Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible conhost.exe virus


  • This topic is locked This topic is locked
17 replies to this topic

#1 FreedomFighter33

FreedomFighter33

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:11:07 PM

Posted 01 January 2012 - 03:00 PM

Hello,... I started having crashes a few days ago (Blue screen of death).. and judging by what I was seeing I just thought my video card was going bad until AVG picked up a few virus which I can't seem to remove.

********************
"";"C:\Windows\System32\taskhost.exe (2140):\memory_00010000";"Trojan horse Agent3.ATLI";"Infected"
"";"C:\Windows\System32\conhost.exe (4616):\memory_00010000";"Trojan horse Agent3.ATLI";"Infected"
"";"C:\Windows\explorer.exe (2436):\memory_00010000";"Trojan horse Agent3.ATLI";"Infected"
"";"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (3584):\memory_00010000";"Trojan horse Agent3.ATLI";"Infected"
"";"C:\Program Files (x86)\AVG\AVG2012\avgscana.exe (4192):\memory_00010000";"Trojan horse Agent3.ATLI";"Infected"
"";"C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe (4032):\memory_00010000";"Trojan horse Agent3.ATLI";"Infected"
"";"C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe (2432):\memory_00010000";"Trojan horse Agent3.ATLI";"Infected"
***********************

I ran Malwarebytes and can't remove two listed infections labeled "conhost.exe"

Below is the requested DDS log...

**********************
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8080.16413
Run by Gecko at 14:34:46 on 2012-01-01
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4095.2054 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2012\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
C:\Windows\system32\taskeng.exe
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40STB.EXE
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Uniblue\RegistryBooster\rbmonitor.exe
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files (x86)\SteelSeries\World of Warcraft Cataclysm MMO Gaming Mouse\WoWMHID2.exe
C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\SteelSeries\World of Warcraft Cataclysm MMO Gaming Mouse\WoWMTray2.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
-netsvcs
C:\Windows\system32\conhost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\DllHost.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://maps.google.com/maps?hl=en&tab=wl
uSearch Bar = Preserve
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe
mRun: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun: [SteelSeries World of Warcraft Cataclysm MMO Gaming Mouse] "C:\Program Files (x86)\SteelSeries\World of Warcraft Cataclysm MMO Gaming Mouse\WoWMHID2.exe"
mRun: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{261088E2-5F34-4F68-A42F-4C3C8EF8C27B} : DhcpNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "C:\Program Files (x86)\Common Files\LightScribe\LSRunOnce.exe"
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
BHO-X64: WormRadar.com IESiteBlocker.NavFilter - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe
mRun-x64: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
mRun-x64: [SteelSeries World of Warcraft Cataclysm MMO Gaming Mouse] "C:\Program Files (x86)\SteelSeries\World of Warcraft Cataclysm MMO Gaming Mouse\WoWMHID2.exe"
mRun-x64: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Gecko\AppData\Roaming\Mozilla\Firefox\Profiles\ah857loh.default\
FF - prefs.js: browser.startup.homepage - hxxp://maps.google.com/maps?hl=en&tab=wl
FF - prefs.js: network.proxy.type - 0
FF - component: C:\Program Files (x86)\AVG\AVG2012\Firefox4\components\avgssff5.dll
FF - component: C:\Program Files (x86)\AVG\AVG2012\Firefox4\components\avgssff6.dll
FF - component: C:\Program Files (x86)\AVG\AVG2012\Firefox4\components\avgssff7.dll
FF - component: C:\Program Files (x86)\AVG\AVG2012\Firefox4\components\avgssff8.dll
FF - component: C:\Program Files (x86)\AVG\AVG2012\Firefox4\components\avgssff9.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - C:\Program Files (x86)\AVG\AVG2012\Firefox4
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;C:\Windows\system32\DRIVERS\AVGIDSEH.Sys --> C:\Windows\system32\DRIVERS\AVGIDSEH.Sys [?]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\system32\DRIVERS\avgrkx64.sys --> C:\Windows\system32\DRIVERS\avgrkx64.sys [?]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\system32\DRIVERS\avgldx64.sys --> C:\Windows\system32\DRIVERS\avgldx64.sys [?]
R1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\system32\DRIVERS\avgmfx64.sys --> C:\Windows\system32\DRIVERS\avgmfx64.sys [?]
R1 Avgtdia;AVG TDI Driver;C:\Windows\system32\DRIVERS\avgtdia.sys --> C:\Windows\system32\DRIVERS\avgtdia.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe [2011-8-2 192776]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2011-8-4 2329480]
R2 WDDMService;WD SmartWare Drive Manager Service;C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-10-14 116224]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 AVGIDSDriver;AVGIDSDriver;C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys --> C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
R3 AVGIDSFilter;AVGIDSFilter;C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys --> C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
R3 SSMO3v2Filter;MMO3v2 Mouse;C:\Windows\system32\drivers\MO3v2Driver.sys --> C:\Windows\system32\drivers\MO3v2Driver.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-5-14 136176]
S3 athrusb6;Atheros Wireless LAN USB device driver 6 Series;C:\Windows\system32\DRIVERS\athrxu6.sys --> C:\Windows\system32\DRIVERS\athrxu6.sys [?]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-5-14 136176]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\system32\DRIVERS\wdcsam64.sys --> C:\Windows\system32\DRIVERS\wdcsam64.sys [?]
.
=============== Created Last 30 ================
.
2012-01-01 16:45:15 -------- d-----w- C:\Users\Gecko\AppData\Roaming\Curiolab
2012-01-01 16:41:39 -------- d-----w- C:\Program Files (x86)\Exterminate It!
2012-01-01 16:17:56 -------- d-----w- C:\ProgramData\SecTaskMan
2012-01-01 16:17:51 -------- d-----w- C:\Program Files (x86)\Security Task Manager
2012-01-01 15:31:16 767952 ----a-w- C:\Windows\BDTSupport.dll0130.old
2012-01-01 15:31:16 1640400 ----a-w- C:\Windows\PCTBDCore.dll0130.old
2012-01-01 15:31:16 149456 ----a-w- C:\Windows\SGDetectionTool.dll0130.old
2012-01-01 15:30:57 -------- d-----w- C:\Program Files (x86)\Spyware Doctor
2012-01-01 15:30:57 -------- d-----w- C:\Program Files (x86)\Common Files\PC Tools
2012-01-01 07:28:00 -------- d-----w- C:\Users\Gecko\AppData\Roaming\Uniblue
2012-01-01 07:27:58 -------- dc-h--w- C:\ProgramData\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2012-01-01 07:27:58 -------- d-----w- C:\Program Files (x86)\Uniblue
2012-01-01 05:03:55 -------- d-----w- C:\MALWAREBYTES ANTI-MALWARE
2011-12-31 05:46:07 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2011-12-31 05:19:51 20480 ----a-w- C:\Windows\svchost.exe
2011-12-09 04:16:02 -------- d-----w- C:\ProgramData\CCP
2011-12-09 03:47:41 -------- d-----w- C:\Program Files (x86)\CCP
2011-12-09 03:17:41 -------- d-----w- C:\Users\Gecko\AppData\Local\CCP
.
==================== Find3M ====================
.
2011-12-10 20:24:08 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-10-07 10:23:46 283728 ----a-w- C:\Windows\System32\drivers\avgldx64.sys
.
============= FINISH: 14:35:21.47 ===============


I thank you for any help you can provide me with on this issue...

Attached Files



BC AdBot (Login to Remove)

 


#2 FreedomFighter33

FreedomFighter33
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:11:07 PM

Posted 05 January 2012 - 09:30 PM

Just an update.. I'm still having the same issues and still require help when you're able to provide it.. thanks again..

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:07 AM

Posted 06 January 2012 - 12:31 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool untill instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 FreedomFighter33

FreedomFighter33
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:11:07 PM

Posted 06 January 2012 - 12:07 PM

Heya Gringo, thanks for taking time to help me... All instructions understood and completed. Below is the generated log from Combofix.

During the process looks like Combofix deleted 2 files that I could see, svchost.exe and java.exe.

My PC.. it's running normal, and has been other then the bluescreen crashes and the reported viruses Malware and AVG picked up. I haven't used it barely the past 5 days due to these issues. There was one issue... a small screen would keep popping up with an "OK" button on it claiming something along the lines of "Memory error" or "out of memory error". But I haven't seen it again in days. Log below..

