Suspect of spyware activity


This topic is locked
47 replies to this topic

#1 babas87

  • Members
  • 71 posts

Posted 11 February 2012 - 01:41 PM

Hello, I am in big trouble. My computer started acting weird. Black screen, freeze, sluggish... I don't even know why. I am not downloading anything on torrents. Just going online. That's it. Please, I really need help. The GMER scan showed rootkit activity, but only a real professional will tell. I will post the GMER log and attach the DSS log. Thank you in advance for your help.

GMER log:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-12 02:33:04
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PC3O
Running: mx8og51f.exe; Driver: C:\Users\SEBAST~1\AppData\Local\Temp\kglyauoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0x8A76F28A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcConnectPort [0x8A789342]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcCreatePort [0x8A789678]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcSendWaitReceivePort [0x8A7899EE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwClose [0x8A76FD04]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwConnectPort [0x8A78902A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateEvent [0x8A770276]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateMutant [0x8A770164]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreatePort [0x8A7894E8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateSection [0x8A76F046]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateSemaphore [0x8A77038E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateThread [0x8A76F8BA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateThreadEx [0x8A76FA2A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateUserProcess [0x8A7704A6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateWaitablePort [0x8A7895B0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwDebugActiveProcess [0x8A77074E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0x8A76FD46]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwDuplicateObject [0x8A771750]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwLoadDriver [0x8A770840]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwMapViewOfSection [0x8A770DAC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwNotifyChangeKey [0x8A787840]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenEvent [0x8A770308]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenMutant [0x8A7701F0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenProcess [0x8A76F4C4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenSection [0x8A770B90]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenSemaphore [0x8A770420]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenThread [0x8A76F3B8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQueryDirectoryObject [0x8A77055C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQueryObject [0x8A787A38]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQuerySection [0x8A7710D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQueueApcThread [0x8A7709E0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwReplyPort [0x8A7897DC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0x8A78972A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0x8A789848]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwResumeThread [0x8A7715F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSecureConnectPort [0x8A7891B2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetContextThread [0x8A76FBA4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetInformationToken [0x8A7705FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetSystemInformation [0x8A771222]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSuspendProcess [0x8A771316]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSuspendThread [0x8A771450]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSystemDebugControl [0x8A770670]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwTerminateProcess [0x8A76F664]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwTerminateThread [0x8A76F5BA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0x8A770F8A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0x8A76F750]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 8404B369 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 84084D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10D7 8408BD8C 4 Bytes [8A, F2, 76, 8A] {MOV DH, DL; JBE 0xffffffffffffff8e}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 8408BDB4 8 Bytes [42, 93, 78, 8A, 78, 96, 78, ...] {INC EDX; XCHG EBX, EAX; JS 0xffffffffffffff8e; JS 0xffffffffffffff9c; JS 0xffffffffffffff92}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1143 8408BDF8 4 Bytes [EE, 99, 78, 8A] {OUT DX, AL ; CDQ ; JS 0xffffffffffffff8e}
.text ntkrnlpa.exe!KeRemoveQueueEx + 116F 8408BE24 4 Bytes [04, FD, 76, 8A] {ADD AL, 0xfd; JBE 0xffffffffffffff8e}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1193 8408BE48 4 Bytes [2A, 90, 78, 8A]
.text ...
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9260B000, 0x341EAE, 0xE8000020]
? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\Users\SEBAST~1\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe[1904] C:\Windows\SYSTEM32\ntdll.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe[1904] ntdll.dll!NtProtectVirtualMemory 773A5F18 5 Bytes JMP 6AC91765 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\ushata.dll (Ushata module/Kaspersky Lab ZAO)
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe[1904] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: KERNELBASE.dll
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe[1904] USER32.dll!NotifyWinEvent + 6AE 76AFD66C 4 Bytes [E0, 13, 54, 67]
