
.
- - End Of File - - 722B1C04D1478B37925AC85E5ABE84C4
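
Reading a ComboFix log by eye is slow, and the traces a dropper leaves are easy to miss in a long "Files Created" list: many files of identical size under random names in one system directory, a burst of random-named folders created minutes apart under AppData\Roaming, and autostart entries whose target lives outside Windows and Program Files. The script below is an added example for this thread; it is not ComboFix's code (ComboFix has no scripting interface) and not part of any post. It parses lines in ComboFix's own line format and flags those three patterns. The sample lines are constructed in that format; the name-randomness score, the 10-minute window, the "three same-size files" threshold and the TRUSTED_PREFIXES list are this example's own assumptions. A hit is a lead for whoever reads the log, not a verdict: the log above itself shows a ComboFix entry under Run, which the tool plants for its own restart after the reboot it performs, and the script flags that path too.

```python
"""
ComboFix log triage: flag the dropper patterns that hide in long logs.

Added example for this thread, not ComboFix's own code.  Thresholds,
TRUSTED_PREFIXES and the name-score heuristic are assumptions of this
example; SAMPLE_LOG is constructed in ComboFix's line format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "Files Created" lines look like:
#   2011-10-07 04:04 . 2011-10-07 04:04 2412032 ----a-w- c:\windows\SysWow64\X.exe
#   2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\abc
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(\d+|-+)\s+([-a-zA-Z]{8})\s+(.+?)\s*$"
)
# Run-key lines look like:  "Name"="c:\path\file.exe" [2009-06-04 186904]
RUN_RE = re.compile(r'^"([^"]+)"="([^"]+)"')

# Assumption: autostart binaries are expected under these roots only.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_created(lines):
    """Return (created, size, is_dir, path) for every 'Files Created' line."""
    entries = []
    for line in lines:
        m = CREATED_RE.match(line.strip())
        if not m:
            continue
        created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        size = int(m.group(2)) if m.group(2).isdigit() else None  # dirs show "--------"
        entries.append((created, size, m.group(3).startswith("d"), m.group(4)))
    return entries


def name_score(filename):
    """Crude randomness score for a file or folder name (>= 2 is suspicious).

    Signals: runs of 2+ capitals followed by a lowercase letter ("ZZq"),
    digits sandwiched between letters ("D2o"), and vowel-starved stems.
    Plain CamelCase such as KeyboardProfileBackup scores 0 on all three.
    """
    stem = filename.rsplit(".", 1)[0]
    score = len(re.findall(r"[A-Z]{2,}[a-z]", stem))
    if re.search(r"[A-Za-z]\d+[A-Za-z]", stem):
        score += 1
    letters = re.findall(r"[A-Za-z]", stem)
    vowels = sum(c.lower() in "aeiou" for c in letters)
    if len(letters) >= 6 and vowels / len(letters) < 0.2:
        score += 1
    return score


def parent_dir(path):
    return path.lower().rsplit("\\", 1)[0]


def same_size_clusters(entries, min_count=3):
    """Files of identical size in one directory: one payload under many names."""
    groups = defaultdict(list)
    for created, size, is_dir, path in entries:
        if not is_dir and size is not None:
            groups[(parent_dir(path), size)].append(path)
    return {key: paths for key, paths in groups.items() if len(paths) >= min_count}


def creation_bursts(entries, window=timedelta(minutes=10), min_count=5):
    """min_count or more entries created under one parent inside `window`."""
    by_parent = defaultdict(list)
    for created, size, is_dir, path in entries:
        by_parent[parent_dir(path)].append((created, path))
    bursts = {}
    for parent, items in by_parent.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            run = [p for t, p in items[i:] if t - start <= window]
            if len(run) >= min_count:
                bursts[parent] = run
                break
    return bursts


def untrusted_autostarts(lines):
    """Run-key values whose target lives outside Windows and Program Files."""
    hits = []
    for line in lines:
        m = RUN_RE.match(line.strip())
        if m and not m.group(2).lower().startswith(TRUSTED_PREFIXES):
            hits.append((m.group(1), m.group(2)))
    return hits


def triage(log_text):
    """Run all three checks over the text of a ComboFix log."""
    lines = log_text.splitlines()
    entries = parse_created(lines)
    return {
        "random_names": sorted(p for _, _, _, p in entries
                               if name_score(p.rsplit("\\", 1)[-1]) >= 2),
        "same_size_clusters": same_size_clusters(entries),
        "creation_bursts": creation_bursts(entries),
        "untrusted_autostarts": untrusted_autostarts(lines),
    }


# Constructed sample in ComboFix's line format (not a real log extract).
SAMPLE_LOG = r"""
2011-10-20 00:23 . 2011-10-20 00:23 200192 ----a-w- c:\windows\SysWow64\srrstr.dll
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\z9wezxvbGJK9qkN
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\SomQWLqezx2GWRT
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\PDLrvsqBvQYt2J
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\xyGhxakb7VD
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\FkiLIcWhxo7wymg
2011-10-07 04:04 . 2011-10-07 04:04 2412032 ----a-w- c:\windows\SysWow64\EZZqqjYYCwIVr.exe
2011-10-07 04:03 . 2011-10-07 04:03 2412032 ----a-w- c:\windows\SysWow64\A999hTTXq.exe
2011-10-07 04:00 . 2011-10-07 04:00 2412032 ----a-w- c:\windows\SysWow64\cggTTXqjj.exe
2011-10-07 03:45 . 2011-10-07 03:45 2412032 ----a-w- c:\windows\SysWow64\KDDD2obFF4.exe
2011-10-05 02:47 . 2011-10-05 02:47 -------- d-----w- c:\programdata\Malwarebytes
2011-09-24 15:45 . 2011-06-23 05:29 5507968 ----a-w- c:\windows\system32\ntoskrnl.exe
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-18 165912]
"ComboFix"="c:\ComboFix\CF16648.3XE" [2009-07-14 344576]
"""

if __name__ == "__main__":
    for check, result in triage(SAMPLE_LOG).items():
        print(f"{check}: {result}")
```

Run it as-is to see the findings for the sample; on a real machine, read C:\ComboFix.txt and pass its contents to triage(). The name score is deliberately crude so that CamelCase names such as KeyboardProfileBackup.dll and short system names such as srrstr.dll stay below the threshold; the same-size cluster and the creation burst are the stronger signals and do not depend on the naming at all.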

#7 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 19 October 2011 - 09:13 AM

Hello iixsive,

I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy and as you can see the logs we ask for are very extensive and take a lot of time to investigate.

Please subscribe to this topic.

  • Click on the Watch Topic button
  • Select Immediate Notification
  • Click on Proceed.

Make sure Word Wrap in Notepad is turned off. When copying and pasting logs, paste them directly in the reply box; only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box. Do not make any changes to your system until we are through. Fixes are based upon information that is current from your system, so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7, it may be necessary to right-click any programs we use and choose Run as Administrator.

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

Please read carefully all directions and instructions. If you are instructed to save a tool to the desktop please save it to the desktop. If you have since resolved the original problem you were having, we would appreciate you letting us know.


Yes, please post Attach.txt


Step 1.

Next, please right-click and delete the copy of ComboFix from your desktop.

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.

2. Close/disable all anti-virus (AVG) and anti-malware programs so they do not interfere with the running of ComboFix. <---- Important

How to temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs. http://www.bleepingcomputer.com/forums/topic114351.html

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" in your next reply

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall



In your next reply please include the following:

ComboFix.txt
Attach.txt



Thanks!!
PW

#8 iixsive

  • Topic Starter
  • Members
  • 18 posts

Posted 19 October 2011 - 09:27 PM

The ComboFix I used was downloaded last week, the day before my first post.
Did you need new updated logs? Is that the reason for downloading ComboFix again, or is it a Win7 version you are directing me to?

#9 pwgib

  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 20 October 2011 - 04:28 AM

Hi ixsive,

ComboFix is updated frequently, and I also need to see a new ComboFix log.



Thanks!!
PW

#10 iixsive

  • Topic Starter
  • Members
  • 18 posts

Posted 20 October 2011 - 09:11 PM

A couple of notes:
I removed AVG completely, yet ComboFix says it is still running! Ran it anyway.
Word wrap is not on in my Notepad program; it only wraps the lines once it is posted to BleepingComputer. Attaching the txt files as well.



ComboFix 11-10-20.03 - sam 10/20/2011 18:51:36.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4029.2839 [GMT -7:00]
Running from: c:\users\sam\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\KeyboardProfileBackup.dll
c:\users\sam\AppData\Local\Ahead\AheadUpdate\Aheadupdt32.DLL
c:\users\sam\AppData\Local\Autodesk\AutodeskUpdate\Autodeskupdt32.dll
c:\users\sam\AppData\Local\ServiceWin32.dll
c:\users\sam\AppData\Roaming\Mozilla\Firefox\Profiles\f7jzs3vd.default\extensions\{3b562681-5e0d-4f1d-860c-7cffcd9f243b}
c:\users\sam\AppData\Roaming\Mozilla\Firefox\Profiles\f7jzs3vd.default\extensions\{3b562681-5e0d-4f1d-860c-7cffcd9f243b}\chrome.manifest
c:\users\sam\AppData\Roaming\Mozilla\Firefox\Profiles\f7jzs3vd.default\extensions\{3b562681-5e0d-4f1d-860c-7cffcd9f243b}\chrome\xulcache.jar
c:\users\sam\AppData\Roaming\Mozilla\Firefox\Profiles\f7jzs3vd.default\extensions\{3b562681-5e0d-4f1d-860c-7cffcd9f243b}\defaults\preferences\xulcache.js
c:\users\sam\AppData\Roaming\Mozilla\Firefox\Profiles\f7jzs3vd.default\extensions\{3b562681-5e0d-4f1d-860c-7cffcd9f243b}\install.rdf
c:\windows\assembly\tmp\U
.
.
((((((((((((((((((((((((( Files Created from 2011-09-21 to 2011-10-21 )))))))))))))))))))))))))))))))
.
.
2011-10-21 01:59 . 2011-10-21 01:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-20 00:23 . 2011-10-20 00:23 200192 ----a-w- c:\windows\SysWow64\srrstr.dll
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\z9wezxvbGJK9qkN
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\tZwlzxv356fTUIN
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\SomQWLqezx2GWRT
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\S23adfTUrAipQWL
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\FZwlzxv356fTUIN
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\XwezxvbGJK
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\QUBN1omQWLq
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\KdZwlzxv356fTUI
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\xyGhxakb7VD
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\PDLrvsqBvQYt2J
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\KKZlcGEw05ZOi5R
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\eA5LISsCumq
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\bhrbWqzS4fYNim8
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\S6jP4TO38On8IvQ
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\vp7w0GLkcmhcm
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\UP4gB4ZBphOpLri
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\oIv5fUypKqOiQ9
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\ExGTynRkuG
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\DfI2Zt4Tt4RBoKV
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\Ikx3KqN1afCy
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\FkiLIcWhxo7wymg
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\yjxF6e26gkP3Jql
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\rv5XNiaLOnLCtbs
2011-10-07 15:55 . 2011-10-07 16:12 -------- d-----w- c:\users\sam\AppData\Roaming\dUx14Ekz2
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\nt1mEheP25gV
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\Fx14Ekz2HKXP
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\Ft1mEheP25gV
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\m8CPos8wClrNxvo
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\r159r2HTOb6qNDW
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\Ul1pdhIunWXruG
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\yk0ba7Yru3HEqIx
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\PQLjOv3HfXItb69
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\eOv3HfXItb69COc
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\JTBumKXI0baKgeO
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\ZziFQRwzD5fUNoJ
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\t5dghUIP1F56Rjy
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\TXkeOzcvF5EqVzi
2011-10-07 04:04 . 2011-10-07 04:04 2412032 ----a-w- c:\windows\SysWow64\EZZqqjYYCwIVr.exe
2011-10-07 04:03 . 2011-10-07 04:03 2412032 ----a-w- c:\windows\SysWow64\A999hTTXq.exe
2011-10-07 04:01 . 2011-10-07 04:01 2412032 ----a-w- c:\windows\SysWow64\BWWWJ77dEL.exe
2011-10-07 04:00 . 2011-10-07 04:00 2412032 ----a-w- c:\windows\SysWow64\cggTTXqjj.exe
2011-10-07 04:00 . 2011-10-07 04:00 2412032 ----a-w- c:\windows\SysWow64\U333pnnG5aQ6dK7.exe
2011-10-07 03:58 . 2011-10-07 03:58 2412032 ----a-w- c:\windows\SysWow64\rIVVrllON.exe
2011-10-07 03:50 . 2011-10-07 03:50 2412032 ----a-w- c:\windows\SysWow64\OL99hhTXqjUCkBr.exe
2011-10-07 03:45 . 2011-10-07 03:45 2412032 ----a-w- c:\windows\SysWow64\KDDD2obFF4.exe
2011-10-07 03:41 . 2011-10-07 03:41 2412032 ----a-w- c:\windows\SysWow64\X22iibFF3paHd.exe
2011-10-07 03:40 . 2011-10-07 03:40 2412032 ----a-w- c:\windows\SysWow64\KXXwwjUVVeIBt.exe
2011-10-07 03:38 . 2011-10-07 03:38 2412032 ----a-w- c:\windows\SysWow64\o66ssWK77fL.exe
2011-10-07 03:38 . 2011-10-07 03:38 2412032 ----a-w- c:\windows\SysWow64\JeellOBBtz0y.exe
2011-10-07 03:27 . 2011-10-07 03:27 2412032 ----a-w- c:\windows\SysWow64\uS22oobF3pmGaJ6.exe
2011-10-07 02:58 . 2011-10-07 02:58 2412032 ----a-w- c:\windows\SysWow64\SCCCekkIBrzOyx0.exe
2011-10-07 02:58 . 2011-10-07 02:58 2412032 ----a-w- c:\windows\SysWow64\DiibD3ppnGaQHs.exe
2011-10-07 02:49 . 2011-10-07 02:49 2412032 ----a-w- c:\windows\SysWow64\kUUUCeelIBrzNy.exe
2011-10-07 02:47 . 2011-10-07 02:47 2412032 ----a-w- c:\windows\SysWow64\zttxxP0uuc1ib.exe
2011-10-07 02:44 . 2011-10-07 02:44 2412032 ----a-w- c:\windows\SysWow64\mBBttzPPNcAuvDo.exe
2011-10-07 02:36 . 2011-10-07 02:36 2412032 ----a-w- c:\windows\SysWow64\XYYXXwjjUV.exe
2011-10-07 02:35 . 2011-10-07 02:35 2412032 ----a-w- c:\windows\SysWow64\I3oonnG4amH6sJf.exe
2011-10-07 02:27 . 2011-10-07 02:27 2412032 ----a-w- c:\windows\SysWow64\kyccAA1ivonFpm.exe
2011-10-07 02:26 . 2011-10-07 02:26 2412032 ----a-w- c:\windows\SysWow64\gCCeekIBBrONyAu.exe
2011-10-07 02:24 . 2011-10-07 02:24 2412032 ----a-w- c:\windows\SysWow64\ennGG4aamH6.exe
2011-10-07 02:23 . 2011-10-07 02:23 2412032 ----a-w- c:\windows\SysWow64\T0yyccS1ivD3nFa.exe
2011-10-07 02:21 . 2011-10-07 02:21 2412032 ----a-w- c:\windows\SysWow64\bggTTXqjYCe.exe
2011-10-07 02:13 . 2011-10-07 02:13 2412032 ----a-w- c:\windows\SysWow64\ztzzPycc1iv2oF4.exe
2011-10-07 02:08 . 2011-10-07 02:08 2412032 ----a-w- c:\windows\SysWow64\DeeekIVrzONtx0c.exe
2011-10-07 02:07 . 2011-10-07 02:07 2412032 ----a-w- c:\windows\SysWow64\YvvvS22ibF.exe
2011-10-07 02:05 . 2011-10-07 02:05 2412032 ----a-w- c:\windows\SysWow64\TpppnGG4aQHs.exe
2011-10-07 01:26 . 2011-10-07 16:12 -------- d-----w- c:\programdata\WSTB
2011-10-07 01:10 . 2011-10-07 16:12 -------- d-----w- c:\program files (x86)\PC Tools Security
2011-10-07 01:10 . 2011-10-07 01:10 -------- d-----w- c:\users\sam\AppData\Roaming\PC Tools
2011-10-07 00:09 . 2011-10-07 01:10 -------- d-----w- c:\programdata\PC Tools
2011-10-05 02:47 . 2011-10-05 02:47 -------- d-----w- c:\users\sam\AppData\Roaming\Malwarebytes
2011-10-05 02:47 . 2011-10-05 02:47 -------- d-----w- c:\programdata\Malwarebytes
2011-10-05 02:47 . 2011-10-06 00:06 -------- d-----w- c:\program files (x86)\MALWAREBYTES ANTI-MALWARE
2011-10-05 02:47 . 2011-10-07 16:12 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-10-05 00:21 . 2011-10-07 16:12 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-10-05 00:21 . 2011-10-07 16:12 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2011-10-05 00:15 . 2011-10-07 16:12 -------- d-----w- c:\program files (x86)\SpywareBlaster
2011-10-04 02:32 . 2011-10-04 02:32 -------- d-----w- C:\WTablet
2011-09-30 21:11 . 2011-09-30 21:11 -------- d-----w- c:\windows\Sun
2011-09-24 16:43 . 2011-02-19 06:37 1135104 ----a-w- c:\windows\system32\FntCache.dll
2011-09-24 16:43 . 2011-02-19 05:32 1074176 ----a-w- c:\windows\SysWow64\DWrite.dll
2011-09-24 16:43 . 2011-02-19 06:37 1540608 ----a-w- c:\windows\system32\DWrite.dll
2011-09-24 16:43 . 2011-02-19 06:36 902656 ----a-w- c:\windows\system32\d2d1.dll
2011-09-24 16:43 . 2011-02-19 05:32 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2011-09-24 16:42 . 2011-02-18 06:33 31232 ----a-w- c:\windows\system32\prevhost.exe
2011-09-24 16:42 . 2011-02-18 05:33 31232 ----a-w- c:\windows\SysWow64\prevhost.exe
2011-09-24 16:19 . 2010-09-14 06:45 367104 ----a-w- c:\windows\system32\wcncsvc.dll
2011-09-24 16:19 . 2010-09-14 06:07 276992 ----a-w- c:\windows\SysWow64\wcncsvc.dll
2011-09-24 15:49 . 2011-05-04 05:28 2228224 ----a-w- c:\windows\system32\mssrch.dll
2011-09-24 15:48 . 2011-06-11 02:56 3134464 ----a-w- c:\windows\system32\win32k.sys
2011-09-24 15:45 . 2011-06-23 05:29 5507968 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-09-24 15:45 . 2011-06-23 04:38 3957120 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2011-09-24 15:45 . 2011-06-23 04:38 3902336 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2011-09-24 15:43 . 2010-10-16 05:17 720896 ----a-w- c:\windows\system32\odbc32.dll
2011-09-24 15:43 . 2010-10-16 05:16 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2011-09-24 15:43 . 2010-10-16 05:16 466944 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2011-09-24 15:43 . 2010-10-16 05:16 1425408 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2011-09-24 15:43 . 2010-10-16 05:16 258048 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2011-09-24 15:43 . 2010-10-16 04:34 573440 ----a-w- c:\windows\SysWow64\odbc32.dll
2011-09-24 15:43 . 2010-10-16 04:33 372736 ----a-w- c:\program files (x86)\Common Files\System\ado\msadox.dll
2011-09-24 15:43 . 2010-10-16 04:33 352256 ----a-w- c:\program files (x86)\Common Files\System\ado\msadomd.dll
2011-09-24 15:43 . 2010-10-16 04:33 987136 ----a-w- c:\program files (x86)\Common Files\System\ado\msado15.dll
2011-09-24 15:43 . 2010-10-16 04:33 208896 ----a-w- c:\program files (x86)\Common Files\System\msadc\msadco.dll
2011-09-24 15:43 . 2011-02-23 05:15 90624 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-09-23 21:56 . 2011-09-23 21:56 -------- d-----w- C:\PROGRAM FILES (X86) (X86)
2011-09-23 21:55 . 2011-10-07 16:12 -------- d-----w- c:\users\sam\AppData\Roaming\AVG2012
2011-09-23 21:52 . 2011-10-07 16:13 -------- d-----w- c:\programdata\AVG2012
2011-09-23 21:52 . 2011-10-07 16:12 -------- d-----w- c:\windows\system32\drivers\AVG
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-08-08 13:08 . 2011-08-08 13:08 46672 ----a-w- c:\windows\system32\drivers\avgmfx64.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-09_18.00.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-12 14:42 . 2011-10-21 01:48 41764 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-10-21 01:48 48430 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-04-30 15:08 . 2011-10-21 01:48 13410 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1647630610-1250919632-3244903647-1003_UserData.bin
+ 2011-10-07 01:29 . 2011-10-21 01:03 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
- 2011-10-07 01:29 . 2011-10-07 00:13 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
+ 2010-04-30 02:36 . 2011-10-21 01:51 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-04-30 02:36 . 2011-10-09 16:43 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-04-30 02:36 . 2011-10-09 16:43 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-04-30 02:36 . 2011-10-21 01:51 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-04-30 02:36 . 2011-10-09 16:43 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-04-30 02:36 . 2011-10-21 01:51 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-04-30 00:09 . 2011-10-21 01:51 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-04-30 00:09 . 2011-10-09 16:42 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-04-30 00:09 . 2011-10-21 01:51 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-04-30 00:09 . 2011-10-09 16:42 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-10-07 16:14 . 2011-10-09 17:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-10-21 01:46 . 2011-10-21 01:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-10-21 01:46 . 2011-10-21 01:46 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-10-07 16:14 . 2011-10-09 17:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 04:54 . 2011-10-16 16:47 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-10-09 16:51 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-04-30 02:30 . 2011-10-21 00:26 330884 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
- 2009-07-14 02:36 . 2011-10-09 16:45 644692 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-10-21 01:52 644692 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-10-09 16:45 115076 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2011-10-21 01:52 115076 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2011-10-07 00:03 460472 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-10-21 01:45 460472 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 04:54 . 2011-10-09 16:51 3424256 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-10-16 16:47 3424256 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-10-16 16:47 1081344 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2011-10-09 16:51 1081344 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-05 21:15 . 2011-10-21 01:45 1068088 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2011-05-05 21:15 . 2011-10-07 00:48 1068088 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2009-07-14 02:34 . 2011-10-09 17:39 10485760 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:34 . 2011-10-15 04:54 10485760 c:\windows\system32\SMI\Store\Machine\schema.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-30 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WLStart"="c:\program files (x86)\Windows Live\Installer\wlstart.exe" [2009-07-26 768336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe [x]
R2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-27 136176]
R3 Bridge0;Bridge0;c:\windows\system32\drivers\WDBridge.sys [x]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-05-23 1030600]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-27 136176]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [x]
R3 Lenovo ReadyComm AppSvc;Lenovo ReadyComm AppSvc;c:\program files\Lenovo\ReadyComm\AppSvc.exe [2009-08-14 509192]
R3 Lenovo ReadyComm ConnSvc;Lenovo ReadyComm ConnSvc;c:\program files\Lenovo\ReadyComm\ConnSvc.exe [2009-09-22 579400]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WinRing0_1_2_0;WinRing0_1_2_0;d:\test\ECECECEC\WinRing0x64.sys [x]
R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [x]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [x]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [x]
S1 funfrm;funfrm; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
S2 DDNIMSGService;DDNIMSGService;c:\program files (x86)\DDNI\Lenovo Idea Notes\DDNIMSGService.exe [2009-06-23 172720]
S2 IGRS;IGRS;c:\program files (x86)\Lenovo\ReadyComm\common\IGRS.exe [2009-07-14 38152]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [x]
S2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [x]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2009-10-22 563760]
S2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [2009-07-15 127272]
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [x]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [x]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [x]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm64.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
S3 wdmirror;wdmirror;c:\windows\system32\DRIVERS\WDMirror.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
IgrsSvcs REG_MULTI_SZ ReadyComm.DirectRouter PS_MDP
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-27 20:31]
.
2011-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-27 20:31]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-18 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-18 387608]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-18 365592]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-07-16 307768]
"EnergyUtility"="c:\program files (x86)\Lenovo\Energy Management\utility.exe" [2009-09-29 4366704]
"Energy Management"="c:\program files (x86)\Lenovo\Energy Management\Energy Management.exe" [2009-08-19 5825536]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lenovo.msn.com
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
LSP: c:\program files (x86)\VMware\VMware Workstation\vsocklib.dll
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\users\sam\AppData\Roaming\Mozilla\Firefox\Profiles\f7jzs3vd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKCU-Run-KeyboardProfileBackup - c:\programdata\KeyboardProfileBackup.dll
Wow6432Node-HKCU-Run-7-Zip Update - c:\users\sam\AppData\Local\Autodesk\AutodeskUpdate\Autodeskupdt32.DLL
Wow6432Node-HKCU-Run-Bitberry Update - c:\users\sam\AppData\Local\Ahead\AheadUpdate\Aheadupdt32.DLL
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\FlashUtil10b.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-10-20 19:02:22
ComboFix-quarantined-files.txt 2011-10-21 02:02
.
Pre-Run: 12,350,160,896 bytes free
Post-Run: 12,183,687,168 bytes free
.
- - End Of File - - 3D6D492748A60C27DF2F188BD642151B


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 4/29/2010 1:49:58 PM
System Uptime: 10/13/2011 3:05:51 PM (28 hours ago)
.
Motherboard: LENOVO | | NITU1
Processor: Pentium® Dual-Core CPU T4400 @ 2.20GHz | U2E1 | 2200/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 188 GiB total, 12.84 GiB free.
D: is FIXED (NTFS) - 30 GiB total, 8.414 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Photosmart C309a series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart C309a series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
==== System Restore Points ===================
.
RP120: 10/9/2011 9:52:21 AM - ComboFix created restore point
.
==== Installed Programs ======================
.
Address Book
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Elements 7.0
Adobe Reader 9.4.2
Apple Application Support
Apple Software Update
Bamboo
Broadcom 802.11 Wireless Driver
CCleaner
DiskAid 1.5
Documents To Go Desktop for iPhone
DVD Decrypter (Remove Only)
EasyCapture
Energy Management
EPSON Scan
Express Rip
FinalTorrent 2010
Free Accounting 2.0.0
Free Ultra Video Editor 3.2.0.2
Google Earth
Google Update Helper
Java Auto Updater
Java™ 6 Update 23
Junk Mail filter update
Lenovo EasyCamera
Lenovo First Boot
Lenovo Idea Notes
Lenovo OneKey Recovery
Lenovo ReadyComm 5
Lenovo ReadyComm 5.0 Service
LightScribe System Software 1.14.17.1
Malcode Analyst Pack v0.21
Microsoft Choice Guard
Microsoft Excel 97
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server Desktop Engine
Microsoft SQL Server Setup Support Files (English)
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Word 97
Mozilla Firefox (3.0.15)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 7 Essentials
neroxml
PdaNet Desktop (64 bit) for iPhone 1.54
Power2Go
PS_AIO_05_C309_Software_Min
QuickTime
Realtek USB 2.0 Card Reader
Scan
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Spelling Dictionaries Support For Adobe Reader 9
Switch Sound File Converter
The Free Bible
Toolbox
tools-freebsd
tools-linux
tools-netware
tools-solaris
tools-windows
tools-winPre2k
TurboTax 2010
TurboTax 2010 wcaiper
TurboTax 2010 WinPerFedFormset
TurboTax 2010 WinPerReleaseEngine
TurboTax 2010 WinPerTaxSupport
TurboTax 2010 wrapper
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
USB Driver for Panasonic DVC
Visual C++ 8.0 Runtime Setup Package (x64)
Visual Studio 2008 x64 Redistributables
VMware Workstation
WavePad Sound Editor
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
WinZip
YouTube Downloader 2.7.2
.
==== Event Viewer Messages From Past Week ========
.
10/9/2011 9:47:58 AM, Error: Service Control Manager [7034] - The EPSON V3 Service4(01) service terminated unexpectedly. It has done this 1 time(s).
10/9/2011 9:47:43 AM, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
10/9/2011 9:41:15 AM, Error: Microsoft-Windows-DNS-Client [1012] - There was an error while attempting to read the local hosts file.
10/9/2011 9:41:04 AM, Error: Service Control Manager [7001] - The Windows Firewall service depends on the Windows Firewall Authorization Driver service which failed to start because of the following error: Cannot create a file when that file already exists.
10/9/2011 9:41:04 AM, Error: Service Control Manager [7000] - The Windows Firewall Authorization Driver service failed to start due to the following error: Cannot create a file when that file already exists.
10/9/2011 11:01:18 AM, Error: Service Control Manager [7000] - The Windows Presentation Foundation Font Cache 3.0.0.0 service failed to start due to the following error: A device attached to the system is not functioning.
10/9/2011 10:59:43 AM, Error: Service Control Manager [7024] - The AVG WatchDog service terminated with service-specific error %%-536805315.
10/9/2011 10:59:43 AM, Error: Service Control Manager [7000] - The ReadyComm.DirectRouter service failed to start due to the following error: The system cannot find the file specified.
10/9/2011 10:02:45 AM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
10/9/2011 10:02:01 AM, Error: Application Popup [1060] - \??\C:\ComboFix\catchme.sys has been blocked from loading due to incompatibility with this system. Please contact your software vendor for a compatible version of the driver.
10/7/2011 9:06:22 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
10/7/2011 9:05:17 AM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
10/7/2011 9:05:16 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
10/7/2011 9:05:15 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
10/7/2011 9:05:12 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
10/7/2011 9:05:12 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
10/7/2011 9:05:10 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/7/2011 9:05:03 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
10/7/2011 9:04:46 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC discache NetBIOS NetBT nsiproxy Psched rdbss spldr Tcpip tdx vwififlt Wanarpv6 WfpLwf ws2ifsl
10/7/2011 9:04:46 AM, Error: Service Control Manager [7003] - The SBSD Security Center Service service depends the following service: wscsvc. This service might not be installed.
10/7/2011 9:04:46 AM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
10/7/2011 9:04:46 AM, Error: Service Control Manager [7001] - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/7/2011 9:04:46 AM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
10/7/2011 9:04:46 AM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
10/7/2011 9:04:46 AM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
10/7/2011 9:04:46 AM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
10/7/2011 9:04:46 AM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service driver. service which failed to start because of the following error: A device attached to the system is not functioning.
10/7/2011 9:04:46 AM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/7/2011 9:04:46 AM, Error: Service Control Manager [7001] - The Network Connections service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
10/7/2011 9:04:46 AM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
10/7/2011 9:04:46 AM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/7/2011 9:04:46 AM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancillary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
10/7/2011 9:04:46 AM, Error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/7/2011 9:04:46 AM, Error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/7/2011 9:01:24 AM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
10/7/2011 8:58:08 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Intuit Update Service service to connect.
10/7/2011 8:58:08 AM, Error: Service Control Manager [7000] - The Intuit Update Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/7/2011 5:58:06 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
10/7/2011 11:35:57 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the lmhosts service.
10/11/2011 4:58:40 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the IPBusEnum service.
.
==== End Of File ===========================

#11 iixsive
  • Topic Starter
  • Members
  • 18 posts

Posted 20 October 2011 - 09:34 PM

On another note, any clue what antivirus would have caught this bug before it jacked me up

#12 pwgib
  • Malware Response Team
  • 2,956 posts
  • Gender:Male
  • Location:God's Country

Posted 21 October 2011 - 08:48 AM

Hi iixsive,

On another note, any clue what antivirus would have caught this bug before it jacked me up

Not really. Malware writers/distributors are continuously changing/adding code to their applications to foil anti-virus/anti-malware vendors, who are always playing catch up. After all, they can not write a definition for specific malware until it is seen in the wild. Some companies use heuristic detection, which analyzes a file's characteristics and behavior to determine if it is malware, but even this is not 100% accurate.

Infections are spread various ways, from the user visiting an infected web site to opening an e-mail attachment. Some malware exploit vulnerabilities in legitimate programs such as Windows, hence all the "hotfixes" and updates. Those that spread malware love P2P programs as it provides an open door to a system to propagate their malware. (See the warning below).

For more in depth information please read quietman7's excellent article How Malware Spreads - How did I get infected

I removed AVG completely, yet combofix says it is still running! ran it anyway

AVG Removal Tool

Please install Microsoft Security Essentials. When we are through you can uninstall Microsoft Security Essentials and reinstall AVG 2012.

Remember: you should never have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.


I noticed that you have FinalTorrent 2010 installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall FinalTorrent 2010, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


The following is referring to PC Tools which contains a registry cleaner function.
Please be aware that Bleeping Computer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your pc to be inoperable.
This is done, assuming that the major audience here at this board might be inexperienced users and thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to an "optional fix" and is up to the user, so just take this as a recommendation from my side.

I also see CCleaner installed. This is an excellent utility which I recommend, but it does contain a registry cleaner application. I recommend that you do not use the CCleaner registry cleaner.

More information about registry cleaners can be found at Miekiemoes Blog



I need you to disable or temporarily uninstall PC Tools Security as it will interfere with our fix. To disable right click on the tray icon and choose Shutdown. <----Important!!



Step 1.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.



Step 2.

We need to run a Combofix Script

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <<----Important
3. Open notepad and copy/paste the text in the codebox below into it:

Folder::
c:\users\sam\AppData\Roaming\z9wezxvbGJK9qkN
c:\users\sam\AppData\Roaming\tZwlzxv356fTUIN
c:\users\sam\AppData\Roaming\SomQWLqezx2GWRT
c:\users\sam\AppData\Roaming\S23adfTUrAipQWL
c:\users\sam\AppData\Roaming\FZwlzxv356fTUIN
c:\users\sam\AppData\Roaming\XwezxvbGJK
c:\users\sam\AppData\Roaming\QUBN1omQWLq
c:\users\sam\AppData\Roaming\KdZwlzxv356fTUI
c:\users\sam\AppData\Roaming\xyGhxakb7VD
c:\users\sam\AppData\Roaming\PDLrvsqBvQYt2J
c:\users\sam\AppData\Roaming\KKZlcGEw05ZOi5R
c:\users\sam\AppData\Roaming\eA5LISsCumq
c:\users\sam\AppData\Roaming\bhrbWqzS4fYNim8
c:\users\sam\AppData\Roaming\S6jP4TO38On8IvQ
c:\users\sam\AppData\Roaming\vp7w0GLkcmhcm
c:\users\sam\AppData\Roaming\UP4gB4ZBphOpLri
c:\users\sam\AppData\Roaming\oIv5fUypKqOiQ9
c:\users\sam\AppData\Roaming\ExGTynRkuG
c:\users\sam\AppData\Roaming\DfI2Zt4Tt4RBoKV
c:\users\sam\AppData\Roaming\Ikx3KqN1afCy
c:\users\sam\AppData\Roaming\FkiLIcWhxo7wymg
c:\users\sam\AppData\Roaming\yjxF6e26gkP3Jql
c:\users\sam\AppData\Roaming\rv5XNiaLOnLCtbs
c:\users\sam\AppData\Roaming\dUx14Ekz2
c:\users\sam\AppData\Roaming\nt1mEheP25gV
c:\users\sam\AppData\Roaming\Fx14Ekz2HKXP
c:\users\sam\AppData\Roaming\Ft1mEheP25gV
c:\users\sam\AppData\Roaming\m8CPos8wClrNxvo
c:\users\sam\AppData\Roaming\r159r2HTOb6qNDW
c:\users\sam\AppData\Roaming\Ul1pdhIunWXruG
c:\users\sam\AppData\Roaming\yk0ba7Yru3HEqIx
c:\users\sam\AppData\Roaming\PQLjOv3HfXItb69
c:\users\sam\AppData\Roaming\eOv3HfXItb69COc
c:\users\sam\AppData\Roaming\JTBumKXI0baKgeO
c:\users\sam\AppData\Roaming\ZziFQRwzD5fUNoJ
c:\users\sam\AppData\Roaming\t5dghUIP1F56Rjy
c:\users\sam\AppData\Roaming\TXkeOzcvF5EqVzi

File::
c:\windows\SysWow64\EZZqqjYYCwIVr.exe
c:\windows\SysWow64\A999hTTXq.exe
c:\windows\SysWow64\BWWWJ77dEL.exe
c:\windows\SysWow64\cggTTXqjj.exe
c:\windows\SysWow64\U333pnnG5aQ6dK7.exe
c:\windows\SysWow64\rIVVrllON.exe
c:\windows\SysWow64\OL99hhTXqjUCkBr.exe
c:\windows\SysWow64\KDDD2obFF4.exe
c:\windows\SysWow64\X22iibFF3paHd.exe
c:\windows\SysWow64\KXXwwjUVVeIBt.exe
c:\windows\SysWow64\o66ssWK77fL.exe
c:\windows\SysWow64\JeellOBBtz0y.exe
c:\windows\SysWow64\uS22oobF3pmGaJ6.exe
c:\windows\SysWow64\SCCCekkIBrzOyx0.exe
c:\windows\SysWow64\DiibD3ppnGaQHs.exe
c:\windows\SysWow64\kUUUCeelIBrzNy.exe
c:\windows\SysWow64\zttxxP0uuc1ib.exe
c:\windows\SysWow64\mBBttzPPNcAuvDo.exe
c:\windows\SysWow64\XYYXXwjjUV.exe
c:\windows\SysWow64\I3oonnG4amH6sJf.exe
c:\windows\SysWow64\kyccAA1ivonFpm.exe
c:\windows\SysWow64\gCCeekIBBrONyAu.exe
c:\windows\SysWow64\ennGG4aamH6.exe
c:\windows\SysWow64\T0yyccS1ivD3nFa.exe
c:\windows\SysWow64\bggTTXqjYCe.exe
c:\windows\SysWow64\ztzzPycc1iv2oF4.exe
c:\windows\SysWow64\DeeekIVrzONtx0c.exe
c:\windows\SysWow64\YvvvS22ibF.exe
c:\windows\SysWow64\TpppnGG4aQHs.exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

If Combofix prompts you to update the program please allow it to do so.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Step 3.


Please rerun MBAM that appears to already be installed on your computer.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
    • Update Malwarebytes' Anti-Malware <--- Important!!
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


In your next reply please include the following:

TDSSKiller log
Combofix.txt
MBAM log


How is your computer running now?


Thanks!!

Edited by pwgib, 21 October 2011 - 08:50 AM.

PW

#13 iixsive

iixsive
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:08:03 AM

Posted 21 October 2011 - 07:45 PM

The computer is just running slow. I will perform the processes you listed tonight. Final torrent was used once and I will remove it.
PC Tools was an attempt at fixing this problem and has already been removed.
I know how I got the virus now: it was from the fraudulent Microsoft update. I was using Firefox and it randomly upgraded itself. Then I decided to do the Microsoft updates. I clicked on the little flag that said to solve PC issues and clicked Microsoft update; Firefox restarted and did the update. I thought that was odd but didn't think much of it... Ugh!

Cleaner I use to clean up the mess Windows and the web leave behind. I am a very careful person, usually...

The ComboFix script looks like a list of files to delete; what else does it do? Is there more info on the program?


Will send the logs when done
And thank you for your help

#14 iixsive

iixsive
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:08:03 AM

Posted 21 October 2011 - 10:11 PM

What a pain. AVG still reported as running even after running the removal tool; guess I will need to dig further into the OS to kill that bug!

Microsoft Security Essentials installed; it found what appeared to be the same list from the ComboFix log.

Ran MBAM; it found a virus in the registry.

Here are the logs:
TDSSKiller

18:39:23.0402 2748 TDSS rootkit removing tool 2.6.12.0 Oct 21 2011 11:23:48
18:39:23.0932 2748 ============================================================
18:39:23.0932 2748 Current date / time: 2011/10/21 18:39:23.0932
18:39:23.0932 2748 SystemInfo:
18:39:23.0932 2748
18:39:23.0932 2748 OS Version: 6.1.7600 ServicePack: 0.0
18:39:23.0932 2748 Product type: Workstation
18:39:23.0932 2748 ComputerName: SAM-PC
18:39:23.0932 2748 UserName: sam
18:39:23.0932 2748 Windows directory: C:\windows
18:39:23.0932 2748 System windows directory: C:\windows
18:39:23.0932 2748 Running under WOW64
18:39:23.0932 2748 Processor architecture: Intel x64
18:39:23.0932 2748 Number of processors: 2
18:39:23.0932 2748 Page size: 0x1000
18:39:23.0932 2748 Boot type: Normal boot
18:39:23.0932 2748 ============================================================
18:39:24.0697 2748 Initialize success
18:39:29.0486 4948 ============================================================
18:39:29.0486 4948 Scan started
18:39:29.0486 4948 Mode: Manual;
18:39:29.0486 4948 ============================================================
18:42:24.0035 4948 usbuhci - ok
18:42:24.0315 4948 usbvideo (7cb8c573c6e4a2714402cc0a36eab4fe) C:\windows\system32\Drivers\usbvideo.sys
18:42:24.0315 4948 usbvideo - ok
18:42:24.0705 4948 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\windows\system32\DRIVERS\vdrvroot.sys
18:42:24.0705 4948 vdrvroot - ok
18:42:24.0815 4948 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\windows\system32\DRIVERS\vgapnp.sys
18:42:24.0815 4948 vga - ok
18:42:25.0345 4948 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\windows\System32\drivers\vga.sys
18:42:25.0345 4948 VgaSave - ok
18:42:25.0891 4948 vhdmp (c82e748660f62a242b2dfac1442f22a4) C:\windows\system32\DRIVERS\vhdmp.sys
18:42:25.0891 4948 vhdmp - ok
18:42:25.0969 4948 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\windows\system32\DRIVERS\viaide.sys
18:42:25.0969 4948 viaide - ok
18:42:26.0733 4948 vmci (cdaa992c18f3f3612444c818a478cf57) C:\windows\system32\drivers\vmci.sys
18:42:26.0733 4948 vmci - ok
18:42:27.0233 4948 vmkbd (ea9c266cd4b4bb7c7d818c1c27461959) C:\windows\system32\drivers\VMkbd.sys
18:42:27.0233 4948 vmkbd - ok
18:42:27.0607 4948 VMnetAdapter (9d54f1339e78c95bf3d9939ebcb66378) C:\windows\system32\DRIVERS\vmnetadapter.sys
18:42:27.0607 4948 VMnetAdapter - ok
18:42:28.0184 4948 VMnetBridge (fb54ef3aa613d2832fd3812e7cb2fc75) C:\windows\system32\DRIVERS\vmnetbridge.sys
18:42:28.0387 4948 VMnetBridge - ok
18:42:29.0323 4948 VMnetuserif (479948eb42e189c076b45ebaf2d12bbc) C:\windows\system32\drivers\vmnetuserif.sys
18:42:29.0323 4948 VMnetuserif - ok
18:42:30.0867 4948 vmx86 (05645d6651ca7a02298aae475bbcad6e) C:\windows\system32\drivers\vmx86.sys
18:42:30.0867 4948 vmx86 - ok
18:42:32.0162 4948 volmgr (2b1a3dae2b4e70dbba822b7a03fbd4a3) C:\windows\system32\DRIVERS\volmgr.sys
18:42:32.0178 4948 volmgr - ok
18:42:33.0426 4948 volmgrx (99b0cbb569ca79acaed8c91461d765fb) C:\windows\system32\drivers\volmgrx.sys
18:42:33.0426 4948 volmgrx - ok
18:42:34.0393 4948 volsnap (58f82eed8ca24b461441f9c3e4f0bf5c) C:\windows\system32\DRIVERS\volsnap.sys
18:42:34.0393 4948 volsnap - ok
18:42:35.0111 4948 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\windows\system32\DRIVERS\vsmraid.sys
18:42:35.0111 4948 vsmraid - ok
18:42:35.0657 4948 vstor2-ws60 (69f57e89e6ebc5012d210527af005a70) C:\Program Files (x86)\VMware\VMware Workstation\vstor2-ws60.sys
18:42:35.0672 4948 vstor2-ws60 - ok
18:42:36.0780 4948 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\windows\system32\DRIVERS\vwifibus.sys
18:42:36.0780 4948 vwifibus - ok
18:42:37.0981 4948 vwififlt (6a3d66263414ff0d6fa754c646612f3f) C:\windows\system32\DRIVERS\vwififlt.sys
18:42:37.0981 4948 vwififlt - ok
18:42:38.0714 4948 vwifimp (6a638fc4bfddc4d9b186c28c91bd1a01) C:\windows\system32\DRIVERS\vwifimp.sys
18:42:38.0714 4948 vwifimp - ok
18:42:39.0635 4948 wacommousefilter (e04d43c7d1641e95d35cae6086c7e350) C:\windows\system32\DRIVERS\wacommousefilter.sys
18:42:39.0635 4948 wacommousefilter - ok
18:42:40.0695 4948 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\windows\system32\DRIVERS\wacompen.sys
18:42:40.0695 4948 WacomPen - ok
18:42:41.0647 4948 wacomvhid (26b430e7c5f598fe7353e3bc4b261321) C:\windows\system32\DRIVERS\wacomvhid.sys
18:42:41.0647 4948 wacomvhid - ok
18:42:42.0443 4948 WacomVKHid (8b4255329edfba3ecfbd0714476fad38) C:\windows\system32\DRIVERS\WacomVKHid.sys
18:42:42.0458 4948 WacomVKHid - ok
18:42:43.0628 4948 WANARP (47ca49400643effd3f1c9a27e1d69324) C:\windows\system32\DRIVERS\wanarp.sys
18:42:43.0628 4948 WANARP - ok
18:42:43.0675 4948 Wanarpv6 (47ca49400643effd3f1c9a27e1d69324) C:\windows\system32\DRIVERS\wanarp.sys
18:42:43.0675 4948 Wanarpv6 - ok
18:42:44.0767 4948 Wd (72889e16ff12ba0f235467d6091b17dc) C:\windows\system32\DRIVERS\wd.sys
18:42:44.0767 4948 Wd - ok
18:42:45.0812 4948 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\windows\system32\drivers\Wdf01000.sys
18:42:45.0828 4948 Wdf01000 - ok
18:42:46.0795 4948 wdmirror (2a444acf7dd446505bcc801f8f6ae5fd) C:\windows\system32\DRIVERS\WDMirror.sys
18:42:46.0795 4948 wdmirror - ok
18:42:47.0669 4948 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\windows\system32\DRIVERS\wfplwf.sys
18:42:47.0669 4948 WfpLwf - ok
18:42:49.0166 4948 WimFltr (b14ef15bd757fa488f9c970eee9c0d35) C:\windows\system32\DRIVERS\wimfltr.sys
18:42:49.0229 4948 WimFltr - ok
18:42:50.0071 4948 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\windows\system32\drivers\wimmount.sys
18:42:50.0071 4948 WIMMount - ok
18:42:50.0087 4948 WinRing0_1_2_0 - ok
18:42:50.0929 4948 WinUsb (817eaff5d38674edd7713b9dfb8e9791) C:\windows\system32\DRIVERS\WinUsb.sys
18:42:50.0929 4948 WinUsb - ok
18:42:51.0959 4948 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\windows\system32\DRIVERS\wmiacpi.sys
18:42:51.0959 4948 WmiAcpi - ok
18:42:52.0692 4948 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\windows\system32\drivers\ws2ifsl.sys
18:42:52.0692 4948 ws2ifsl - ok
18:42:53.0456 4948 wsvd (83575c43b2bfe9ab0661a7f957e843c0) C:\windows\system32\DRIVERS\wsvd.sys
18:42:53.0456 4948 wsvd - ok
18:42:53.0956 4948 WudfPf (7cadc74271dd6461c452c271b30bd378) C:\windows\system32\drivers\WudfPf.sys
18:42:53.0971 4948 WudfPf - ok
18:42:54.0595 4948 WUDFRd (3b197af0fff08aa66b6b2241ca538d64) C:\windows\system32\DRIVERS\WUDFRd.sys
18:42:54.0595 4948 WUDFRd - ok
18:42:54.0673 4948 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
18:42:54.0689 4948 \Device\Harddisk0\DR0 - ok
18:42:54.0689 4948 Boot (0x1200) (d616f3bae803db5fec0c70e9aba9d1f8) \Device\Harddisk0\DR0\Partition0
18:42:54.0689 4948 \Device\Harddisk0\DR0\Partition0 - ok
18:42:54.0923 4948 Boot (0x1200) (950ac2ceb1af732589206880aacf3f0b) \Device\Harddisk0\DR0\Partition1
18:42:54.0923 4948 \Device\Harddisk0\DR0\Partition1 - ok
18:42:54.0954 4948 Boot (0x1200) (433427dc3520bdf30d1419dbc861d52b) \Device\Harddisk0\DR0\Partition2
18:42:54.0954 4948 \Device\Harddisk0\DR0\Partition2 - ok
18:42:54.0954 4948 ============================================================
18:42:54.0954 4948 Scan finished
18:42:54.0954 4948 ============================================================
18:42:54.0970 3320 Detected object count: 0
18:42:54.0985 3320 Actual detected object count: 0
18:43:06.0014 3156 Deinitialize success


Combofix

ComboFix 11-10-21.06 - sam 10/21/2011 18:50:50.3.2 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4029.2227 [GMT -7:00]
Running from: c:\users\sam\Desktop\ComboFix.exe
Command switches used :: c:\users\sam\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\SysWow64\A999hTTXq.exe"
"c:\windows\SysWow64\bggTTXqjYCe.exe"
"c:\windows\SysWow64\BWWWJ77dEL.exe"
"c:\windows\SysWow64\cggTTXqjj.exe"
"c:\windows\SysWow64\DeeekIVrzONtx0c.exe"
"c:\windows\SysWow64\DiibD3ppnGaQHs.exe"
"c:\windows\SysWow64\ennGG4aamH6.exe"
"c:\windows\SysWow64\EZZqqjYYCwIVr.exe"
"c:\windows\SysWow64\gCCeekIBBrONyAu.exe"
"c:\windows\SysWow64\I3oonnG4amH6sJf.exe"
"c:\windows\SysWow64\JeellOBBtz0y.exe"
"c:\windows\SysWow64\KDDD2obFF4.exe"
"c:\windows\SysWow64\kUUUCeelIBrzNy.exe"
"c:\windows\SysWow64\KXXwwjUVVeIBt.exe"
"c:\windows\SysWow64\kyccAA1ivonFpm.exe"
"c:\windows\SysWow64\mBBttzPPNcAuvDo.exe"
"c:\windows\SysWow64\o66ssWK77fL.exe"
"c:\windows\SysWow64\OL99hhTXqjUCkBr.exe"
"c:\windows\SysWow64\rIVVrllON.exe"
"c:\windows\SysWow64\SCCCekkIBrzOyx0.exe"
"c:\windows\SysWow64\T0yyccS1ivD3nFa.exe"
"c:\windows\SysWow64\TpppnGG4aQHs.exe"
"c:\windows\SysWow64\U333pnnG5aQ6dK7.exe"
"c:\windows\SysWow64\uS22oobF3pmGaJ6.exe"
"c:\windows\SysWow64\X22iibFF3paHd.exe"
"c:\windows\SysWow64\XYYXXwjjUV.exe"
"c:\windows\SysWow64\YvvvS22ibF.exe"
"c:\windows\SysWow64\zttxxP0uuc1ib.exe"
"c:\windows\SysWow64\ztzzPycc1iv2oF4.exe"
.
.
((((((((((((((((((((((((( Files Created from 2011-09-22 to 2011-10-22 )))))))))))))))))))))))))))))))
.
.
2011-10-22 02:04 . 2011-10-22 02:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-22 01:17 . 2010-10-19 20:51 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-10-22 01:00 . 2011-10-05 00:22 917840 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1EDD686C-8560-43C8-852D-F26DEDC929C6}\gapaengine.dll
2011-10-22 01:00 . 2011-10-22 01:00 69000 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4E577B13-79E6-4D57-8FE4-1DCD6EA78036}\offreg.dll
2011-10-22 01:00 . 2011-10-18 09:27 8570192 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4E577B13-79E6-4D57-8FE4-1DCD6EA78036}\mpengine.dll
2011-10-22 00:53 . 2011-10-22 00:53 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2011-10-22 00:53 . 2011-10-22 00:54 -------- d-----w- c:\program files\Microsoft Security Client
2011-10-22 00:53 . 2010-04-09 11:06 374664 ----a-w- c:\windows\system32\drivers\netio.sys
2011-10-20 00:23 . 2011-10-20 00:23 200192 ----a-w- c:\windows\SysWow64\srrstr.dll
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\z9wezxvbGJK9qkN
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\tZwlzxv356fTUIN
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\SomQWLqezx2GWRT
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\S23adfTUrAipQWL
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\FZwlzxv356fTUIN
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\XwezxvbGJK
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\QUBN1omQWLq
2011-10-07 15:59 . 2011-10-07 15:59 -------- d-----w- c:\users\sam\AppData\Roaming\KdZwlzxv356fTUI
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\xyGhxakb7VD
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\PDLrvsqBvQYt2J
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\KKZlcGEw05ZOi5R
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\eA5LISsCumq
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\bhrbWqzS4fYNim8
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\S6jP4TO38On8IvQ
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\vp7w0GLkcmhcm
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\UP4gB4ZBphOpLri
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\oIv5fUypKqOiQ9
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\ExGTynRkuG
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\DfI2Zt4Tt4RBoKV
2011-10-07 15:57 . 2011-10-07 15:57 -------- d-----w- c:\users\sam\AppData\Roaming\Ikx3KqN1afCy
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\FkiLIcWhxo7wymg
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\yjxF6e26gkP3Jql
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\rv5XNiaLOnLCtbs
2011-10-07 15:55 . 2011-10-07 16:12 -------- d-----w- c:\users\sam\AppData\Roaming\dUx14Ekz2
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\nt1mEheP25gV
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\Fx14Ekz2HKXP
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\Ft1mEheP25gV
2011-10-07 15:55 . 2011-10-07 15:55 -------- d-----w- c:\users\sam\AppData\Roaming\m8CPos8wClrNxvo
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\r159r2HTOb6qNDW
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\Ul1pdhIunWXruG
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\yk0ba7Yru3HEqIx
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\PQLjOv3HfXItb69
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\eOv3HfXItb69COc
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\JTBumKXI0baKgeO
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\ZziFQRwzD5fUNoJ
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\t5dghUIP1F56Rjy
2011-10-07 15:53 . 2011-10-07 15:53 -------- d-----w- c:\users\sam\AppData\Roaming\TXkeOzcvF5EqVzi
2011-10-07 01:26 . 2011-10-07 16:12 -------- d-----w- c:\programdata\WSTB
2011-10-07 01:10 . 2011-10-07 16:12 -------- d-----w- c:\program files (x86)\PC Tools Security
2011-10-07 01:10 . 2011-10-07 01:10 -------- d-----w- c:\users\sam\AppData\Roaming\PC Tools
2011-10-07 00:09 . 2011-10-07 01:10 -------- d-----w- c:\programdata\PC Tools
2011-10-05 02:47 . 2011-10-05 02:47 -------- d-----w- c:\users\sam\AppData\Roaming\Malwarebytes
2011-10-05 02:47 . 2011-10-05 02:47 -------- d-----w- c:\programdata\Malwarebytes
2011-10-05 02:47 . 2011-10-06 00:06 -------- d-----w- c:\program files (x86)\MALWAREBYTES ANTI-MALWARE
2011-10-05 02:47 . 2011-10-07 16:12 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-10-05 00:21 . 2011-10-07 16:12 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-10-05 00:21 . 2011-10-07 16:12 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2011-10-05 00:15 . 2011-10-07 16:12 -------- d-----w- c:\program files (x86)\SpywareBlaster
2011-10-04 02:32 . 2011-10-04 02:32 -------- d-----w- C:\WTablet
2011-09-30 21:11 . 2011-09-30 21:11 -------- d-----w- c:\windows\Sun
2011-09-24 16:43 . 2011-02-19 06:37 1135104 ----a-w- c:\windows\system32\FntCache.dll
2011-09-24 16:43 . 2011-02-19 05:32 1074176 ----a-w- c:\windows\SysWow64\DWrite.dll
2011-09-24 16:43 . 2011-02-19 06:37 1540608 ----a-w- c:\windows\system32\DWrite.dll
2011-09-24 16:43 . 2011-02-19 06:36 902656 ----a-w- c:\windows\system32\d2d1.dll
2011-09-24 16:43 . 2011-02-19 05:32 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2011-09-24 16:42 . 2011-02-18 06:33 31232 ----a-w- c:\windows\system32\prevhost.exe
2011-09-24 16:42 . 2011-02-18 05:33 31232 ----a-w- c:\windows\SysWow64\prevhost.exe
2011-09-24 16:19 . 2010-09-14 06:45 367104 ----a-w- c:\windows\system32\wcncsvc.dll
2011-09-24 16:19 . 2010-09-14 06:07 276992 ----a-w- c:\windows\SysWow64\wcncsvc.dll
2011-09-24 15:49 . 2011-05-04 05:28 2228224 ----a-w- c:\windows\system32\mssrch.dll
2011-09-24 15:48 . 2011-06-11 02:56 3134464 ----a-w- c:\windows\system32\win32k.sys
2011-09-24 15:45 . 2011-06-23 05:29 5507968 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-09-24 15:45 . 2011-06-23 04:38 3957120 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2011-09-24 15:45 . 2011-06-23 04:38 3902336 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2011-09-24 15:43 . 2010-10-16 05:17 720896 ----a-w- c:\windows\system32\odbc32.dll
2011-09-24 15:43 . 2010-10-16 05:16 495616 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2011-09-24 15:43 . 2010-10-16 05:16 466944 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2011-09-24 15:43 . 2010-10-16 05:16 1425408 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2011-09-24 15:43 . 2010-10-16 05:16 258048 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2011-09-24 15:43 . 2010-10-16 04:34 573440 ----a-w- c:\windows\SysWow64\odbc32.dll
2011-09-24 15:43 . 2010-10-16 04:33 372736 ----a-w- c:\program files (x86)\Common Files\System\ado\msadox.dll
2011-09-24 15:43 . 2010-10-16 04:33 352256 ----a-w- c:\program files (x86)\Common Files\System\ado\msadomd.dll
2011-09-24 15:43 . 2010-10-16 04:33 987136 ----a-w- c:\program files (x86)\Common Files\System\ado\msado15.dll
2011-09-24 15:43 . 2010-10-16 04:33 208896 ----a-w- c:\program files (x86)\Common Files\System\msadc\msadco.dll
2011-09-24 15:43 . 2011-02-23 05:15 90624 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-09-23 21:56 . 2011-09-23 21:56 -------- d-----w- C:\PROGRAM FILES (X86) (X86)
2011-09-23 21:55 . 2011-10-07 16:12 -------- d-----w- c:\users\sam\AppData\Roaming\AVG2012
2011-09-23 21:52 . 2011-10-22 00:30 -------- d-----w- c:\programdata\AVG2012
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-09_18.00.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-12 14:42 . 2011-10-22 00:59 42630 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-10-22 00:59 48484 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-04-30 15:08 . 2011-10-22 00:59 14168 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1647630610-1250919632-3244903647-1003_UserData.bin
+ 2011-10-07 01:29 . 2011-10-21 01:03 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
- 2011-10-07 01:29 . 2011-10-07 00:13 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
+ 2011-04-27 22:25 . 2011-04-27 22:25 84864 c:\windows\system32\drivers\NisDrvWFP.sys
+ 2011-04-18 20:18 . 2011-04-18 20:18 40832 c:\windows\system32\drivers\MpNWMon.sys
- 2010-04-29 04:43 . 2011-10-09 16:41 81920 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-04-29 04:43 . 2011-10-22 00:55 81920 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2011-10-22 00:55 65536 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2011-10-09 16:41 65536 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-04-30 02:36 . 2011-10-09 16:43 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-04-30 02:36 . 2011-10-22 00:58 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:46 . 2011-10-22 00:57 82160 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2010-04-30 02:36 . 2011-10-22 00:58 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-04-30 02:36 . 2011-10-09 16:43 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-04-30 02:36 . 2011-10-09 16:43 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-04-30 02:36 . 2011-10-22 00:58 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-04-30 00:09 . 2011-10-22 01:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-04-30 00:09 . 2011-10-09 16:42 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-04-30 00:09 . 2011-10-22 01:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-04-30 00:09 . 2011-10-09 16:42 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-10-22 00:55 . 2011-10-22 00:55 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-10-07 16:14 . 2011-10-09 17:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-10-22 00:55 . 2011-10-22 00:55 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-10-07 16:14 . 2011-10-09 17:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 04:54 . 2011-10-09 16:51 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2011-10-22 00:55 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-04-30 02:30 . 2011-10-22 00:28 330884 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S4.bin
+ 2010-04-30 04:00 . 2011-10-21 15:47 264928 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 02:36 . 2011-10-22 01:02 646792 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-10-22 01:02 116076 c:\windows\system32\perfc009.dat
+ 2011-04-18 20:18 . 2011-04-18 20:18 189440 c:\windows\system32\drivers\MpFilter.sys
- 2010-04-29 04:43 . 2011-10-09 16:41 901120 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-04-29 04:43 . 2011-10-22 00:55 901120 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 05:01 . 2011-10-07 00:03 460472 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-10-22 00:54 460472 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 04:54 . 2011-10-09 16:51 3424256 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-10-22 00:55 3424256 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-10-22 00:55 1081344 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2011-10-09 16:51 1081344 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:45 . 2011-10-22 00:56 3860019 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 04:45 . 2011-09-24 17:19 3860019 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2011-05-05 21:15 . 2011-10-22 00:54 1068088 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2011-05-05 21:15 . 2011-10-07 00:48 1068088 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-05-20 00:23 . 2011-05-20 00:23 2708992 c:\windows\Installer\1506df.msi
+ 2011-06-15 21:51 . 2011-06-15 21:51 1911808 c:\windows\Installer\1506d8.msi
+ 2009-07-14 02:34 . 2011-10-22 01:06 10485760 c:\windows\system32\SMI\Store\Machine\schema.dat
- 2009-07-14 02:34 . 2011-10-09 17:39 10485760 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2011-10-22 01:49 . 2011-10-22 01:49 10256384 c:\windows\ERDNT\Hiv-backup\schema.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-28 152872]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-30 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WLStart"="c:\program files (x86)\Windows Live\Installer\wlstart.exe" [2009-07-26 768336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-27 136176]
R3 Bridge0;Bridge0;c:\windows\system32\drivers\WDBridge.sys [x]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-05-23 1030600]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-27 136176]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [x]
R3 Lenovo ReadyComm AppSvc;Lenovo ReadyComm AppSvc;c:\program files\Lenovo\ReadyComm\AppSvc.exe [2009-08-14 509192]
R3 Lenovo ReadyComm ConnSvc;Lenovo ReadyComm ConnSvc;c:\program files\Lenovo\ReadyComm\ConnSvc.exe [2009-09-22 579400]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WinRing0_1_2_0;WinRing0_1_2_0;d:\test\ECECECEC\WinRing0x64.sys [x]
R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 funfrm;funfrm; [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
S2 DDNIMSGService;DDNIMSGService;c:\program files (x86)\DDNI\Lenovo Idea Notes\DDNIMSGService.exe [2009-06-23 172720]
S2 IGRS;IGRS;c:\program files (x86)\Lenovo\ReadyComm\common\IGRS.exe [2009-07-14 38152]
S2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [x]
S2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [x]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe [2009-10-22 563760]
S2 WTouchService;WTouch Service;c:\program files\WTouch\WTouchService.exe [2009-07-15 127272]
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [x]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
S3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-28 288272]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm64.sys [x]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
S3 wdmirror;wdmirror;c:\windows\system32\DRIVERS\WDMirror.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 78943855
*NewlyCreated* - MPNWMON
*NewlyCreated* - NISDRV
*Deregistered* - 78943855
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
IgrsSvcs REG_MULTI_SZ ReadyComm.DirectRouter PS_MDP
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-27 20:31]
.
2011-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-27 20:31]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-18 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-18 387608]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-18 365592]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-07-16 307768]
"EnergyUtility"="c:\program files (x86)\Lenovo\Energy Management\utility.exe" [2009-09-29 4366704]
"Energy Management"="c:\program files (x86)\Lenovo\Energy Management\Energy Management.exe" [2009-08-19 5825536]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://lenovo.msn.com
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
LSP: c:\program files (x86)\VMware\VMware Workstation\vsocklib.dll
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.0.1 68.94.156.1
FF - ProfilePath - c:\users\sam\AppData\Roaming\Mozilla\Firefox\Profiles\f7jzs3vd.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\FlashUtil10b.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-10-21 19:27:51
ComboFix-quarantined-files.txt 2011-10-22 02:27
.
Pre-Run: 11,584,765,952 bytes free
Post-Run: 11,575,255,040 bytes free
.
- - End Of File - - 1FE7472829B72F3A7BA00530AFFDCB2E



MBAM

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7996

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

10/21/2011 7:52:09 PM
mbam-log-2011-10-21 (19-52-09).txt

Scan type: Quick scan
Objects scanned: 179599
Time elapsed: 2 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Users\sam\AppData\Local\jux.exe" -a "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





tdskiller

#15 pwgib

pwgib

  • Malware Response Team
  • 2,956 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:God's Country
  • Local time:08:03 AM

Posted 22 October 2011 - 04:23 AM

Hi iixsive,

The combo fix script looks like a list of files to delete; what else does it do? Is there more info on the program?


ComboFix is a program, created by sUBs, that scans your computer for known malware, and when found, attempts to clean these infections automatically. In addition to being able to remove a large amount of the most common and current malware, ComboFix also displays a report that can be used by trained helpers to remove malware that is not automatically removed by the program.

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


We need to run a Combofix Script

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. <<----Important
3. Open notepad and copy/paste the text in the codebox below into it:

SecCenter:: 
{5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
{E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

Folder::
c:\programdata\AVG2012
c:\users\sam\AppData\Roaming\AVG2012
c:\program files (x86)\PC Tools Security
c:\users\sam\AppData\Roaming\PC Tools
c:\programdata\PC Tools
c:\users\sam\AppData\Roaming\z9wezxvbGJK9qkN
c:\users\sam\AppData\Roaming\tZwlzxv356fTUIN
c:\users\sam\AppData\Roaming\SomQWLqezx2GWRT
c:\users\sam\AppData\Roaming\S23adfTUrAipQWL
c:\users\sam\AppData\Roaming\FZwlzxv356fTUIN
c:\users\sam\AppData\Roaming\XwezxvbGJK
c:\users\sam\AppData\Roaming\QUBN1omQWLq
c:\users\sam\AppData\Roaming\KdZwlzxv356fTUI
c:\users\sam\AppData\Roaming\xyGhxakb7VD
c:\users\sam\AppData\Roaming\PDLrvsqBvQYt2J
c:\users\sam\AppData\Roaming\KKZlcGEw05ZOi5R
c:\users\sam\AppData\Roaming\eA5LISsCumq
c:\users\sam\AppData\Roaming\bhrbWqzS4fYNim8
c:\users\sam\AppData\Roaming\S6jP4TO38On8IvQ
c:\users\sam\AppData\Roaming\vp7w0GLkcmhcm
c:\users\sam\AppData\Roaming\UP4gB4ZBphOpLri
c:\users\sam\AppData\Roaming\oIv5fUypKqOiQ9
c:\users\sam\AppData\Roaming\ExGTynRkuG
c:\users\sam\AppData\Roaming\DfI2Zt4Tt4RBoKV
c:\users\sam\AppData\Roaming\Ikx3KqN1afCy
c:\users\sam\AppData\Roaming\FkiLIcWhxo7wymg
c:\users\sam\AppData\Roaming\yjxF6e26gkP3Jql
c:\users\sam\AppData\Roaming\rv5XNiaLOnLCtbs
c:\users\sam\AppData\Roaming\dUx14Ekz2
c:\users\sam\AppData\Roaming\nt1mEheP25gV
c:\users\sam\AppData\Roaming\Fx14Ekz2HKXP
c:\users\sam\AppData\Roaming\Ft1mEheP25gV
c:\users\sam\AppData\Roaming\m8CPos8wClrNxvo
c:\users\sam\AppData\Roaming\r159r2HTOb6qNDW
c:\users\sam\AppData\Roaming\Ul1pdhIunWXruG
c:\users\sam\AppData\Roaming\yk0ba7Yru3HEqIx
c:\users\sam\AppData\Roaming\PQLjOv3HfXItb69
c:\users\sam\AppData\Roaming\eOv3HfXItb69COc
c:\users\sam\AppData\Roaming\JTBumKXI0baKgeO
c:\users\sam\AppData\Roaming\ZziFQRwzD5fUNoJ

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

If Combofix prompts you to update the program please allow it to do so.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


In your next reply please include the following:

ComboFix.txt



Thanks!!

Edited by pwgib, 22 October 2011 - 04:28 AM.

PW
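As an added example (not ComboFix's code and not from the helper's post), the Python below parses the CFScript format used above and decodes the hex(7) BootExecute value the Registry:: section writes back, so a reader can confirm it restores the stock Windows entry rather than something else. The script excerpt is constructed from the post with the folder list shortened, and BASELINE_BOOTEXECUTE assumes the Windows 7 default of "autocheck autochk *".

```python
import re

# Constructed excerpt of the CFScript from the post (Folder:: list shortened).
CFSCRIPT = """SecCenter::
{5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

Folder::
c:\\users\\sam\\AppData\\Roaming\\z9wezxvbGJK9qkN

Registry::
[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\session manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00
"""

# Assumed stock BootExecute on a clean Windows 7 install.
BASELINE_BOOTEXECUTE = ["autocheck autochk *"]

def parse_cfscript(text):
    """Split a CFScript into {section: [lines]} keyed on its 'Name::' headers."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def decode_hex7(value):
    """Decode a .reg-style hex(7) byte list (REG_MULTI_SZ) into its strings."""
    raw = bytes(int(b, 16) for b in value.split(":", 1)[1].split(",") if b)
    # Strings are NUL-separated; the trailing empty string ends the list.
    return [s.decode("latin-1") for s in raw.split(b"\x00") if s]

def boot_execute_from_script(sections):
    """Return the decoded BootExecute entries the Registry:: section sets."""
    for line in sections.get("Registry", []):
        m = re.match(r'"BootExecute"=(hex\(7\):[0-9a-fA-F,]+)', line)
        if m:
            return decode_hex7(m.group(1))
    return None

def unexpected_boot_execute(entries):
    """Entries outside the baseline: what a tampered BootExecute would add."""
    return [e for e in entries if e not in BASELINE_BOOTEXECUTE]
```

Running boot_execute_from_script(parse_cfscript(CFSCRIPT)) yields ["autocheck autochk *"], i.e. the script resets the key to the default rather than to an arbitrary program.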