ComboFix 12-01-06.01 - Gecko 01/06/2012 11:36:08.1.4 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4095.2817 [GMT -5:00]
Running from: c:\users\Gecko\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\svchost.exe
c:\windows\system32\java.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-06 to 2012-01-06 )))))))))))))))))))))))))))))))
.
.
2012-01-06 16:42 . 2012-01-06 16:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-01 16:45 . 2012-01-01 16:45 -------- d-----w- c:\users\Gecko\AppData\Roaming\Curiolab
2012-01-01 16:41 . 2012-01-01 17:08 -------- d-----w- c:\program files (x86)\Exterminate It!
2012-01-01 16:17 . 2012-01-01 16:22 -------- d-----w- c:\programdata\SecTaskMan
2012-01-01 16:17 . 2012-01-01 16:17 -------- d-----w- c:\program files (x86)\Security Task Manager
2012-01-01 15:31 . 2009-11-10 15:28 149456 ----a-w- c:\windows\SGDetectionTool.dll0130.old
2012-01-01 15:31 . 2009-11-10 15:28 1640400 ----a-w- c:\windows\PCTBDCore.dll0130.old
2012-01-01 15:31 . 2009-11-10 15:26 767952 ----a-w- c:\windows\BDTSupport.dll0130.old
2012-01-01 15:30 . 2012-01-01 18:42 -------- d-----w- c:\program files (x86)\Spyware Doctor
2012-01-01 15:30 . 2012-01-01 18:42 -------- d-----w- c:\program files (x86)\Common Files\PC Tools
2012-01-01 07:28 . 2012-01-01 07:28 -------- d-----w- c:\users\Gecko\AppData\Roaming\Uniblue
2012-01-01 07:27 . 2012-01-01 07:27 -------- dc-h--w- c:\programdata\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2012-01-01 07:27 . 2012-01-01 07:27 -------- d-----w- c:\program files (x86)\Uniblue
2012-01-01 05:03 . 2012-01-01 18:42 -------- d-----w- C:\MALWAREBYTES ANTI-MALWARE
2011-12-31 05:46 . 2011-12-31 05:46 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2011-12-31 05:19 . 2009-07-14 01:14 20480 ----a-w- c:\windows\svchost.exe
2011-12-09 04:16 . 2011-12-09 04:16 -------- d-----w- c:\programdata\CCP
2011-12-09 03:47 . 2011-12-09 03:47 -------- d-----w- c:\program files (x86)\CCP
2011-12-09 03:17 . 2011-12-09 03:17 -------- d-----w- c:\users\Gecko\AppData\Local\CCP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 20:24 . 2010-07-03 16:10 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"EEventManager"="c:\progra~2\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2011-12-03 2415456]
"SteelSeries World of Warcraft Cataclysm MMO Gaming Mouse"="c:\program files (x86)\SteelSeries\World of Warcraft Cataclysm MMO Gaming Mouse\WoWMHID2.exe" [2010-12-23 1987072]
"LogMeIn Hamachi Ui"="c:\program files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-08-04 1955208]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-07-08 336384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-14 136176]
R3 athrusb6;Atheros Wireless LAN USB device driver 6 Series;c:\windows\system32\DRIVERS\athrxu6.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-14 136176]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [x]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [x]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [x]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe [2011-10-12 4433248]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2011-08-02 192776]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2011-08-04 2329480]
S2 WDDMService;WD SmartWare Drive Manager Service;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-10-14 116224]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [x]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [x]
S3 SSMO3v2Filter;MMO3v2 Mouse;c:\windows\system32\drivers\MO3v2Driver.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2011-01-19 20:06 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-14 20:05]
.
2012-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-14 20:05]
.
2012-01-06 c:\windows\Tasks\RegistryBooster.job
- c:\program files (x86)\Uniblue\RegistryBooster\rbmonitor.exe [2012-01-01 08:26]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-06-08 10867816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uStart Page = hxxp://maps.google.com/maps?hl=en&tab=wl
mLocal Page = c:\windows\system32\blank.htm
FF - ProfilePath - c:\users\Gecko\AppData\Roaming\Mozilla\Firefox\Profiles\ah857loh.default\
FF - prefs.js: browser.startup.homepage - hxxp://maps.google.com/maps?hl=en&tab=wl
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files (x86)\AVG\AVG2012\Firefox4
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe
c:\program files (x86)\SteelSeries\World of Warcraft Cataclysm MMO Gaming Mouse\WoWMTray2.exe
c:\\.\globalroot\systemroot\svchost.exe
c:\\.\globalroot\systemroot\svchost.exe
.
**************************************************************************
.
Completion time: 2012-01-06 11:52:29 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-06 16:52
.
Pre-Run: 172,469,821,440 bytes free
Post-Run: 172,893,892,608 bytes free
.
- - End Of File - - BD1E3B9F16FA9B440A4621AF8D420516

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:07 AM

Posted 06 January 2012 - 12:16 PM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#6 FreedomFighter33

FreedomFighter33
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:11:07 PM

Posted 06 January 2012 - 12:30 PM

Again, instructions understood and completed.. log below...