.text C:\Program Files\Internet Explorer\iexplore.exe[3960] USER32.dll!EnableWindow 76AE8D02 5 Bytes JMP 67239A14 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3960] USER32.dll!DialogBoxParamW 76B03B9B 5 Bytes JMP 6719170B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3960] USER32.dll!DialogBoxIndirectParamW 76B13B7F 5 Bytes JMP 673862BE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3960] USER32.dll!DialogBoxParamA 76B2CF42 5 Bytes JMP 67386259 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3960] USER32.dll!DialogBoxIndirectParamA 76B2D274 5 Bytes JMP 67386323 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3960] USER32.dll!MessageBoxIndirectA 76B3E869 5 Bytes JMP 673861E0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3960] USER32.dll!MessageBoxIndirectW 76B3E963 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[3960] USER32.dll!MessageBoxIndirectW 76B3E963 5 Bytes JMP 67386167 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3960] USER32.dll!MessageBoxExA 76B3E9C9 5 Bytes JMP 67386103 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3960] USER32.dll!MessageBoxExW 76B3E9ED 5 Bytes JMP 6738609F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe[4272] C:\Windows\SYSTEM32\ntdll.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe[4272] ntdll.dll!NtProtectVirtualMemory 773A5F18 5 Bytes JMP 6AC91765 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\ushata.dll (Ushata module/Kaspersky Lab ZAO)
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe[4272] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: KERNELBASE.dll
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe[4272] USER32.dll!NotifyWinEvent + 6AE 76AFD66C 4 Bytes [E0, 13, 54, 67]
.text C:\Program Files\Internet Explorer\iexplore.exe[4728] kernel32.dll!CreateThread 75A0DCC2 5 Bytes JMP 671F7303 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4728] USER32.dll!EnableWindow 76AE8D02 5 Bytes JMP 67239A14 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4728] USER32.dll!CallNextHookEx 76AEABE1 5 Bytes JMP 67257BB7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4728] USER32.dll!UnhookWindowsHookEx 76AEADF9 5 Bytes JMP 6727EB74 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4728] USER32.dll!DefWindowProcA 76AEBB1C 7 Bytes JMP 671F952D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4728] USER32.dll!CreateWindowExA 76AEBF40 5 Bytes JMP 67203363 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4728] USER32.dll!SetWindowsHookExW 76AEE30C 5 Bytes JMP 67232194 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4728] USER32.dll!CreateWindowExW 76AEEC7C 5 Bytes JMP 6725FF8F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4728] USER32.dll!DefWindowProcW 76AF507D 7 Bytes JMP 67257C1A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4728] USER32.dll!DialogBoxParamW 76B03B9B 5 Bytes JMP 6719170B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4728] USER32.dll!DialogBoxIndirectParamW 76B13B7F 5 Bytes JMP 673862BE C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4728] USER32.dll!DialogBoxParamA 76B2CF42 5 Bytes JMP 67386259 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4728] USER32.dll!DialogBoxIndirectParamA 76B2D274 5 Bytes JMP 67386323 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4728] USER32.dll!MessageBoxIndirectA 76B3E869 5 Bytes JMP 673861E0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4728] USER32.dll!MessageBoxIndirectW 76B3E963 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[4728] USER32.dll!MessageBoxIndirectW 76B3E963 5 Bytes JMP 67386167 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4728] USER32.dll!MessageBoxExA 76B3E9C9 5 Bytes JMP 67386103 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4728] USER32.dll!MessageBoxExW 76B3E9ED 5 Bytes JMP 6738609F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4728] ole32.dll!OleLoadFromStream 76986143 5 Bytes JMP 67386A8C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[5140] kernel32.dll!SetUnhandledExceptionFilter 75A0F4FB 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtClose 773A54C8 5 Bytes JMP 6855FE52 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtCreateFile 773A55C8 5 Bytes JMP 6855EB4B C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtCreateKey 773A5608 5 Bytes JMP 6855B8A5 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtDeleteFile 773A5808 5 Bytes JMP 6855E968 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtDeleteKey 773A5818 5 Bytes JMP 6855B1AD C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtDeleteValueKey 773A5848 5 Bytes JMP 6855B470 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtDuplicateObject 773A5898 5 Bytes JMP 6855FF28 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtEnumerateKey 773A58E8 5 Bytes JMP 6855B251 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtEnumerateValueKey 773A5918 5 Bytes JMP 6855B3CA C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtFlushKey 773A5988 5 Bytes JMP 6855B1FF C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtNotifyChangeKey 773A5C68 5 Bytes JMP 6855B51E C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtNotifyChangeMultipleKeys 773A5C78 5 Bytes JMP 6855B5AC C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtOpenFile 773A5CD8 5 Bytes JMP 6855ECD6 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtOpenKey 773A5D08 5 Bytes JMP 6855B7B6 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtOpenKeyEx 773A5D18 5 Bytes JMP 6855B829 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtQueryAttributesFile 773A5F38 5 Bytes JMP 6855E9D3 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtQueryDirectoryFile 773A5F98 5 Bytes JMP 6855D955 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtQueryFullAttributesFile 773A5FE8 5 Bytes JMP 6855EA43 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtQueryKey 773A60E8 5 Bytes JMP 6855B2A4 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtQueryMultipleValueKey 773A6108 5 Bytes JMP 6855B4CB C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtQueryObject 773A6128 5 Bytes JMP 6855FF7E C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtQuerySecurityObject 773A61A8 5 Bytes JMP 6855FEC2 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtQueryValueKey 773A6248 5 Bytes JMP 6855B377 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtRenameKey 773A63C8 5 Bytes JMP 6855B91A C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtSetInformationFile 773A6638 5 Bytes JMP 6855EAB3 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtSetInformationKey 773A6658 5 Bytes JMP 6855B30A C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtSetSecurityObject 773A6758 5 Bytes JMP 6855FFDB