Win 7 Security 2012 and Sirefef.DN trojan


  • This topic is locked
34 replies to this topic

#1 volita


Posted 05 December 2011 - 06:47 PM

Hello there,

First I encountered a "Win 7 Security 2012" attack. I took steps for removal, as per http://www.bleepingcomputer.com/virus-removal/remove-win-7-antispyware-2012
Then Nod32 5.0 was warning about the WIN32\Sirefef.DN trojan, and I still have this dialog box appearing at every startup that says:

RunDLL
There was a problem starting
C:\ProgramData\BE887E7A-E821-FAC3-6EEC-E4F9863526FA.avi
The specified module could not be found

Below I will list, in chronological order, what appeared and disappeared, and describe any steps I took:

- Got infected with "Win 7 Security 2012"
- Removed, as much as it can be removed with instructions from http://www.bleepingcomputer.com/virus-removal/remove-win-7-antispyware-2012
- Nod32 sent a warning about the WIN32\Sirefef.DN trojan found in memory.
- There were URL redirects and new browser windows being opened when clicking on a link.
- Nod32 had the WEB and MAIL protection disabled. There was no way for me to restore that functionality, either by changing the settings or repairing the installation
- "RunDLL" dialog box appearing at every startup as per above.
- Ran Combofix (I know, I shouldn't have; I was trying to avoid opening a case like this one and adding to your load. I am sure you are plenty busy)
- When running Combofix, it complained that virus software was active, even though I temporarily disabled protection in Nod32. I saw that the Nod32 services were active, so I uninstalled it before running Combofix, which took over 10 hours overnight.
After that:
- the URL redirects disappeared
- WIN32\Sirefef.DN trojan, I do not know if it is still there as I do not have Nod32 installed
- The "RunDLL" dialog box is still there
- Attempted to reinstall Nod32 unsuccessfully, it rolls back as it approaches the end of the installation.
- When I tried to Turn On Windows Firewall as per the preparation instructions in this site, it gave the following error:
Windows Firewall can't change some of your settings.
Error code 0x80070424
- I see in the task manager that about half of the services are stopped. Maybe I should try to restore the computer to an earlier point. I suspect that Combofix left all these services stopped.

To summarize, at the moment I do not have Virus protection or Firewall. Web browsing seems fine.

Here are the logs, in the chronological order in which they were produced:
1. Combofix
2. DDS.txt
3. Attach.txt
4. ark.txt - stopped this after 7 hours

Thanks

____________________________________________________________________
Combofix log

ComboFix 11-12-04.04 - USER 12/04/2011 23:34:10.1.4 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2935.2096 [GMT -8:00]
Running from: c:\users\USER\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\BE887E7A-E821-FAC3-6EEC-E4F9863526FA.ico
c:\windows\$NtUninstallKB9577$\343879958\@
c:\windows\$NtUninstallKB9577$\343879958\bckfg.tmp
c:\windows\$NtUninstallKB9577$\343879958\cfg.ini
c:\windows\$NtUninstallKB9577$\343879958\Desktop.ini
c:\windows\$NtUninstallKB9577$\343879958\keywords
c:\windows\$NtUninstallKB9577$\343879958\kwrd.dll
c:\windows\$NtUninstallKB9577$\343879958\L\selpaeam
c:\windows\$NtUninstallKB9577$\343879958\lsflt7.ver
c:\windows\$NtUninstallKB9577$\343879958\U\00000001.@
c:\windows\$NtUninstallKB9577$\343879958\U\00000002.@
c:\windows\$NtUninstallKB9577$\343879958\U\00000004.@
c:\windows\$NtUninstallKB9577$\343879958\U\80000000.@
c:\windows\$NtUninstallKB9577$\343879958\U\80000004.@
c:\windows\$NtUninstallKB9577$\343879958\U\80000032.@
c:\windows\$NtUninstallKB9577$\45641871
c:\windows\iun6002.exe
c:\windows\system32\cseDVH.dll
c:\windows\system32\drivers\npf.sys
c:\windows\$NtUninstallKB9577$ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-11-05 to 2011-12-05 )))))))))))))))))))))))))))))))
.
.
2011-12-05 07:50 . 2011-12-05 13:39 -------- d-----w- c:\users\USER\AppData\Local\temp
2011-12-05 07:50 . 2011-12-05 07:50 -------- d-----w- c:\users\TVersity\AppData\Local\temp
2011-12-05 07:50 . 2011-12-05 07:50 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-12-05 06:33 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-12-04 16:51 . 2011-12-04 18:53 -------- d-----w- c:\users\USER\AppData\Local\Adobe
2011-12-04 11:50 . 2011-12-04 17:13 -------- d-----w- C:\Windows Home Server Drivers for Restore
2011-12-02 03:57 . 2011-12-02 03:57 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-12-02 03:57 . 2011-12-02 03:57 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-12-02 03:57 . 2011-12-02 03:57 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-12-02 03:57 . 2011-12-02 03:57 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-12-02 03:57 . 2011-12-02 03:57 801752 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-12-02 03:57 . 2011-12-02 03:57 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-12-02 03:57 . 2011-12-02 03:57 1989592 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-12-02 03:57 . 2011-12-02 03:57 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-12-01 20:32 . 2011-12-01 20:32 -------- d-----w- c:\users\USER\AppData\Roaming\Malwarebytes
2011-12-01 20:31 . 2011-12-01 20:31 -------- d-----w- c:\programdata\Malwarebytes
2011-11-29 19:18 . 2011-10-18 09:28 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{970859CF-A270-4345-A8B3-17858E910E41}\mpengine.dll
2011-11-28 23:38 . 2011-12-04 17:13 -------- d-----w- c:\users\USER\.swt
2011-11-27 02:13 . 2011-12-04 17:13 -------- d-----w- c:\program files\FontList
2011-11-27 02:13 . 2011-12-04 17:13 -------- d-----w- c:\program files\AMP Font Viewer
2011-11-15 20:15 . 2011-11-15 20:15 -------- d-----w- c:\users\USER\AppData\Local\PackageAware
2011-11-13 14:50 . 2011-11-13 14:53 -------- d-----w- c:\program files\RAT
2011-11-13 14:50 . 2011-11-13 14:50 149411 ----a-w- c:\windows\RAT Uninstaller.exe
2011-11-13 04:49 . 2011-08-15 04:25 6144 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-11-13 04:49 . 2011-09-29 15:43 1285488 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-13 04:49 . 2011-10-01 04:43 708608 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-13 04:49 . 2011-09-29 04:20 2339840 ----a-w- c:\windows\system32\win32k.sys
2011-11-13 01:18 . 2011-11-13 05:12 -------- d-----w- c:\program files\Soulseek
2011-11-12 03:59 . 2011-11-12 03:59 -------- d-----w- c:\users\USER\AppData\Roaming\Creative
2011-11-12 03:59 . 2011-11-12 03:59 -------- d-----w- c:\programdata\Creative
2011-11-11 21:02 . 2011-11-11 21:04 -------- d-----w- c:\users\USER\AppData\Local\Conduit
2011-11-11 20:52 . 2011-11-11 20:53 -------- d-----w- c:\users\USER\AppData\Local\Google
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-19 06:50 . 2011-05-16 23:13 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 22:29 . 2011-10-24 22:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 22:29 . 2011-10-24 22:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-01 02:59 . 2011-10-11 19:13 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-09-23 15:14 . 2011-07-04 04:18 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2011-09-23 15:14 . 2011-09-07 21:02 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2011-09-23 15:13 . 2011-09-07 21:02 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2011-09-23 15:13 . 2011-07-04 04:17 539968 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-09-18 04:17 . 2011-03-29 01:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-09-09 18:45 . 2011-08-12 03:10 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2011-09-09 18:45 . 2011-07-04 04:18 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2011-09-09 18:45 . 2011-07-04 04:18 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2011-09-07 21:02 . 2011-09-07 21:02 539968 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2011-12-02 03:57 . 2011-12-02 03:57 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CuteFTP TE"="c:\program files\GlobalSCAPE\CuteFTP 8 Professional\ftpte.exe" [2010-11-13 1549824]
"CachemanTray"="c:\program files\Cacheman\CachemanTray.exe" [2009-05-18 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tvncontrol"="c:\program files\TightVNC\tvnserver.exe" [2010-07-08 815704]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-04-07 495708]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-01-08 1602856]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"RemoteControl10"="c:\program files\CyberLink\PowerDVD10\PDVD10Serv.exe" [2010-02-03 87336]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2006-06-05 188416]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-08 170008]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2010-01-08 140520]
"NexusServer"="c:\program files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [2007-03-27 389120]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-08 136216]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-08 171032]
"Dell Webcam Central"="c:\program files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"BrStsWnd"="c:\program files\Brownie\BrstsWnd.exe" [2009-08-19 3618104]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-06-10 2621440]
"Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2010-10-20 5249024]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-05-27 1159168]
"BDRegion"="c:\program files\Cyberlink\Shared files\brs.exe" [2010-04-02 75048]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2010-11-08 611712]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-09-23 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-23 640440]
"NBAgent"="c:\program files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-09-03 1406248]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
.
c:\users\USER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Check for TWS Updates.lnk - c:\jts\WiseUpdt.exe [2011-11-28 194775]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BE887E7A-E821-FAC3-6EEC-E4F9863526FA.lnk - c:\windows\System32\rundll32.exe [2009-7-13 44544]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-10-20 795936]
Windows Home Server.lnk - c:\program files\Windows Home Server\WHSTrayApp.exe [2011-1-10 603504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sasnative32
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 5689;5689;c:\windows\TEMP\5689.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 ADASPROT;SYSTWEAKASO;c:\program files\Advanced System Optimizer 3\adasprot32.sys [x]
R3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2010-11-08 288112]
R3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [2010-01-25 245760]
R3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\Drivers\CtAudDrv.sys [2009-05-28 134144]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 PcaSp60;Rawether NDIS 6.X SPR Protocol Driver;c:\windows\system32\DRIVERS\PcaSp60.sys [2010-09-07 28672]
R3 UsbFltr;WayTech USB Filter Driver1;c:\windows\system32\Drivers\UsbFltr.sys [2007-04-09 9600]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-11-02 1343400]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2011/03/14 07:22];c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl [2010-04-02 16:11 87536]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_f39a6924a795ad94\aestsrv.exe [2009-03-03 81920]
S2 AMT;Amazon Merchant Transport;c:\amazon\MerchantTransport\service\bin\wrapper.exe [2007-08-13 122880]
S2 AMT_Monitor;AMT Monitor;c:\amazon\MerchantTransport\service\bin\wrapper.exe [2007-08-13 122880]
S2 arXfrSvc;Windows Media Center TV Archive Transfer Service;c:\program files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe [2011-01-10 239472]
S2 CachemanService;Cacheman Service;c:\program files\Cacheman\CachemanServ.exe [2009-05-16 210944]
S2 esClient;Windows Media Center Client Service;c:\program files\Windows Home Server\esClient.exe [2011-01-10 97136]
S2 NAUpdate;Nero Update;c:\program files\Nero\Update\NASvc.exe [2010-05-04 503080]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-07-02 47104]
S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2009-07-01 49152]
S2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2009-07-05 38400]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 tvnserver;TightVNC Server;c:\program files\TightVNC\tvnserver.exe [2010-07-08 815704]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-11-04 2320920]
S2 WHSConnector;Windows Home Server Connector Service;c:\program files\Windows Home Server\WHSConnector.exe [2011-01-10 376688]
S3 BackupReader;BackupReader;c:\windows\system32\DRIVERS\BackupReader.sys [2009-10-07 44776]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 29472]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2009-06-15 143968]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 132480]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2010-02-03 232960]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-06-10 394856]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2215638300-2899534133-1982733279-1001Core.job
- c:\users\USER\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-15 21:17]
.
2011-12-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2215638300-2899534133-1982733279-1001UA.job
- c:\users\USER\AppData\Local\Google\Update\GoogleUpdate.exe [2011-11-15 21:17]
.
2010-11-13 c:\windows\Tasks\USER-mediaAgg.job
- c:\program files\Hewlett-Packard\HP MediaSmart Server\MediaManager.exe [2009-04-24 01:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download All by ASUS Download - c:\program files\ASUS\RT-N56U Wireless Router Utilities\ASDownloadAll.htm
IE: Download using ASUS Download - c:\program files\ASUS\RT-N56U Wireless Router Utilities\ASDownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\OFFICE11\EXCEL.EXE/3000
IE: En&queue current page with BID - file://c:\program files\Bulk Image Downloader\iemenu\iebidqueue.htm
IE: Enqueue link tar&get with BID - file://c:\program files\Bulk Image Downloader\iemenu\iebidlinkqueue.htm
IE: Open &link target with BID - file://c:\program files\Bulk Image Downloader\iemenu\iebidlink.htm
IE: Open current page with BI&D - file://c:\program files\Bulk Image Downloader\iemenu\iebid.htm
IE: Open current page with BID Link Explorer - file://c:\program files\Bulk Image Downloader\iemenu\iebidlinkexplorer.htm
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\suo8v7u0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - hxxp://globalenfant.com https://globalenfant.com
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess);user_pref(yahoo.homepage.dontask, true
.
.
------- File Associations -------
.
.txt=UltraEdit.txt
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{7aeb3efd-e564-43f1-b658-5058a7c5743b} - (no file)
Toolbar-Locked - (no file)
AddRemove-Port_Detective_2.0 - c:\windows\iun6002.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.032\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.032"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.arw"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bay\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.bay"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bw\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.bw"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cs1\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.cs1"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dcx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.dcx"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djv\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.djv"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.djvu\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.djvu"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.fff"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.fpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.fpx"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.icn\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.icn"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.iff"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ilbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.ilbm"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.int\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.int"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.inta\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.inta"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.iw4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.iw4"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2c\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.j2c"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.j2k\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.j2k"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jbr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jbr"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jif"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jp2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jp2"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jpc"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpk\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jpk"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.jpx"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kdc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.kdc"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.lbm"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mef\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.mef"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pbr\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pbr"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pct\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pct"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pgm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pgm"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pic\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pic"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pict\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pict"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pix\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pix"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ppm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.ppm"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspbrush\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pspbrush"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pspimage\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.pspimage"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ras\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.ras"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.rgb"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rgba\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.rgba"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rsb\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.rsb"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rw2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.rw2"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sgi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.sgi"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.sr2\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.sr2"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.thm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.thm"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v11o\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.v11o"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v11p\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.v11p"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.v11pf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.v11pf"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.wbm"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wbmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.wbmp"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xbm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.xbm"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.xif"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xmp\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.xmp"
.
[HKEY_USERS\S-1-5-21-2215638300-2899534133-1982733279-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xpm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="ACDSee Photo Manager 2009.xpm"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\EncryptionInterface*]
"c_encryption_d"="5B53405B4A5A\00_"
"c_encryption_e"="2A2E455F42425F2E0639205F22415C5E47602553313E4142332C7D25365F5F43572732603F26425E43"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(748)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
- - - - - - - > 'Explorer.exe'(4484)
c:\program files\WIDCOMM\Bluetooth Software\btmmhook.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_f39a6924a795ad94\STacSV.exe
c:\program files\Dell\DW WLAN Card\WLTRYSVC.EXE
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Dell\DW WLAN Card\bcmwltry.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\amazon\MerchantTransport\jre\bin\java.exe
c:\windows\system32\CISVC.EXE
c:\windows\system32\conhost.exe
c:\windows\system32\taskhost.exe
c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\amazon\MerchantTransport\jre\bin\java.exe
c:\windows\system32\conhost.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\WIDCOMM\Bluetooth Software\BtStackServer.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-12-05 05:43:10 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-05 13:43
.
Pre-Run: 24,030,429,184 bytes free
Post-Run: 24,958,181,376 bytes free
.
- - End Of File - - F585BC38C5887AD1B7CC3E526A88E9D4

____________________________________________

DDS.txt

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_24
Run by USER at 6:41:22 on 2011-12-05
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2935.1562 [GMT -8:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_f39a6924a795ad94\STacSV.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_f39a6924a795ad94\aestsrv.exe
C:\Amazon\MerchantTransport\service\bin\wrapper.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Amazon\MerchantTransport\jre\bin\java.exe
C:\Program Files\Cacheman\CachemanServ.exe
C:\Windows\system32\CISVC.EXE
C:\Windows\system32\conhost.exe
C:\Program Files\Windows Home Server\esClient.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TightVNC\tvnserver.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Amazon\MerchantTransport\service\bin\wrapper.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Amazon\MerchantTransport\jre\bin\java.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Windows Home Server\WHSConnector.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\TightVNC\tvnserver.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\CyberLink\PowerDVD10\PDVD10Serv.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Windows\System32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
C:\Program Files\CyberLink\Shared Files\brs.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\ftpte.exe
C:\Program Files\Cacheman\CachemanTray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Home Server\WHSTrayApp.exe
C:\Windows\system32\SearchIndexer.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Users\USER\Desktop\Defogger.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: BrowserHelper Class: {9a065c65-4ee7-4ddd-9918-f129089a894a} - c:\program files\windows home server\WHSDeskBands.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Home Server Banner: {d73e76a3-f902-45bd-8fc8-95ae8e014671} - c:\program files\windows home server\WHSDeskBands.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [CuteFTP TE] "c:\program files\globalscape\cuteftp 8 professional\ftpte.exe"
uRun: [CachemanTray] c:\program files\cacheman\CachemanTray.exe
mRun: [tvncontrol] "c:\program files\tightvnc\tvnserver.exe" -controlservice -slave
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [RemoteControl10] "c:\program files\cyberlink\powerdvd10\PDVD10Serv.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [NexusServer] "c:\program files\common files\grass valley\procoder 3\kernel\PNXSERVR.exe" -SelfLaunch
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell2.exe" /mode2
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [BrStsMon00] c:\program files\browny02\brother\BrStMonW.exe /AUTORUN
mRun: [Broadcom Wireless Manager UI] c:\program files\dell\dw wlan card\WLTRAY.exe
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [NBAgent] "c:\program files\nero\nero 10\nero backitup\NBAgent.exe" /WinStart
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\users\johny\appdata\roaming\micros~1\windows\startm~1\programs\startup\checkf~1.lnk - c:\jts\WiseUpdt.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\be887e~1.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\window~1.lnk - c:\program files\windows home server\WHSTrayApp.exe
uPolicies-explorer: NoSMBalloonTip = 0 (0x0)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: SoftwareSASGeneration = 1 (0x1)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Download All by ASUS Download - c:\program files\asus\rt-n56u wireless router utilities\ASDownloadAll.htm
IE: Download using ASUS Download - c:\program files\asus\rt-n56u wireless router utilities\ASDownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office11\EXCEL.EXE/3000
IE: En&queue current page with BID - file://c:\program files\bulk image downloader\iemenu\iebidqueue.htm
IE: Enqueue link tar&get with BID - file://c:\program files\bulk image downloader\iemenu\iebidlinkqueue.htm
IE: Open &link target with BID - file://c:\program files\bulk image downloader\iemenu\iebidlink.htm
IE: Open current page with BI&D - file://c:\program files\bulk image downloader\iemenu\iebid.htm
IE: Open current page with BID Link Explorer - file://c:\program files\bulk image downloader\iemenu\iebidlinkexplorer.htm
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{6FF3C6D5-50F9-41C4-88F9-B0D6CA6EB1F2} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{6FF3C6D5-50F9-41C4-88F9-B0D6CA6EB1F2}\34F6C6964716 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{6FF3C6D5-50F9-41C4-88F9-B0D6CA6EB1F2}\34F6E656A6F60234F666665656 : DhcpNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\johny\appdata\roaming\mozilla\firefox\profiles\suo8v7u0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
FF - plugin: c:\program files\canon\mycamera download plugin\NPCIG.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPEltr32.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\johny\appdata\local\google\update\1.3.21.79\npGoogleUpdate3.dll
.
---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - hxxp://globalenfant.com https://globalenfant.com
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess);user_pref(yahoo.homepage.dontask, true
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2011/03/14 07:22:24];c:\program files\cyberlink\powerdvd10\navfilter\000.fcl [2010-4-2 87536]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_f39a6924a795ad94\AEstSrv.exe [2010-10-20 81920]
R2 AMT;Amazon Merchant Transport;c:\amazon\merchanttransport\service\bin\wrapper.exe -s ..\conf\amt.conf --> c:\amazon\merchanttransport\service\bin\wrapper.exe -s ..\conf\amt.conf [?]
R2 AMT_Monitor;AMT Monitor;c:\amazon\merchanttransport\service\bin\wrapper.exe -s ..\conf\monitor.conf --> c:\amazon\merchanttransport\service\bin\wrapper.exe -s ..\conf\monitor.conf [?]
R2 arXfrSvc;Windows Media Center TV Archive Transfer Service;c:\program files\windows home server\Microsoft.HomeServer.Archive.TransferService.exe [2011-1-10 239472]
R2 CachemanService;Cacheman Service;c:\program files\cacheman\CachemanServ.exe [2009-5-16 210944]
R2 esClient;Windows Media Center Client Service;c:\program files\windows home server\esClient.exe [2011-1-10 97136]
R2 NAUpdate;Nero Update;c:\program files\nero\update\NASvc.exe [2010-5-4 503080]
R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-10-20 47104]
R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-10-20 49152]
R2 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2010-10-20 38400]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-12-10 1153368]
R2 tvnserver;TightVNC Server;c:\program files\tightvnc\tvnserver.exe [2010-7-8 815704]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2010-10-19 2320920]
R2 WHSConnector;Windows Home Server Connector Service;c:\program files\windows home server\WHSConnector.exe [2011-1-10 376688]
R3 BackupReader;BackupReader;c:\windows\system32\drivers\BackupReader.sys [2009-10-7 44776]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-10-19 29472]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2010-10-20 143968]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-10-20 132480]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-10-20 232960]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-6-10 394856]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BrYNSvc;BrYNSvc;c:\program files\browny02\BrYNSvc.exe [2010-12-11 245760]
S3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [2010-10-20 134144]
S3 PcaSp60;Rawether NDIS 6.X SPR Protocol Driver;c:\windows\system32\drivers\PcaSp60.sys [2011-7-31 28672]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 UsbFltr;WayTech USB Filter Driver1;c:\windows\system32\drivers\UsbFltr.sys [2007-4-9 9600]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-11-2 1343400]
.
=============== File Associations ===============
.
.txt=UltraEdit.txt
.
=============== Created Last 30 ================
.
2011-12-05 14:13:36 -------- d-----w- c:\program files\ESET
2011-12-05 13:41:45 -------- d-sh--w- C:\$RECYCLE.BIN
2011-12-05 07:50:40 -------- d-----w- c:\users\johny\appdata\local\temp
2011-12-05 06:33:20 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-12-05 00:13:32 98816 ----a-w- c:\windows\sed.exe
2011-12-05 00:13:32 518144 ----a-w- c:\windows\SWREG.exe
2011-12-05 00:13:32 256000 ----a-w- c:\windows\PEV.exe
2011-12-05 00:13:32 208896 ----a-w- c:\windows\MBR.exe
2011-12-04 16:51:41 -------- d-----w- c:\users\johny\appdata\local\Adobe
2011-12-04 11:50:31 -------- d-----w- C:\Windows Home Server Drivers for Restore
2011-12-02 03:57:31 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-12-02 03:57:31 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-12-02 03:57:27 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-12-02 03:57:26 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-12-02 03:57:26 801752 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-12-02 03:57:26 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-12-02 03:57:26 1989592 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-12-02 03:57:26 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-12-01 20:32:09 -------- d-----w- c:\users\johny\appdata\roaming\Malwarebytes
2011-12-01 20:31:59 -------- d-----w- c:\programdata\Malwarebytes
2011-11-29 19:18:27 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{970859cf-a270-4345-a8b3-17858e910e41}\mpengine.dll
2011-11-28 23:38:04 -------- d-----w- c:\users\johny\.swt
2011-11-27 02:13:31 -------- d-----w- c:\program files\FontList
2011-11-27 02:13:10 -------- d-----w- c:\program files\AMP Font Viewer
2011-11-15 20:15:24 -------- d-----w- c:\users\johny\appdata\local\PackageAware
2011-11-13 14:50:43 149411 ----a-w- c:\windows\RAT Uninstaller.exe
2011-11-13 14:50:43 -------- d-----w- c:\program files\RAT
2011-11-13 04:49:39 6144 ----a-w- c:\program files\internet explorer\iecompat.dll
2011-11-13 04:49:37 1285488 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-13 04:49:35 708608 ----a-w- c:\program files\common files\system\wab32.dll
2011-11-13 04:49:19 2339840 ----a-w- c:\windows\system32\win32k.sys
2011-11-13 01:18:41 -------- d-----w- c:\program files\Soulseek
2011-11-11 21:02:37 -------- d-----w- c:\users\johny\appdata\local\Conduit
2011-11-11 20:52:57 -------- d-----w- c:\users\johny\appdata\local\Google
.
==================== Find3M ====================
.
2011-11-19 06:50:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 22:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 22:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-01 02:59:14 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 6:42:21.41 ===============


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,769 posts
  • Gender:Male
  • Local time:09:25 PM

Posted 10 December 2011 - 06:50 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/430934 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 volita

volita
  • Topic Starter

  • Members
  • 27 posts
  • Local time:05:25 PM

Posted 10 December 2011 - 09:13 PM

1. Clear description of the problem included in the original post.
2. DDS and GMER log pasted and attached. GMER was stopped after 3 hours; what was captured in the first 5 minutes had no additions after that for the next 3 hours.
3. Yes, original Windows CD/DVD available.

Thanks so much in advance for your help!

______________________________________________________________
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_24
Run by Ricardo at 17:05:21 on 2011-12-10
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2935.1780 [GMT -8:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_f39a6924a795ad94\STacSV.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
C:\Windows\system32\conhost.exe
C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_f39a6924a795ad94\aestsrv.exe
C:\Amazon\MerchantTransport\service\bin\wrapper.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Amazon\MerchantTransport\jre\bin\java.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Cacheman\CachemanServ.exe
C:\Windows\system32\CISVC.EXE
C:\Program Files\Windows Home Server\esClient.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\taskhost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TightVNC\tvnserver.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Amazon\MerchantTransport\service\bin\wrapper.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Windows Home Server\WHSConnector.exe
C:\Amazon\MerchantTransport\jre\bin\java.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\TightVNC\tvnserver.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\CyberLink\PowerDVD10\PDVD10Serv.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Windows\System32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
C:\Program Files\CyberLink\Shared Files\brs.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\GlobalSCAPE\CuteFTP 8 Professional\ftpte.exe
C:\Program Files\Cacheman\CachemanTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Home Server\WHSTrayApp.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\Windows Home Server\Microsoft.HomeServer.Archive.TransferService.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: BrowserHelper Class: {9a065c65-4ee7-4ddd-9918-f129089a894a} - c:\program files\windows home server\WHSDeskBands.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Home Server Banner: {d73e76a3-f902-45bd-8fc8-95ae8e014671} - c:\program files\windows home server\WHSDeskBands.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [CuteFTP TE] "c:\program files\globalscape\cuteftp 8 professional\ftpte.exe"
uRun: [CachemanTray] c:\program files\cacheman\CachemanTray.exe
mRun: [tvncontrol] "c:\program files\tightvnc\tvnserver.exe" -controlservice -slave
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [RemoteControl10] "c:\program files\cyberlink\powerdvd10\PDVD10Serv.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [NexusServer] "c:\program files\common files\grass valley\procoder 3\kernel\PNXSERVR.exe" -SelfLaunch
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Dell Webcam Central] "c:\program files\dell webcam\dell webcam central\WebcamDell2.exe" /mode2
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [BrStsWnd] c:\program files\brownie\BrstsWnd.exe Autorun
mRun: [BrStsMon00] c:\program files\browny02\brother\BrStMonW.exe /AUTORUN
mRun: [Broadcom Wireless Manager UI] c:\program files\dell\dw wlan card\WLTRAY.exe
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [NBAgent] "c:\program files\nero\nero 10\nero backitup\NBAgent.exe" /WinStart
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\users\Ricardo\appdata\roaming\micros~1\windows\startm~1\programs\startup\checkf~1.lnk - c:\jts\WiseUpdt.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\be887e~1.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\window~1.lnk - c:\program files\windows home server\WHSTrayApp.exe
uPolicies-explorer: NoSMBalloonTip = 0 (0x0)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: SoftwareSASGeneration = 1 (0x1)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Download All by ASUS Download - c:\program files\asus\rt-n56u wireless router utilities\ASDownloadAll.htm
IE: Download using ASUS Download - c:\program files\asus\rt-n56u wireless router utilities\ASDownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office11\EXCEL.EXE/3000
IE: En&queue current page with BID - file://c:\program files\bulk image downloader\iemenu\iebidqueue.htm
IE: Enqueue link tar&get with BID - file://c:\program files\bulk image downloader\iemenu\iebidlinkqueue.htm
IE: Open &link target with BID - file://c:\program files\bulk image downloader\iemenu\iebidlink.htm
IE: Open current page with BI&D - file://c:\program files\bulk image downloader\iemenu\iebid.htm
IE: Open current page with BID Link Explorer - file://c:\program files\bulk image downloader\iemenu\iebidlinkexplorer.htm
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{6FF3C6D5-50F9-41C4-88F9-B0D6CA6EB1F2} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{6FF3C6D5-50F9-41C4-88F9-B0D6CA6EB1F2}\34F6C6964716 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{6FF3C6D5-50F9-41C4-88F9-B0D6CA6EB1F2}\34F6E656A6F60234F666665656 : DhcpNameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\Ricardo\appdata\roaming\mozilla\firefox\profiles\suo8v7u0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnG=Google+Search&q=
FF - plugin: c:\program files\canon\mycamera download plugin\NPCIG.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPEltr32.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\Ricardo\appdata\local\google\update\1.3.21.79\npGoogleUpdate3.dll
.
---- FIREFOX POLICIES ----
FF - user.js: capability.policy.policynames - allowclipboard
FF - user.js: capability.policy.allowclipboard.sites - hxxp://globalenfant.com https://globalenfant.com
FF - user.js: capability.policy.allowclipboard.Clipboard.cutcopy - allAccess
FF - user.js: capability.policy.allowclipboard.Clipboard.paste - allAccess);user_pref(yahoo.homepage.dontask, true
.
============= SERVICES / DRIVERS ===============
.
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2011/03/14 07:22:24];c:\program files\cyberlink\powerdvd10\navfilter\000.fcl [2010-4-2 87536]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_f39a6924a795ad94\AEstSrv.exe [2010-10-20 81920]
R2 AMT;Amazon Merchant Transport;c:\amazon\merchanttransport\service\bin\wrapper.exe -s ..\conf\amt.conf --> c:\amazon\merchanttransport\service\bin\wrapper.exe -s ..\conf\amt.conf [?]
R2 AMT_Monitor;AMT Monitor;c:\amazon\merchanttransport\service\bin\wrapper.exe -s ..\conf\monitor.conf --> c:\amazon\merchanttransport\service\bin\wrapper.exe -s ..\conf\monitor.conf [?]
R2 arXfrSvc;Windows Media Center TV Archive Transfer Service;c:\program files\windows home server\Microsoft.HomeServer.Archive.TransferService.exe [2011-1-10 239472]
R2 CachemanService;Cacheman Service;c:\program files\cacheman\CachemanServ.exe [2009-5-16 210944]
R2 esClient;Windows Media Center Client Service;c:\program files\windows home server\esClient.exe [2011-1-10 97136]
R2 NAUpdate;Nero Update;c:\program files\nero\update\NASvc.exe [2010-5-4 503080]
R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-10-20 47104]
R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-10-20 49152]
R2 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2010-10-20 38400]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-12-10 1153368]
R2 tvnserver;TightVNC Server;c:\program files\tightvnc\tvnserver.exe [2010-7-8 815704]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2010-10-19 2320920]
R2 WHSConnector;Windows Home Server Connector Service;c:\program files\windows home server\WHSConnector.exe [2011-1-10 376688]
R3 BackupReader;BackupReader;c:\windows\system32\drivers\BackupReader.sys [2009-10-7 44776]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-10-19 29472]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2010-10-20 143968]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-10-20 132480]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-10-20 232960]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-6-10 394856]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BrYNSvc;BrYNSvc;c:\program files\browny02\BrYNSvc.exe [2010-12-11 245760]
S3 CtAudDrv;Provides advanced audio effects for audio devices.;c:\windows\system32\drivers\CtAudDrv.sys [2010-10-20 134144]
S3 PcaSp60;Rawether NDIS 6.X SPR Protocol Driver;c:\windows\system32\drivers\PcaSp60.sys [2011-7-31 28672]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 UsbFltr;WayTech USB Filter Driver1;c:\windows\system32\drivers\UsbFltr.sys [2007-4-9 9600]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-11-2 1343400]
.
=============== File Associations ===============
.
.txt=UltraEdit.txt
.
=============== Created Last 30 ================
.
2011-12-10 16:47:52 -------- d-----w- c:\users\Ricardo\appdata\local\Apple
2011-12-08 07:45:03 -------- d-----w- c:\users\Ricardo\appdata\local\ACD Systems
2011-12-05 14:13:36 -------- d-----w- c:\program files\ESET
2011-12-05 13:41:45 -------- d-sh--w- C:\$RECYCLE.BIN
2011-12-05 07:50:40 -------- d-----w- c:\users\Ricardo\appdata\local\temp
2011-12-05 06:33:20 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys
2011-12-05 00:13:32 98816 ----a-w- c:\windows\sed.exe
2011-12-05 00:13:32 518144 ----a-w- c:\windows\SWREG.exe
2011-12-05 00:13:32 256000 ----a-w- c:\windows\PEV.exe
2011-12-05 00:13:32 208896 ----a-w- c:\windows\MBR.exe
2011-12-04 16:51:41 -------- d-----w- c:\users\Ricardo\appdata\local\Adobe
2011-12-02 03:57:31 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-12-02 03:57:31 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-12-02 03:57:27 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-12-02 03:57:26 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-12-02 03:57:26 801752 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-12-02 03:57:26 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-12-02 03:57:26 1989592 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-12-02 03:57:26 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-12-01 20:32:09 -------- d-----w- c:\users\Ricardo\appdata\roaming\Malwarebytes
2011-12-01 20:31:59 -------- d-----w- c:\programdata\Malwarebytes
2011-11-29 19:18:27 6668624 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{970859cf-a270-4345-a8b3-17858e910e41}\mpengine.dll
2011-11-28 23:38:04 -------- d-----w- c:\users\Ricardo\.swt
2011-11-27 02:13:31 -------- d-----w- c:\program files\FontList
2011-11-27 02:13:10 -------- d-----w- c:\program files\AMP Font Viewer
2011-11-15 20:15:24 -------- d-----w- c:\users\Ricardo\appdata\local\PackageAware
2011-11-13 14:50:43 149411 ----a-w- c:\windows\RAT Uninstaller.exe
2011-11-13 14:50:43 -------- d-----w- c:\program files\RAT
2011-11-13 04:49:39 6144 ----a-w- c:\program files\internet explorer\iecompat.dll
2011-11-13 04:49:37 1285488 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-13 04:49:35 708608 ----a-w- c:\program files\common files\system\wab32.dll
2011-11-13 04:49:19 2339840 ----a-w- c:\windows\system32\win32k.sys
2011-11-13 01:18:41 -------- d-----w- c:\program files\Soulseek
2011-11-11 21:02:37 -------- d-----w- c:\users\Ricardo\appdata\local\Conduit
2011-11-11 20:52:57 -------- d-----w- c:\users\Ricardo\appdata\local\Google
.
==================== Find3M ====================
.
2011-12-08 06:51:19 111 ----a-w- c:\windows\Printdir.bat
2011-11-19 06:50:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 22:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 22:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-01 02:59:14 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 17:07:13.46 ===============

Attached Files
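The DDS "Pseudo HJT Report" above is long enough that the lines an analyst cares about are easy to miss: a startup-folder shortcut whose target is the generic loader rundll32.exe, a shortcut named with a bare hex string rather than a product name, the mPolicies-system values that switch UAC off, and a BHO registered with no backing file. The script below is an added example, not code from the thread or from the DDS tool; it runs a few such rules over HJT-style lines. The sample lines are copied from the report above, the rule names and the `triage` / `rules_hit` helpers are my own, and the UAC interpretation of the three registry values is the documented meaning of those policies, not something DDS itself reports.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS "Pseudo HJT Report" above,
# with one clean startup-folder entry (BTTray) kept for contrast.
SAMPLE_LOG = """\
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [CuteFTP TE] "c:\\program files\\globalscape\\cuteftp 8 professional\\ftpte.exe"
StartupFolder: c:\\progra~2\\micros~1\\windows\\startm~1\\programs\\startup\\be887e~1.lnk - c:\\windows\\system32\\rundll32.exe
StartupFolder: c:\\progra~2\\micros~1\\windows\\startm~1\\programs\\startup\\blueto~1.lnk - c:\\program files\\widcomm\\bluetooth software\\BTTray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
"""

# mPolicies-system values that, at these settings, disable or silence UAC
# (meaning per the documented UAC policy keys; the values are those in the log).
UAC_WEAK = {
    "EnableLUA": "0",                   # UAC switched off entirely
    "ConsentPromptBehaviorAdmin": "0",  # administrators elevate silently, no prompt
    "PromptOnSecureDesktop": "0",       # any prompt is shown on the normal desktop
}

HJT_LINE = re.compile(r"^(?P<kind>[A-Za-z-]+):\s*(?P<rest>.*)$")
POLICY = re.compile(r"^(?P<name>\w+)\s*=\s*(?P<val>-?\d+)\s*\(0x[0-9a-fA-F]+\)$")
STARTUP = re.compile(r"^(?P<lnk>.*?\.lnk)\s+-\s+(?P<target>.*)$", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str    # hypothetical rule name, chosen for this example
    detail: str  # the item the rule fired on (policy name, shortcut, CLSID)
    line: str    # the log line, so the finding can be quoted back


def triage(text):
    """Run the autostart / policy rules over HJT-style report lines."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        if kind == "mPolicies-system":
            p = POLICY.match(rest)
            if p and UAC_WEAK.get(p.group("name")) == p.group("val"):
                findings.append(Finding("uac-weakened", p.group("name"), line))
        elif kind == "StartupFolder":
            s = STARTUP.match(rest)
            if not s:
                continue
            lnk_name = s.group("lnk").rsplit("\\", 1)[-1]
            # rundll32 in a startup folder is a loader; the real payload is the DLL
            # argument inside the .lnk, which DDS does not print, so open the shortcut.
            if s.group("target").lower().endswith("rundll32.exe"):
                findings.append(Finding("startup-rundll32", lnk_name, line))
            # An 8.3 short name like be887e~1.lnk whose stem is pure hex is a
            # GUID-style file name, not a product name: worth a look on its own.
            stem = re.sub(r"(~\d+)?\.lnk$", "", lnk_name, flags=re.I)
            if len(stem) >= 6 and re.fullmatch(r"[0-9a-f]+", stem, re.I):
                findings.append(Finding("startup-hex-name", lnk_name, line))
        elif kind in ("BHO", "TB", "EB") and rest.rstrip().endswith("No File"):
            findings.append(Finding("orphaned-browser-extension", rest.split(" - ")[0], line))
    return findings


def rules_hit(text):
    """Distinct rule names that fired, sorted, for a quick summary."""
    return sorted({f.rule for f in triage(text)})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
```

Running it on the sample prints the rundll32 shortcut twice (once as a loader, once for its hex name), the orphaned BHO, and the three UAC policy lines; the BTTray shortcut and the remaining policy values pass. The rules are deliberately conservative: a hit means "look here next", not a verdict.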



#4 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:01:25 AM

Posted 12 December 2011 - 09:28 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days, I will bump the topic, and if you do not reply by the following day after that, I will close the topic.

----------------------------------------------

Please run aswMBR

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

m0le is a proud member of UNITE

#5 volita
  • Topic Starter

  • Members
  • 27 posts
  • Local time:05:25 PM

Posted 13 December 2011 - 07:56 AM

Hello m0le and thanks for your help.

I ran aswMBR twice and the program hung both times before finishing.
However, I managed to get the following log.

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-12 19:02:32
-----------------------------
19:02:32.437 OS Version: Windows 6.1.7600
19:02:32.437 Number of processors: 4 586 0x2505
19:02:32.437 ComputerName: LAPTOP17 UserName: Ricardo
19:02:59.821 Initialize success
19:04:00.911 AVAST engine defs: 11121201
19:04:19.132 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
19:04:19.132 Disk 0 Vendor: ST925041 D005 Size: 238475MB BusType: 3
19:04:19.148 Disk 0 MBR read successfully
19:04:19.163 Disk 0 MBR scan
19:04:19.179 Disk 0 Windows 7 default MBR code
19:04:19.210 Disk 0 scanning sectors +488394752
19:04:19.335 Disk 0 scanning C:\Windows\system32\drivers
19:04:24.764 File: C:\Windows\system32\drivers\csc.sys **INFECTED** Win32:Aluroot [Rtk]
19:04:44.810 Service scanning
19:04:50.270 Modules scanning
19:05:07.320 Disk 0 trace - called modules:
19:05:07.352 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll iaStor.sys
19:05:07.352 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87d8a030]
19:05:07.352 3 CLASSPNP.SYS[8b59b59e] -> nt!IofCallDriver -> [0x861d5a60]
19:05:07.367 5 ACPI.sys[8ae413b2] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x861ea028]
19:05:11.969 AVAST engine scan C:\Windows
19:05:30.767 AVAST engine scan C:\Windows\system32
19:07:38.875 AVAST engine scan C:\Windows\system32\drivers
19:07:41.246 File: C:\Windows\system32\drivers\csc.sys **INFECTED** Win32:Aluroot [Rtk]
19:07:51.901 AVAST engine scan C:\Users\Ricardo
19:35:48.716 Disk 0 MBR has been saved successfully to "C:\Users\Ricardo\Desktop\MBR.dat"
19:35:48.716 The log file has been saved successfully to "C:\Users\Ricardo\Desktop\aswMBR.txt"

#6 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:01:25 AM

Posted 13 December 2011 - 05:52 PM

The aswMBR log shows TDL4, a variant of the prolific TDSS rootkit.

Please run TDSSKiller. This may not work, but let's check it.

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (or hold down your Windows key and press R), then copy and paste the following into the text field (make sure you include the quote marks) and press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

m0le is a proud member of UNITE
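Once both scans are in, the question an analyst asks is whether the two tools point at the same file and what each calls it. The script below is an added example, not code from the thread or from the aswMBR or TDSSKiller authors. It parses the aswMBR log format posted above (`Disk N ... MBR code` verdict lines and `File: <path> **INFECTED** <name>` hits) and the TDSSKiller report format that the command above produces (a `name (md5) path` line followed by `name ( Detection ) - infected` when something is flagged), then joins the two on the normalized file path. The sample lines are copied from the logs in this thread; the function names `parse_aswmbr`, `parse_tdsskiller`, `correlate` and `both_agree` are my own.

```python
import re
from collections import defaultdict

# Constructed samples: lines copied from the aswMBR log and the TDSSKiller
# report posted in this thread, trimmed to what the parser needs.
ASWMBR_SAMPLE = """\
19:04:19.148 Disk 0 MBR read successfully
19:04:19.179 Disk 0 Windows 7 default MBR code
19:04:24.764 File: C:\\Windows\\system32\\drivers\\csc.sys **INFECTED** Win32:Aluroot [Rtk]
19:07:41.246 File: C:\\Windows\\system32\\drivers\\csc.sys **INFECTED** Win32:Aluroot [Rtk]
"""
TDSSKILLER_SAMPLE = """\
22:16:05.0901 3204 crcdisk - ok
22:16:05.0979 3204 CSC (1bf22eb302b9232207f10670a8676106) C:\\Windows\\system32\\drivers\\csc.sys
22:16:05.0979 3204 CSC ( Rootkit.Win32.ZAccess.k ) - infected
22:16:05.0979 3204 CSC - detected Rootkit.Win32.ZAccess.k (0)
22:16:06.0072 3204 CtAudDrv (0f538df1673e5216f3baacb6911d9d0f) C:\\Windows\\system32\\Drivers\\CtAudDrv.sys
22:16:06.0088 3204 CtAudDrv - ok
"""

# aswMBR: "<time> File: <path> **INFECTED** <detection>" and "<time> Disk N <...MBR code>"
ASW_INFECTED = re.compile(r"^\S+\s+File:\s+(?P<path>.+?)\s+\*\*INFECTED\*\*\s+(?P<name>.+)$")
ASW_MBR = re.compile(r"^\S+\s+Disk\s+(?P<disk>\d+)\s+(?P<verdict>.*MBR code.*)$")
# TDSSKiller: "<time> <pid> <service> (<md5>) <path>" then "<time> <pid> <service> ( <detection> ) - infected"
TDSS_FILE = re.compile(r"^\S+\s+\d+\s+(?P<svc>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$")
TDSS_VERDICT = re.compile(r"^\S+\s+\d+\s+(?P<svc>\S+)\s+\(\s*(?P<name>\S+)\s*\)\s+-\s+infected$")


def norm(path):
    """Case-fold and unify separators so the two tools' paths compare equal."""
    return path.replace("/", "\\").lower()


def parse_aswmbr(text):
    """Return (mbr_verdict_by_disk, detection_by_path); the repeated csc.sys hit collapses to one."""
    mbr, det = {}, {}
    for line in text.splitlines():
        m = ASW_MBR.match(line)
        if m:
            mbr[int(m.group("disk"))] = m.group("verdict")
        m = ASW_INFECTED.match(line)
        if m:
            det[norm(m.group("path"))] = m.group("name")
    return mbr, det


def parse_tdsskiller(text):
    """Return (file_by_service -> (md5, path), detection_by_service)."""
    files, det = {}, {}
    for line in text.splitlines():
        m = TDSS_FILE.match(line)
        if m:
            files[m.group("svc")] = (m.group("md5"), norm(m.group("path")))
        m = TDSS_VERDICT.match(line)
        if m:
            det[m.group("svc")] = m.group("name")
    return files, det


def correlate(asw_text, tdss_text):
    """Join both reports on file path: {"mbr": {...}, "files": {path: {tool: name, ...}}}."""
    mbr, asw_det = parse_aswmbr(asw_text)
    files, tdss_det = parse_tdsskiller(tdss_text)
    by_path = defaultdict(dict)
    for path, name in asw_det.items():
        by_path[path]["aswMBR"] = name
    for svc, name in tdss_det.items():
        # A service flagged without a file line (e.g. hidden) falls back to its name.
        md5, path = files.get(svc, (None, svc))
        by_path[path].update({"TDSSKiller": name, "md5": md5, "service": svc})
    return {"mbr": mbr, "files": dict(by_path)}


def both_agree(result):
    """Paths that both tools flagged, regardless of what each named the family."""
    return sorted(p for p, hits in result["files"].items()
                  if "aswMBR" in hits and "TDSSKiller" in hits)


if __name__ == "__main__":
    r = correlate(ASWMBR_SAMPLE, TDSSKILLER_SAMPLE)
    print("MBR:", r["mbr"])
    for path, hits in r["files"].items():
        print(path, hits)
    print("agreed by both tools:", both_agree(r))
```

On these samples the MBR verdict comes back as the stock Windows 7 code and the single agreed-upon file is csc.sys, with the MD5 TDSSKiller recorded for it kept alongside both detection names; that MD5 is what you would carry forward to check the file against a clean copy of the driver from install media.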

#7 volita
  • Topic Starter

  • Members
  • 27 posts
  • Local time:05:25 PM

Posted 14 December 2011 - 01:22 AM

22:15:20.0973 5612 TDSS rootkit removing tool 2.6.23.0 Dec 13 2011 10:39:31
22:15:21.0332 5612 ============================================================
22:15:21.0332 5612 Current date / time: 2011/12/13 22:15:21.0332
22:15:21.0332 5612 SystemInfo:
22:15:21.0332 5612
22:15:21.0332 5612 OS Version: 6.1.7600 ServicePack: 0.0
22:15:21.0332 5612 Product type: Workstation
22:15:21.0332 5612 ComputerName: LAPTOP17
22:15:21.0332 5612 UserName: Ricardo
22:15:21.0332 5612 Windows directory: C:\Windows
22:15:21.0332 5612 System windows directory: C:\Windows
22:15:21.0332 5612 Processor architecture: Intel x86
22:15:21.0332 5612 Number of processors: 4
22:15:21.0332 5612 Page size: 0x1000
22:15:21.0332 5612 Boot type: Normal boot
22:15:21.0332 5612 ============================================================
22:15:25.0029 5612 Initialize success
22:15:59.0052 3204 ============================================================
22:15:59.0052 3204 Scan started
22:15:59.0052 3204 Mode: Manual;
22:15:59.0052 3204 ============================================================
22:16:01.0751 3204 1394ohci (d01e0b1cef9ee82100c2bb07294880ef) C:\Windows\system32\DRIVERS\1394ohci.sys
22:16:01.0751 3204 1394ohci - ok
22:16:01.0907 3204 5689 - ok
22:16:02.0032 3204 ACPI (f0e07d144c8685b8774bc32fc8da4df0) C:\Windows\system32\DRIVERS\ACPI.sys
22:16:02.0032 3204 ACPI - ok
22:16:02.0048 3204 AcpiPmi (98d81ca942d19f7d9153b095162ac013) C:\Windows\system32\DRIVERS\acpipmi.sys
22:16:02.0048 3204 AcpiPmi - ok
22:16:02.0235 3204 ADASPROT - ok
22:16:02.0328 3204 adfs (73685e15ef8b0bd9c30f1af413f13d49) C:\Windows\system32\drivers\adfs.sys
22:16:02.0328 3204 adfs - ok
22:16:02.0438 3204 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
22:16:02.0438 3204 adp94xx - ok
22:16:02.0531 3204 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
22:16:02.0531 3204 adpahci - ok
22:16:02.0609 3204 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
22:16:02.0609 3204 adpu320 - ok
22:16:02.0718 3204 AFD (0db7a48388d54d154ebec120461a0fcd) C:\Windows\system32\drivers\afd.sys
22:16:02.0718 3204 AFD - ok
22:16:02.0812 3204 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\DRIVERS\agp440.sys
22:16:02.0828 3204 agp440 - ok
22:16:02.0874 3204 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
22:16:02.0874 3204 aic78xx - ok
22:16:02.0968 3204 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\DRIVERS\aliide.sys
22:16:02.0968 3204 aliide - ok
22:16:02.0999 3204 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\DRIVERS\amdagp.sys
22:16:02.0999 3204 amdagp - ok
22:16:03.0030 3204 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\DRIVERS\amdide.sys
22:16:03.0030 3204 amdide - ok
22:16:03.0077 3204 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
22:16:03.0077 3204 AmdK8 - ok
22:16:03.0093 3204 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
22:16:03.0108 3204 AmdPPM - ok
22:16:03.0233 3204 amdsata (19ce906b4cdc11fc4fef5745f33a63b6) C:\Windows\system32\drivers\amdsata.sys
22:16:03.0233 3204 amdsata - ok
22:16:03.0296 3204 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
22:16:03.0311 3204 amdsbs - ok
22:16:03.0327 3204 amdxata (869e67d66be326a5a9159fba8746fa70) C:\Windows\system32\drivers\amdxata.sys
22:16:03.0327 3204 amdxata - ok
22:16:03.0405 3204 AppID (feb834c02ce1e84b6a38f953ca067706) C:\Windows\system32\drivers\appid.sys
22:16:03.0405 3204 AppID - ok
22:16:03.0498 3204 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
22:16:03.0498 3204 arc - ok
22:16:03.0530 3204 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
22:16:03.0545 3204 arcsas - ok
22:16:03.0623 3204 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
22:16:03.0623 3204 AsyncMac - ok
22:16:03.0701 3204 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\DRIVERS\atapi.sys
22:16:03.0701 3204 atapi - ok
22:16:03.0810 3204 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
22:16:03.0826 3204 b06bdrv - ok
22:16:03.0857 3204 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
22:16:03.0857 3204 b57nd60x - ok
22:16:03.0935 3204 BackupReader (22f769c67cb88ef32a985132041a6169) C:\Windows\system32\DRIVERS\BackupReader.sys
22:16:03.0935 3204 BackupReader - ok
22:16:03.0982 3204 BCM42RLY (94f2dc372163d520d7b1dad78ae40b5e) C:\Windows\system32\drivers\BCM42RLY.sys
22:16:03.0982 3204 BCM42RLY - ok
22:16:04.0091 3204 BCM43XX (f689c5965cefad780a2948546703bd5d) C:\Windows\system32\DRIVERS\bcmwl6.sys
22:16:04.0107 3204 BCM43XX - ok
22:16:04.0185 3204 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
22:16:04.0185 3204 Beep - ok
22:16:04.0200 3204 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
22:16:04.0200 3204 blbdrive - ok
22:16:04.0325 3204 bowser (9a5c671b7fbae4865149bb11f59b91b2) C:\Windows\system32\DRIVERS\bowser.sys
22:16:04.0325 3204 bowser - ok
22:16:04.0372 3204 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
22:16:04.0372 3204 BrFiltLo - ok
22:16:04.0388 3204 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
22:16:04.0403 3204 BrFiltUp - ok
22:16:04.0419 3204 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
22:16:04.0434 3204 Brserid - ok
22:16:04.0450 3204 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
22:16:04.0450 3204 BrSerWdm - ok
22:16:04.0481 3204 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
22:16:04.0481 3204 BrUsbMdm - ok
22:16:04.0497 3204 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
22:16:04.0497 3204 BrUsbSer - ok
22:16:04.0575 3204 BthEnum (2865a5c8e98c70c605f417908cebb3a4) C:\Windows\system32\DRIVERS\BthEnum.sys
22:16:04.0575 3204 BthEnum - ok
22:16:04.0606 3204 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
22:16:04.0606 3204 BTHMODEM - ok
22:16:04.0684 3204 BthPan (ad1872e5829e8a2c3b5b4b641c3eab0e) C:\Windows\system32\DRIVERS\bthpan.sys
22:16:04.0684 3204 BthPan - ok
22:16:04.0715 3204 BTHPORT (88059ff1ded4472acd17eebabd393069) C:\Windows\system32\Drivers\BTHport.sys
22:16:04.0731 3204 BTHPORT - ok
22:16:04.0778 3204 BTHUSB (80e6384beec03b8bd45edea29802d657) C:\Windows\system32\Drivers\BTHUSB.sys
22:16:04.0793 3204 BTHUSB - ok
22:16:04.0824 3204 btwaudio (7e826be3b3558208d5c9b00034e51be5) C:\Windows\system32\drivers\btwaudio.sys
22:16:04.0824 3204 btwaudio - ok
22:16:04.0856 3204 btwavdt (af9148c3e844131ac954cb53ff43d971) C:\Windows\system32\DRIVERS\btwavdt.sys
22:16:04.0856 3204 btwavdt - ok
22:16:04.0887 3204 btwl2cap (aafd7cb76ba61fbb08e302da208c974a) C:\Windows\system32\DRIVERS\btwl2cap.sys
22:16:04.0887 3204 btwl2cap - ok
22:16:04.0918 3204 btwrchid (480b3d195854b2e55299cddddc50bcf9) C:\Windows\system32\DRIVERS\btwrchid.sys
22:16:04.0918 3204 btwrchid - ok
22:16:05.0136 3204 catchme - ok
22:16:05.0261 3204 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
22:16:05.0324 3204 cdfs - ok
22:16:05.0402 3204 cdrom (ba6e70aa0e6091bc39de29477d866a77) C:\Windows\system32\DRIVERS\cdrom.sys
22:16:05.0402 3204 cdrom - ok
22:16:05.0480 3204 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
22:16:05.0480 3204 circlass - ok
22:16:05.0573 3204 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
22:16:05.0573 3204 CLFS - ok
22:16:05.0636 3204 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
22:16:05.0636 3204 CmBatt - ok
22:16:05.0667 3204 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\DRIVERS\cmdide.sys
22:16:05.0667 3204 cmdide - ok
22:16:05.0698 3204 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys
22:16:05.0698 3204 CNG - ok
22:16:05.0760 3204 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
22:16:05.0760 3204 Compbatt - ok
22:16:05.0823 3204 CompositeBus (f1724ba27e97d627f808fb0ba77a28a6) C:\Windows\system32\DRIVERS\CompositeBus.sys
22:16:05.0823 3204 CompositeBus - ok
22:16:05.0901 3204 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
22:16:05.0901 3204 crcdisk - ok
22:16:05.0979 3204 CSC (1bf22eb302b9232207f10670a8676106) C:\Windows\system32\drivers\csc.sys
22:16:05.0979 3204 CSC ( Rootkit.Win32.ZAccess.k ) - infected
22:16:05.0979 3204 CSC - detected Rootkit.Win32.ZAccess.k (0)
22:16:06.0072 3204 CtAudDrv (0f538df1673e5216f3baacb6911d9d0f) C:\Windows\system32\Drivers\CtAudDrv.sys
22:16:06.0088 3204 CtAudDrv - ok
22:16:06.0119 3204 CtClsFlt (9a6ca307151505730dbfc91d97f01c7e) C:\Windows\system32\DRIVERS\CtClsFlt.sys
22:16:06.0119 3204 CtClsFlt - ok
22:16:06.0182 3204 DfsC (83d1ecea8faae75604c0fa49ac7ad996) C:\Windows\system32\Drivers\dfsc.sys
22:16:06.0182 3204 DfsC - ok
22:16:06.0244 3204 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
22:16:06.0244 3204 discache - ok
22:16:06.0322 3204 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
22:16:06.0322 3204 Disk - ok
22:16:06.0400 3204 Dot4 (b5e479eb83707dd698f66953e922042c) C:\Windows\system32\DRIVERS\Dot4.sys
22:16:06.0400 3204 Dot4 - ok
22:16:06.0416 3204 Dot4Print (c25fea07a8e7767e8b89ab96a3b96519) C:\Windows\system32\DRIVERS\Dot4Prt.sys
22:16:06.0431 3204 Dot4Print - ok
22:16:06.0447 3204 dot4usb (cf491ff38d62143203c065260567e2f7) C:\Windows\system32\DRIVERS\dot4usb.sys
22:16:06.0447 3204 dot4usb - ok
22:16:06.0525 3204 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
22:16:06.0525 3204 drmkaud - ok
22:16:06.0556 3204 DXGKrnl (1679a4669326cb1a67cc95658d273234) C:\Windows\System32\drivers\dxgkrnl.sys
22:16:06.0572 3204 DXGKrnl - ok
22:16:06.0650 3204 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
22:16:06.0696 3204 ebdrv - ok
22:16:06.0743 3204 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
22:16:06.0743 3204 elxstor - ok
22:16:06.0774 3204 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\DRIVERS\errdev.sys
22:16:06.0774 3204 ErrDev - ok
22:16:06.0837 3204 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
22:16:06.0852 3204 exfat - ok
22:16:06.0915 3204 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
22:16:06.0915 3204 fastfat - ok
22:16:06.0946 3204 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
22:16:06.0946 3204 fdc - ok
22:16:06.0962 3204 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
22:16:06.0962 3204 FileInfo - ok
22:16:06.0977 3204 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
22:16:06.0977 3204 Filetrace - ok
22:16:07.0071 3204 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
22:16:07.0071 3204 flpydisk - ok
22:16:07.0102 3204 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
22:16:07.0118 3204 FltMgr - ok
22:16:07.0133 3204 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
22:16:07.0133 3204 FsDepends - ok
22:16:07.0149 3204 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
22:16:07.0149 3204 Fs_Rec - ok
22:16:07.0196 3204 fvevol (dafbd9fe39197495aed6d51f3b85b5d2) C:\Windows\system32\DRIVERS\fvevol.sys
22:16:07.0196 3204 fvevol - ok
22:16:07.0227 3204 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
22:16:07.0227 3204 gagp30kx - ok
22:16:07.0258 3204 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
22:16:07.0258 3204 GEARAspiWDM - ok
22:16:07.0383 3204 Hardlock (c1cc0c9742b881c42f1cc628e6f9ebd1) C:\Windows\system32\drivers\hardlock.sys
22:16:07.0398 3204 Hardlock - ok
22:16:07.0430 3204 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
22:16:07.0430 3204 hcw85cir - ok
22:16:07.0523 3204 HDAudBus (717a2207fd6f13ad3e664c7d5a43c7bf) C:\Windows\system32\DRIVERS\HDAudBus.sys
22:16:07.0523 3204 HDAudBus - ok
22:16:07.0554 3204 HECI (a88485dc6a7136c10d9a6c7e38fdfe3c) C:\Windows\system32\DRIVERS\HECI.sys
22:16:07.0554 3204 HECI - ok
22:16:07.0586 3204 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
22:16:07.0586 3204 HidBatt - ok
22:16:07.0601 3204 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
22:16:07.0601 3204 HidBth - ok
22:16:07.0617 3204 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
22:16:07.0617 3204 HidIr - ok
22:16:07.0710 3204 HidUsb (25072fb35ac90b25f9e4e3bacf774102) C:\Windows\system32\DRIVERS\hidusb.sys
22:16:07.0710 3204 HidUsb - ok
22:16:07.0835 3204 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\DRIVERS\HpSAMD.sys
22:16:07.0835 3204 HpSAMD - ok
22:16:07.0913 3204 HTTP (c531c7fd9e8b62021112787c4e2c5a5a) C:\Windows\system32\drivers\HTTP.sys
22:16:07.0929 3204 HTTP - ok
22:16:08.0022 3204 hwdatacard (19e6885a061011d8dabe8f64498423fa) C:\Windows\system32\DRIVERS\ewusbmdm.sys
22:16:08.0022 3204 hwdatacard - ok
22:16:08.0038 3204 hwpolicy (8305f33cde89ad6c7a0763ed0b5a8d42) C:\Windows\system32\drivers\hwpolicy.sys
22:16:08.0054 3204 hwpolicy - ok
22:16:08.0147 3204 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\DRIVERS\i8042prt.sys
22:16:08.0147 3204 i8042prt - ok
22:16:08.0225 3204 iaStor (26541a068572f650a2fa490726fe81be) C:\Windows\system32\DRIVERS\iaStor.sys
22:16:08.0225 3204 iaStor - ok
22:16:08.0319 3204 iaStorV (71f1a494fedf4b33c02c4a6a28d6d9e9) C:\Windows\system32\drivers\iaStorV.sys
22:16:08.0334 3204 iaStorV - ok
22:16:08.0490 3204 igfx (8e9da2e49347af49901526dcd4d0f397) C:\Windows\system32\DRIVERS\igdkmd32.sys
22:16:08.0631 3204 igfx - ok
22:16:08.0678 3204 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
22:16:08.0678 3204 iirsp - ok
22:16:08.0709 3204 Impcd (e3c36ac5ae87ec970ae8ea2a93d59ae1) C:\Windows\system32\DRIVERS\Impcd.sys
22:16:08.0709 3204 Impcd - ok
22:16:08.0787 3204 IntcDAud (bf31740828a26ab451803e3b35432651) C:\Windows\system32\DRIVERS\IntcDAud.sys
22:16:08.0802 3204 IntcDAud - ok
22:16:08.0818 3204 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\DRIVERS\intelide.sys
22:16:08.0818 3204 intelide - ok
22:16:08.0849 3204 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
22:16:08.0849 3204 intelppm - ok
22:16:08.0865 3204 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
22:16:08.0880 3204 IpFilterDriver - ok
22:16:08.0896 3204 IPMIDRV (e4454b6c37d7ffd5649611f6496308a7) C:\Windows\system32\DRIVERS\IPMIDrv.sys
22:16:08.0896 3204 IPMIDRV - ok
22:16:08.0912 3204 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
22:16:08.0912 3204 IPNAT - ok
22:16:08.0974 3204 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
22:16:08.0974 3204 IRENUM - ok
22:16:09.0052 3204 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\DRIVERS\isapnp.sys
22:16:09.0052 3204 isapnp - ok
22:16:09.0068 3204 iScsiPrt (ed46c223ae46c6866ab77cdc41c404b7) C:\Windows\system32\DRIVERS\msiscsi.sys
22:16:09.0083 3204 iScsiPrt - ok
22:16:09.0161 3204 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\DRIVERS\kbdclass.sys
22:16:09.0161 3204 kbdclass - ok
22:16:09.0177 3204 kbdhid (3d9f0ebf350edcfd6498057301455964) C:\Windows\system32\DRIVERS\kbdhid.sys
22:16:09.0177 3204 kbdhid - ok
22:16:09.0255 3204 KSecDD (e36a061ec11b373826905b21be10948f) C:\Windows\system32\Drivers\ksecdd.sys
22:16:09.0255 3204 KSecDD - ok
22:16:09.0302 3204 KSecPkg (365c6154bbbc5377173f1ca7bfb6cc59) C:\Windows\system32\Drivers\ksecpkg.sys
22:16:09.0302 3204 KSecPkg - ok
22:16:09.0395 3204 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
22:16:09.0395 3204 lltdio - ok
22:16:09.0551 3204 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
22:16:09.0551 3204 LSI_FC - ok
22:16:09.0582 3204 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
22:16:09.0582 3204 LSI_SAS - ok
22:16:09.0614 3204 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
22:16:09.0614 3204 LSI_SAS2 - ok
22:16:09.0645 3204 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
22:16:09.0645 3204 LSI_SCSI - ok
22:16:09.0676 3204 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
22:16:09.0692 3204 luafv - ok
22:16:09.0754 3204 MBAMSwissArmy - ok
22:16:09.0801 3204 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
22:16:09.0801 3204 megasas - ok
22:16:09.0832 3204 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
22:16:09.0832 3204 MegaSR - ok
22:16:09.0879 3204 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
22:16:09.0879 3204 Modem - ok
22:16:09.0972 3204 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
22:16:09.0972 3204 monitor - ok
22:16:10.0066 3204 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
22:16:10.0066 3204 mouclass - ok
22:16:10.0144 3204 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
22:16:10.0144 3204 mouhid - ok
22:16:10.0206 3204 mountmgr (921c18727c5920d6c0300736646931c2) C:\Windows\system32\drivers\mountmgr.sys
22:16:10.0206 3204 mountmgr - ok
22:16:10.0238 3204 mpio (2af5997438c55fb79d33d015c30e1974) C:\Windows\system32\DRIVERS\mpio.sys
22:16:10.0238 3204 mpio - ok
22:16:10.0269 3204 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
22:16:10.0269 3204 mpsdrv - ok
22:16:10.0300 3204 MRxDAV (b1be47008d20e43da3adc37c24cdb89d) C:\Windows\system32\drivers\mrxdav.sys
22:16:10.0300 3204 MRxDAV - ok
22:16:10.0409 3204 mrxsmb (ca7570e42522e24324a12161db14ec02) C:\Windows\system32\DRIVERS\mrxsmb.sys
22:16:10.0409 3204 mrxsmb - ok
22:16:10.0487 3204 mrxsmb10 (f965c3ab2b2ae5c378f4562486e35051) C:\Windows\system32\DRIVERS\mrxsmb10.sys
22:16:10.0487 3204 mrxsmb10 - ok
22:16:10.0550 3204 mrxsmb20 (25c38264a3c72594dd21d355d70d7a5d) C:\Windows\system32\DRIVERS\mrxsmb20.sys
22:16:10.0550 3204 mrxsmb20 - ok
22:16:10.0612 3204 msahci (cb5d37e91135b0f15cee64d1f1ba5de5) C:\Windows\system32\DRIVERS\msahci.sys
22:16:10.0612 3204 msahci - ok
22:16:10.0659 3204 msdsm (455029c7174a2dbb03dba8a0d8bddd9a) C:\Windows\system32\DRIVERS\msdsm.sys
22:16:10.0659 3204 msdsm - ok
22:16:10.0752 3204 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
22:16:10.0752 3204 Msfs - ok
22:16:10.0784 3204 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
22:16:10.0784 3204 mshidkmdf - ok
22:16:10.0815 3204 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\DRIVERS\msisadrv.sys
22:16:10.0815 3204 msisadrv - ok
22:16:10.0908 3204 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
22:16:10.0908 3204 MSKSSRV - ok
22:16:10.0924 3204 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
22:16:10.0924 3204 MSPCLOCK - ok
22:16:10.0955 3204 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
22:16:10.0955 3204 MSPQM - ok
22:16:10.0986 3204 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
22:16:10.0986 3204 MsRPC - ok
22:16:11.0033 3204 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\DRIVERS\mssmbios.sys
22:16:11.0033 3204 mssmbios - ok
22:16:11.0064 3204 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
22:16:11.0064 3204 MSTEE - ok
22:16:11.0096 3204 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
22:16:11.0096 3204 MTConfig - ok
22:16:11.0111 3204 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
22:16:11.0111 3204 Mup - ok
22:16:11.0205 3204 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
22:16:11.0205 3204 NativeWifiP - ok
22:16:11.0298 3204 NDIS (23759d175a0a9baaf04d05047bc135a8) C:\Windows\system32\drivers\ndis.sys
22:16:11.0330 3204 NDIS - ok
22:16:11.0361 3204 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
22:16:11.0361 3204 NdisCap - ok
22:16:11.0439 3204 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
22:16:11.0454 3204 NdisTapi - ok
22:16:11.0486 3204 Ndisuio (b30ae7f2b6d7e343b0df32e6c08fce75) C:\Windows\system32\DRIVERS\ndisuio.sys
22:16:11.0486 3204 Ndisuio - ok
22:16:11.0517 3204 NdisWan (267c415eadcbe53c9ca873dee39cf3a4) C:\Windows\system32\DRIVERS\ndiswan.sys
22:16:11.0517 3204 NdisWan - ok
22:16:11.0595 3204 NDProxy (af7e7c63dcef3f8772726f86039d6eb4) C:\Windows\system32\drivers\NDProxy.sys
22:16:11.0595 3204 NDProxy - ok
22:16:11.0673 3204 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
22:16:11.0688 3204 NetBIOS - ok
22:16:11.0720 3204 NetBT (dd52a733bf4ca5af84562a5e2f963b91) C:\Windows\system32\DRIVERS\netbt.sys
22:16:11.0720 3204 NetBT - ok
22:16:11.0813 3204 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
22:16:11.0813 3204 nfrd960 - ok
22:16:11.0891 3204 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
22:16:11.0891 3204 Npfs - ok
22:16:11.0922 3204 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
22:16:11.0922 3204 nsiproxy - ok
22:16:12.0000 3204 Ntfs (187002ce05693c306f43c873f821381f) C:\Windows\system32\drivers\Ntfs.sys
22:16:12.0016 3204 Ntfs - ok
22:16:12.0063 3204 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
22:16:12.0078 3204 Null - ok
22:16:12.0156 3204 nvraid (f1b0bed906f97e16f6d0c3629d2f21c6) C:\Windows\system32\drivers\nvraid.sys
22:16:12.0156 3204 nvraid - ok
22:16:12.0234 3204 nvstor (4520b63899e867f354ee012d34e11536) C:\Windows\system32\drivers\nvstor.sys
22:16:12.0250 3204 nvstor - ok
22:16:12.0328 3204 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\DRIVERS\nv_agp.sys
22:16:12.0328 3204 nv_agp - ok
22:16:12.0359 3204 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\DRIVERS\ohci1394.sys
22:16:12.0359 3204 ohci1394 - ok
22:16:12.0453 3204 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
22:16:12.0468 3204 Parport - ok
22:16:12.0500 3204 partmgr (ff4218952b51de44fe910953a3e686b9) C:\Windows\system32\drivers\partmgr.sys
22:16:12.0500 3204 partmgr - ok
22:16:12.0531 3204 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
22:16:12.0531 3204 Parvdm - ok
22:16:12.0640 3204 PcaSp60 (dd74552152055a8493872930a64e70dc) C:\Windows\system32\DRIVERS\PcaSp60.sys
22:16:12.0640 3204 PcaSp60 - ok
22:16:12.0702 3204 pci (c858cb77c577780ecc456a892e7e7d0f) C:\Windows\system32\DRIVERS\pci.sys
22:16:12.0702 3204 pci - ok
22:16:12.0734 3204 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\DRIVERS\pciide.sys
22:16:12.0734 3204 pciide - ok
22:16:12.0780 3204 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
22:16:12.0780 3204 pcmcia - ok
22:16:12.0796 3204 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
22:16:12.0812 3204 pcw - ok
22:16:12.0843 3204 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
22:16:12.0858 3204 PEAUTH - ok
22:16:12.0999 3204 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
22:16:12.0999 3204 PptpMiniport - ok
22:16:13.0030 3204 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
22:16:13.0030 3204 Processor - ok
22:16:13.0077 3204 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
22:16:13.0077 3204 Psched - ok
22:16:13.0155 3204 PxHelp20 (40fedd328f98245ad201cf5f9f311724) C:\Windows\system32\Drivers\PxHelp20.sys
22:16:13.0170 3204 PxHelp20 - ok
22:16:13.0217 3204 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
22:16:13.0248 3204 ql2300 - ok
22:16:13.0264 3204 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
22:16:13.0280 3204 ql40xx - ok
22:16:13.0295 3204 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
22:16:13.0311 3204 QWAVEdrv - ok
22:16:13.0389 3204 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
22:16:13.0389 3204 RasAcd - ok
22:16:13.0420 3204 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
22:16:13.0420 3204 RasAgileVpn - ok
22:16:13.0451 3204 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
22:16:13.0451 3204 Rasl2tp - ok
22:16:13.0482 3204 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
22:16:13.0482 3204 RasPppoe - ok
22:16:13.0514 3204 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
22:16:13.0514 3204 RasSstp - ok
22:16:13.0545 3204 rdbss (835d7e81bf517a3b72384bdcc85e1ce6) C:\Windows\system32\DRIVERS\rdbss.sys
22:16:13.0545 3204 rdbss - ok
22:16:13.0623 3204 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
22:16:13.0623 3204 rdpbus - ok
22:16:13.0654 3204 RDPCDD (1e016846895b15a99f9a176a05029075) C:\Windows\system32\DRIVERS\RDPCDD.sys
22:16:13.0670 3204 RDPCDD - ok
22:16:13.0716 3204 RDPDR (c5ff95883ffef704d50c40d21cfb3ab5) C:\Windows\system32\drivers\rdpdr.sys
22:16:13.0716 3204 RDPDR - ok
22:16:13.0779 3204 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
22:16:13.0794 3204 RDPENCDD - ok
22:16:13.0826 3204 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
22:16:13.0826 3204 RDPREFMP - ok
22:16:13.0857 3204 RDPWD (801371ba9782282892d00aadb08ee367) C:\Windows\system32\drivers\RDPWD.sys
22:16:13.0872 3204 RDPWD - ok
22:16:13.0904 3204 rdyboost (4ea225bf1cf05e158853f30a99ca29a7) C:\Windows\system32\drivers\rdyboost.sys
22:16:13.0904 3204 rdyboost - ok
22:16:13.0997 3204 RFCOMM (cb928d9e6daf51879dd6ba8d02f01321) C:\Windows\system32\DRIVERS\rfcomm.sys
22:16:13.0997 3204 RFCOMM - ok
22:16:14.0028 3204 rimspci (af213955c4d952c914620e8db0cd0cf7) C:\Windows\system32\DRIVERS\rimspe86.sys
22:16:14.0044 3204 rimspci - ok
22:16:14.0075 3204 risdpcie (6978decc2c38c5ce10a8b0f2b12f4451) C:\Windows\system32\DRIVERS\risdpe86.sys
22:16:14.0075 3204 risdpcie - ok
22:16:14.0106 3204 rixdpcie (764c1f3453e779724ba647327de7ddd4) C:\Windows\system32\DRIVERS\rixdpe86.sys
22:16:14.0106 3204 rixdpcie - ok
22:16:14.0184 3204 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
22:16:14.0200 3204 rspndr - ok
22:16:14.0309 3204 RTL8167 (5283b9a27ff230f2ff70d92451ff409a) C:\Windows\system32\DRIVERS\Rt86win7.sys
22:16:14.0325 3204 RTL8167 - ok
22:16:14.0372 3204 s3cap (5423d8437051e89dd34749f242c98648) C:\Windows\system32\DRIVERS\vms3cap.sys
22:16:14.0372 3204 s3cap - ok
22:16:14.0450 3204 sbp2port (34ee0c44b724e3e4ce2eff29126de5b5) C:\Windows\system32\DRIVERS\sbp2port.sys
22:16:14.0450 3204 sbp2port - ok
22:16:14.0559 3204 SCDEmu (64a5841a6c8942ebe9621ed4fed66869) C:\Windows\system32\drivers\SCDEmu.sys
22:16:14.0574 3204 SCDEmu - ok
22:16:14.0590 3204 scfilter (a95c54b2ac3cc9c73fcdf9e51a1d6b51) C:\Windows\system32\DRIVERS\scfilter.sys
22:16:14.0606 3204 scfilter - ok
22:16:14.0684 3204 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
22:16:14.0684 3204 secdrv - ok
22:16:14.0762 3204 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
22:16:14.0762 3204 Serenum - ok
22:16:14.0793 3204 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys
22:16:14.0793 3204 Serial - ok
22:16:14.0855 3204 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
22:16:14.0871 3204 sermouse - ok
22:16:14.0902 3204 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\DRIVERS\sffdisk.sys
22:16:14.0918 3204 sffdisk - ok
22:16:14.0949 3204 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\DRIVERS\sffp_mmc.sys
22:16:14.0949 3204 sffp_mmc - ok
22:16:14.0980 3204 sffp_sd (a0708bbd07d245c06ff9de549ca47185) C:\Windows\system32\DRIVERS\sffp_sd.sys
22:16:14.0980 3204 sffp_sd - ok
22:16:15.0011 3204 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
22:16:15.0011 3204 sfloppy - ok
22:16:15.0105 3204 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\DRIVERS\sisagp.sys
22:16:15.0105 3204 sisagp - ok
22:16:15.0152 3204 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys
22:16:15.0152 3204 SiSRaid2 - ok
22:16:15.0183 3204 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys
22:16:15.0183 3204 SiSRaid4 - ok
22:16:15.0245 3204 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
22:16:15.0245 3204 Smb - ok
22:16:15.0292 3204 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
22:16:15.0292 3204 spldr - ok
22:16:15.0370 3204 srv (c4a027b8c0bd3fc0699f41fa5e9e0c87) C:\Windows\system32\DRIVERS\srv.sys
22:16:15.0386 3204 srv - ok
22:16:15.0448 3204 srv2 (414bb592cad8a79649d01f9d94318fb3) C:\Windows\system32\DRIVERS\srv2.sys
22:16:15.0448 3204 srv2 - ok
22:16:15.0510 3204 srvnet (ff207d67700aa18242aaf985d3e7d8f4) C:\Windows\system32\DRIVERS\srvnet.sys
22:16:15.0510 3204 srvnet - ok
22:16:15.0604 3204 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys
22:16:15.0604 3204 stexstor - ok
22:16:15.0682 3204 STHDA (06cbb271f42ef70fb6ef372c491ba9aa) C:\Windows\system32\DRIVERS\stwrt.sys
22:16:15.0698 3204 STHDA - ok
22:16:15.0744 3204 StillCam (edb05bd63148796f23ea78506404a538) C:\Windows\system32\DRIVERS\serscan.sys
22:16:15.0744 3204 StillCam - ok
22:16:15.0822 3204 storflt (957e346ca948668f2496a6ccf6ff82cc) C:\Windows\system32\DRIVERS\vmstorfl.sys
22:16:15.0822 3204 storflt - ok
22:16:15.0869 3204 storvsc (d5751969dc3e4b88bf482ac8ec9fe019) C:\Windows\system32\DRIVERS\storvsc.sys
22:16:15.0869 3204 storvsc - ok
22:16:15.0900 3204 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\DRIVERS\swenum.sys
22:16:15.0900 3204 swenum - ok
22:16:15.0978 3204 SynTP (cf196a45fd61118c95585489fad5b2aa) C:\Windows\system32\DRIVERS\SynTP.sys
22:16:15.0978 3204 SynTP - ok
22:16:16.0056 3204 Tcpip (56c198ac82efa622dd93e9e43575f79c) C:\Windows\system32\drivers\tcpip.sys
22:16:16.0088 3204 Tcpip - ok
22:16:16.0166 3204 TCPIP6 (56c198ac82efa622dd93e9e43575f79c) C:\Windows\system32\DRIVERS\tcpip.sys
22:16:16.0181 3204 TCPIP6 - ok
22:16:16.0228 3204 tcpipreg (e64444523add154f86567c469bc0b17f) C:\Windows\system32\drivers\tcpipreg.sys
22:16:16.0228 3204 tcpipreg - ok
22:16:16.0259 3204 TDPIPE (1875c1490d99e70e449e3afae9fcbadf) C:\Windows\system32\drivers\tdpipe.sys
22:16:16.0259 3204 TDPIPE - ok
22:16:16.0290 3204 TDTCP (7551e91ea999ee9a8e9c331d5a9c31f3) C:\Windows\system32\drivers\tdtcp.sys
22:16:16.0290 3204 TDTCP - ok
22:16:16.0322 3204 tdx (cb39e896a2a83702d1737bfd402b3542) C:\Windows\system32\DRIVERS\tdx.sys
22:16:16.0322 3204 tdx - ok
22:16:16.0353 3204 TermDD (c36f41ee20e6999dbf4b0425963268a5) C:\Windows\system32\DRIVERS\termdd.sys
22:16:16.0353 3204 TermDD - ok
22:16:16.0384 3204 tssecsrv (98ae6fa07d12cb4ec5cf4a9bfa5f4242) C:\Windows\system32\DRIVERS\tssecsrv.sys
22:16:16.0384 3204 tssecsrv - ok
22:16:16.0415 3204 tunnel (3e461d890a97f9d4c168f5fda36e1d00) C:\Windows\system32\DRIVERS\tunnel.sys
22:16:16.0415 3204 tunnel - ok
22:16:16.0524 3204 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
22:16:16.0524 3204 uagp35 - ok
22:16:16.0587 3204 udfs (eb0a7bd4d471ac3ce55564a4c55b9d8e) C:\Windows\system32\DRIVERS\udfs.sys
22:16:16.0587 3204 udfs - ok
22:16:16.0665 3204 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\DRIVERS\uliagpkx.sys
22:16:16.0665 3204 uliagpkx - ok
22:16:16.0727 3204 umbus (049b3a50b3d646baeeee9eec9b0668dc) C:\Windows\system32\DRIVERS\umbus.sys
22:16:16.0727 3204 umbus - ok
22:16:16.0758 3204 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
22:16:16.0758 3204 UmPass - ok
22:16:16.0883 3204 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\Windows\system32\Drivers\usbaapl.sys
22:16:16.0883 3204 USBAAPL - ok
22:16:16.0977 3204 usbccgp (5c233aefb566ee78c1efbc0493fb066a) C:\Windows\system32\DRIVERS\usbccgp.sys
22:16:16.0977 3204 usbccgp - ok
22:16:17.0008 3204 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\DRIVERS\usbcir.sys
22:16:17.0024 3204 usbcir - ok
22:16:17.0133 3204 usbehci (5b71019a6aca0116fd21b368f19c0b91) C:\Windows\system32\drivers\usbehci.sys
22:16:17.0133 3204 usbehci - ok
22:16:17.0226 3204 UsbFltr (1d6a4fa75af0400d3f99642c271f3255) C:\Windows\system32\Drivers\UsbFltr.sys
22:16:17.0226 3204 UsbFltr - ok
22:16:17.0320 3204 usbhub (5823d3965c2a4f6f785ed1a3b403f3b8) C:\Windows\system32\DRIVERS\usbhub.sys
22:16:17.0336 3204 usbhub - ok
22:16:17.0445 3204 usbohci (e753ed6c49da13967ebabf9ea616454a) C:\Windows\system32\drivers\usbohci.sys
22:16:17.0445 3204 usbohci - ok
22:16:17.0523 3204 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
22:16:17.0523 3204 usbprint - ok
22:16:17.0585 3204 usbscan (576096ccbc07e7c4ea4f5e6686d6888f) C:\Windows\system32\DRIVERS\usbscan.sys
22:16:17.0601 3204 usbscan - ok
22:16:17.0694 3204 USBSTOR (1c4287739a93594e57e2a9e6a3ed7353) C:\Windows\system32\DRIVERS\USBSTOR.SYS
22:16:17.0694 3204 USBSTOR - ok
22:16:17.0772 3204 usbuhci (6a30928a469ce802600e1ea8c0f2f53f) C:\Windows\system32\drivers\usbuhci.sys
22:16:17.0788 3204 usbuhci - ok
22:16:17.0866 3204 usbvideo (b5f6a992d996282b7fae7048e50af83a) C:\Windows\system32\Drivers\usbvideo.sys
22:16:17.0866 3204 usbvideo - ok
22:16:17.0960 3204 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\DRIVERS\vdrvroot.sys
22:16:17.0975 3204 vdrvroot - ok
22:16:18.0053 3204 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
22:16:18.0053 3204 vga - ok
22:16:18.0084 3204 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
22:16:18.0084 3204 VgaSave - ok
22:16:18.0116 3204 vhdmp (3be6e1f3a4f1afec8cee0d7883f93583) C:\Windows\system32\DRIVERS\vhdmp.sys
22:16:18.0116 3204 vhdmp - ok
22:16:18.0194 3204 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\DRIVERS\viaagp.sys
22:16:18.0194 3204 viaagp - ok
22:16:18.0225 3204 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
22:16:18.0225 3204 ViaC7 - ok
22:16:18.0256 3204 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\DRIVERS\viaide.sys
22:16:18.0256 3204 viaide - ok
22:16:18.0365 3204 vmbus (379b349f65f453d2a6e75ea6b7448e49) C:\Windows\system32\DRIVERS\vmbus.sys
22:16:18.0381 3204 vmbus - ok
22:16:18.0443 3204 VMBusHID (ec2bbab4b84d0738c6c83d2234dc36fe) C:\Windows\system32\DRIVERS\VMBusHID.sys
22:16:18.0443 3204 VMBusHID - ok
22:16:18.0584 3204 volmgr (384e5a2aa49934295171e499f86ba6f3) C:\Windows\system32\DRIVERS\volmgr.sys
22:16:18.0584 3204 volmgr - ok
22:16:18.0708 3204 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
22:16:18.0708 3204 volmgrx - ok
22:16:18.0927 3204 volsnap (58df9d2481a56edde167e51b334d44fd) C:\Windows\system32\DRIVERS\volsnap.sys
22:16:18.0989 3204 volsnap - ok
22:16:19.0317 3204 vpcbus (33e74df34753fcaab06f6f2bdc8cabf5) C:\Windows\system32\DRIVERS\vpchbus.sys
22:16:19.0317 3204 vpcbus - ok
22:16:19.0520 3204 vpcusb (625088d6ee9ede977fd03cf18d1cd5c5) C:\Windows\system32\DRIVERS\vpcusb.sys
22:16:19.0535 3204 vpcusb - ok
22:16:19.0785 3204 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
22:16:19.0800 3204 vsmraid - ok
22:16:19.0816 3204 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\system32\DRIVERS\vwifibus.sys
22:16:19.0816 3204 vwifibus - ok
22:16:19.0832 3204 vwififlt (7090d3436eeb4e7da3373090a23448f7) C:\Windows\system32\DRIVERS\vwififlt.sys
22:16:19.0847 3204 vwififlt - ok
22:16:19.0956 3204 vwifimp (a3f04cbea6c2a10e6cb01f8b47611882) C:\Windows\system32\DRIVERS\vwifimp.sys
22:16:19.0956 3204 vwifimp - ok
22:16:19.0988 3204 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
22:16:19.0988 3204 WacomPen - ok
22:16:20.0050 3204 WANARP (692a712062146e96d28ba0b7d75de31b) C:\Windows\system32\DRIVERS\wanarp.sys
22:16:20.0066 3204 WANARP - ok
22:16:20.0066 3204 Wanarpv6 (692a712062146e96d28ba0b7d75de31b) C:\Windows\system32\DRIVERS\wanarp.sys
22:16:20.0066 3204 Wanarpv6 - ok
22:16:20.0097 3204 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
22:16:20.0097 3204 Wd - ok
22:16:20.0128 3204 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
22:16:20.0128 3204 Wdf01000 - ok
22:16:20.0206 3204 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
22:16:20.0206 3204 WfpLwf - ok
22:16:20.0237 3204 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
22:16:20.0237 3204 WIMMount - ok
22:16:20.0331 3204 WinUsb (b5ba3cc19d00f2eba92f1cfbebb5d650) C:\Windows\system32\DRIVERS\WinUsb.sys
22:16:20.0331 3204 WinUsb - ok
22:16:20.0409 3204 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\DRIVERS\wmiacpi.sys
22:16:20.0409 3204 WmiAcpi - ok
22:16:20.0487 3204 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
22:16:20.0487 3204 ws2ifsl - ok
22:16:20.0518 3204 WudfPf (a52494b107afc92ddca21f0b64f83376) C:\Windows\system32\drivers\WudfPf.sys
22:16:20.0518 3204 WudfPf - ok
22:16:20.0580 3204 WUDFRd (90a541c607da0025ae75f0f3673945fe) C:\Windows\system32\DRIVERS\WUDFRd.sys
22:16:20.0596 3204 WUDFRd - ok
22:16:20.0799 3204 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC} (74ec37b9eaf9fca015b933a526825c7a) C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl
22:16:20.0799 3204 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC} - ok
22:16:20.0877 3204 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
22:16:20.0892 3204 \Device\Harddisk0\DR0 - ok
22:16:21.0360 3204 MBR (0x1B8) (671b81004fdd1588fa9ed1331c9ceca9) \Device\Harddisk1\DR1
22:16:21.0360 3204 \Device\Harddisk1\DR1 - ok
22:16:21.0360 3204 Boot (0x1200) (2324084c6657b423c5a69b21defd9816) \Device\Harddisk0\DR0\Partition0
22:16:21.0376 3204 \Device\Harddisk0\DR0\Partition0 - ok
22:16:21.0376 3204 Boot (0x1200) (c8ff53d0084bbfcc5a79506404f4667d) \Device\Harddisk0\DR0\Partition1
22:16:21.0392 3204 \Device\Harddisk0\DR0\Partition1 - ok
22:16:21.0392 3204 Boot (0x1200) (38e97481729e3125ce2e0781f6c388b0) \Device\Harddisk1\DR1\Partition0
22:16:21.0392 3204 \Device\Harddisk1\DR1\Partition0 - ok
22:16:21.0392 3204 ============================================================
22:16:21.0392 3204 Scan finished
22:16:21.0392 3204 ============================================================
22:16:21.0407 0984 Detected object count: 1
22:16:21.0407 0984 Actual detected object count: 1
22:16:39.0924 0984 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\Windows\system32\drivers\csc.sys) error 1813
22:16:44.0495 0984 Backup copy found, using it..
22:16:44.0542 0984 C:\Windows\system32\drivers\csc.sys - will be cured on reboot
22:16:48.0910 0984 CSC ( Rootkit.Win32.ZAccess.k ) - User select action: Cure
22:16:59.0440 5608 Deinitialize success
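
The service-scan section above ends with exactly one hit: the CSC service's image csc.sys, flagged Rootkit.Win32.ZAccess.k and cured on reboot from a backup copy. The line just before the cure is worth reading too: GetFileVersionInfoSizeW failing with error 1813 (ERROR_RESOURCE_TYPE_NOT_FOUND) means the csc.sys on disk carried no version resource, which a genuine Microsoft driver does, so the file was not the original even though its service name and path looked normal. Below is an added example, not part of TDSSKiller or of this thread, that folds a TDSSKiller scan into one record per service and pulls out what a responder reads such a log for: the flagged services with the hash and path of the flagged file, services that reported a status but no image on disk (MBAMSwissArmy above, whose driver file was not present at scan time), and service names that share one image hash (Tcpip/TCPIP6 above, which is normal). SAMPLE_LOG is a handful of lines copied from the log above; the record layout and function names are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the TDSSKiller service-scan format seen above: a file
# line (timestamp, thread id, service name, md5, path) followed by a status
# line. A service whose image was not found on disk has only a status line.
SAMPLE_LOG = r"""
22:16:05.0979 3204 CSC (1bf22eb302b9232207f10670a8676106) C:\Windows\system32\drivers\csc.sys
22:16:05.0979 3204 CSC ( Rootkit.Win32.ZAccess.k ) - infected
22:16:05.0979 3204 CSC - detected Rootkit.Win32.ZAccess.k (0)
22:16:06.0072 3204 CtAudDrv (0f538df1673e5216f3baacb6911d9d0f) C:\Windows\system32\Drivers\CtAudDrv.sys
22:16:06.0088 3204 CtAudDrv - ok
22:16:09.0754 3204 MBAMSwissArmy - ok
22:16:16.0056 3204 Tcpip (56c198ac82efa622dd93e9e43575f79c) C:\Windows\system32\drivers\tcpip.sys
22:16:16.0088 3204 Tcpip - ok
22:16:16.0166 3204 TCPIP6 (56c198ac82efa622dd93e9e43575f79c) C:\Windows\system32\DRIVERS\tcpip.sys
22:16:16.0181 3204 TCPIP6 - ok
"""

PREFIX = r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+(?P<name>\S+)\s+"
FILE_RE = re.compile(PREFIX + r"\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*?)\s*$")
OK_RE = re.compile(PREFIX + r"-\s+ok\s*$")
INFECTED_RE = re.compile(PREFIX + r"\(\s*(?P<verdict>\S+)\s*\)\s+-\s+infected\s*$")


@dataclass
class ServiceEntry:
    name: str
    md5: Optional[str] = None      # hash of the image TDSSKiller found on disk
    path: Optional[str] = None
    status: Optional[str] = None   # "ok" or "infected"
    verdict: Optional[str] = None  # detection name, e.g. Rootkit.Win32.ZAccess.k


def parse_tdsskiller(text: str) -> Dict[str, ServiceEntry]:
    """Fold the file and status lines of a TDSSKiller scan into one record per service."""
    entries: Dict[str, ServiceEntry] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            e = entries.setdefault(m["name"], ServiceEntry(m["name"]))
            e.md5, e.path = m["md5"].lower(), m["path"]
            continue
        m = INFECTED_RE.match(line)
        if m:
            e = entries.setdefault(m["name"], ServiceEntry(m["name"]))
            e.status, e.verdict = "infected", m["verdict"]
            continue
        m = OK_RE.match(line)
        if m:
            e = entries.setdefault(m["name"], ServiceEntry(m["name"]))
            e.status = e.status or "ok"   # an earlier "infected" verdict wins
    return entries


def detections(entries: Dict[str, ServiceEntry]) -> List[ServiceEntry]:
    """Services TDSSKiller flagged, with the hash and path of the file it flagged."""
    return [e for e in entries.values() if e.status == "infected"]


def unresolved(entries: Dict[str, ServiceEntry]) -> List[str]:
    """Services that reported a status but no image on disk (registered, file absent)."""
    return [e.name for e in entries.values() if e.status and e.path is None]


def shared_images(entries: Dict[str, ServiceEntry]) -> Dict[str, List[str]]:
    """Service names that point at the same image hash; Tcpip/TCPIP6 is the benign case."""
    by_md5: Dict[str, List[str]] = {}
    for e in entries.values():
        if e.md5:
            by_md5.setdefault(e.md5, []).append(e.name)
    return {h: names for h, names in by_md5.items() if len(names) > 1}


if __name__ == "__main__":
    parsed = parse_tdsskiller(SAMPLE_LOG)
    for d in detections(parsed):
        print(f"{d.name}: {d.verdict} {d.path} md5={d.md5}")
    print("no image on disk:", unresolved(parsed))
    print("shared images:", shared_images(parsed))
```

The md5 on the file line is the hash of whatever was on disk when TDSSKiller ran, so for a flagged entry it identifies the replaced file, not the Microsoft original; keep it with the case notes, since after the cure the file at that path will hash differently.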

#8 m0le (Malware Response Team)

Posted 14 December 2011 - 06:16 PM

That did cure it. :thumbup2: Please rerun aswMBR and post the log.
m0le is a proud member of UNITE

#9 volita (Topic Starter)

Posted 14 December 2011 - 10:39 PM

Again, aswMBR did not complete the scan. It always stops at C:\Users\Ricardo\Documents\GlobalEnfant\Papers\SitePoint The Web Design Business Kit\... and about 40 minutes later Windows opens a message to close the program. This last time I clicked "Save Log" before aswMBR was closed. Here is the report:

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-14 16:58:13
-----------------------------
16:58:13.751 OS Version: Windows 6.1.7600
16:58:13.751 Number of processors: 4 586 0x2505
16:58:13.752 ComputerName: LAPTOP17 UserName: Ricardo
16:58:14.663 Initialize success
16:58:49.356 AVAST engine defs: 11121402
16:58:55.962 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
16:58:55.966 Disk 0 Vendor: ST925041 D005 Size: 238475MB BusType: 3
16:58:56.045 Disk 0 MBR read successfully
16:58:56.049 Disk 0 MBR scan
16:58:56.055 Disk 0 Windows 7 default MBR code
16:58:56.061 Disk 0 scanning sectors +488394752
16:58:56.210 Disk 0 scanning C:\Windows\system32\drivers
16:59:11.814 Service scanning
16:59:13.036 Modules scanning
16:59:18.561 Disk 0 trace - called modules:
16:59:18.594 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll iaStor.sys
16:59:18.598 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87d86030]
16:59:18.602 3 CLASSPNP.SYS[8b58f59e] -> nt!IofCallDriver -> [0x861e7a60]
16:59:18.606 5 ACPI.sys[8aec13b2] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x861ee028]
16:59:20.077 AVAST engine scan C:\Windows
16:59:23.320 AVAST engine scan C:\Windows\system32
17:01:14.877 AVAST engine scan C:\Windows\system32\drivers
17:01:26.623 AVAST engine scan C:\Users\Ricardo
18:22:13.768 Disk 0 MBR has been saved successfully to "C:\Users\Ricardo\Desktop\MBR.dat"
18:22:13.775 The log file has been saved successfully to "C:\Users\Ricardo\Desktop\aswMBR_20111214.txt"

#10 m0le


Posted 15 December 2011 - 07:28 PM

RunDLL
There was a problem starting
C:\ProgramData\BE887E7A-E821-FAC3-6EEC-E4F9863526FA.avi
The specified module could not be found


This is a registry entry which is trying to load a file that is no longer there. We should be able to find it though.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :regfind
    BE887E7A-E821-FAC3-6EEC-E4F9863526FA
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
m0le is a proud member of UNITE

#11 volita


Posted 15 December 2011 - 07:39 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 16:36 on 15/12/2011 by Ricardo
Administrator - Elevation successful

========== regfind ==========

Searching for "BE887E7A-E821-FAC3-6EEC-E4F9863526FA"
No data found.

-= EOF =-

#12 m0le


Posted 15 December 2011 - 08:05 PM

Let's alter the system to stop the process attempting to load.

Go to Start and Run.
Type msconfig.
On the start up tab uncheck the line that loads BE887E7A-E821-FAC3-6EEC-E4F9863526FA.avi if it's there.
Click on Apply and OK.
Restart your PC and it should be gone.
m0le is a proud member of UNITE
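Added example, not code from the thread, covering both the SystemLook `:regfind` search in post #10 and the msconfig step above. A "RunDLL ... The specified module could not be found" box at logon means an autostart entry is still handing rundll32 a module path that no longer exists; the registry search returned nothing, and msconfig only shows what it knows about. The script below enumerates the standard Run/RunOnce keys (including Wow6432Node), the per-user Run keys of every loaded profile under HKEY_USERS (a value in another account's hive is invisible from HKCU), the key where msconfig on Windows 7 parks items unticked on its Startup tab, and the Startup folders. For each entry it works out which file the command line will actually load (for rundll32 that is the text before the first comma), and reports entries whose target is missing or whose data contains a search string. It assumes PowerShell 3.0 or later and an elevated prompt; the GUID from this thread is the default search string and the registry locations are the standard ones listed in the code.

```powershell
# Added example, not code from the thread. Enumerates Windows autostart entries
# and flags (a) any whose data contains a search string and (b) any whose target
# file no longer exists. An orphaned rundll32 entry is what produces the
# "RunDLL ... The specified module could not be found" dialog at logon.
# Requires PowerShell 3.0 or later, run elevated.
param(
    [string]$Needle = 'BE887E7A-E821-FAC3-6EEC-E4F9863526FA'   # GUID from the thread
)

# Standard Run/RunOnce locations. msconfig on Windows 7 keeps items unticked on
# its Startup tab under a separate key, handled below, so "disabled" entries
# still show up in the report.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
$msconfigKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'

# Per-user Run keys of every loaded profile, not only HKCU: a value written into
# another account's hive is invisible from HKCU and easy to overlook.
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
Get-ChildItem 'HKU:\' | Where-Object { $_.PSChildName -notmatch '_Classes$' } | ForEach-Object {
    $runKeys += "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    $runKeys += "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\RunOnce"
}

function Get-TargetPath {
    # Work out which file a command line will actually load. For rundll32 the
    # module is the text before the first comma; for anything else take the
    # quoted token or, failing that, the longest space-delimited prefix that
    # exists on disk (unquoted "C:\Program Files\..." style paths).
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(.+)$') {
        return ($Matches[1] -split ',', 2)[0].Trim().Trim('"')
    }
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    $parts = $cmd -split '\s+'
    for ($i = $parts.Count; $i -ge 1; $i--) {
        $candidate = ($parts[0..($i - 1)] -join ' ')
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]
}

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }       # skip provider metadata
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # msconfig stores each disabled item as a subkey carrying a 'command' value
    if (Test-Path $msconfigKey) {
        foreach ($sub in Get-ChildItem $msconfigKey) {
            $cmd = (Get-ItemProperty -Path $sub.PSPath).command
            [pscustomobject]@{ Source = "$msconfigKey (disabled)"; Name = $sub.PSChildName; Command = [string]$cmd }
        }
    }
    # Startup folders: resolve each shortcut to its target
    $shell = New-Object -ComObject WScript.Shell
    foreach ($f in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        if (-not (Test-Path $f)) { continue }
        foreach ($item in Get-ChildItem $f -File) {
            $target = if ($item.Extension -eq '.lnk') { $shell.CreateShortcut($item.FullName).TargetPath } else { $item.FullName }
            [pscustomobject]@{ Source = $f; Name = $item.Name; Command = $target }
        }
    }
}

$pattern = [regex]::Escape($Needle)
$report = Get-AutostartEntries | ForEach-Object {
    $target = Get-TargetPath $_.Command
    [pscustomobject]@{
        Source        = $_.Source
        Name          = $_.Name
        Command       = $_.Command
        Target        = $target
        Missing       = [string]::IsNullOrWhiteSpace($target) -or -not (Test-Path -LiteralPath $target -PathType Leaf)
        MatchesNeedle = ($_.Command -match $pattern) -or ($_.Name -match $pattern)
    }
}

# Anything Missing or MatchesNeedle is what to clear; the Source column says
# which key or folder the entry lives in, so it can be removed directly rather
# than only unticked in msconfig.
$report | Where-Object { $_.Missing -or $_.MatchesNeedle } | Format-Table -AutoSize -Wrap
```

Unticking an item in msconfig does not delete it; on Windows 7 it is moved under the `startupreg` key the script reads, which is why that key is included. Once the offending entry has been identified, delete the value from the key shown in `Source` so the orphan does not come back if msconfig's list is ever restored.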

#13 volita


Posted 15 December 2011 - 08:33 PM

Yes, thank you.
That did it.

#14 m0le


Posted 15 December 2011 - 09:35 PM

The machine looks good, so let's mop up with an ESET scan.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply
If no log is generated that means nothing was found. Please let me know if this happens.
m0le is a proud member of UNITE

#15 volita


Posted 16 December 2011 - 08:07 AM

C:\Documents and Settings\Ricardo\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\14\5f804f8e-4d29689f a variant of Java/TrojanDownloader.OpenConnection.AQ trojan deleted - quarantined
C:\Documents and Settings\Ricardo\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\f4586d1-3f23dfd4 a variant of Java/Agent.DN trojan deleted - quarantined
C:\Documents and Settings\Ricardo\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\26\44f2359a-70db3ac8 multiple threats deleted - quarantined
C:\Documents and Settings\Ricardo\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\3\3db6dd83-78ec86eb a variant of Java/TrojanDownloader.OpenConnection.AQ trojan deleted - quarantined
C:\Documents and Settings\Ricardo\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\30\690e761e-4fd13201 multiple threats deleted - quarantined