12:24:03.0709 5612 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
12:24:04.0087 5612 ============================================================
12:24:04.0087 5612 Current date / time: 2012/01/06 12:24:04.0087
12:24:04.0087 5612 SystemInfo:
12:24:04.0087 5612
12:24:04.0087 5612 OS Version: 6.1.7600 ServicePack: 0.0
12:24:04.0087 5612 Product type: Workstation
12:24:04.0087 5612 ComputerName: GECKO-PC2
12:24:04.0088 5612 UserName: Gecko
12:24:04.0088 5612 Windows directory: C:\Windows
12:24:04.0088 5612 System windows directory: C:\Windows
12:24:04.0088 5612 Running under WOW64
12:24:04.0088 5612 Processor architecture: Intel x64
12:24:04.0088 5612 Number of processors: 4
12:24:04.0088 5612 Page size: 0x1000
12:24:04.0088 5612 Boot type: Normal boot
12:24:04.0088 5612 ============================================================
12:24:05.0081 5612 Initialize success
12:24:06.0493 6056 ============================================================
12:24:06.0493 6056 Scan started
12:24:06.0493 6056 Mode: Manual;
12:24:06.0493 6056 ============================================================
12:24:08.0967 6056 1394ohci (1b00662092f9f9568b995902f0cc40d5) C:\Windows\system32\DRIVERS\1394ohci.sys
12:24:08.0973 6056 1394ohci - ok
12:24:09.0032 6056 ACPI (6f11e88748cdefd2f76aa215f97ddfe5) C:\Windows\system32\DRIVERS\ACPI.sys
12:24:09.0037 6056 ACPI - ok
12:24:09.0064 6056 AcpiPmi (63b05a0420ce4bf0e4af6dcc7cada254) C:\Windows\system32\DRIVERS\acpipmi.sys
12:24:09.0065 6056 AcpiPmi - ok
12:24:09.0219 6056 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
12:24:09.0225 6056 adp94xx - ok
12:24:09.0292 6056 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
12:24:09.0297 6056 adpahci - ok
12:24:09.0345 6056 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
12:24:09.0348 6056 adpu320 - ok
12:24:09.0417 6056 AFD (b9384e03479d2506bc924c16a3db87bc) C:\Windows\system32\drivers\afd.sys
12:24:09.0423 6056 AFD - ok
12:24:09.0462 6056 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\DRIVERS\agp440.sys
12:24:09.0464 6056 agp440 - ok
12:24:09.0517 6056 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\DRIVERS\aliide.sys
12:24:09.0519 6056 aliide - ok
12:24:09.0572 6056 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\DRIVERS\amdide.sys
12:24:09.0574 6056 amdide - ok
12:24:09.0613 6056 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys
12:24:09.0615 6056 AmdK8 - ok
12:24:09.0978 6056 amdkmdag (75bbd04f450ce109031a215fd4ec667a) C:\Windows\system32\DRIVERS\atikmdag.sys
12:24:10.0223 6056 amdkmdag - ok
12:24:10.0286 6056 amdkmdap (adb8ee976ce4a47c54d39f2581593c03) C:\Windows\system32\DRIVERS\atikmpag.sys
12:24:10.0290 6056 amdkmdap - ok
12:24:10.0334 6056 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
12:24:10.0337 6056 AmdPPM - ok
12:24:10.0393 6056 amdsata (7a4b413614c055935567cf88a9734d38) C:\Windows\system32\DRIVERS\amdsata.sys
12:24:10.0396 6056 amdsata - ok
12:24:10.0430 6056 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys
12:24:10.0437 6056 amdsbs - ok
12:24:10.0473 6056 amdxata (b4ad0cacbab298671dd6f6ef7e20679d) C:\Windows\system32\DRIVERS\amdxata.sys
12:24:10.0474 6056 amdxata - ok
12:24:10.0512 6056 AppID (42fd751b27fa0e9c69bb39f39e409594) C:\Windows\system32\drivers\appid.sys
12:24:10.0514 6056 AppID - ok
12:24:10.0589 6056 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys
12:24:10.0592 6056 arc - ok
12:24:10.0615 6056 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys
12:24:10.0616 6056 arcsas - ok
12:24:10.0673 6056 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
12:24:10.0675 6056 AsyncMac - ok
12:24:10.0719 6056 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\DRIVERS\atapi.sys
12:24:10.0721 6056 atapi - ok
12:24:10.0831 6056 athrusb6 (aec505976ef01bbd8f57cba912f39259) C:\Windows\system32\DRIVERS\athrxu6.sys
12:24:10.0869 6056 athrusb6 - ok
12:24:10.0934 6056 AtiHDAudioService (cbd14f698def12ee3557604b726cb8eb) C:\Windows\system32\drivers\AtihdW76.sys
12:24:10.0940 6056 AtiHDAudioService - ok
12:24:11.0000 6056 AtiHdmiService (2d648572ba9a610952fcafba1e119c2d) C:\Windows\system32\drivers\AtiHdmi.sys
12:24:11.0013 6056 AtiHdmiService - ok
12:24:11.0133 6056 AVGIDSDriver (e29ea1a0ec7ab9fa2dc7e75a03f12a4f) C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys
12:24:11.0136 6056 AVGIDSDriver - ok
12:24:11.0195 6056 AVGIDSEH (f823d184b8e8ffb8da3ead45dbf5bd6a) C:\Windows\system32\DRIVERS\AVGIDSEH.Sys
12:24:11.0197 6056 AVGIDSEH - ok
12:24:11.0258 6056 AVGIDSFilter (ed2b25bd7fe35d1944211968842d30da) C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys
12:24:11.0259 6056 AVGIDSFilter - ok
12:24:11.0339 6056 Avgldx64 (979cf8912449a10b987218bff80a1fa3) C:\Windows\system32\DRIVERS\avgldx64.sys
12:24:11.0344 6056 Avgldx64 - ok
12:24:11.0407 6056 Avgmfx64 (36b1a5843695766eac714daffc5b84d1) C:\Windows\system32\DRIVERS\avgmfx64.sys
12:24:11.0410 6056 Avgmfx64 - ok
12:24:11.0469 6056 Avgrkx64 (1102239fb724527f1febbbbccf6bf313) C:\Windows\system32\DRIVERS\avgrkx64.sys
12:24:11.0473 6056 Avgrkx64 - ok
12:24:11.0547 6056 Avgtdia (11f36d3ea82d9db9aa05a476a210551b) C:\Windows\system32\DRIVERS\avgtdia.sys
12:24:11.0553 6056 Avgtdia - ok
12:24:11.0623 6056 AX88772 (594931a6353318ee9d77a9ceafddee21) C:\Windows\system32\DRIVERS\ax88772.sys
12:24:11.0624 6056 AX88772 - ok
12:24:11.0698 6056 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys
12:24:11.0705 6056 b06bdrv - ok
12:24:11.0782 6056 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
12:24:11.0813 6056 b57nd60a - ok
12:24:11.0863 6056 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
12:24:11.0865 6056 Beep - ok
12:24:11.0911 6056 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
12:24:11.0913 6056 blbdrive - ok
12:24:11.0949 6056 bowser (91ce0d3dc57dd377e690a2d324022b08) C:\Windows\system32\DRIVERS\bowser.sys
12:24:11.0953 6056 bowser - ok
12:24:11.0984 6056 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys
12:24:11.0987 6056 BrFiltLo - ok
12:24:12.0053 6056 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys
12:24:12.0054 6056 BrFiltUp - ok
12:24:12.0117 6056 BridgeMP (5c2f352a4e961d72518261257aae204b) C:\Windows\system32\DRIVERS\bridge.sys
12:24:12.0124 6056 BridgeMP - ok
12:24:12.0169 6056 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
12:24:12.0173 6056 Brserid - ok
12:24:12.0207 6056 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
12:24:12.0208 6056 BrSerWdm - ok
12:24:12.0237 6056 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
12:24:12.0239 6056 BrUsbMdm - ok
12:24:12.0269 6056 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
12:24:12.0271 6056 BrUsbSer - ok
12:24:12.0313 6056 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys
12:24:12.0317 6056 BTHMODEM - ok
12:24:12.0357 6056 catchme - ok
12:24:12.0408 6056 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
12:24:12.0416 6056 cdfs - ok
12:24:12.0504 6056 cdrom (83d2d75e1efb81b3450c18131443f7db) C:\Windows\system32\DRIVERS\cdrom.sys
12:24:12.0508 6056 cdrom - ok
12:24:12.0570 6056 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys
12:24:12.0572 6056 circlass - ok
12:24:12.0655 6056 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
12:24:12.0659 6056 CLFS - ok
12:24:12.0718 6056 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
12:24:12.0721 6056 CmBatt - ok
12:24:12.0758 6056 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\DRIVERS\cmdide.sys
12:24:12.0759 6056 cmdide - ok
12:24:12.0812 6056 CNG (f95fd4cb7da00ba2a63ce9f6b5c053e1) C:\Windows\system32\Drivers\cng.sys
12:24:12.0820 6056 CNG - ok
12:24:12.0857 6056 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
12:24:12.0859 6056 Compbatt - ok
12:24:12.0890 6056 CompositeBus (f26b3a86f6fa87ca360b879581ab4123) C:\Windows\system32\DRIVERS\CompositeBus.sys
12:24:12.0892 6056 CompositeBus - ok
12:24:12.0958 6056 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys
12:24:12.0959 6056 crcdisk - ok
12:24:13.0028 6056 CSC (4a6173c2279b498cd8f57cae504564cb) C:\Windows\system32\drivers\csc.sys
12:24:13.0084 6056 CSC - ok
12:24:13.0161 6056 DfsC (3f1dc527070acb87e40afe46ef6da749) C:\Windows\system32\Drivers\dfsc.sys
12:24:13.0165 6056 DfsC - ok
12:24:13.0219 6056 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
12:24:13.0222 6056 discache - ok
12:24:13.0263 6056 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\DRIVERS\disk.sys
12:24:13.0265 6056 Disk - ok