C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ntdll.dll!NtSetValueKey 773A6808 5 Bytes JMP 6855B41D C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] kernel32.dll!CreateProcessW 759C204D 5 Bytes JMP 6853889C C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] kernel32.dll!CreateProcessA 759C2082 5 Bytes JMP 685389DA C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] kernel32.dll!CreateProcessAsUserW 759F59AF 5 Bytes JMP 68538C10 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] kernel32.dll!SetDllDirectoryW 75A4D773 5 Bytes JMP 685393F1 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] kernel32.dll!SetDllDirectoryA 75A4D81C 5 Bytes JMP 68539724 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] kernel32.dll!WinExec 75A4EDB2 5 Bytes JMP 68538F93 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] kernel32.dll!AllocConsole 75A6C67D 5 Bytes JMP 685610E2 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] kernel32.dll!AttachConsole 75A6C74B 5 Bytes JMP 685610F4 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] USER32.dll!CreateWindowExA 76AEBF40 5 Bytes JMP 685610B2 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] USER32.dll!CreateWindowExW 76AEEC7C 5 Bytes JMP 685610CA C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] GDI32.dll!AddFontResourceW 75D0EC13 5 Bytes JMP 685464B8 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] GDI32.dll!AddFontResourceA 75D0EFA7 5 Bytes JMP 6854649C C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ADVAPI32.dll!EnumDependentServicesW 774D1E3A 7 Bytes JMP 68549330 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ADVAPI32.dll!EnumServicesStatusExW 774DB466 7 Bytes JMP 6854A251 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ADVAPI32.dll!GetServiceKeyNameW 774F78FF 7 Bytes JMP 685499D7 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ADVAPI32.dll!GetServiceDisplayNameW 774F79BB 7 Bytes JMP 68549B88 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ADVAPI32.dll!EnumServicesStatusExA 774FA3E2 7 Bytes JMP 6854A317 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ADVAPI32.dll!CreateProcessAsUserA 77512538 5 Bytes JMP 68538D52 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ADVAPI32.dll!GetServiceKeyNameA 77531B94 7 Bytes JMP 68549A8F C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ADVAPI32.dll!GetServiceDisplayNameA 77531C31 7 Bytes JMP 68549C40 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ADVAPI32.dll!EnumServicesStatusA 77532021 7 Bytes JMP 6854A193 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ADVAPI32.dll!EnumDependentServicesA 77532104 7 Bytes JMP 685493E7 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ADVAPI32.dll!EnumServicesStatusW 77532221 5 Bytes JMP 6854A0D5 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ole32.dll!CoRegisterPSClsid 7698C56E 5 Bytes JMP 6854FF58 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ole32.dll!CoResumeClassObjects + 7 7698EA09 7 Bytes JMP 68550529 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ole32.dll!OleRun 769907DE 5 Bytes JMP 685503E4 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ole32.dll!CoRegisterClassObject 769921E1 5 Bytes JMP 68551059 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ole32.dll!OleUninitialize 7699EBA1 6 Bytes JMP 68550303 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ole32.dll!OleInitialize 7699EFD7 5 Bytes JMP 68550293 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ole32.dll!CoGetPSClsid 769A26B9 5 Bytes JMP 685500D0 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ole32.dll!CoGetClassObject 769B54AD 5 Bytes JMP 685515E7 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ole32.dll!CoInitializeEx 769C09AD 5 Bytes JMP 68550143 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ole32.dll!CoUninitialize 769C86D3 5 Bytes JMP 685501C5 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ole32.dll!CoCreateInstance 769C9D0B 5 Bytes JMP 685528B5 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ole32.dll!CoCreateInstanceEx 769C9D4E 5 Bytes JMP 685509F0 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ole32.dll!CoSuspendClassObjects + 7 769EBB09 7 Bytes JMP 68550454 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ole32.dll!CoRevokeClassObject 76A0EACF 5 Bytes JMP 6854F9B5 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ole32.dll!CoGetInstanceFromFile 76A4340B 5 Bytes JMP 68551AA7 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text Q:\140061.enu\Office14\ONENOTEM.EXE[5896] ole32.dll!OleRegEnumFormatEtc 76A8CFD9 5 Bytes JMP 6855036E C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtClose 773A54C8 5 Bytes JMP 6855FE52 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtCreateFile 773A55C8 5 Bytes JMP 6855EB4B C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtCreateKey 773A5608 5 Bytes JMP 6855B8A5 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtDeleteFile 773A5808 5 Bytes JMP 6855E968 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtDeleteKey 773A5818 5 Bytes JMP 6855B1AD C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtDeleteValueKey 773A5848 5 Bytes JMP 6855B470 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtDuplicateObject 773A5898 5 Bytes JMP 6855FF28 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtEnumerateKey 773A58E8 5 Bytes JMP 6855B251 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtEnumerateValueKey 773A5918 5 Bytes JMP 6855B3CA C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtFlushKey 773A5988 5 Bytes JMP 6855B1FF C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtNotifyChangeKey 773A5C68 5 Bytes JMP 6855B51E C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtNotifyChangeMultipleKeys 773A5C78 5 Bytes JMP 6855B5AC C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtOpenFile 773A5CD8 5 Bytes JMP 6855ECD6 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtOpenKey 773A5D08 5 Bytes JMP 6855B7B6 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtOpenKeyEx 773A5D18 5 Bytes JMP 6855B829 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtQueryAttributesFile 773A5F38 5 Bytes JMP 6855E9D3 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtQueryDirectoryFile 773A5F98 5 Bytes JMP 6855D955 