
Infected with TDL4@mbr


This topic is locked
28 replies to this topic

#1 Fajen (Members, 29 posts)

Posted 06 February 2012 - 11:55 PM

About a week ago, I noticed that I was infected with some virus that was redirecting my google searches to google.com/go?yadayadayada and resultant ads (why they'd send me to a Georgia law firm, I'll never know). I ran hijackthis and removed nine files related to either the problem or the StartNow Toolbar, and the problem seemed fixed.

But then AVG started sending reports of blocking viruses at completely random times. My denial was shattered when it blocked one when I had just turned my computer on and the only program that was supposed to have been opened was WMPlayer - I was in the bathroom with wireless headphones at the time.

Using HJT again revealed nothing. I tried using Trend's RootkitBuster. It found a lot of items (that I now know might not have been infected at all), but couldn't get rid of a few, and now just makes a pitiful doubled "Installation Failed" message whenever I try to open it. And so I prepared to throw myself at your mercy.

The preparation document says to make sure your firewall is up and running, and, guess what... of course it had been deactivated, and when I tried putting it back up to full blast, it wouldn't even let me open the menu. This led me to try Microsoft's malware remover (more out of desperation than anything); it found two things it didn't like, but not the biggie.

Today, as I was running the programs, it seemed to get worse. Now my sound drivers don't work - I can run the windows tool to fix it so that I can get sound from DVDs and MP3s, but not from Firefox. And my homepage (www.google.com/ig) results in a 404 Not Found, with nginx underneath a page break.

So now that this topic is finally finished, I'm going to keep my computer completely off while I wait for a reply. Check all my emails at the office, reacquaint myself with my XBox, maybe actually clean my apartment.... I throw myself and my computer at your feet. I've learned when I'm over my head.

One thing: I had actually been considering upgrading to 64bit windows before this mess, so a full reformat is a real possibility. All my games come from Steam, CDs or are MMOs available for download, and this PC is actually only 3 months old so there wouldn't be much loss. But if there's a way to save my MP3s, I'd be very grateful. I'm starting to be suspicious of the machine I use as a backup, and like an idiot chose not to save most of them to the Amazon cloud when I bought them.


The nice thing is that I work at a psychiatrist's office. They'll understand the withdrawal.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Jeremy at 21:52:48 on 2012-02-06
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3326.2434 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Razer\Nostromo\RazerNostromoSysTray.exe
C:\Program Files\SmartTechnology\Software\ProfilerU.exe
C:\Program Files\SmartTechnology\Software\SaiMfd.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Windows\system32\conhost.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [HDAudDeck] c:\program files\via\viaudioi\vdeck\VDeck.exe -r
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Razer Nostromo Driver] c:\program files\razer\nostromo\RazerNostromoSysTray.exe
mRun: [ProfilerU] c:\program files\smarttechnology\software\ProfilerU.exe
mRun: [SaiMfd] c:\program files\smarttechnology\software\SaiMfd.exe
StartupFolder: c:\users\jeremy\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 192.168.15.1
TCP: Interfaces\{45E57C08-AB6D-43EF-8664-18EE4906B7C8} : DhcpNameServer = 192.168.15.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jeremy\appdata\roaming\mozilla\firefox\profiles\r73v14eb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dv.dll
FF - plugin: c:\program files\nvidia corporation\3d vision\npnv3dvstreaming.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2012-1-31 7391072]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2011-3-8 378472]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-5-27 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 21968]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2011-8-24 122984]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-11-17 232448]
R3 rzjoystk;Razer VJoystick;c:\windows\system32\drivers\rzjoystk.sys [2011-3-24 16896]
R3 RzSynapse;Razer Driver;c:\windows\system32\drivers\RzSynapse.sys [2011-7-14 127360]
R3 SaiK0CC3;SaiK0CC3;c:\windows\system32\drivers\SaiK0CC3.sys [2011-9-20 147264]
R3 SaiU0CC3;SaiU0CC3;c:\windows\system32\drivers\SaiU0CC3.sys [2011-9-20 41152]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2011-8-24 1119232]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-8-24 2214504]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;d:\steam\steamapps\common\dragon age ultimate edition\bin_ship\DAUpdaterSvc.Service.exe [2012-1-1 25832]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-8-25 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-8-24 1343400]
S4 Updater Service for StartNow Toolbar;Updater Service for StartNow Toolbar;c:\program files\startnow toolbar\ToolbarUpdaterService.exe [2011-7-27 267488]
.
=============== Created Last 30 ================
.
2012-02-03 22:51:06 -------- d-----w- c:\programdata\DivX
2012-01-25 04:10:51 -------- d-----w- c:\users\jeremy\appdata\local\SmartTechnology
2012-01-25 03:23:12 -------- d-----w- c:\programdata\SmartTechnology
2012-01-25 03:23:06 -------- d-----w- c:\program files\SmartTechnology
2012-01-24 15:49:42 46144 ----a-w- c:\windows\system32\drivers\SaiBus.sys
2012-01-24 15:49:42 22720 ----a-w- c:\windows\system32\drivers\SaiMini.sys
2012-01-24 05:30:31 -------- d-----w- c:\users\jeremy\appdata\local\Mozilla
2012-01-13 21:01:39 -------- d-----w- c:\windows\system32\directx
2012-01-13 21:01:17 -------- d-----w- c:\program files\Microsoft XNA
2012-01-11 06:50:59 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 06:50:58 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-11 06:50:58 1328128 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 06:50:57 514560 ----a-w- c:\windows\system32\qdvd.dll
.
==================== Find3M ====================
.
2012-01-24 17:17:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-06 18:50:08 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2011-12-06 18:50:08 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2011-11-24 04:25:27 2342912 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 21:53:32.52 ===============

GMER log:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-06 22:12:39
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdePort0 ADATA_SSD_S599_64GB rev.3.4.3
Running: 2poyjk34.exe; Driver: C:\Users\Jeremy\AppData\Local\Temp\pxryypog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x825457A0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x82545848]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x825458E4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x82545980]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 82E93369 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82ECCD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 139F 82ED4054 4 Bytes [A0, 57, 54, 82]
.text ntkrnlpa.exe!KeRemoveQueueEx + 166F 82ED4324 8 Bytes [48, 58, 54, 82, E4, 58, 54, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 16E3 82ED4398 4 Bytes [80, 59, 54, 82] {SBB BYTE [ECX+0x54], 0x82}
? C:\Users\Jeremy\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1116] kernel32.dll!WriteFile 755053EE 5 Bytes JMP 001D000A
.text C:\Windows\system32\svchost.exe[1116] USER32.dll!GetCursorPos 74E9A4B3 5 Bytes JMP 016F000A
.text C:\Windows\system32\svchost.exe[1116] USER32.dll!GetForegroundWindow 74EA335D 5 Bytes JMP 01F0000A
.text C:\Windows\system32\svchost.exe[1116] USER32.dll!WindowFromPoint 74EC6BE9 5 Bytes JMP 01D7000A
.text C:\Windows\system32\svchost.exe[1116] ole32.dll!CoCreateInstance 75339D0B 5 Bytes JMP 0092000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[1164] ntdll.dll!LdrLoadDll 7716223E 5 Bytes JMP 65691B30 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Threads - GMER 1.0.15 ----

Thread System [4:3720] A3710F2E

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----
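As an added example (not part of the original post and not code from the DDS, GMER or ComboFix tools), the following Python script does the first-pass triage a responder performs on logs like the ones above: it pulls out the UAC policy values the DDS "Pseudo HJT Report" shows set to 0 (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop, which together mean UAC is off) and the GMER "Disk sectors" lines that report boot-sector rootkit code. It reads both the DDS `mPolicies-system:` form and the ComboFix `"Name"= value` form. The registry value names are the real Windows ones; the one-line explanations, the `triage`/`needs_mbr_rebuild` function names and the embedded sample log (constructed from lines quoted above plus one benign ComboFix-style line) are this example's own.

```python
import re

# UAC policy values (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System)
# whose weak settings appear in the DDS report above. Value names are the real
# Windows ones; the descriptions are this example's own wording.
UAC_WEAK = {
    "EnableLUA": {0: "UAC is switched off entirely"},
    "ConsentPromptBehaviorAdmin": {0: "administrators elevate silently, no prompt"},
    "PromptOnSecureDesktop": {0: "elevation prompts are not shown on the secure desktop"},
}

# DDS "Pseudo HJT Report" form:   mPolicies-system: EnableLUA = 0 (0x0)
DDS_POLICY = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(\d+)")
# ComboFix "Reg Loading Points" form:   "EnableLUA"= 0 (0x0)
COMBOFIX_POLICY = re.compile(r'^"(\w+)"\s*=\s*(\d+)')
# GMER "Disk sectors" form:   Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
GMER_DISK = re.compile(r"^Disk\s+(\\\S+)\s+(.*?)(?:\s*<--\s*ROOTKIT.*)?$")


def triage(log_text):
    """Return (category, subject, detail) tuples for weak UAC values and
    GMER disk-sector rootkit findings in a DDS/ComboFix/GMER text log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DDS_POLICY.match(line) or COMBOFIX_POLICY.match(line)
        if m:
            name, value = m.group(1), int(m.group(2))
            reason = UAC_WEAK.get(name, {}).get(value)
            if reason:
                findings.append(("uac", name, f"{name}={value}: {reason}"))
            continue
        m = GMER_DISK.match(line)
        if m and "rootkit" in line.lower():
            findings.append(("mbr", m.group(1), m.group(2).strip()))
    return findings


def needs_mbr_rebuild(findings):
    """True when any finding points at the boot sector: the case where a
    file-level clean-up alone will not remove the infection."""
    return any(category == "mbr" for category, _, _ in findings)


# Constructed sample: lines copied from the DDS and GMER output quoted above,
# plus one ComboFix-style line, mixed with benign entries to show they are skipped.
SAMPLE_LOG = """\
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
TCP: DhcpNameServer = 192.168.15.1
"PromptOnSecureDesktop"= 1 (0x1)
---- Disk sectors - GMER 1.0.15 ----
Disk \\Device\\Harddisk0\\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \\Device\\Harddisk0\\DR0 sector 00: rootkit-like behavior
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for category, subject, detail in result:
        print(f"[{category}] {subject}: {detail}")
    print("MBR rebuild needed:", needs_mbr_rebuild(result))
```

Run against the sample it reports the three UAC values that are 0 and the two GMER disk-sector lines, and `needs_mbr_rebuild` comes back true; a TDL4-class finding in sector 0 is the reason a helper will typically go straight to a dedicated MBR tool rather than a file scanner.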


#2 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 07 February 2012 - 01:08 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Fajen (Topic Starter, Members, 29 posts)

Posted 08 February 2012 - 05:45 AM

Wow, that was fast. Thank you!

So I followed all the instructions for disabling my antivirus and downloaded combofix. Running CF gave a message that my AVG was still active. I went into the AVG monitor, verified that all of the processes were disabled and that I still had about twelve minutes without instant guard, so I clicked ComboFix's ok button. The message I got was "Your antivirus is still working, but ComboFix will attempt to run anyway. Note that this is at your own risk." AVG didn't seem to interfere, at least on the surface. When Combofix restarted my computer, AVG warned about one of Combofix's processes, but I just waited until CF had done its thing and then clicked Allow on AVG.

When my computer restarted, there was no longer a red X over my volume control. I had to mess with a few things to get my headphones working (setting defaults and the like) but they seem fine now. EDIT: When I turned on my computer, it had changed back. So that's not cleared up.

I'm having trouble, though, with my homepage (www.google.com/ig). I open Firefox and get the same 404 Not Found / nginx screen. Going to www.google.com brings up google as normal, but clicking the Sign In button on that page gives me Google Accounts - The page you requested is invalid. Clicking the Sign In button on that page brings me to the normal Google login screen. Logging in there just makes it time out.

Aw, drat. The URL for the "Google Accounts - The page you requested is invalid" is https://accounts.google.com/ServiceLogin?hl=en&continue=http://209.85.145.103/ and that is not my ip address. Time to change passwords. EDIT: So it turns out that IS a google link. Whew. Still, gonna have to change it once this is fixed...

Anyway, I tried using Google to search, and the urls for the results seemed correct, but clicking on them started to send me to the creditpuma domain. So that's similar to the first infection I noticed, but is a different iteration (honestly, I was wondering why the first virus hadn't changed the urls - it's one of the easiest things in html...)

Also, the firewall is still disabled and can't be enabled.

So, still infected, alas, but 600MB worth of fewer viruses. What's next?







ComboFix 12-02-07.01 - Jeremy 02/08/2012 3:34.1.4 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3326.1546 [GMT -6:00]
Running from: c:\users\Jeremy\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\StartNow Toolbar
c:\program files\StartNow Toolbar\Resources\images\engine_images.png
c:\program files\StartNow Toolbar\Resources\images\engine_maps.png
c:\program files\StartNow Toolbar\Resources\images\engine_news.png
c:\program files\StartNow Toolbar\Resources\images\engine_videos.png
c:\program files\StartNow Toolbar\Resources\images\engine_web.png
c:\program files\StartNow Toolbar\Resources\images\icon_amazon.png
c:\program files\StartNow Toolbar\Resources\images\icon_ebay.png
c:\program files\StartNow Toolbar\Resources\images\icon_facebook.png
c:\program files\StartNow Toolbar\Resources\images\icon_games.png
c:\program files\StartNow Toolbar\Resources\images\icon_msn.png
c:\program files\StartNow Toolbar\Resources\images\icon_shopping.png
c:\program files\StartNow Toolbar\Resources\images\icon_travel.png
c:\program files\StartNow Toolbar\Resources\images\icon_twitter.png
c:\program files\StartNow Toolbar\Resources\images\startnow_logo.png
c:\program files\StartNow Toolbar\Resources\installer.xml
c:\program files\StartNow Toolbar\Resources\protect\index.html
c:\program files\StartNow Toolbar\Resources\protect\NotIE6.css
c:\program files\StartNow Toolbar\Resources\protect\OnlyIE6.css
c:\program files\StartNow Toolbar\Resources\protect\SearchProtectIcon.png
c:\program files\StartNow Toolbar\Resources\protect\window.css
c:\program files\StartNow Toolbar\Resources\protect\window.js
c:\program files\StartNow Toolbar\Resources\reactivate\index.html
c:\program files\StartNow Toolbar\Resources\reactivate\LeftImage.png
c:\program files\StartNow Toolbar\Resources\reactivate\NotIE6.css
c:\program files\StartNow Toolbar\Resources\reactivate\OnlyIE6.css
c:\program files\StartNow Toolbar\Resources\reactivate\window.css
c:\program files\StartNow Toolbar\Resources\reactivate\window.js
c:\program files\StartNow Toolbar\Resources\skin\chevron_button.png
c:\program files\StartNow Toolbar\Resources\skin\searchbox_button_hover.png
c:\program files\StartNow Toolbar\Resources\skin\searchbox_button_normal.png
c:\program files\StartNow Toolbar\Resources\skin\searchbox_dropdown_button_normal.png
c:\program files\StartNow Toolbar\Resources\skin\searchbox_input_background.png
c:\program files\StartNow Toolbar\Resources\skin\searchbox_input_left.png
c:\program files\StartNow Toolbar\Resources\skin\searchbox_input_middle.png
c:\program files\StartNow Toolbar\Resources\skin\separator.png
c:\program files\StartNow Toolbar\Resources\skin\splitter.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ff_hover_c.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_c.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_l.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_hover_r.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_c.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_l.png
c:\program files\StartNow Toolbar\Resources\skin\toolbarbutton_ie_normal_r.png
c:\program files\StartNow Toolbar\Resources\toolbar.xml
c:\program files\StartNow Toolbar\Resources\update.xml
c:\program files\StartNow Toolbar\StartNowToolbarUninstall.exe
c:\program files\StartNow Toolbar\ToolbarUpdaterService.exe
c:\program files\StartNow Toolbar\uninstall.dat
c:\windows\expert
c:\windows\expert\X6827.INI
D:\install.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Updater Service for StartNow Toolbar
-------\Service_Updater Service for StartNow Toolbar
.
.
((((((((((((((((((((((((( Files Created from 2012-01-08 to 2012-02-08 )))))))))))))))))))))))))))))))
.
.
2012-02-08 09:41 . 2012-02-08 09:44 -------- d-----w- c:\users\Jeremy\AppData\Local\temp
2012-02-03 22:51 . 2012-02-03 22:51 -------- d-----w- c:\programdata\DivX
2012-01-25 04:10 . 2012-01-25 04:10 -------- d-----w- c:\users\Jeremy\AppData\Local\SmartTechnology
2012-01-25 03:23 . 2012-01-25 03:23 -------- d-----w- c:\programdata\SmartTechnology
2012-01-25 03:23 . 2012-01-25 03:23 -------- d-----w- c:\program files\SmartTechnology
2012-01-24 15:49 . 2012-01-24 15:49 46144 ----a-w- c:\windows\system32\drivers\SaiBus.sys
2012-01-24 15:49 . 2012-01-24 15:49 22720 ----a-w- c:\windows\system32\drivers\SaiMini.sys
2012-01-24 05:30 . 2012-01-24 05:30 -------- d-----w- c:\users\Jeremy\AppData\Local\Mozilla
2012-01-13 21:01 . 2012-01-13 21:01 -------- d-----w- c:\program files\Microsoft XNA
2012-01-11 06:50 . 2011-11-17 05:38 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 06:50 . 2011-11-19 14:01 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-11 06:50 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 06:50 . 2011-10-26 04:32 514560 ----a-w- c:\windows\system32\qdvd.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-24 17:17 . 2011-08-26 02:50 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-06 18:50 . 2011-12-06 18:50 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2011-12-06 18:50 . 2011-12-06 18:50 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2011-11-24 04:25 . 2011-12-14 03:22 2342912 ----a-w- c:\windows\system32\win32k.sys
2012-02-03 16:45 . 2012-01-24 05:29 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\VDeck\VDeck.exe" [2010-02-10 1713152]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2012-01-18 2339168]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Razer Nostromo Driver"="c:\program files\Razer\Nostromo\RazerNostromoSysTray.exe" [2011-07-19 978840]
"ProfilerU"="c:\program files\SmartTechnology\Software\ProfilerU.exe" [2012-01-23 313856]
"SaiMfd"="c:\program files\SmartTechnology\Software\SaiMfd.exe" [2012-01-23 122880]
.
c:\users\Jeremy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-21 2214504]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;d:\steam\steamapps\common\Dragon Age Ultimate Edition\bin_ship\DAUpdaterSvc.Service.exe [2012-01-01 25832]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]

Edited by Fajen, 08 February 2012 - 03:58 PM.


#4 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Location: Puerto rico)

Posted 08 February 2012 - 05:18 PM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
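As an added example (not from this thread, and not part of Kaspersky's tool), a small Python reader for the report the step above produces: it pulls the drive and MBR partition lines out of a TDSSKiller log, checks that the partitions do not overlap, reports how many sectors after the last partition belong to no partition (the area where the TDL4 family keeps its hidden file system, so worth an analyst's look even though a small remainder is normal on any disk), and lists every entry whose verdict is not "ok". The sample log lines are constructed and modelled on the format shown in this thread; the detection line at the end is constructed.

```python
"""Reader for the drive / partition / verdict lines of a TDSSKiller log (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample, modelled on the TDSSKiller 2.7 log format (time, pid, message).
# The last line is a constructed MBR detection; the layout values mirror this thread's log.
SAMPLE_LOG = r"""18:44:11.0390 7348 Drive \Device\Harddisk0\DR0 - Size: 0xDF99E6000 (55.90 Gb), SectorSize: 0x200, Cylinders: 0x1E49, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000050
18:44:18.0277 7348 \Device\Harddisk0\DR0:
18:44:18.0288 7348 MBR used
18:44:18.0288 7348 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
18:44:18.0288 7348 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x6F99800
18:44:31.0432 6328 ACPI (cea80c80bed809aa0da6febc04733349) C:\Windows\system32\drivers\ACPI.sys
18:44:31.0472 6328 ACPI - ok
18:44:37.0000 6328 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b ( 0 )
"""

HEX = r"0x[0-9A-Fa-f]+"
DEV = r"\\Device\\Harddisk\d+\\DR\d+"
# Every TDSSKiller line starts with a timestamp and the thread id; the rest is the message.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s*(?P<msg>.*)$")
DRIVE_RE = re.compile(rf"^Drive (?P<dev>{DEV}) - Size: (?P<size>{HEX}) \([^)]*\), SectorSize: (?P<ssz>{HEX})")
PART_RE = re.compile(rf"^(?P<dev>{DEV})\\Partition(?P<idx>\d+): MBR, Type (?P<type>{HEX}), "
                     rf"StartLBA (?P<start>{HEX}), BlocksNum (?P<num>{HEX})")
# "<object> - <verdict>": the tool prints "ok" for clean objects, anything else needs a look.
VERDICT_RE = re.compile(r"^(?P<name>.+?) - (?P<verdict>\S.*)$")


@dataclass
class Partition:
    index: int
    ptype: int
    start_lba: int
    blocks: int

    @property
    def end_lba(self) -> int:
        return self.start_lba + self.blocks  # first sector after the partition


@dataclass
class Drive:
    device: str
    size_bytes: int
    sector_size: int
    partitions: List[Partition] = field(default_factory=list)

    @property
    def total_sectors(self) -> int:
        return self.size_bytes // self.sector_size

    def trailing_free_sectors(self) -> int:
        """Sectors after the last partition that no partition claims."""
        if not self.partitions:
            return self.total_sectors
        return self.total_sectors - max(p.end_lba for p in self.partitions)

    def overlaps(self) -> List[Tuple[int, int]]:
        """Pairs of partition indices whose sector ranges overlap (a corrupt table)."""
        parts = sorted(self.partitions, key=lambda p: p.start_lba)
        return [(a.index, b.index) for a, b in zip(parts, parts[1:]) if b.start_lba < a.end_lba]


def parse_log(text: str) -> Tuple[Dict[str, Drive], List[Tuple[str, str]]]:
    """Return the drives found in the log and every (object, verdict) that is not 'ok'."""
    drives: Dict[str, Drive] = {}
    flagged: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue  # banner or blank line
        msg = m["msg"]
        d = DRIVE_RE.match(msg)
        if d:
            drives[d["dev"]] = Drive(d["dev"], int(d["size"], 16), int(d["ssz"], 16))
            continue
        p = PART_RE.match(msg)
        if p:
            drive = drives.get(p["dev"])
            if drive is not None:
                drive.partitions.append(Partition(int(p["idx"]), int(p["type"], 16),
                                                  int(p["start"], 16), int(p["num"], 16)))
            continue
        v = VERDICT_RE.match(msg)
        if v and v["verdict"].strip() != "ok":
            flagged.append((v["name"], v["verdict"].strip()))
    return drives, flagged


def layout_report(drive: Drive) -> List[str]:
    """Human-readable findings for one drive."""
    lines = [f"{drive.device}: {drive.total_sectors:#x} sectors of {drive.sector_size} bytes, "
             f"{len(drive.partitions)} MBR partition(s)"]
    for a, b in drive.overlaps():
        lines.append(f"  partition {a} overlaps partition {b}: partition table is inconsistent")
    tail = drive.trailing_free_sectors()
    lines.append(f"  {tail} sector(s) after the last partition belong to no partition "
                 f"({tail * drive.sector_size / 2**20:.2f} MiB); inspect them with a disk tool")
    return lines


if __name__ == "__main__":
    found_drives, found_flags = parse_log(SAMPLE_LOG)
    for drv in found_drives.values():
        print("\n".join(layout_report(drv)))
    for name, verdict in found_flags:
        print(f"review: {name} -> {verdict}")
```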

#5 Fajen (Topic Starter, Members, 29 posts)

Posted 08 February 2012 - 07:59 PM

When I started up after running it, my headphones were working perfectly, and iGoogle loaded up just fine.

Oh, and I haven't been on my computer much since I first posted here, but I still haven't seen random viruses get blocked by AVG since running combofix, and I would have had at least one before that. So that's good.

However, I still can't get into my firewall - the error code for that is 0x80070424.

Still. The progress is exciting.




18:44:10.0351 7348 TDSS rootkit removing tool 2.7.10.0 Feb 7 2012 15:14:46
18:44:10.0741 7348 ============================================================
18:44:10.0741 7348 Current date / time: 2012/02/08 18:44:10.0741
18:44:10.0741 7348 SystemInfo:
18:44:10.0741 7348
18:44:10.0741 7348 OS Version: 6.1.7601 ServicePack: 1.0
18:44:10.0742 7348 Product type: Workstation
18:44:10.0742 7348 ComputerName: DIABLOTEK
18:44:10.0742 7348 UserName: <mind if I keep this off the net?>
18:44:10.0742 7348 Windows directory: C:\Windows
18:44:10.0742 7348 System windows directory: C:\Windows
18:44:10.0742 7348 Processor architecture: Intel x86
18:44:10.0742 7348 Number of processors: 4
18:44:10.0742 7348 Page size: 0x1000
18:44:10.0742 7348 Boot type: Normal boot
18:44:10.0742 7348 ============================================================
18:44:11.0390 7348 Drive \Device\Harddisk0\DR0 - Size: 0xDF99E6000 (55.90 Gb), SectorSize: 0x200, Cylinders: 0x1E49, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000050
18:44:18.0272 7348 Drive \Device\Harddisk1\DR1 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
18:44:18.0277 7348 \Device\Harddisk0\DR0:
18:44:18.0288 7348 MBR used
18:44:18.0288 7348 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
18:44:18.0288 7348 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x6F99800
18:44:18.0288 7348 \Device\Harddisk1\DR1:
18:44:18.0289 7348 MBR used
18:44:18.0289 7348 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x74705982
18:44:18.0319 7348 Initialize success
18:44:18.0320 7348 ============================================================
18:44:30.0962 6328 ============================================================
18:44:30.0962 6328 Scan started
18:44:30.0962 6328 Mode: Manual;
18:44:30.0962 6328 ============================================================
18:44:37.0662 6328 TCPIP6 - ok
18:44:37.0682 6328 tcpipreg (cca24162e055c3714ce5a88b100c64ed) C:\Windows\system32\drivers\tcpipreg.sys
18:44:37.0692 6328 tcpipreg - ok
18:44:37.0712 6328 TDPIPE (1cb91b2bd8f6dd367dfc2ef26fd751b2) C:\Windows\system32\drivers\tdpipe.sys
18:44:37.0712 6328 TDPIPE - ok
18:44:37.0732 6328 TDTCP (2c10395baa4847f83042813c515cc289) C:\Windows\system32\drivers\tdtcp.sys
18:44:37.0732 6328 TDTCP - ok
18:44:37.0752 6328 tdx (b459575348c20e8121d6039da063c704) C:\Windows\system32\DRIVERS\tdx.sys
18:44:37.0752 6328 tdx - ok
18:44:37.0772 6328 TermDD (04dbf4b01ea4bf25a9a3e84affac9b20) C:\Windows\system32\drivers\termdd.sys
18:44:37.0782 6328 TermDD - ok
18:44:37.0822 6328 tssecsrv (254bb140eee3c59d6114c1a86b636877) C:\Windows\system32\DRIVERS\tssecsrv.sys
18:44:37.0822 6328 tssecsrv - ok
18:44:37.0842 6328 TsUsbFlt (fd1d6c73e6333be727cbcc6054247654) C:\Windows\system32\drivers\tsusbflt.sys
18:44:37.0842 6328 TsUsbFlt - ok
18:44:37.0862 6328 tunnel (b2fa25d9b17a68bb93d58b0556e8c90d) C:\Windows\system32\DRIVERS\tunnel.sys
18:44:37.0872 6328 tunnel - ok
18:44:37.0882 6328 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
18:44:37.0892 6328 uagp35 - ok
18:44:37.0912 6328 udfs (ee43346c7e4b5e63e54f927babbb32ff) C:\Windows\system32\DRIVERS\udfs.sys
18:44:37.0922 6328 udfs - ok
18:44:37.0952 6328 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\drivers\uliagpkx.sys
18:44:37.0962 6328 uliagpkx - ok
18:44:37.0972 6328 umbus (d295bed4b898f0fd999fcfa9b32b071b) C:\Windows\system32\DRIVERS\umbus.sys
18:44:37.0982 6328 umbus - ok
18:44:37.0992 6328 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
18:44:38.0002 6328 UmPass - ok
18:44:38.0022 6328 usbaudio (1d9f2bd026e8e2d45033a4df3f16b78c) C:\Windows\system32\drivers\usbaudio.sys
18:44:38.0032 6328 usbaudio - ok
18:44:38.0052 6328 usbccgp (bd9c55d7023c5de374507acc7a14e2ac) C:\Windows\system32\DRIVERS\usbccgp.sys
18:44:38.0052 6328 usbccgp - ok
18:44:38.0072 6328 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\drivers\usbcir.sys
18:44:38.0072 6328 usbcir - ok
18:44:38.0092 6328 usbehci (f92de757e4b7ce9c07c5e65423f3ae3b) C:\Windows\system32\DRIVERS\usbehci.sys
18:44:38.0102 6328 usbehci - ok
18:44:38.0122 6328 usbhub (8dc94aec6a7e644a06135ae7506dc2e9) C:\Windows\system32\DRIVERS\usbhub.sys
18:44:38.0132 6328 usbhub - ok
18:44:38.0142 6328 usbohci (e185d44fac515a18d9deddc23c2cdf44) C:\Windows\system32\DRIVERS\usbohci.sys
18:44:38.0152 6328 usbohci - ok
18:44:38.0162 6328 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
18:44:38.0172 6328 usbprint - ok
18:44:38.0182 6328 usbscan (576096ccbc07e7c4ea4f5e6686d6888f) C:\Windows\system32\DRIVERS\usbscan.sys
18:44:38.0192 6328 usbscan - ok
18:44:38.0202 6328 USBSTOR (f991ab9cc6b908db552166768176896a) C:\Windows\system32\DRIVERS\USBSTOR.SYS
18:44:38.0212 6328 USBSTOR - ok
18:44:38.0222 6328 usbuhci (68df884cf41cdada664beb01daf67e3d) C:\Windows\system32\drivers\usbuhci.sys
18:44:38.0232 6328 usbuhci - ok
18:44:38.0262 6328 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\drivers\vdrvroot.sys
18:44:38.0262 6328 vdrvroot - ok
18:44:38.0282 6328 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
18:44:38.0292 6328 vga - ok
18:44:38.0312 6328 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
18:44:38.0312 6328 VgaSave - ok
18:44:38.0332 6328 vhdmp (5461686cca2fda57b024547733ab42e3) C:\Windows\system32\drivers\vhdmp.sys
18:44:38.0342 6328 vhdmp - ok
18:44:38.0362 6328 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\drivers\viaagp.sys
18:44:38.0362 6328 viaagp - ok
18:44:38.0382 6328 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
18:44:38.0392 6328 ViaC7 - ok
18:44:38.0432 6328 VIAHdAudAddService (b9ecf6756858c8fed4fe68e966bf2f5f) C:\Windows\system32\drivers\viahduaa.sys
18:44:38.0462 6328 VIAHdAudAddService - ok
18:44:38.0482 6328 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\drivers\viaide.sys
18:44:38.0492 6328 viaide - ok
18:44:38.0512 6328 vmbus (c2f2911156fdc7817c52829c86da494e) C:\Windows\system32\drivers\vmbus.sys
18:44:38.0512 6328 vmbus - ok
18:44:38.0532 6328 VMBusHID (d4d77455211e204f370d08f4963063ce) C:\Windows\system32\drivers\VMBusHID.sys
18:44:38.0532 6328 VMBusHID - ok
18:44:38.0552 6328 volmgr (4c63e00f2f4b5f86ab48a58cd990f212) C:\Windows\system32\drivers\volmgr.sys
18:44:38.0562 6328 volmgr - ok
18:44:38.0582 6328 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
18:44:38.0592 6328 volmgrx - ok
18:44:38.0612 6328 volsnap (f497f67932c6fa693d7de2780631cfe7) C:\Windows\system32\drivers\volsnap.sys
18:44:38.0622 6328 volsnap - ok
18:44:38.0642 6328 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
18:44:38.0642 6328 vsmraid - ok
18:44:38.0662 6328 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\System32\drivers\vwifibus.sys
18:44:38.0672 6328 vwifibus - ok
18:44:38.0702 6328 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
18:44:38.0702 6328 WacomPen - ok
18:44:38.0722 6328 WANARP (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
18:44:38.0722 6328 WANARP - ok
18:44:38.0732 6328 Wanarpv6 (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
18:44:38.0732 6328 Wanarpv6 - ok
18:44:38.0772 6328 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
18:44:38.0772 6328 Wd - ok
18:44:38.0802 6328 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
18:44:38.0812 6328 Wdf01000 - ok
18:44:38.0862 6328 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
18:44:38.0862 6328 WfpLwf - ok
18:44:38.0882 6328 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
18:44:38.0882 6328 WIMMount - ok
18:44:38.0942 6328 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\drivers\wmiacpi.sys
18:44:38.0942 6328 WmiAcpi - ok
18:44:38.0982 6328 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
18:44:38.0982 6328 ws2ifsl - ok
18:44:39.0022 6328 WudfPf (e714a1c0354636837e20ccbf00888ee7) C:\Windows\system32\drivers\WudfPf.sys
18:44:39.0032 6328 WudfPf - ok
18:44:39.0042 6328 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\Windows\system32\DRIVERS\WUDFRd.sys
18:44:39.0052 6328 WUDFRd - ok
18:44:39.0082 6328 MBR (0x1B8) (c0dcf0ac171db02db8b0014c5d767cf1) \Device\Harddisk0\DR0
18:44:39.0082 6328 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
18:44:39.0082 6328 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
18:44:39.0102 6328 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
18:44:39.0282 6328 \Device\Harddisk1\DR1 - ok
18:44:39.0292 6328 Boot (0x1200) (27e3e7bf284e0cb0bb59180ff55e9a58) \Device\Harddisk0\DR0\Partition0
18:44:39.0292 6328 \Device\Harddisk0\DR0\Partition0 - ok
18:44:39.0302 6328 Boot (0x1200) (fd61916808ac33b295df460f4bfd87e8) \Device\Harddisk0\DR0\Partition1
18:44:39.0302 6328 \Device\Harddisk0\DR0\Partition1 - ok
18:44:39.0312 6328 Boot (0x1200) (9258d5cab6210c297cbdf9239da46de7) \Device\Harddisk1\DR1\Partition0
18:44:39.0312 6328 \Device\Harddisk1\DR1\Partition0 - ok
18:44:39.0312 6328 ============================================================
18:44:39.0312 6328 Scan finished
18:44:39.0312 6328 ============================================================
18:44:39.0362 0480 Detected object count: 1
18:44:39.0362 0480 Actual detected object count: 1
18:44:49.0392 0480 \Device\Harddisk0\DR0\# - copied to quarantine
18:44:49.0392 0480 \Device\Harddisk0\DR0 - copied to quarantine
18:44:49.0422 0480 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
18:44:49.0432 0480 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
18:44:49.0432 0480 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
18:44:49.0442 0480 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
18:44:49.0452 0480 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
18:44:49.0452 0480 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
18:44:49.0462 0480 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
18:44:49.0462 0480 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
18:44:49.0462 0480 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
18:44:49.0472 0480 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
18:44:49.0472 0480 \Device\Harddisk0\DR0\TDLFS\xh.dll - copied to quarantine
18:44:49.0482 0480 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
18:44:49.0482 0480 \Device\Harddisk0\DR0 - ok
18:44:49.0482 0480 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
18:44:51.0062 5104 Deinitialize success
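The two `MBR (0x1B8) (<md5>)` lines near the end of the TDSSKiller log above are the interesting part of this scan. The 0x1B8 reads as the length of the region hashed: the 440 bytes of bootstrap code that sit before the 4-byte disk signature and the partition table in the master boot record, which is exactly the region a TDL4/Pihar bootkit overwrites so that its loader runs before Windows does. The partition table is left alone, which is why the disk keeps booting normally, and the `TDLFS\...` quarantine entries are files pulled out of the rootkit's own hidden file system rather than from NTFS. As an added example, not part of the original thread and not TDSSKiller's code, here is a Python script that parses a 512-byte MBR, hashes the same 440-byte region, and compares a baseline image with the current one so that "boot code patched, partition table intact" stands out from ordinary repartitioning. Both sector images, the "clean" loader bytes and the jump patch are constructed for the demonstration (the prologue bytes are the conventional stack-setup sequence, not a copy of the Windows loader). Reading the live sector from `\\.\PhysicalDrive0` needs an elevated process and is deliberately left out.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 0x1B8          # 440 bytes of bootstrap code, the region TDSSKiller hashes
DISK_SIG_OFF = 0x1B8          # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 0x1BE        # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR into boot-code hash, disk signature and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # unused entry
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "bootcode_md5": hashlib.md5(sector[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def compare_mbr(baseline: bytes, current: bytes) -> dict:
    """Report which parts differ between a known-good MBR image and the current one."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    return {
        "bootcode_changed": a["bootcode_md5"] != b["bootcode_md5"],
        "partition_table_changed": a["partitions"] != b["partitions"],
        "disk_signature_changed": a["disk_signature"] != b["disk_signature"],
    }


def classify(baseline: bytes, current: bytes) -> str:
    """Bootkit-style tampering patches the loader but leaves the partitions intact."""
    d = compare_mbr(baseline, current)
    if not any(d.values()):
        return "clean"
    if d["bootcode_changed"] and not d["partition_table_changed"]:
        return "bootcode patched, partition table intact: bootkit pattern"
    return "partition layout changed: repartitioning or a different disk"


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed sample: one bootable NTFS system partition plus one NTFS data partition."""
    assert len(bootcode) <= BOOTCODE_LEN
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootcode)] = bootcode
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0x1234ABCD)
    # status, CHS start, type 0x07 = NTFS, CHS end, LBA start, size in sectors
    struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF,
                     0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    struct.pack_into("<B3sB3sII", sector, PART_TABLE_OFF + 16,
                     0x00, b"\xFE\xFF\xFF", 0x07, b"\xFE\xFF\xFF", 206848, 0x0FFFFFFF)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed stand-in for a stock loader: the usual "xor ax,ax / mov ss,ax / mov sp,7C00h"
# prologue followed by NOP padding. Not a copy of the real Windows boot code.
CLEAN_BOOTCODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 100
CLEAN_MBR = build_sample_mbr(CLEAN_BOOTCODE)

# Simulated bootkit: the first instruction becomes a short jump into loader code placed
# later in the boot sector; the disk signature and partition table are left untouched.
_patched = bytearray(CLEAN_MBR)
_patched[0:3] = b"\xEB\x40\x90"                       # JMP SHORT +0x40, NOP
_patched[0x42:0x50] = b"\xFA\x31\xC0" + b"\x90" * 11  # CLI; XOR EAX,EAX; padding
INFECTED_MBR = bytes(_patched)


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        info = parse_mbr(image)
        print("%-8s bootcode md5 %s  disk sig %08x  partitions %d"
              % (name, info["bootcode_md5"], info["disk_signature"], len(info["partitions"])))
    print(classify(CLEAN_MBR, INFECTED_MBR))
```

The baseline hash is the thing to keep from a clean machine: the MD5 TDSSKiller prints for a disk it reports as `ok` is the same 440-byte hash, so it can be recorded once and checked again after any scare. A changed hash with an unchanged partition table is the signal; a changed partition table usually means a different disk or a real repartition, not a rootkit.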

#6 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 08 February 2012 - 08:39 PM

Download both registry files:

http://www.mediafire.com/?317ea53a883288d

http://www.mediafire.com/?z6aw8j7997qa7j9

Launch them and import them into the registry.

Restart your PC.

Now, open RUN and type

regedit and click OK.

Go to

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE

Right-click on it and choose Permissions.

Click on ADD and type

Everyone and click OK.

Now click on Everyone.

Below you have the permissions for users.

Select Full Control and click OK.

Now, open RUN and type

services.msc and click OK.

Start the Base Filtering Engine service and then the Windows Firewall service.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
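The post above has the user import two registry files from a file host and then open the BFE (Base Filtering Engine) service key to Everyone with Full Control. Before importing a .reg file from anywhere, it pays to read what it will write: the file is plain text, but `hex(2)` and `hex(7)` data is UTF-16 spread across continuation lines and is not readable at a glance. As an added example, not part of the original thread and not the contents of the files linked above, here is a Python parser for the Windows Registry Editor 5.00 export format that lists every key and value an import would create or delete, and marks key deletions and anything that sets a service's `ImagePath`/`ServiceDll` or a `Run` entry for a closer look. Both sample files are constructed for the demonstration: the first mirrors what a repair of the BFE service key plausibly contains (the `svchost.exe -k LocalServiceNetworkRestricted` image path is the standard one for that service), the second is a deliberately suspicious file with a fictitious path. Files saved by regedit are UTF-16 with a byte-order mark, so open them with `encoding="utf-16"`. The permission step in the post is outside what a .reg file can express; note that Full Control for Everyone on a service key lets any local process rewrite that service's `ImagePath`, so once the firewall is back it is worth returning the key to its default ACL.

```python
import re

HEADER_RE = re.compile(r"^(Windows Registry Editor Version 5\.00|REGEDIT4)$")
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
HEX_RE = re.compile(r"^hex(?:\((?P<t>[0-9a-fA-F]+)\))?:(?P<bytes>.*)$")
HEX_TYPES = {None: "REG_BINARY", "2": "REG_EXPAND_SZ", "7": "REG_MULTI_SZ"}


def _logical_lines(text):
    """Yield stripped lines, joining hex data that continues with a trailing backslash."""
    pending = ""
    for line in text.splitlines():
        line = pending + line.strip()
        if line.endswith("\\") and "=hex" in line:
            pending = line[:-1]
            continue
        pending = ""
        yield line
    if pending:
        yield pending


def _decode_data(data):
    """Turn the right-hand side of a value line into (registry type, Python value)."""
    if data == "-":
        return ("DELETE", None)
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return ("REG_SZ", data[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
    if data.startswith("dword:"):
        return ("REG_DWORD", int(data[6:], 16))
    m = HEX_RE.match(data)
    if not m:
        return ("UNKNOWN", data)
    kind = HEX_TYPES.get(m.group("t"), "hex(%s)" % m.group("t"))
    raw = bytes(int(b, 16) for b in m.group("bytes").split(",") if b.strip())
    if kind == "REG_EXPAND_SZ":      # 5.00 format: UTF-16LE, NUL terminated
        return (kind, raw.decode("utf-16-le").rstrip("\x00"))
    if kind == "REG_MULTI_SZ":       # UTF-16LE, NUL separated, double NUL at the end
        return (kind, [s for s in raw.decode("utf-16-le").split("\x00") if s])
    return (kind, raw)


def parse_reg(text):
    """Parse a .reg export into {key: {"delete": bool, "values": {name: (type, value)}}}."""
    keys, current = {}, None
    lines = [l for l in _logical_lines(text.lstrip("\ufeff")) if l and not l.startswith(";")]
    if not lines or not HEADER_RE.match(lines[0]):
        raise ValueError("not a .reg export (missing header line)")
    for line in lines[1:]:
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group("key"),
                                      {"delete": m.group("delete") == "-", "values": {}})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "" if m.group("default") else m.group("name")   # "" is the (Default) value
            current["values"][name] = _decode_data(m.group("data").strip())
    return keys


def review_reg(text):
    """List what an import would change; deletions and code paths get a closer look."""
    findings = []
    for key, entry in parse_reg(text).items():
        if entry["delete"]:
            findings.append(("high", "deletes key %s" % key))
            continue
        for name, (kind, value) in entry["values"].items():
            if kind == "DELETE":
                findings.append(("high", "deletes value %s\\%s" % (key, name)))
            elif name.lower() in ("imagepath", "servicedll") or r"\currentversion\run" in key.lower():
                findings.append(("verify", "sets code path %s\\%s = %r" % (key, name, value)))
            else:
                findings.append(("info", "sets %s\\%s = %s %r" % (key, name, kind, value)))
    return findings


# Constructed sample of what a repair file for the BFE service key plausibly contains.
# Not the contents of the files linked in the post above.
REPAIR_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BFE]
"DisplayName"="@%SystemRoot%\\system32\\bfe.dll,-1001"
"Start"=dword:00000002
"Type"=dword:00000020
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,76,00,63,00,68,00,6f,00,\
  73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,20,00,4c,00,6f,00,63,00,61,00,6c,00,\
  53,00,65,00,72,00,76,00,69,00,63,00,65,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,52,00,\
  65,00,73,00,74,00,72,00,69,00,63,00,74,00,65,00,64,00,00,00
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,00,00
"""

# Constructed counter-example: a file a reviewer would refuse to import blind.
SUSPECT_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\Public\\upd.exe"

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc]
"""

if __name__ == "__main__":
    for label, sample in (("repair", REPAIR_REG), ("suspect", SUSPECT_REG)):
        print("== %s ==" % label)
        for level, msg in review_reg(sample):
            print("%-7s %s" % (level, msg))
```

The review output is meant to be read, not acted on automatically: a `verify` line on a service `ImagePath` is expected in a genuine repair file, but the path it sets should be the stock `svchost.exe` command line for that service and nothing else, and a `high` line (a deleted key or value) in a file that is supposed to restore a service is a reason to stop and ask where the file came from.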

#7 Fajen (Topic Starter)

Posted 08 February 2012 - 11:23 PM

When I went to turn those services on, they actually already were, so I went to my firewall and it looks like it's actually working! Thank you.

Everything seems fine, but could we make sure about that? This experience has me jumpy...

Edited by Fajen, 08 February 2012 - 11:23 PM.


#8 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 09 February 2012 - 07:19 AM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#9 Fajen (Topic Starter)

Posted 09 February 2012 - 01:53 PM

I'm pretty sure I ran combofix in the correct way, via the script.txt, but I'm not 100%. I probably shouldn't have tried this as soon as I woke up. :wacko: EDIT: Yeah, I see the script in the log. Whew.

Combofix didn't restart my computer this time. It did change my default browser to something other than Firefox which seemed odd.

ComboFix 12-02-07.01 - Jeremy 02/09/2012 12:26:05.2.4 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3326.2373 [GMT -6:00]
Running from: c:\users\Jeremy\Desktop\ComboFix.exe
Command switches used :: c:\users\Jeremy\Desktop\cfscript.txt
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-01-09 to 2012-02-09 )))))))))))))))))))))))))))))))
.
.
2012-02-09 18:30 . 2012-02-09 18:30 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-02-09 18:30 . 2012-02-09 18:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-09 06:08 . 2011-11-17 05:32 1038848 ----a-w- c:\windows\system32\lsasrv.dll
2012-02-09 06:08 . 2011-11-17 05:41 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-02-09 06:08 . 2011-11-17 05:41 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-02-09 06:08 . 2011-11-17 05:39 369352 ----a-w- c:\windows\system32\drivers\cng.sys
2012-02-09 06:08 . 2011-11-17 05:35 314880 ----a-w- c:\windows\system32\webio.dll
2012-02-09 06:08 . 2011-11-17 05:34 15872 ----a-w- c:\windows\system32\sspisrv.dll
2012-02-09 06:08 . 2011-11-17 05:34 100352 ----a-w- c:\windows\system32\sspicli.dll
2012-02-09 06:08 . 2011-11-17 05:34 224768 ----a-w- c:\windows\system32\schannel.dll
2012-02-09 06:08 . 2011-11-17 05:34 22016 ----a-w- c:\windows\system32\secur32.dll
2012-02-09 06:08 . 2011-11-17 05:29 22528 ----a-w- c:\windows\system32\lsass.exe
2012-02-09 00:44 . 2012-02-09 00:44 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-08 09:41 . 2012-02-09 18:30 -------- d-----w- c:\users\Jeremy\AppData\Local\temp
2012-02-03 22:51 . 2012-02-03 22:51 -------- d-----w- c:\programdata\DivX
2012-01-25 04:10 . 2012-01-25 04:10 -------- d-----w- c:\users\Jeremy\AppData\Local\SmartTechnology
2012-01-25 03:23 . 2012-01-25 03:23 -------- d-----w- c:\programdata\SmartTechnology
2012-01-25 03:23 . 2012-01-25 03:23 -------- d-----w- c:\program files\SmartTechnology
2012-01-24 15:49 . 2012-01-24 15:49 46144 ----a-w- c:\windows\system32\drivers\SaiBus.sys
2012-01-24 15:49 . 2012-01-24 15:49 22720 ----a-w- c:\windows\system32\drivers\SaiMini.sys
2012-01-24 05:30 . 2012-01-24 05:30 -------- d-----w- c:\users\Jeremy\AppData\Local\Mozilla
2012-01-13 21:01 . 2012-01-13 21:01 -------- d-----w- c:\program files\Microsoft XNA
2012-01-11 06:50 . 2011-11-17 05:38 1288472 ----a-w- c:\windows\system32\ntdll.dll
2012-01-11 06:50 . 2011-11-19 14:01 67072 ----a-w- c:\windows\system32\packager.dll
2012-01-11 06:50 . 2011-10-26 04:32 1328128 ----a-w- c:\windows\system32\quartz.dll
2012-01-11 06:50 . 2011-10-26 04:32 514560 ----a-w- c:\windows\system32\qdvd.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-24 17:17 . 2011-08-26 02:50 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-06 18:50 . 2011-12-06 18:50 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2011-12-06 18:50 . 2011-12-06 18:50 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2011-11-24 04:25 . 2011-12-14 03:22 2342912 ----a-w- c:\windows\system32\win32k.sys
2012-02-03 16:45 . 2012-01-24 05:29 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HDAudDeck"="c:\program files\VIA\VIAudioi\VDeck\VDeck.exe" [2010-02-10 1713152]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2012-01-18 2339168]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Razer Nostromo Driver"="c:\program files\Razer\Nostromo\RazerNostromoSysTray.exe" [2011-07-19 978840]
"ProfilerU"="c:\program files\SmartTechnology\Software\ProfilerU.exe" [2012-01-23 313856]
"SaiMfd"="c:\program files\SmartTechnology\Software\SaiMfd.exe" [2012-01-23 122880]
.
c:\users\Jeremy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2012-01-31 7391072]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;d:\steam\steamapps\common\Dragon Age Ultimate Edition\bin_ship\DAUpdaterSvc.Service.exe [2012-01-01 25832]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-08-25 1343400]
S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-02-22 22992]
S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-03-16 32592]
S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-01-07 248656]
S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-04-05 297168]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 avgwd;AVG WatchDog;c:\program files\AVG\AVG10\avgwdsvc.exe [2011-02-08 269520]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-05-21 2214504]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-03-08 378472]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-05-28 134480]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-02-10 24144]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-02-10 21968]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-11-12 122984]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-11-17 232448]
S3 rzjoystk;Razer VJoystick;c:\windows\system32\DRIVERS\rzjoystk.sys [2011-03-24 16896]
S3 RzSynapse;Razer Driver;c:\windows\system32\DRIVERS\RzSynapse.sys [2011-07-14 127360]
S3 SaiK0CC3;SaiK0CC3;c:\windows\system32\DRIVERS\SaiK0CC3.sys [2011-09-20 147264]
S3 SaiU0CC3;SaiU0CC3;c:\windows\system32\DRIVERS\SaiU0CC3.sys [2011-09-20 41152]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2010-01-11 1119232]
.
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
TCP: DhcpNameServer = 192.168.15.1
FF - ProfilePath - c:\users\Jeremy\AppData\Roaming\Mozilla\Firefox\Profiles\r73v14eb.default\
FF - prefs.js: browser.search.selectedEngine - YouTube Video Search
FF - prefs.js: browser.startup.homepage - hxxp://www.bleepingcomputer.com/forums/topic441613.html
FF - prefs.js: network.proxy.type - 0
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-02-09 12:31:54
ComboFix-quarantined-files.txt 2012-02-09 18:31
ComboFix2.txt 2012-02-08 09:45
.
Pre-Run: 28,634,206,208 bytes free
Post-Run: 28,527,206,400 bytes free
.
- - End Of File - - 24D796B586FE3B331DCEA8819662C83C

Edited by Fajen, 09 February 2012 - 01:54 PM.
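Two things in the ComboFix report above deserve a second look beyond what the tool itself flags. Under `policies\system` it shows `EnableLUA = 0`, `ConsentPromptBehaviorAdmin = 0` and `PromptOnSecureDesktop = 0`: User Account Control is switched off, so anything that runs as this user already has an unprompted path to administrator rights, which is how a drive-by redirect turns into an MBR rootkit. The header line `SP: Windows Defender *Disabled/Updated*` is a second protection that is off. ComboFix also lists locked keys for information; the `PCW\Security` entry shown is one Windows 7 locks itself, so it is a review item rather than a finding. As an added example, not part of the original thread and not ComboFix's code, here is a Python triage that reads a saved ComboFix report and lists those conditions. The sample input is an excerpt of the report posted above; the expected UAC values are the Windows 7 defaults (`EnableLUA=1`, `ConsentPromptBehaviorAdmin=5`, `PromptOnSecureDesktop=1`), which the checks assume as the baseline.

```python
import re

# Windows 7 defaults for the UAC policy values (the baseline the checks assume).
UAC_EXPECTED = {
    "EnableLUA": 1,
    "ConsentPromptBehaviorAdmin": 5,
    "PromptOnSecureDesktop": 1,
}
UAC_KEY_SUFFIX = r"policies\system"

SECTION_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
POLICY_LINE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>\d+)\s*\(0x[0-9a-fA-F]+\)\s*$')
SP_LINE = re.compile(r"^SP:\s+(?P<product>.+?)\s+\*(?P<state>Enabled|Disabled)/")
DENIED_LINE = re.compile(r"^@Denied:\s*\((?P<right>[^)]+)\)\s*\((?P<who>[^)]+)\)")


def triage_combofix(text: str) -> list:
    """Walk a ComboFix report line by line and return (severity, message) findings."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_LINE.match(line)
        if m:
            section = m.group("key")          # the registry key the following lines belong to
            continue
        m = POLICY_LINE.match(line)
        if m and section and section.lower().endswith(UAC_KEY_SUFFIX):
            name, value = m.group("name"), int(m.group("value"))
            expected = UAC_EXPECTED.get(name)
            if expected is not None and value != expected:
                findings.append(("high", "UAC weakened: %s=%d (default %d)" % (name, value, expected)))
            continue
        m = SP_LINE.match(line)
        if m and m.group("state") == "Disabled":
            findings.append(("medium", "spyware protection disabled: %s" % m.group("product")))
            continue
        m = DENIED_LINE.match(line)
        if m and section:
            findings.append(("review", "locked key %s denies %s to %s"
                             % (section, m.group("right"), m.group("who"))))
    return findings


def uac_is_off(text: str) -> bool:
    """True when EnableLUA is 0, i.e. no elevation prompt stands between the user and admin."""
    return any(msg.startswith("UAC weakened: EnableLUA=0") for _, msg in triage_combofix(text))


# Excerpt of the ComboFix report posted above: the protection header, the policies block
# and the locked-keys section. The rest of the report is irrelevant to these checks.
SAMPLE_REPORT = r"""
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files\AVG\AVG10\avgtray.exe" [2012-01-18 2339168]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
"""

if __name__ == "__main__":
    for severity, message in triage_combofix(SAMPLE_REPORT):
        print("%-6s %s" % (severity, message))
```

Run against a saved `ComboFix.txt`, the `high` lines are the ones to fix once the machine is clean: turning UAC back on (Control Panel, User Account Settings, slider to the default position) restores the prompt that a redirect-to-rootkit chain like this one relies on being absent.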


#10 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 09 February 2012 - 11:54 PM

These logs are looking a lot better, but we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (it does a lot better of a job).

Programs to remove

Java™ 6 Update 22
StartNow Toolbar


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.


Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close


TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select Run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#11 Fajen (Topic Starter)

Posted 10 February 2012 - 01:02 AM

StartNow Toolbar doesn't appear on my list of installed programs. This may be due to the "made it worse" actions of my initial post.

#12 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 10 February 2012 - 01:48 AM

No, most likely it was done with the cleanup. Just move to the next item.


gringo

#13 Fajen (Topic Starter)

Posted 10 February 2012 - 09:02 PM

Oh for the... 1 step forward, 2 steps back. Now it's BuffPuma forwarding google searches.

EDIT: so out of date... running programs now.

Edited by Fajen, 10 February 2012 - 09:04 PM.


#14 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 10 February 2012 - 09:04 PM

Hello

This is the tool I would like you to try and run next.

Please download aswMBR (511 KB) to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions. ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

Gringo

#15 Fajen (Topic Starter)

Posted 10 February 2012 - 09:42 PM

I probably caused a reinfection. I had used my computer briefly after the recent improvements. That's a lesson learned and a bookmark deleted. And from this point, this will be the only website this computer sees until everything is fixed.

MWB:
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.10.08

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Jeremy :: DIABLOTEK [administrator]

2/10/2012 8:09:21 PM
mbam-log-2012-02-10 (20-09-21).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 187105
Time elapsed: 2 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:32:53 PM, on 2/10/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\System32\rundll32.exe
C:\Windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\notepad.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Jeremy\Downloads\aswMBR.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG10\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\VDeck\VDeck.exe -r
O4 - HKLM\..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG10\avgtray.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Razer Nostromo Driver] C:\Program Files\Razer\Nostromo\RazerNostromoSysTray.exe
O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\SmartTechnology\Software\ProfilerU.exe
O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\SmartTechnology\Software\SaiMfd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKUS\S-1-5-21-3875600826-1584425895-1042196255-1003\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-3875600826-1584425895-1042196255-1003\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG10\avgpp.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG10\avgwdsvc.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - D:\Steam\steamapps\common\Dragon Age Ultimate Edition\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe

--

aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-10 20:27:47
-----------------------------
20:27:47.559 OS Version: Windows 6.1.7601 Service Pack 1
20:27:47.559 Number of processors: 4 586 0x402
20:27:47.562 ComputerName: DIABLOTEK UserName: Jeremy
20:27:47.882 Initialize success
20:28:54.999 AVAST engine defs: 12021001
20:29:18.867 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
20:29:18.873 Disk 0 Vendor: ADATA_SSD_S599_64GB 3.4.3 Size: 57241MB BusType: 3
20:29:18.880 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-5
20:29:18.887 Disk 1 Vendor: Hitachi_HDS721010CLA332 JP4OA3MA Size: 953869MB BusType: 3
20:29:18.895 Disk 0 MBR read successfully
20:29:18.903 Disk 0 MBR scan
20:29:18.916 Disk 0 MBR:Pihar-C [Rtk]
20:29:18.926 Disk 0 TDL4@MBR code has been found
20:29:18.936 Disk 0 Windows 7 default MBR code found via API
20:29:18.946 Disk 0 MBR hidden
20:29:18.957 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
20:29:18.973 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 57139 MB offset 206848
20:29:18.989 Disk 0 MBR [TDL4] **ROOTKIT**
20:29:19.005 Disk 0 trace - called modules:
20:29:19.020 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x8610b49f]<<
20:29:19.034 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85e4c030]
20:29:19.050 3 CLASSPNP.SYS[8bf7f59e] -> nt!IofCallDriver -> [0x85fa47e0]
20:29:19.064 5 ACPI.sys[836393d4] -> nt!IofCallDriver -> \IdeDeviceP0T0L0-0[0x85f92030]
20:29:19.073 \Driver\atapi[0x86140b28] -> IRP_MJ_CREATE -> 0x8610b49f
20:29:19.304 AVAST engine scan C:\Windows
20:29:21.178 AVAST engine scan C:\Windows\system32
20:30:37.583 AVAST engine scan C:\Windows\system32\drivers
20:30:40.895 AVAST engine scan C:\Users\Jeremy
20:31:48.213 AVAST engine scan C:\ProgramData
20:31:54.929 Scan finished successfully
20:32:08.294 Disk 0 MBR has been saved successfully to "C:\Users\Jeremy\Desktop\MBR.dat"
20:32:08.302 The log file has been saved successfully to "C:\Users\Jeremy\Desktop\aswMBR.txt"

Edited by Fajen, 10 February 2012 - 09:43 PM.
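A small triage parser for the aswMBR log format posted above, added here as an example (it is not code from the thread or from aswMBR): it groups the per-disk verdict lines, keeps only the driver dispatch entries whose target is an address the tool marked UNKNOWN, and flags the situation visible in this log, where the raw-sector read is detected as Pihar/TDL4 while the MBR read through the OS API looks like stock Windows 7 code, which is why a scanner that only reads through the API would report the disk as clean. The field names and the sample lines (copied from the log above) are my own construction.

```python
import re
from dataclasses import dataclass, field
# Constructed sample input: the MBR-related lines from the aswMBR log posted above.
SAMPLE_LOG = """\
20:29:18.916 Disk 0 MBR:Pihar-C [Rtk]
20:29:18.936 Disk 0 Windows 7 default MBR code found via API
20:29:18.989 Disk 0 MBR [TDL4] **ROOTKIT**
20:29:19.020 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x8610b49f]<<
20:29:19.073 \\Driver\\atapi[0x86140b28] -> IRP_MJ_CREATE -> 0x8610b49f
"""

@dataclass
class MbrFinding:
    disk: int
    signature: str = ""            # raw-sector verdict, e.g. "Pihar-C [Rtk]"
    family: str = ""               # from the "MBR [TDL4] **ROOTKIT**" line
    api_looks_clean: bool = False  # the MBR read via the OS API is stock Windows code
    hooks: list[tuple[str, str, str]] = field(default_factory=list)  # (driver, IRP, target)
    @property
    def api_spoofed(self) -> bool:  # raw read flagged, API view clean: API-only scanners miss it
        return self.api_looks_clean and bool(self.signature)

DISK = re.compile(r"^Disk (\d+) (.*)$")
VERDICT = re.compile(r"^MBR \[([^\]]+)\] \*\*ROOTKIT\*\*$")
UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9a-f]+)\]<<", re.I)
DISPATCH = re.compile(r"\\Driver\\(\w+)\[0x[0-9a-f]+\] -> (IRP_MJ_\w+) -> (0x[0-9a-f]+)", re.I)

def parse_aswmbr(text: str) -> dict[int, MbrFinding]:
    findings: dict[int, MbrFinding] = {}
    disk, unknown = None, set()  # current disk; addresses the tool could not attribute
    for line in text.splitlines():
        parts = line.strip().split(None, 1)  # drop the HH:MM:SS.mmm timestamp
        if len(parts) < 2: continue
        msg = parts[1]
        if (d := DISK.match(msg)):
            disk = int(d.group(1))
            f = findings.setdefault(disk, MbrFinding(disk))
            rest = d.group(2)
            if rest.startswith("MBR:"):
                f.signature = rest[4:].strip()
            elif "default MBR code found via API" in rest:
                f.api_looks_clean = True
            elif (v := VERDICT.match(rest)):
                f.family = v.group(1)
        elif (u := UNKNOWN.search(msg)):
            unknown.add(u.group(1).lower())
        elif (h := DISPATCH.search(msg)) and disk is not None and h.group(3).lower() in unknown:
            findings[disk].hooks.append((h.group(1), h.group(2), h.group(3)))  # dispatch into unknown code
    return findings
```

Run against the log above it reports disk 0 as Pihar-C/TDL4 with `api_spoofed` set and the atapi IRP_MJ_CREATE handler redirected to the unattributed address, which matches what the poster's aswMBR output shows.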