12:24:13.0342 6056 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
12:24:13.0353 6056 drmkaud - ok
12:24:13.0434 6056 DXGKrnl (1633b9abf52784a1331476397a48cbef) C:\Windows\System32\drivers\dxgkrnl.sys
12:24:13.0447 6056 DXGKrnl - ok
12:24:13.0655 6056 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\DRIVERS\evbda.sys
12:24:13.0688 6056 ebdrv - ok
12:24:13.0771 6056 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\DRIVERS\elxstor.sys
12:24:13.0780 6056 elxstor - ok
12:24:13.0859 6056 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\DRIVERS\errdev.sys
12:24:13.0862 6056 ErrDev - ok
12:24:13.0925 6056 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
12:24:13.0942 6056 exfat - ok
12:24:13.0980 6056 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
12:24:13.0986 6056 fastfat - ok
12:24:14.0024 6056 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\DRIVERS\fdc.sys
12:24:14.0028 6056 fdc - ok
12:24:14.0073 6056 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
12:24:14.0075 6056 FileInfo - ok
12:24:14.0105 6056 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
12:24:14.0124 6056 Filetrace - ok
12:24:14.0166 6056 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\DRIVERS\flpydisk.sys
12:24:14.0185 6056 flpydisk - ok
12:24:14.0237 6056 FltMgr (f7866af72abbaf84b1fa5aa195378c59) C:\Windows\system32\drivers\fltmgr.sys
12:24:14.0241 6056 FltMgr - ok
12:24:14.0299 6056 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
12:24:14.0317 6056 FsDepends - ok
12:24:14.0347 6056 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys
12:24:14.0349 6056 Fs_Rec - ok
12:24:14.0397 6056 fvevol (ae87ba80d0ec3b57126ed2cdc15b24ed) C:\Windows\system32\DRIVERS\fvevol.sys
12:24:14.0401 6056 fvevol - ok
12:24:14.0434 6056 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\DRIVERS\gagp30kx.sys
12:24:14.0435 6056 gagp30kx - ok
12:24:14.0466 6056 GMSIPCI - ok
12:24:14.0553 6056 hamachi (1e6438d4ea6e1174a3b3b1edc4de660b) C:\Windows\system32\DRIVERS\hamachi.sys
12:24:14.0556 6056 hamachi - ok
12:24:14.0615 6056 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
12:24:14.0617 6056 hcw85cir - ok
12:24:14.0680 6056 HdAudAddService (6410f6f415b2a5a9037224c41da8bf12) C:\Windows\system32\drivers\HdAudio.sys
12:24:14.0698 6056 HdAudAddService - ok
12:24:14.0731 6056 HDAudBus (0a49913402747a0b67de940fb42cbdbb) C:\Windows\system32\DRIVERS\HDAudBus.sys
12:24:14.0735 6056 HDAudBus - ok
12:24:14.0764 6056 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\DRIVERS\HidBatt.sys
12:24:14.0767 6056 HidBatt - ok
12:24:14.0805 6056 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\DRIVERS\hidbth.sys
12:24:14.0808 6056 HidBth - ok
12:24:14.0847 6056 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\DRIVERS\hidir.sys
12:24:14.0850 6056 HidIr - ok
12:24:14.0904 6056 HidUsb (b3bf6b5b50006def50b66306d99fcf6f) C:\Windows\system32\DRIVERS\hidusb.sys
12:24:14.0909 6056 HidUsb - ok
12:24:15.0033 6056 HpSAMD (0886d440058f203eba0e1825e4355914) C:\Windows\system32\DRIVERS\HpSAMD.sys
12:24:15.0036 6056 HpSAMD - ok
12:24:15.0088 6056 HTTP (cee049cac4efa7f4e1e4ad014414a5d4) C:\Windows\system32\drivers\HTTP.sys
12:24:15.0105 6056 HTTP - ok
12:24:15.0138 6056 hwpolicy (f17766a19145f111856378df337a5d79) C:\Windows\system32\drivers\hwpolicy.sys
12:24:15.0141 6056 hwpolicy - ok
12:24:15.0180 6056 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\DRIVERS\i8042prt.sys
12:24:15.0186 6056 i8042prt - ok
12:24:15.0238 6056 iaStorV (d83efb6fd45df9d55e9a1afc63640d50) C:\Windows\system32\DRIVERS\iaStorV.sys
12:24:15.0247 6056 iaStorV - ok
12:24:15.0306 6056 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\DRIVERS\iirsp.sys
12:24:15.0308 6056 iirsp - ok
12:24:15.0469 6056 IntcAzAudAddService (2b888bbdf6962e608a5e1a1d7a626adf) C:\Windows\system32\drivers\RTKVHD64.sys
12:24:15.0512 6056 IntcAzAudAddService - ok
12:24:15.0567 6056 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\DRIVERS\intelide.sys
12:24:15.0569 6056 intelide - ok
12:24:15.0623 6056 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys
12:24:15.0625 6056 intelppm - ok
12:24:15.0670 6056 IpFilterDriver (722dd294df62483cecaae6e094b4d695) C:\Windows\system32\DRIVERS\ipfltdrv.sys
12:24:15.0676 6056 IpFilterDriver - ok
12:24:15.0727 6056 IPMIDRV (e2b4a4494db7cb9b89b55ca268c337c5) C:\Windows\system32\DRIVERS\IPMIDrv.sys
12:24:15.0729 6056 IPMIDRV - ok
12:24:15.0780 6056 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
12:24:15.0795 6056 IPNAT - ok
12:24:15.0831 6056 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
12:24:15.0857 6056 IRENUM - ok
12:24:15.0883 6056 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\DRIVERS\isapnp.sys
12:24:15.0886 6056 isapnp - ok
12:24:15.0916 6056 iScsiPrt (fa4d2557de56d45b0a346f93564be6e1) C:\Windows\system32\DRIVERS\msiscsi.sys
12:24:15.0918 6056 iScsiPrt - ok
12:24:15.0967 6056 ISODrive (88bb5280137dc9a7e9989c475763cd08) D:\Apps\UltraISO\drivers\ISODrv64.sys
12:24:15.0969 6056 ISODrive - ok
12:24:16.0002 6056 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\DRIVERS\kbdclass.sys
12:24:16.0004 6056 kbdclass - ok
12:24:16.0024 6056 kbdhid (6def98f8541e1b5dceb2c822a11f7323) C:\Windows\system32\DRIVERS\kbdhid.sys
12:24:16.0026 6056 kbdhid - ok
12:24:16.0077 6056 KSecDD (e8b6fcc9c83535c67f835d407620bd27) C:\Windows\system32\Drivers\ksecdd.sys
12:24:16.0081 6056 KSecDD - ok
12:24:16.0127 6056 KSecPkg (a8c63880ef6f4d3fec7b616b9c060215) C:\Windows\system32\Drivers\ksecpkg.sys
12:24:16.0129 6056 KSecPkg - ok
12:24:16.0158 6056 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
12:24:16.0160 6056 ksthunk - ok
12:24:16.0243 6056 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
12:24:16.0246 6056 lltdio - ok
12:24:16.0308 6056 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\DRIVERS\lsi_fc.sys
12:24:16.0311 6056 LSI_FC - ok
12:24:16.0350 6056 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\DRIVERS\lsi_sas.sys
12:24:16.0353 6056 LSI_SAS - ok
12:24:16.0386 6056 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\DRIVERS\lsi_sas2.sys
12:24:16.0389 6056 LSI_SAS2 - ok
12:24:16.0420 6056 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\DRIVERS\lsi_scsi.sys
12:24:16.0423 6056 LSI_SCSI - ok
12:24:16.0506 6056 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
12:24:16.0509 6056 luafv - ok
12:24:16.0584 6056 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\DRIVERS\megasas.sys
12:24:16.0586 6056 megasas - ok
12:24:16.0688 6056 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\DRIVERS\MegaSR.sys
12:24:16.0692 6056 MegaSR - ok
12:24:16.0770 6056 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
12:24:16.0799 6056 Modem - ok
12:24:16.0913 6056 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
12:24:16.0915 6056 monitor - ok
12:24:16.0993 6056 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys
12:24:16.0995 6056 mouclass - ok
12:24:17.0097 6056 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
12:24:17.0103 6056 mouhid - ok
12:24:17.0150 6056 mountmgr (791af66c4d0e7c90a3646066386fb571) C:\Windows\system32\drivers\mountmgr.sys
12:24:17.0152 6056 mountmgr - ok
12:24:17.0205 6056 mpio (609d1d87649ecc19796f4d76d4c15cea) C:\Windows\system32\DRIVERS\mpio.sys
12:24:17.0207 6056 mpio - ok
12:24:17.0355 6056 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
12:24:17.0363 6056 mpsdrv - ok
12:24:17.0446 6056 MRxDAV (30524261bb51d96d6fcbac20c810183c) C:\Windows\system32\drivers\mrxdav.sys
12:24:17.0449 6056 MRxDAV - ok
12:24:17.0529 6056 mrxsmb (767a4c3bcf9410c286ced15a2db17108) C:\Windows\system32\DRIVERS\mrxsmb.sys
12:24:17.0535 6056 mrxsmb - ok
12:24:17.0607 6056 mrxsmb10 (920ee0ff995fcfdeb08c41605a959e1c) C:\Windows\system32\DRIVERS\mrxsmb10.sys
12:24:17.0617 6056 mrxsmb10 - ok
12:24:17.0682 6056 mrxsmb20 (740d7ea9d72c981510a5292cf6adc941) C:\Windows\system32\DRIVERS\mrxsmb20.sys
12:24:17.0687 6056 mrxsmb20 - ok
12:24:17.0789 6056 msahci (5c37497276e3b3a5488b23a326a754b7) C:\Windows\system32\DRIVERS\msahci.sys
12:24:17.0791 6056 msahci - ok
12:24:17.0838 6056 msdsm (8d27b597229aed79430fb9db3bcbfbd0) C:\Windows\system32\DRIVERS\msdsm.sys
12:24:17.0840 6056 msdsm - ok
12:24:17.0911 6056 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
12:24:17.0915 6056 Msfs - ok
12:24:17.0965 6056 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
12:24:17.0966 6056 mshidkmdf - ok
12:24:18.0025 6056 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\DRIVERS\msisadrv.sys