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtQueryFullAttributesFile 773A5FE8 5 Bytes JMP 6855EA43 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtQueryKey 773A60E8 5 Bytes JMP 6855B2A4 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtQueryMultipleValueKey 773A6108 5 Bytes JMP 6855B4CB C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtQueryObject 773A6128 5 Bytes JMP 6855FF7E C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtQuerySecurityObject 773A61A8 5 Bytes JMP 6855FEC2 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtQueryValueKey 773A6248 5 Bytes JMP 6855B377 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtRenameKey 773A63C8 5 Bytes JMP 6855B91A C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtSetInformationFile 773A6638 5 Bytes JMP 6855EAB3 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtSetInformationKey 773A6658 5 Bytes JMP 6855B30A C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtSetSecurityObject 773A6758 5 Bytes JMP 6855FFDB C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ntdll.dll!NtSetValueKey 773A6808 5 Bytes JMP 6855B41D C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] kernel32.dll!CreateProcessW 759C204D 5 Bytes JMP 6853889C C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] kernel32.dll!CreateProcessA 759C2082 5 Bytes JMP 685389DA C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] kernel32.dll!CreateProcessAsUserW 759F59AF 5 Bytes JMP 68538C10 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] kernel32.dll!SetDllDirectoryW 75A4D773 5 Bytes JMP 685393F1 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] kernel32.dll!SetDllDirectoryA 75A4D81C 5 Bytes JMP 68539724 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] kernel32.dll!WinExec 75A4EDB2 5 Bytes JMP 68538F93 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] kernel32.dll!AllocConsole 75A6C67D 5 Bytes JMP 685610E2 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] kernel32.dll!AttachConsole 75A6C74B 5 Bytes JMP 685610F4 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] USER32.dll!CreateWindowExA 76AEBF40 5 Bytes JMP 685610B2 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] USER32.dll!CreateWindowExW 76AEEC7C 5 Bytes JMP 685610CA C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] GDI32.dll!AddFontResourceW 75D0EC13 5 Bytes JMP 685464B8 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] GDI32.dll!AddFontResourceA 75D0EFA7 5 Bytes JMP 6854649C C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ADVAPI32.dll!EnumDependentServicesW 774D1E3A 7 Bytes JMP 68549330 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ADVAPI32.dll!EnumServicesStatusExW 774DB466 7 Bytes JMP 6854A251 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ADVAPI32.dll!GetServiceKeyNameW 774F78FF 7 Bytes JMP 685499D7 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ADVAPI32.dll!GetServiceDisplayNameW 774F79BB 7 Bytes JMP 68549B88 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ADVAPI32.dll!EnumServicesStatusExA 774FA3E2 7 Bytes JMP 6854A317 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ADVAPI32.dll!CreateProcessAsUserA 77512538 5 Bytes JMP 68538D52 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ADVAPI32.dll!GetServiceKeyNameA 77531B94 7 Bytes JMP 68549A8F C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ADVAPI32.dll!GetServiceDisplayNameA 77531C31 7 Bytes JMP 68549C40 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ADVAPI32.dll!EnumServicesStatusA 77532021 7 Bytes JMP 6854A193 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ADVAPI32.dll!EnumDependentServicesA 77532104 7 Bytes JMP 685493E7 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ADVAPI32.dll!EnumServicesStatusW 77532221 5 Bytes JMP 6854A0D5 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ole32.dll!CoRegisterPSClsid 7698C56E 5 Bytes JMP 6854FF58 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ole32.dll!CoResumeClassObjects + 7 7698EA09 7 Bytes JMP 68550529 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ole32.dll!OleRun 769907DE 5 Bytes JMP 685503E4 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ole32.dll!CoRegisterClassObject 769921E1 5 Bytes JMP 68551059 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ole32.dll!OleUninitialize 7699EBA1 6 Bytes JMP 68550303 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ole32.dll!OleInitialize 7699EFD7 5 Bytes JMP 68550293 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ole32.dll!CoGetPSClsid 769A26B9 5 Bytes JMP 685500D0 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ole32.dll!CoGetClassObject 769B54AD 5 Bytes JMP 685515E7 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ole32.dll!CoInitializeEx 769C09AD 5 Bytes JMP 68550143 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ole32.dll!CoUninitialize 769C86D3 5 Bytes JMP 685501C5 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ole32.dll!CoCreateInstance 769C9D0B 5 Bytes JMP 685528B5 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ole32.dll!CoCreateInstanceEx 769C9D4E 5 Bytes JMP 685509F0 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ole32.dll!CoSuspendClassObjects + 7 769EBB09 7 Bytes JMP 68550454 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ole32.dll!CoRevokeClassObject 76A0EACF 5 Bytes JMP 6854F9B5 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ole32.dll!CoGetInstanceFromFile 76A4340B 5 Bytes JMP 68551AA7 C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)
.text C:\Program Files\Common Files\microsoft shared\virtualization handler\OfficeVirt.exe[6052] ole32.dll!OleRegEnumFormatEtc 76A8CFD9 5 Bytes JMP 6855036E C:\Windows\system32\sftldr.dll (Microsoft Application Virtualization SoftLoader/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (内核模式驱动程序框架运行时/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (内核模式驱动程序框架运行时/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \Driver\tdx \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft 文件系统筛选器管理器/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library Q:\140061.enu\Office14\ONENOTEM.EXE (*** hidden *** ) @ Q:\140061.enu\Office14\ONENOTEM.EXE [5896] 0x2DCD0000
Library Q:\140061.enu\Office14\1033\ONINTL.DLL (*** hidden *** ) @ Q:\140061.enu\Office14\ONENOTEM.EXE [5896] 0x67BE0000

---- EOF - GMER 1.0.15 ----

#2 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,932 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:02:03 PM

Posted 15 February 2012 - 10:07 AM

Hello and welcome to BleepingComputer!

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft

#3 babas87

  • Topic Starter
  • Members
  • 71 posts
  • OFFLINE
  • Local time:06:03 AM

Posted 15 February 2012 - 05:01 PM

Hello, thanks for helping me. Here's the TDSSKiller log:

TDSSKiller Logs:

05:57:27.0613 6128 TDSS rootkit removing tool 2.7.12.0 Feb 11 2012 16:58:52
05:57:27.0644 6128 ============================================================
05:57:27.0644 6128 Current date / time: 2012/02/16 05:57:27.0644
05:57:27.0644 6128 SystemInfo:
05:57:27.0644 6128
05:57:27.0644 6128 OS Version: 6.1.7601 ServicePack: 1.0
05:57:27.0644 6128 Product type: Workstation
05:57:27.0644 6128 ComputerName: SEBASTIEN-PC
05:57:27.0644 6128 UserName: Sebastien
05:57:27.0644 6128 Windows directory: C:\Windows
05:57:27.0644 6128 System windows directory: C:\Windows
05:57:27.0644 6128 Processor architecture: Intel x86
05:57:27.0644 6128 Number of processors: 4
05:57:27.0644 6128 Page size: 0x1000
05:57:27.0644 6128 Boot type: Normal boot
05:57:27.0644 6128 ============================================================
05:57:28.0736 6128 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
05:57:28.0736 6128 \Device\Harddisk0\DR0:
05:57:28.0752 6128 MBR used
05:57:28.0752 6128 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x63800
05:57:28.0752 6128 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x64000, BlocksNum 0x23704000
05:57:28.0752 6128 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x23768000, BlocksNum 0x1C92800
05:57:28.0752 6128 \Device\Harddisk0\DR0\Partition3: MBR, Type 0xC, StartLBA 0x253FA800, BlocksNum 0x33AB0
05:57:28.0830 6128 Initialize success
05:57:28.0830 6128 ============================================================
05:58:08.0625 3468 ============================================================
05:58:08.0625 3468 Scan started
05:58:08.0625 3468 Mode: Manual; SigCheck; TDLFS;
05:58:08.0625 3468 ============================================================
05:58:10.0419 3468 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\drivers\1394ohci.sys
05:58:10.0591 3468 1394ohci - ok
05:58:10.0606 3468 Accelerometer (cc1f1d3d70dc13c2c281488d347d4415) C:\Windows\system32\DRIVERS\Accelerometer.sys
05:58:10.0606 3468 Accelerometer - ok
05:58:10.0653 3468 ACPI (cea80c80bed809aa0da6febc04733349) C:\Windows\system32\drivers\ACPI.sys
05:58:10.0669 3468 ACPI - ok
05:58:10.0716 3468 AcpiPmi (1efbc664abff416d1d07db115dcb264f) C:\Windows\system32\drivers\acpipmi.sys
05:58:10.0794 3468 AcpiPmi - ok
05:58:10.0934 3468 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
05:58:10.0981 3468 adp94xx - ok
05:58:10.0996 3468 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
05:58:11.0028 3468 adpahci - ok
05:58:11.0043 3468 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
05:58:11.0059 3468 adpu320 - ok
05:58:11.0137 3468 AFD (9ebbba55060f786f0fcaa3893bfa2806) C:\Windows\system32\drivers\afd.sys
05:58:11.0199 3468 AFD - ok
05:58:11.0293 3468 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\drivers\agp440.sys
05:58:11.0308 3468 agp440 - ok
05:58:11.0386 3468 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
05:58:11.0402 3468 aic78xx - ok
05:58:11.0464 3468 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\drivers\aliide.sys
05:58:11.0496 3468 aliide - ok
05:58:11.0496 3468 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\drivers\amdagp.sys
05:58:11.0511 3468 amdagp - ok
05:58:11.0542 3468 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\drivers\amdide.sys
05:58:11.0558 3468 amdide - ok
05:58:11.0574 3468 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
05:58:11.0652 3468 AmdK8 - ok
05:58:11.0886 3468 amdkmdag (c34523ce979f5520ebcd204f9cda899e) C:\Windows\system32\DRIVERS\atikmdag.sys
05:58:12.0042 3468 amdkmdag - ok
05:58:12.0120 3468 amdkmdap (b4d7145a6ed40471c794d980f505d621) C:\Windows\system32\DRIVERS\atikmpag.sys
05:58:12.0166 3468 amdkmdap - ok
05:58:12.0198 3468 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
05:58:12.0244 3468 AmdPPM - ok
05:58:12.0276 3468 amdsata (d320bf87125326f996d4904fe24300fc) C:\Windows\system32\drivers\amdsata.sys
05:58:12.0307 3468 amdsata - ok
05:58:12.0369 3468 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
05:58:12.0416 3468 amdsbs - ok
05:58:12.0432 3468 amdxata (46387fb17b086d16dea267d5be23a2f2) C:\Windows\system32\drivers\amdxata.sys
05:58:12.0447 3468 amdxata - ok
05:58:12.0478 3468 AmUStor (4cdc536166f3cadf6496bdac857b0f58) C:\Windows\system32\drivers\AmUStor.SYS
05:58:12.0556 3468 AmUStor - ok
05:58:12.0588 3468 AppID (aea177f783e20150ace5383ee368da19) C:\Windows\system32\drivers\appid.sys
05:58:12.0697 3468 AppID - ok
05:58:12.0806 3468 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
05:58:12.0837 3468 arc - ok
05:58:12.0853 3468 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
05:58:12.0868 3468 arcsas - ok
05:58:12.0900 3468 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
05:58:13.0024 3468 AsyncMac - ok
05:58:13.0118 3468 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\drivers\atapi.sys
05:58:13.0134 3468 atapi - ok
05:58:13.0196 3468 athr (b01751cc563aecac09bbe36aaa21fbef) C:\Windows\system32\DRIVERS\athr.sys
05:58:13.0290 3468 athr - ok