12:24:18.0028 6056 msisadrv - ok
12:24:18.0086 6056 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
12:24:18.0089 6056 MSKSSRV - ok
12:24:18.0124 6056 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
12:24:18.0126 6056 MSPCLOCK - ok
12:24:18.0163 6056 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
12:24:18.0176 6056 MSPQM - ok
12:24:18.0237 6056 MsRPC (89cb141aa8616d8c6a4610fa26c60964) C:\Windows\system32\drivers\MsRPC.sys
12:24:18.0252 6056 MsRPC - ok
12:24:18.0297 6056 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\DRIVERS\mssmbios.sys
12:24:18.0299 6056 mssmbios - ok
12:24:18.0350 6056 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
12:24:18.0356 6056 MSTEE - ok
12:24:18.0386 6056 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys
12:24:18.0388 6056 MTConfig - ok
12:24:18.0431 6056 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
12:24:18.0434 6056 Mup - ok
12:24:18.0509 6056 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
12:24:18.0534 6056 NativeWifiP - ok
12:24:18.0629 6056 NDIS (cad515dbd07d082bb317d9928ce8962c) C:\Windows\system32\drivers\ndis.sys
12:24:18.0649 6056 NDIS - ok
12:24:18.0689 6056 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
12:24:18.0699 6056 NdisCap - ok
12:24:18.0733 6056 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
12:24:18.0736 6056 NdisTapi - ok
12:24:18.0781 6056 Ndisuio (f105ba1e22bf1f2ee8f005d4305e4bec) C:\Windows\system32\DRIVERS\ndisuio.sys
12:24:18.0784 6056 Ndisuio - ok
12:24:18.0815 6056 NdisWan (557dfab9ca1fcb036ac77564c010dad3) C:\Windows\system32\DRIVERS\ndiswan.sys
12:24:18.0820 6056 NdisWan - ok
12:24:18.0856 6056 NDProxy (659b74fb74b86228d6338d643cd3e3cf) C:\Windows\system32\drivers\NDProxy.sys
12:24:18.0861 6056 NDProxy - ok
12:24:18.0881 6056 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
12:24:18.0883 6056 NetBIOS - ok
12:24:18.0933 6056 NetBT (9162b273a44ab9dce5b44362731d062a) C:\Windows\system32\DRIVERS\netbt.sys
12:24:18.0941 6056 NetBT - ok
12:24:19.0079 6056 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys
12:24:19.0082 6056 nfrd960 - ok
12:24:19.0145 6056 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
12:24:19.0148 6056 Npfs - ok
12:24:19.0195 6056 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
12:24:19.0198 6056 nsiproxy - ok
12:24:19.0362 6056 Ntfs (356698a13c4630d5b31c37378d469196) C:\Windows\system32\drivers\Ntfs.sys
12:24:19.0384 6056 Ntfs - ok
12:24:19.0482 6056 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
12:24:19.0484 6056 Null - ok
12:24:19.0722 6056 NVENETFD (a85b4f2ef3a7304a5399ef0526423040) C:\Windows\system32\DRIVERS\nvm62x64.sys
12:24:20.0041 6056 NVENETFD - ok
12:24:20.0197 6056 nvraid (3e38712941e9bb4ddbee00affe3fed3d) C:\Windows\system32\DRIVERS\nvraid.sys
12:24:20.0205 6056 nvraid - ok
12:24:20.0260 6056 nvstor (477dc4d6deb99be37084c9ac6d013da1) C:\Windows\system32\DRIVERS\nvstor.sys
12:24:20.0262 6056 nvstor - ok
12:24:20.0313 6056 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\DRIVERS\nv_agp.sys
12:24:20.0317 6056 nv_agp - ok
12:24:20.0398 6056 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\DRIVERS\ohci1394.sys
12:24:20.0400 6056 ohci1394 - ok
12:24:20.0539 6056 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\DRIVERS\parport.sys
12:24:20.0541 6056 Parport - ok
12:24:20.0631 6056 partmgr (7daa117143316c4a1537e074a5a9eaf0) C:\Windows\system32\drivers\partmgr.sys
12:24:20.0634 6056 partmgr - ok
12:24:20.0883 6056 pci (f36f6504009f2fb0dfd1b17a116ad74b) C:\Windows\system32\DRIVERS\pci.sys
12:24:20.0886 6056 pci - ok
12:24:21.0008 6056 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\DRIVERS\pciide.sys
12:24:21.0010 6056 pciide - ok
12:24:21.0046 6056 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\DRIVERS\pcmcia.sys
12:24:21.0051 6056 pcmcia - ok
12:24:21.0117 6056 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
12:24:21.0119 6056 pcw - ok
12:24:21.0212 6056 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
12:24:21.0261 6056 PEAUTH - ok
12:24:21.0574 6056 PptpMiniport (27cc19e81ba5e3403c48302127bda717) C:\Windows\system32\DRIVERS\raspptp.sys
12:24:21.0580 6056 PptpMiniport - ok
12:24:21.0636 6056 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\DRIVERS\processr.sys
12:24:21.0638 6056 Processor - ok
12:24:21.0738 6056 Psched (ee992183bd8eaefd9973f352e587a299) C:\Windows\system32\DRIVERS\pacer.sys
12:24:21.0743 6056 Psched - ok
12:24:21.0831 6056 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\DRIVERS\ql2300.sys
12:24:21.0856 6056 ql2300 - ok
12:24:21.0919 6056 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\DRIVERS\ql40xx.sys
12:24:21.0924 6056 ql40xx - ok
12:24:21.0979 6056 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
12:24:21.0981 6056 QWAVEdrv - ok
12:24:22.0038 6056 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
12:24:22.0042 6056 RasAcd - ok
12:24:22.0098 6056 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
12:24:22.0101 6056 RasAgileVpn - ok
12:24:22.0152 6056 Rasl2tp (87a6e852a22991580d6d39adc4790463) C:\Windows\system32\DRIVERS\rasl2tp.sys
12:24:22.0162 6056 Rasl2tp - ok
12:24:22.0221 6056 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
12:24:22.0225 6056 RasPppoe - ok
12:24:22.0264 6056 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
12:24:22.0267 6056 RasSstp - ok
12:24:22.0320 6056 rdbss (3bac8142102c15d59a87757c1d41dce5) C:\Windows\system32\DRIVERS\rdbss.sys
12:24:22.0336 6056 rdbss - ok
12:24:22.0396 6056 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys
12:24:22.0403 6056 rdpbus - ok
12:24:22.0452 6056 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
12:24:22.0455 6056 RDPCDD - ok
12:24:22.0505 6056 RDPDR (9706b84dbabfc4b4ca46c5a82b14dfa3) C:\Windows\system32\drivers\rdpdr.sys
12:24:22.0512 6056 RDPDR - ok
12:24:22.0552 6056 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
12:24:22.0553 6056 RDPENCDD - ok
12:24:22.0631 6056 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
12:24:22.0633 6056 RDPREFMP - ok
12:24:22.0698 6056 RDPWD (8a3e6bea1c53ea6177fe2b6eba2c80d7) C:\Windows\system32\drivers\RDPWD.sys
12:24:22.0724 6056 RDPWD - ok
12:24:22.0785 6056 rdyboost (634b9a2181d98f15941236886164ec8b) C:\Windows\system32\drivers\rdyboost.sys
12:24:22.0789 6056 rdyboost - ok
12:24:22.0900 6056 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
12:24:22.0903 6056 rspndr - ok
12:24:23.0040 6056 s3cap (88af6e02ab19df7fd07ecdf9c91e9af6) C:\Windows\system32\DRIVERS\vms3cap.sys
12:24:23.0043 6056 s3cap - ok
12:24:23.0106 6056 sbp2port (e3bbb89983daf5622c1d50cf49f28227) C:\Windows\system32\DRIVERS\sbp2port.sys
12:24:23.0111 6056 sbp2port - ok
12:24:23.0160 6056 scfilter (c94da20c7e3ba1dca269bc8460d98387) C:\Windows\system32\DRIVERS\scfilter.sys
12:24:23.0165 6056 scfilter - ok
12:24:23.0249 6056 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
12:24:23.0261 6056 secdrv - ok
12:24:23.0357 6056 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys
12:24:23.0360 6056 Serenum - ok
12:24:23.0405 6056 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
12:24:23.0409 6056 Serial - ok
12:24:23.0468 6056 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\DRIVERS\sermouse.sys
12:24:23.0470 6056 sermouse - ok
12:24:23.0552 6056 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\DRIVERS\sffdisk.sys
12:24:23.0553 6056 sffdisk - ok
12:24:23.0595 6056 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\DRIVERS\sffp_mmc.sys
12:24:23.0597 6056 sffp_mmc - ok
12:24:23.0645 6056 sffp_sd (178298f767fe638c9fedcbdef58bb5e4) C:\Windows\system32\DRIVERS\sffp_sd.sys
12:24:23.0646 6056 sffp_sd - ok
12:24:23.0683 6056 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\DRIVERS\sfloppy.sys
12:24:23.0684 6056 sfloppy - ok
12:24:23.0736 6056 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\DRIVERS\SiSRaid2.sys
12:24:23.0737 6056 SiSRaid2 - ok
12:24:23.0776 6056 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\DRIVERS\sisraid4.sys
12:24:23.0779 6056 SiSRaid4 - ok
12:24:23.0824 6056 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
12:24:23.0828 6056 Smb - ok
12:24:23.0894 6056 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
12:24:23.0895 6056 spldr - ok
12:24:23.0981 6056 srv (43067a65522eaec33d31a12d6fa8e3f4) C:\Windows\system32\DRIVERS\srv.sys
12:24:24.0007 6056 srv - ok
12:24:24.0042 6056 srv2 (03715cf9c30b563da35fc5f2b8f7b8e0) C:\Windows\system32\DRIVERS\srv2.sys
12:24:24.0060 6056 srv2 - ok