05:58:13.0399 3468 AtiHdmiService (8df873d0587596c1d35a9cececc61da1) C:\Windows\system32\drivers\AtiHdmi.sys
05:58:13.0430 3468 AtiHdmiService - ok
05:58:13.0524 3468 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
05:58:13.0586 3468 b06bdrv - ok
05:58:13.0680 3468 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
05:58:13.0726 3468 b57nd60x - ok
05:58:13.0758 3468 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
05:58:13.0789 3468 Beep - ok
05:58:13.0820 3468 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
05:58:13.0851 3468 blbdrive - ok
05:58:13.0882 3468 bowser (8f2da3028d5fcbd1a060a3de64cd6506) C:\Windows\system32\DRIVERS\bowser.sys
05:58:13.0929 3468 bowser - ok
05:58:14.0023 3468 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
05:58:14.0101 3468 BrFiltLo - ok
05:58:14.0116 3468 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
05:58:14.0194 3468 BrFiltUp - ok
05:58:14.0304 3468 BridgeMP (77361d72a04f18809d0efb6cceb74d4b) C:\Windows\system32\DRIVERS\bridge.sys
05:58:14.0397 3468 BridgeMP - ok
05:58:14.0444 3468 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
05:58:14.0491 3468 Brserid - ok
05:58:14.0506 3468 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
05:58:14.0553 3468 BrSerWdm - ok
05:58:14.0584 3468 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
05:58:14.0616 3468 BrUsbMdm - ok
05:58:14.0694 3468 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
05:58:14.0725 3468 BrUsbSer - ok
05:58:14.0756 3468 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
05:58:14.0803 3468 BTHMODEM - ok
05:58:14.0881 3468 catchme - ok
05:58:14.0974 3468 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
05:58:15.0052 3468 cdfs - ok
05:58:15.0099 3468 cdrom (be167ed0fdb9c1fa1133953c18d5a6c9) C:\Windows\system32\drivers\cdrom.sys
05:58:15.0130 3468 cdrom - ok
05:58:15.0162 3468 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
05:58:15.0193 3468 circlass - ok
05:58:15.0208 3468 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
05:58:15.0240 3468 CLFS - ok
05:58:15.0364 3468 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
05:58:15.0396 3468 CmBatt - ok
05:58:15.0427 3468 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\drivers\cmdide.sys
05:58:15.0442 3468 cmdide - ok
05:58:15.0505 3468 CNG (6427525d76f61d0c519b008d3680e8e7) C:\Windows\system32\Drivers\cng.sys
05:58:15.0536 3468 CNG - ok
05:58:15.0567 3468 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
05:58:15.0583 3468 Compbatt - ok
05:58:15.0630 3468 CompositeBus (cbe8c58a8579cfe5fccf809e6f114e89) C:\Windows\system32\drivers\CompositeBus.sys
05:58:15.0692 3468 CompositeBus - ok
05:58:15.0770 3468 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
05:58:15.0801 3468 crcdisk - ok
05:58:15.0864 3468 DfsC (f024449c97ec1e464aaffda18593db88) C:\Windows\system32\Drivers\dfsc.sys
05:58:15.0926 3468 DfsC - ok
05:58:15.0957 3468 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
05:58:16.0004 3468 discache - ok
05:58:16.0098 3468 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
05:58:16.0113 3468 Disk - ok
05:58:16.0160 3468 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
05:58:16.0191 3468 drmkaud - ok
05:58:16.0238 3468 DXGKrnl (23f5d28378a160352ba8f817bd8c71cb) C:\Windows\System32\drivers\dxgkrnl.sys
05:58:16.0269 3468 DXGKrnl - ok
05:58:16.0410 3468 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
05:58:16.0519 3468 ebdrv - ok
05:58:16.0644 3468 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
05:58:16.0675 3468 elxstor - ok
05:58:16.0706 3468 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\drivers\errdev.sys
05:58:16.0722 3468 ErrDev - ok
05:58:16.0768 3468 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
05:58:16.0800 3468 exfat - ok
05:58:16.0831 3468 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
05:58:16.0893 3468 fastfat - ok
05:58:16.0987 3468 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
05:58:17.0034 3468 fdc - ok
05:58:17.0065 3468 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
05:58:17.0080 3468 FileInfo - ok
05:58:17.0096 3468 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
05:58:17.0174 3468 Filetrace - ok
05:58:17.0205 3468 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
05:58:17.0221 3468 flpydisk - ok
05:58:17.0236 3468 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
05:58:17.0252 3468 FltMgr - ok
05:58:17.0283 3468 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
05:58:17.0299 3468 FsDepends - ok
05:58:17.0392 3468 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
05:58:17.0424 3468 Fs_Rec - ok
05:58:17.0470 3468 fvevol (8a73e79089b282100b9393b644cb853b) C:\Windows\system32\DRIVERS\fvevol.sys
05:58:17.0486 3468 fvevol - ok
05:58:17.0517 3468 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
05:58:17.0533 3468 gagp30kx - ok
05:58:17.0564 3468 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
05:58:17.0595 3468 hcw85cir - ok
05:58:17.0673 3468 HdAudAddService (a5ef29d5315111c80a5c1abad14c8972) C:\Windows\system32\drivers\HdAudio.sys
05:58:17.0736 3468 HdAudAddService - ok
05:58:17.0782 3468 HDAudBus (9036377b8a6c15dc2eec53e489d159b5) C:\Windows\system32\drivers\HDAudBus.sys
05:58:17.0814 3468 HDAudBus - ok
05:58:17.0845 3468 HECI (a88485dc6a7136c10d9a6c7e38fdfe3c) C:\Windows\system32\DRIVERS\HECI.sys
05:58:17.0892 3468 HECI - ok
05:58:17.0907 3468 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
05:58:17.0938 3468 HidBatt - ok
05:58:18.0001 3468 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