12:24:24.0112 6056 srvnet (fbd09635227a8026c0f7790f604343c6) C:\Windows\system32\DRIVERS\srvnet.sys
12:24:24.0116 6056 srvnet - ok
12:24:24.0185 6056 SSMO3v2Filter (d1e083d50f354a1840c9df1c62437bc9) C:\Windows\system32\drivers\MO3v2Driver.sys
12:24:24.0188 6056 SSMO3v2Filter - ok
12:24:24.0226 6056 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\DRIVERS\stexstor.sys
12:24:24.0226 6056 stexstor - ok
12:24:24.0284 6056 storflt (ffd7a6f15b14234b5b0e5d49e7961895) C:\Windows\system32\DRIVERS\vmstorfl.sys
12:24:24.0286 6056 storflt - ok
12:24:24.0315 6056 storvsc (8fccbefc5c440b3c23454656e551b09a) C:\Windows\system32\DRIVERS\storvsc.sys
12:24:24.0317 6056 storvsc - ok
12:24:24.0349 6056 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\DRIVERS\swenum.sys
12:24:24.0351 6056 swenum - ok
12:24:24.0531 6056 Tcpip (90a2d722cf64d911879d6c4a4f802a4d) C:\Windows\system32\drivers\tcpip.sys
12:24:24.0550 6056 Tcpip - ok
12:24:24.0650 6056 TCPIP6 (90a2d722cf64d911879d6c4a4f802a4d) C:\Windows\system32\DRIVERS\tcpip.sys
12:24:24.0665 6056 TCPIP6 - ok
12:24:24.0705 6056 tcpipreg (76d078af6f587b162d50210f761eb9ed) C:\Windows\system32\drivers\tcpipreg.sys
12:24:24.0707 6056 tcpipreg - ok
12:24:24.0739 6056 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
12:24:24.0742 6056 TDPIPE - ok
12:24:24.0776 6056 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
12:24:24.0779 6056 TDTCP - ok
12:24:24.0815 6056 tdx (079125c4b17b01fcaeebce0bcb290c0f) C:\Windows\system32\DRIVERS\tdx.sys
12:24:24.0818 6056 tdx - ok
12:24:24.0842 6056 TermDD (c448651339196c0e869a355171875522) C:\Windows\system32\DRIVERS\termdd.sys
12:24:24.0844 6056 TermDD - ok
12:24:24.0911 6056 tssecsrv (61b96c26131e37b24e93327a0bd1fb95) C:\Windows\system32\DRIVERS\tssecsrv.sys
12:24:24.0914 6056 tssecsrv - ok
12:24:24.0982 6056 tunnel (3836171a2cdf3af8ef10856db9835a70) C:\Windows\system32\DRIVERS\tunnel.sys
12:24:24.0987 6056 tunnel - ok
12:24:25.0022 6056 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\DRIVERS\uagp35.sys
12:24:25.0023 6056 uagp35 - ok
12:24:25.0061 6056 udfs (d47baead86c65d4f4069d7ce0a4edceb) C:\Windows\system32\DRIVERS\udfs.sys
12:24:25.0069 6056 udfs - ok
12:24:25.0135 6056 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\DRIVERS\uliagpkx.sys
12:24:25.0136 6056 uliagpkx - ok
12:24:25.0164 6056 umbus (eab6c35e62b1b0db0d1b48b671d3a117) C:\Windows\system32\DRIVERS\umbus.sys
12:24:25.0166 6056 umbus - ok
12:24:25.0190 6056 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\DRIVERS\umpass.sys
12:24:25.0191 6056 UmPass - ok
12:24:25.0249 6056 usbccgp (b26afb54a534d634523c4fb66765b026) C:\Windows\system32\DRIVERS\usbccgp.sys
12:24:25.0251 6056 usbccgp - ok
12:24:25.0288 6056 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\DRIVERS\usbcir.sys
12:24:25.0291 6056 usbcir - ok
12:24:25.0322 6056 usbehci (df9f9afc9aaabd8ed47975d44e38169a) C:\Windows\system32\DRIVERS\usbehci.sys
12:24:25.0324 6056 usbehci - ok
12:24:25.0386 6056 usbhub (372a91bc3c6603080a793880b0873785) C:\Windows\system32\DRIVERS\usbhub.sys
12:24:25.0392 6056 usbhub - ok
12:24:25.0440 6056 usbohci (58e546bbaf87664fc57e0f6081e4f609) C:\Windows\system32\DRIVERS\usbohci.sys
12:24:25.0442 6056 usbohci - ok
12:24:25.0493 6056 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys
12:24:25.0495 6056 usbprint - ok
12:24:25.0544 6056 usbscan (aaa2513c8aed8b54b189fd0c6b1634c0) C:\Windows\system32\DRIVERS\usbscan.sys
12:24:25.0547 6056 usbscan - ok
12:24:25.0582 6056 USBSTOR (080d3820da6c046be82fc8b45a893e83) C:\Windows\system32\DRIVERS\USBSTOR.SYS
12:24:25.0583 6056 USBSTOR - ok
12:24:25.0625 6056 usbuhci (81fb2216d3a60d1284455d511797db3d) C:\Windows\system32\DRIVERS\usbuhci.sys
12:24:25.0627 6056 usbuhci - ok
12:24:25.0670 6056 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\DRIVERS\vdrvroot.sys
12:24:25.0673 6056 vdrvroot - ok
12:24:25.0752 6056 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
12:24:25.0759 6056 vga - ok
12:24:25.0834 6056 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
12:24:25.0836 6056 VgaSave - ok
12:24:25.0941 6056 vhdmp (c82e748660f62a242b2dfac1442f22a4) C:\Windows\system32\DRIVERS\vhdmp.sys
12:24:25.0943 6056 vhdmp - ok
12:24:26.0036 6056 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\DRIVERS\viaide.sys
12:24:26.0037 6056 viaide - ok
12:24:26.0139 6056 vmbus (1501699d7eda984abc4155a7da5738d1) C:\Windows\system32\DRIVERS\vmbus.sys
12:24:26.0142 6056 vmbus - ok
12:24:26.0196 6056 VMBusHID (ae10c35761889e65a6f7176937c5592c) C:\Windows\system32\DRIVERS\VMBusHID.sys
12:24:26.0198 6056 VMBusHID - ok
12:24:26.0260 6056 volmgr (2b1a3dae2b4e70dbba822b7a03fbd4a3) C:\Windows\system32\DRIVERS\volmgr.sys
12:24:26.0262 6056 volmgr - ok
12:24:26.0325 6056 volmgrx (99b0cbb569ca79acaed8c91461d765fb) C:\Windows\system32\drivers\volmgrx.sys
12:24:26.0329 6056 volmgrx - ok
12:24:26.0367 6056 volsnap (58f82eed8ca24b461441f9c3e4f0bf5c) C:\Windows\system32\DRIVERS\volsnap.sys
12:24:26.0372 6056 volsnap - ok
12:24:26.0427 6056 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\DRIVERS\vsmraid.sys
12:24:26.0429 6056 vsmraid - ok
12:24:26.0481 6056 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\System32\drivers\vwifibus.sys
12:24:26.0486 6056 vwifibus - ok
12:24:26.0541 6056 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\DRIVERS\wacompen.sys
12:24:26.0541 6056 WacomPen - ok
12:24:26.0597 6056 WANARP (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
12:24:26.0603 6056 WANARP - ok
12:24:26.0611 6056 Wanarpv6 (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
12:24:26.0613 6056 Wanarpv6 - ok
12:24:26.0743 6056 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\DRIVERS\wd.sys
12:24:26.0744 6056 Wd - ok
12:24:26.0819 6056 WDC_SAM (a3d04ebf5227886029b4532f20d026f7) C:\Windows\system32\DRIVERS\wdcsam64.sys
12:24:26.0821 6056 WDC_SAM - ok
12:24:26.0898 6056 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
12:24:26.0906 6056 Wdf01000 - ok
12:24:27.0050 6056 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
12:24:27.0052 6056 WfpLwf - ok
12:24:27.0090 6056 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
12:24:27.0094 6056 WIMMount - ok
12:24:27.0249 6056 WinUsb (817eaff5d38674edd7713b9dfb8e9791) C:\Windows\system32\DRIVERS\WinUsb.sys
12:24:27.0252 6056 WinUsb - ok
12:24:27.0330 6056 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\DRIVERS\wmiacpi.sys
12:24:27.0332 6056 WmiAcpi - ok
12:24:27.0409 6056 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
12:24:27.0410 6056 ws2ifsl - ok
12:24:27.0470 6056 WudfPf (7cadc74271dd6461c452c271b30bd378) C:\Windows\system32\drivers\WudfPf.sys
12:24:27.0474 6056 WudfPf - ok
12:24:27.0542 6056 WUDFRd (3b197af0fff08aa66b6b2241ca538d64) C:\Windows\system32\DRIVERS\WUDFRd.sys
12:24:27.0550 6056 WUDFRd - ok
12:24:27.0635 6056 MBR (0x1B8) (c0dcf0ac171db02db8b0014c5d767cf1) \Device\Harddisk0\DR0
12:24:27.0661 6056 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
12:24:27.0661 6056 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
12:24:27.0673 6056 MBR (0x1B8) (09ce7397af23d4c0b331b89d0297cc7e) \Device\Harddisk1\DR1
12:24:27.0680 6056 \Device\Harddisk1\DR1 - ok
12:24:27.0692 6056 MBR (0x1B8) (ddae9d649db12f6aff24483f2c298989) \Device\Harddisk2\DR2
12:24:27.0699 6056 \Device\Harddisk2\DR2 - ok
12:24:27.0735 6056 Boot (0x1200) (ae947387e9886447a727897d2b18b1f4) \Device\Harddisk0\DR0\Partition0
12:24:27.0736 6056 \Device\Harddisk0\DR0\Partition0 - ok
12:24:27.0758 6056 Boot (0x1200) (0771f8245c96163b315186820dc88dc4) \Device\Harddisk0\DR0\Partition1
12:24:27.0759 6056 \Device\Harddisk0\DR0\Partition1 - ok
12:24:27.0768 6056 Boot (0x1200) (e5e6881cad7af5cc227f7bae9a6ba596) \Device\Harddisk1\DR1\Partition0
12:24:27.0770 6056 \Device\Harddisk1\DR1\Partition0 - ok
12:24:27.0783 6056 Boot (0x1200) (6a5df980cea6c8373882d71ca046699b) \Device\Harddisk2\DR2\Partition0
12:24:27.0784 6056 \Device\Harddisk2\DR2\Partition0 - ok
12:24:27.0787 6056 ============================================================
12:24:27.0787 6056 Scan finished
12:24:27.0787 6056 ============================================================
12:24:27.0832 5440 Detected object count: 1
12:24:27.0832 5440 Actual detected object count: 1
12:24:45.0750 5440 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
12:24:45.0751 5440 \Device\Harddisk0\DR0 - ok
12:24:45.0753 5440 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
12:25:03.0967 3952 Deinitialize success

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:07 AM

Posted 06 January 2012 - 12:35 PM

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

KillAll::

File::
c:\windows\svchost.exe

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 FreedomFighter33

FreedomFighter33
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:11:07 PM

Posted 06 January 2012 - 01:01 PM

Followed instructions.. upon reboot and waiting on the log from ComboFix to generate.. AVG picked up (C;\combofix\nircmdb.exe) which was labeled as a PUA - Potentially Unwanted Application. By mistake I hit "remove threat".. Hope that wasn't a wrong move.. =/ Log below...


ComboFix 12-01-06.01 - Gecko 01/06/2012 12:40:46.2.4 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.4095.3063 [GMT -5:00]
Running from: c:\users\Gecko\Desktop\ComboFix.exe
Command switches used :: c:\users\Gecko\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\svchost.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\svchost.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-06 to 2012-01-06 )))))))))))))))))))))))))))))))
.
.
2012-01-06 17:46 . 2012-01-06 17:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-01 16:45 . 2012-01-01 16:45 -------- d-----w- c:\users\Gecko\AppData\Roaming\Curiolab
2012-01-01 16:41 . 2012-01-01 17:08 -------- d-----w- c:\program files (x86)\Exterminate It!
2012-01-01 16:17 . 2012-01-01 16:22 -------- d-----w- c:\programdata\SecTaskMan
2012-01-01 16:17 . 2012-01-01 16:17 -------- d-----w- c:\program files (x86)\Security Task Manager
2012-01-01 15:31 . 2009-11-10 15:28 149456 ----a-w- c:\windows\SGDetectionTool.dll0130.old
2012-01-01 15:31 . 2009-11-10 15:28 1640400 ----a-w- c:\windows\PCTBDCore.dll0130.old
2012-01-01 15:31 . 2009-11-10 15:26 767952 ----a-w- c:\windows\BDTSupport.dll0130.old
2012-01-01 15:30 . 2012-01-01 18:42 -------- d-----w- c:\program files (x86)\Spyware Doctor
2012-01-01 15:30 . 2012-01-01 18:42 -------- d-----w- c:\program files (x86)\Common Files\PC Tools
2012-01-01 07:28 . 2012-01-01 07:28 -------- d-----w- c:\users\Gecko\AppData\Roaming\Uniblue
2012-01-01 07:27 . 2012-01-01 07:27 -------- dc-h--w- c:\programdata\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}
2012-01-01 07:27 . 2012-01-01 07:27 -------- d-----w- c:\program files (x86)\Uniblue
2012-01-01 05:03 . 2012-01-01 18:42 -------- d-----w- C:\MALWAREBYTES ANTI-MALWARE
2011-12-31 05:46 . 2011-12-31 05:46 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2011-12-09 04:16 . 2011-12-09 04:16 -------- d-----w- c:\programdata\CCP
2011-12-09 03:47 . 2011-12-09 03:47 -------- d-----w- c:\program files (x86)\CCP
2011-12-09 03:17 . 2011-12-09 03:17 -------- d-----w- c:\users\Gecko\AppData\Local\CCP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-10 20:24 . 2010-07-03 16:10 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-06_16.45.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-31 08:46 . 2012-01-06 16:45 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2011-12-31 08:46 . 2012-01-06 03:59 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2011-12-31 05:45 . 2012-01-06 16:45 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
- 2011-12-31 05:45 . 2012-01-06 15:44 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2010-06-29 20:36 . 2012-01-06 17:29 48880 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-01-06 17:29 32256 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-06-29 20:18 . 2012-01-06 17:29 21308 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2744090536-1397516078-442745839-1001_UserData.bin
+ 2011-08-12 17:03 . 2011-05-25 02:24 31744 c:\windows\LastGood.Tmp\SysWOW64\atiuxpag.dll
+ 2011-08-12 17:03 . 2011-05-25 02:24 29184 c:\windows\LastGood.Tmp\SysWOW64\atiu9pag.dll
- 2011-07-07 08:20 . 2011-01-19 17:30 52736 c:\windows\LastGood.Tmp\SysWOW64\atimpc32.dll
+ 2011-08-12 17:03 . 2011-05-25 02:38 52736 c:\windows\LastGood.Tmp\SysWOW64\atimpc32.dll
+ 2011-08-12 17:03 . 2011-05-25 02:26 12800 c:\windows\LastGood.Tmp\SysWOW64\atiglpxx.dll
- 2011-07-07 08:20 . 2011-01-19 17:35 12800 c:\windows\LastGood.Tmp\SysWOW64\atiglpxx.dll
+ 2011-08-12 17:03 . 2011-05-25 02:25 32768 c:\windows\LastGood.Tmp\SysWOW64\atigktxx.dll
+ 2011-08-12 17:03 . 2011-05-25 02:47 46080 c:\windows\LastGood.Tmp\SysWOW64\aticalrt.dll
- 2011-07-07 08:20 . 2011-01-19 17:50 46080 c:\windows\LastGood.Tmp\SysWOW64\aticalrt.dll
+ 2011-08-12 17:03 . 2011-05-25 02:47 44032 c:\windows\LastGood.Tmp\SysWOW64\aticalcl.dll
- 2011-07-07 08:20 . 2011-01-19 17:50 44032 c:\windows\LastGood.Tmp\SysWOW64\aticalcl.dll
- 2011-07-07 08:20 . 2011-01-19 18:14 43520 c:\windows\LastGood.Tmp\SysWOW64\ati2edxx.dll
+ 2011-08-12 17:03 . 2011-05-25 03:01 43520 c:\windows\LastGood.Tmp\SysWOW64\ati2edxx.dll
- 2011-07-07 08:20 . 2011-01-19 17:30 52736 c:\windows\LastGood.Tmp\SysWOW64\amdpcom32.dll
+ 2011-08-12 17:03 . 2011-05-25 02:38 52736 c:\windows\LastGood.Tmp\SysWOW64\amdpcom32.dll
+ 2011-08-12 17:03 . 2011-05-25 02:19 58880 c:\windows\LastGood.Tmp\system32\coinst.dll
- 2011-07-07 08:20 . 2011-01-19 17:42 58880 c:\windows\LastGood.Tmp\system32\coinst.dll
+ 2011-08-12 17:03 . 2011-05-25 02:24 40960 c:\windows\LastGood.Tmp\system32\atiuxp64.dll
+ 2011-08-12 17:03 . 2011-05-25 02:24 38912 c:\windows\LastGood.Tmp\system32\atiu9p64.dll
- 2011-07-07 08:20 . 2011-01-19 18:14 16384 c:\windows\LastGood.Tmp\system32\atimuixx.dll
+ 2011-08-12 17:03 . 2011-05-25 03:01 16384 c:\windows\LastGood.Tmp\system32\atimuixx.dll
- 2011-07-07 08:20 . 2011-01-19 17:30 53760 c:\windows\LastGood.Tmp\system32\atimpc64.dll
+ 2011-08-12 17:03 . 2011-05-25 02:38 53760 c:\windows\LastGood.Tmp\system32\atimpc64.dll
- 2011-07-07 08:20 . 2011-01-19 17:35 12800 c:\windows\LastGood.Tmp\system32\atiglpxx.dll
+ 2011-08-12 17:03 . 2011-05-25 02:26 12800 c:\windows\LastGood.Tmp\system32\atiglpxx.dll
+ 2011-08-12 17:03 . 2011-05-25 02:25 39936 c:\windows\LastGood.Tmp\system32\atig6txx.dll
- 2011-07-07 08:20 . 2011-01-19 17:35 14848 c:\windows\LastGood.Tmp\system32\atig6pxx.dll
+ 2011-08-12 17:03 . 2011-05-25 02:26 14848 c:\windows\LastGood.Tmp\system32\atig6pxx.dll
- 2011-07-07 08:20 . 2011-01-19 18:14 59392 c:\windows\LastGood.Tmp\system32\atiedu64.dll
+ 2011-08-12 17:03 . 2011-05-25 03:01 59392 c:\windows\LastGood.Tmp\system32\atiedu64.dll
- 2011-07-07 08:20 . 2011-01-19 17:50 51200 c:\windows\LastGood.Tmp\system32\aticalrt64.dll
+ 2011-08-12 17:03 . 2011-05-25 02:47 51200 c:\windows\LastGood.Tmp\system32\aticalrt64.dll
+ 2011-08-12 17:03 . 2011-05-25 02:47 44544 c:\windows\LastGood.Tmp\system32\aticalcl64.dll
- 2011-07-07 08:20 . 2011-01-19 17:50 44544 c:\windows\LastGood.Tmp\system32\aticalcl64.dll
- 2011-07-07 08:20 . 2011-01-19 17:30 53760 c:\windows\LastGood.Tmp\system32\amdpcom64.dll
+ 2011-08-12 17:03 . 2011-05-25 02:38 53760 c:\windows\LastGood.Tmp\system32\amdpcom64.dll
- 2012-01-06 16:44 . 2012-01-06 16:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-01-06 17:47 . 2012-01-06 17:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-01-06 16:44 . 2012-01-06 16:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-01-06 17:47 . 2012-01-06 17:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 05:01 . 2012-01-06 17:46 472036 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-01-06 16:43 472036 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-07-07 08:20 . 2011-01-19 18:15 278528 c:\windows\LastGood.Tmp\SysWOW64\Oemdspif.dll
+ 2011-08-12 17:03 . 2011-05-25 03:02 278528 c:\windows\LastGood.Tmp\SysWOW64\Oemdspif.dll
- 2011-07-07 08:20 . 2011-01-19 18:15 356352 c:\windows\LastGood.Tmp\SysWOW64\atipdlxx.dll
+ 2011-08-12 17:03 . 2011-05-25 03:02 356352 c:\windows\LastGood.Tmp\SysWOW64\atipdlxx.dll
+ 2011-08-12 17:03 . 2011-05-25 03:07 688128 c:\windows\LastGood.Tmp\SysWOW64\aticfx32.dll
+ 2011-08-12 17:03 . 2011-05-25 02:26 262144 c:\windows\LastGood.Tmp\SysWOW64\atiadlxy.dll
+ 2011-08-12 17:03 . 2011-05-25 02:25 309760 c:\windows\LastGood.Tmp\system32\DRIVERS\atikmpag.sys
+ 2011-08-12 17:03 . 2011-05-25 03:03 204288 c:\windows\LastGood.Tmp\system32\atiesrxx.exe
+ 2011-08-12 17:03 . 2011-05-25 03:04 485376 c:\windows\LastGood.Tmp\system32\atieclxx.exe
+ 2011-08-12 17:03 . 2011-05-25 03:06 811008 c:\windows\LastGood.Tmp\system32\aticfx64.dll
+ 2011-08-12 17:03 . 2011-05-25 03:07 151552 c:\windows\LastGood.Tmp\system32\atiapfxx.exe
+ 2011-08-12 17:03 . 2011-05-25 02:26 366592 c:\windows\LastGood.Tmp\system32\atiadlxx.dll
+ 2011-02-05 09:45 . 2012-01-06 17:46 1043096 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2011-02-05 09:45 . 2012-01-06 16:43 1043096 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2011-12-31 09:57 . 2012-01-06 16:43 9870700 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-18-16384.dat
+ 2011-12-31 09:57 . 2012-01-06 17:25 9870700 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-18-16384.dat
+ 2011-08-12 17:03 . 2011-05-25 02:50 4017152 c:\windows\LastGood.Tmp\SysWOW64\atiumdva.dll
+ 2011-08-12 17:03 . 2011-05-25 02:59 1828864 c:\windows\LastGood.Tmp\SysWOW64\atiumdmv.dll
+ 2011-08-12 17:03 . 2011-05-25 02:39 4330496 c:\windows\LastGood.Tmp\SysWOW64\atiumdag.dll
+ 2011-08-12 17:03 . 2011-05-25 02:58 4219904 c:\windows\LastGood.Tmp\SysWOW64\atidxx32.dll
+ 2011-08-12 17:03 . 2011-05-25 02:43 6847488 c:\windows\LastGood.Tmp\SysWOW64\aticaldd.dll
+ 2011-08-12 17:03 . 2011-05-25 02:49 5008384 c:\windows\LastGood.Tmp\system32\atidxx64.dll
+ 2011-08-12 17:03 . 2011-05-25 02:47 8489472 c:\windows\LastGood.Tmp\system32\aticaldd64.dll
- 2011-02-14 15:30 . 2012-01-06 16:43 13257552 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2744090536-1397516078-442745839-1001-12288.dat
+ 2011-02-14 15:30 . 2012-01-06 17:46 13257552 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2744090536-1397516078-442745839-1001-12288.dat
+ 2011-08-12 17:03 . 2011-05-25 03:31 17940992 c:\windows\LastGood.Tmp\SysWOW64\atioglxx.dll
+ 2011-08-12 17:03 . 2011-05-25 03:53 23336960 c:\windows\LastGood.Tmp\system32\atio6axx.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"EEventManager"="c:\progra~2\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-04-07 673616]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2011-12-03 2415456]
"SteelSeries World of Warcraft Cataclysm MMO Gaming Mouse"="c:\program files (x86)\SteelSeries\World of Warcraft Cataclysm MMO Gaming Mouse\WoWMHID2.exe" [2010-12-23 1987072]
"LogMeIn Hamachi Ui"="c:\program files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" [2011-08-04 1955208]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-07-08 336384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\run-]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-14 136176]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
R3 athrusb6;Atheros Wireless LAN USB device driver 6 Series;c:\windows\system32\DRIVERS\athrxu6.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-14 136176]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam64.sys [x]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [x]
S0 Avgrkx64;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx64.sys [x]
S1 Avgldx64;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx64.sys [x]
S1 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\DRIVERS\avgmfx64.sys [x]
S1 Avgtdia;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdia.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe [2011-10-12 4433248]
S2 avgwd;AVG WatchDog;c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe [2011-08-02 192776]
S2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files (x86)\LogMeIn Hamachi\hamachi-2.exe [2011-08-04 2329480]
S2 WDDMService;WD SmartWare Drive Manager Service;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-10-14 116224]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [x]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [x]
S3 SSMO3v2Filter;MMO3v2 Mouse;c:\windows\system32\drivers\MO3v2Driver.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2011-01-19 20:06 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-14 20:05]
.
2012-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-05-14 20:05]
.
2012-01-06 c:\windows\Tasks\RegistryBooster.job
- c:\program files (x86)\Uniblue\RegistryBooster\rbmonitor.exe [2012-01-01 08:26]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-06-08 10867816]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://maps.google.com/maps?hl=en&tab=wl
mLocal Page = c:\windows\system32\blank.htm
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Gecko\AppData\Roaming\Mozilla\Firefox\Profiles\ah857loh.default\
FF - prefs.js: browser.startup.homepage - hxxp://maps.google.com/maps?hl=en&tab=wl
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files (x86)\AVG\AVG2012\Firefox4
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Epson Software\Event Manager\EEventManager.exe
c:\program files (x86)\SteelSeries\World of Warcraft Cataclysm MMO Gaming Mouse\WoWMTray2.exe
.
**************************************************************************
.
Completion time: 2012-01-06 12:52:43 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-06 17:52
ComboFix2.txt 2012-01-06 16:52
.
Pre-Run: 172,501,364,736 bytes free
Post-Run: 172,524,896,256 bytes free
.
- - End Of File - - 9F28B3FF04E4216C442104639D2D22E5