05:58:18.0048 3468 HidBth - ok
05:58:18.0063 3468 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
05:58:18.0110 3468 HidIr - ok
05:58:18.0172 3468 HidUsb (10c19f8290891af023eaec0832e1eb4d) C:\Windows\system32\drivers\hidusb.sys
05:58:18.0219 3468 HidUsb - ok
05:58:18.0344 3468 hpdskflt (4ef10b866c62abbeaf7511cdd05a19be) C:\Windows\system32\DRIVERS\hpdskflt.sys
05:58:18.0360 3468 hpdskflt - ok
05:58:18.0422 3468 HTTP (871917b07a141bff43d76d8844d48106) C:\Windows\system32\drivers\HTTP.sys
05:58:18.0484 3468 HTTP - ok
05:58:18.0516 3468 hwpolicy (0c4e035c7f105f1299258c90886c64c5) C:\Windows\system32\drivers\hwpolicy.sys
05:58:18.0531 3468 hwpolicy - ok
05:58:18.0625 3468 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\drivers\i8042prt.sys
05:58:18.0687 3468 i8042prt - ok
05:58:18.0734 3468 iaStor (8cdacd4ad63d49834c6b59db102e7cd7) C:\Windows\system32\DRIVERS\iaStor.sys
05:58:18.0765 3468 iaStor - ok
05:58:18.0890 3468 iaStorV (5cd5f9a5444e6cdcb0ac89bd62d8b76e) C:\Windows\system32\drivers\iaStorV.sys
05:58:18.0921 3468 iaStorV - ok
05:58:19.0108 3468 igfx (db7413cf09d74231720f78737dcf4188) C:\Windows\system32\DRIVERS\igdkmd32.sys
05:58:19.0405 3468 igfx - ok
05:58:19.0483 3468 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
05:58:19.0514 3468 iirsp - ok
05:58:19.0561 3468 Impcd (2db41ba61d5e44d0667cf126d35dcf34) C:\Windows\system32\DRIVERS\Impcd.sys
05:58:19.0608 3468 Impcd - ok
05:58:19.0639 3468 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\drivers\intelide.sys
05:58:19.0654 3468 intelide - ok
05:58:19.0842 3468 intelkmd (db7413cf09d74231720f78737dcf4188) C:\Windows\system32\DRIVERS\igdpmd32.sys
05:58:20.0076 3468 intelkmd - ok
05:58:20.0216 3468 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
05:58:20.0263 3468 intelppm - ok
05:58:20.0278 3468 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
05:58:20.0325 3468 IpFilterDriver - ok
05:58:20.0356 3468 IPMIDRV (4bd7134618c1d2a27466a099062547bf) C:\Windows\system32\drivers\IPMIDrv.sys
05:58:20.0388 3468 IPMIDRV - ok
05:58:20.0403 3468 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
05:58:20.0450 3468 IPNAT - ok
05:58:20.0466 3468 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
05:58:20.0528 3468 IRENUM - ok
05:58:20.0606 3468 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\drivers\isapnp.sys
05:58:20.0637 3468 isapnp - ok
05:58:20.0653 3468 iScsiPrt (cb7a9abb12b8415bce5d74994c7ba3ae) C:\Windows\system32\drivers\msiscsi.sys
05:58:20.0684 3468 iScsiPrt - ok
05:58:20.0715 3468 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\drivers\kbdclass.sys
05:58:20.0731 3468 kbdclass - ok
05:58:20.0762 3468 kbdhid (9e3ced91863e6ee98c24794d05e27a71) C:\Windows\system32\drivers\kbdhid.sys
05:58:20.0793 3468 kbdhid - ok
05:58:20.0902 3468 KL1 (186b54479d98e48aee0e9ada4b3c4d31) C:\Windows\system32\DRIVERS\kl1.sys
05:58:20.0934 3468 KL1 - ok
05:58:20.0949 3468 kl2 (bf485bfba13c0ab116701fd9c55324d0) C:\Windows\system32\DRIVERS\kl2.sys
05:58:20.0965 3468 kl2 - ok
05:58:21.0012 3468 KLIF (af04d0ce7939324e9a605b159295706c) C:\Windows\system32\DRIVERS\klif.sys
05:58:21.0058 3468 KLIF - ok
05:58:21.0152 3468 KLIM6 (6295a19003f935ecc6ccbe9e2376427b) C:\Windows\system32\DRIVERS\klim6.sys
05:58:21.0183 3468 KLIM6 - ok
05:58:21.0199 3468 klmouflt (3de1771c135328420315e21dde229bba) C:\Windows\system32\DRIVERS\klmouflt.sys
05:58:21.0214 3468 klmouflt - ok
05:58:21.0246 3468 KSecDD (f4647bb23db9038a7536cf6b68f4207f) C:\Windows\system32\Drivers\ksecdd.sys
05:58:21.0261 3468 KSecDD - ok
05:58:21.0292 3468 KSecPkg (e73cae53bbb72ba26918492c6b4c229d) C:\Windows\system32\Drivers\ksecpkg.sys
05:58:21.0308 3468 KSecPkg - ok
05:58:21.0355 3468 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
05:58:21.0386 3468 lltdio - ok
05:58:21.0495 3468 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
05:58:21.0526 3468 LSI_FC - ok
05:58:21.0573 3468 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
05:58:21.0604 3468 LSI_SAS - ok
05:58:21.0620 3468 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
05:58:21.0651 3468 LSI_SAS2 - ok
05:58:21.0682 3468 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
05:58:21.0698 3468 LSI_SCSI - ok
05:58:21.0714 3468 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
05:58:21.0760 3468 luafv - ok
05:58:21.0792 3468 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
05:58:21.0807 3468 megasas - ok
05:58:21.0885 3468 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
05:58:21.0916 3468 MegaSR - ok
05:58:21.0948 3468 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
05:58:22.0010 3468 Modem - ok
05:58:22.0026 3468 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
05:58:22.0057 3468 monitor - ok
05:58:22.0088 3468 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\drivers\mouclass.sys
05:58:22.0104 3468 mouclass - ok
05:58:22.0119 3468 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
05:58:22.0150 3468 mouhid - ok
05:58:22.0197 3468 mountmgr (fc8771f45ecccfd89684e38842539b9b) C:\Windows\system32\drivers\mountmgr.sys
05:58:22.0213 3468 mountmgr - ok
05:58:22.0291 3468 mpio (2d699fb6e89ce0d8da14ecc03b3edfe0) C:\Windows\system32\drivers\mpio.sys
05:58:22.0306 3468 mpio - ok
05:58:22.0338 3468 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
05:58:22.0384 3468 mpsdrv - ok
05:58:22.0416 3468 MRxDAV (ceb46ab7c01c9f825f8cc6babc18166a) C:\Windows\system32\drivers\mrxdav.sys
05:58:22.0478 3468 MRxDAV - ok
05:58:22.0556 3468 mrxsmb (5d16c921e3671636c0eba3bbaac5fd25) C:\Windows\system32\DRIVERS\mrxsmb.sys