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:07 AM

Posted 06 January 2012 - 01:29 PM

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Java™ 6 Update 23

and click on remove




Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#10 FreedomFighter33

FreedomFighter33
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:11:07 PM

Posted 06 January 2012 - 01:38 PM

Unfortunately I'm pressed for time as I have a few appointments to get to for a few clients. I will however proceed to follow all instructions as soon as I get home from work... Thanks again for you effort in helping me and we'll talk again soon as I return...

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:07 AM

Posted 06 January 2012 - 01:59 PM

Hello

No problem I myself will be going out for a couple hours



gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 FreedomFighter33

FreedomFighter33
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:11:07 PM

Posted 06 January 2012 - 08:04 PM

Here are the two logs you requested... MBAM then Hijackthis..



Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.06.06

Windows 7 x64 NTFS
Internet Explorer 9.0.8080.16413
Gecko :: GECKO-PC2 [administrator]

1/6/2012 7:34:11 PM
mbam-log-2012-01-06 (19-34-11).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 185780
Time elapsed: 3 minute(s), 56 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:03:03 PM, on 1/6/2012
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v9.00 (9.00.8080.16413)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Uniblue\RegistryBooster\rbmonitor.exe
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe
C:\Program Files (x86)\AVG\AVG2012\avgtray.exe
C:\Program Files (x86)\SteelSeries\World of Warcraft Cataclysm MMO Gaming Mouse\WoWMHID2.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\SteelSeries\World of Warcraft Cataclysm MMO Gaming Mouse\WoWMTray2.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\Gecko\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://maps.google.com/maps?hl=en&tab=wl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG2012\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [SteelSeries World of Warcraft Cataclysm MMO Gaming Mouse] "C:\Program Files (x86)\SteelSeries\World of Warcraft Cataclysm MMO Gaming Mouse\WoWMHID2.exe"
O4 - HKLM\..\Run: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG2012\avgpp.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: EPSON V5 Service4(01) (EPSON_EB_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40STB.EXE
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: LogMeIn Hamachi Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: WD SmartWare Drive Manager Service (WDDMService) - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
O23 - Service: WD SmartWare Background Service (WDSmartWareBackgroundService) - Memeo - C:\Program Files (x86)\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)

--
End of file - 7819 bytes

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:07 AM

Posted 06 January 2012 - 08:43 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~2\EPSONS~1\EVENTM~1\EEventManager.exe
      O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard and paste the results here in this topic
  • you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 FreedomFighter33

FreedomFighter33
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:11:07 PM

Posted 06 January 2012 - 10:11 PM

Scan took over an hour.. but here is the log...


C:\Program Files (x86)\Uniblue\RegistryBooster\Launcher.exe Win32/RegistryBooster application
C:\Program Files (x86)\Uniblue\RegistryBooster\rbmonitor.exe Win32/RegistryBooster application
C:\Program Files (x86)\Uniblue\RegistryBooster\rbnotifier.exe Win32/RegistryBooster application
C:\Program Files (x86)\Uniblue\RegistryBooster\rb_move_serial.exe Win32/RegistryBooster application
C:\Program Files (x86)\Uniblue\RegistryBooster\rb_ubm.exe Win32/RegistryBooster application
C:\Program Files (x86)\Uniblue\RegistryBooster\registrybooster.exe Win32/RegistryBooster application
C:\Users\Gecko\Desktop\Unlocker1.9.1-x64.exe a variant of Win32/Toolbar.Babylon application
D:\Downloads\Apps\FLVPlayerSetup.exe a variant of Win32/InstallCore.D application
D:\Downloads\Drivers\64bit_Win7_realtek.exe a variant of Win32/InstallCore.D application

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:07 AM

Posted 06 January 2012 - 10:39 PM

Hello

There are some minor things in your online scan that should be removed.


delete files

  • Copy all text in the quote box (below)...to Notepad.

    @echo off
    rd /s /q "C:\Program Files (x86)\Uniblue\RegistryBooster\"
    del /f /s /q "C:\Users\Gecko\Desktop\Unlocker1.9.1-x64.exe"
    del /f /s /q "D:\Downloads\Apps\FLVPlayerSetup.exe"
    del /f /s /q "D:\Downloads\Drivers\64bit_Win7_realtek.exe"
    del %0

  • Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
    It should look like this: Posted Image<--XPPosted Image<--vista
  • Double click on delfile.bat to execute it.
    A black CMD window will flash, then disappear...this is normal.
  • The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.


The rest of the Online scan is only reporting backups created during the course of this fix C:\Qoobox\Quarantine\, and/or items located in System Restore's cache C:\System Volume Information\, Whatever is in these folders can't harm you unless you choose to perform a manual restore. the following steps will remove these backups.


Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over you can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use, I would keep this and use before you do any scans or when you want to free up some space.

:DeFogger:

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Your Emulation drivers are now re-enabled.


:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
  • Posted Image


:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:Make your Internet Explorer more secure:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.


:Make Firefox more secure:

please visit this page to explain how to make Firefox more secure - How to Secure Firefox


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector


:Turn On Automatic Updates:

Turn On Automatic Updates
1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum
and
COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users