05:58:22.0587 3468 mrxsmb - ok
05:58:22.0603 3468 mrxsmb10 (6d17a4791aca19328c685d256349fefc) C:\Windows\system32\DRIVERS\mrxsmb10.sys
05:58:22.0634 3468 mrxsmb10 - ok
05:58:22.0665 3468 mrxsmb20 (b81f204d146000be76651a50670a5e9e) C:\Windows\system32\DRIVERS\mrxsmb20.sys
05:58:22.0696 3468 mrxsmb20 - ok
05:58:22.0728 3468 msahci (012c5f4e9349e711e11e0f19a8589f0a) C:\Windows\system32\drivers\msahci.sys
05:58:22.0743 3468 msahci - ok
05:58:22.0759 3468 msdsm (55055f8ad8be27a64c831322a780a228) C:\Windows\system32\drivers\msdsm.sys
05:58:22.0790 3468 msdsm - ok
05:58:22.0821 3468 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
05:58:22.0852 3468 Msfs - ok
05:58:22.0915 3468 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
05:58:22.0977 3468 mshidkmdf - ok
05:58:22.0977 3468 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\drivers\msisadrv.sys
05:58:22.0993 3468 msisadrv - ok
05:58:23.0024 3468 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
05:58:23.0071 3468 MSKSSRV - ok
05:58:23.0086 3468 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
05:58:23.0133 3468 MSPCLOCK - ok
05:58:23.0149 3468 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
05:58:23.0196 3468 MSPQM - ok
05:58:23.0227 3468 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
05:58:23.0242 3468 MsRPC - ok
05:58:23.0320 3468 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\drivers\mssmbios.sys
05:58:23.0336 3468 mssmbios - ok
05:58:23.0352 3468 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
05:58:23.0398 3468 MSTEE - ok
05:58:23.0414 3468 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
05:58:23.0445 3468 MTConfig - ok
05:58:23.0461 3468 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
05:58:23.0476 3468 Mup - ok
05:58:23.0492 3468 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
05:58:23.0508 3468 NativeWifiP - ok
05:58:23.0554 3468 NDIS (e7c54812a2aaf43316eb6930c1ffa108) C:\Windows\system32\drivers\ndis.sys
05:58:23.0586 3468 NDIS - ok
05:58:23.0664 3468 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
05:58:23.0742 3468 NdisCap - ok
05:58:23.0773 3468 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
05:58:23.0804 3468 NdisTapi - ok
05:58:23.0866 3468 Ndisuio (d8a65dafb3eb41cbb622745676fcd072) C:\Windows\system32\DRIVERS\ndisuio.sys
05:58:23.0913 3468 Ndisuio - ok
05:58:23.0944 3468 NdisWan (38fbe267e7e6983311179230facb1017) C:\Windows\system32\DRIVERS\ndiswan.sys
05:58:23.0991 3468 NdisWan - ok
05:58:24.0054 3468 NDProxy (a4bdc541e69674fbff1a8ff00be913f2) C:\Windows\system32\drivers\NDProxy.sys
05:58:24.0116 3468 NDProxy - ok
05:58:24.0147 3468 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
05:58:24.0194 3468 NetBIOS - ok
05:58:24.0225 3468 NetBT (280122ddcf04b378edd1ad54d71c1e54) C:\Windows\system32\DRIVERS\netbt.sys
05:58:24.0272 3468 NetBT - ok
05:58:24.0397 3468 netw5v32 (58218ec6b61b1169cf54aab0d00f5fe2) C:\Windows\system32\DRIVERS\netw5v32.sys
05:58:24.0490 3468 netw5v32 - ok
05:58:24.0584 3468 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
05:58:24.0600 3468 nfrd960 - ok
05:58:24.0631 3468 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
05:58:24.0693 3468 Npfs - ok
05:58:24.0709 3468 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
05:58:24.0756 3468 nsiproxy - ok
05:58:24.0802 3468 Ntfs (81189c3d7763838e55c397759d49007a) C:\Windows\system32\drivers\Ntfs.sys
05:58:24.0849 3468 Ntfs - ok
05:58:24.0912 3468 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
05:58:24.0990 3468 Null - ok
05:58:25.0036 3468 nvraid (b3e25ee28883877076e0e1ff877d02e0) C:\Windows\system32\drivers\nvraid.sys
05:58:25.0052 3468 nvraid - ok
05:58:25.0068 3468 nvstor (4380e59a170d88c4f1022eff6719a8a4) C:\Windows\system32\drivers\nvstor.sys
05:58:25.0083 3468 nvstor - ok
05:58:25.0099 3468 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\drivers\nv_agp.sys
05:58:25.0114 3468 nv_agp - ok
05:58:25.0130 3468 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\drivers\ohci1394.sys
05:58:25.0161 3468 ohci1394 - ok
05:58:25.0192 3468 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
05:58:25.0208 3468 Parport - ok
05:58:25.0239 3468 partmgr (bf8f6af06da75b336f07e23aef97d93b) C:\Windows\system32\drivers\partmgr.sys
05:58:25.0255 3468 partmgr - ok
05:58:25.0333 3468 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
05:58:25.0380 3468 Parvdm - ok
05:58:25.0426 3468 pci (673e55c3498eb970088e812ea820aa8f) C:\Windows\system32\drivers\pci.sys
05:58:25.0442 3468 pci - ok
05:58:25.0473 3468 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\drivers\pciide.sys
05:58:25.0489 3468 pciide - ok
05:58:25.0520 3468 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
05:58:25.0551 3468 pcmcia - ok
05:58:25.0567 3468 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
05:58:25.0582 3468 pcw - ok
05:58:25.0614 3468 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
05:58:25.0676 3468 PEAUTH - ok
05:58:25.0801 3468 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
05:58:25.0879 3468 PptpMiniport - ok
05:58:25.0910 3468 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
05:58:25.0941 3468 Processor - ok
05:58:25.0988 3468 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
05:58:26.0035 3468 Psched - ok
05:58:26.0082 3468 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
05:58:26.0144 3468 ql2300 - ok
05:58:26.0206 3468 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
05:58:26.0238 3468 ql40xx - ok
05:58:26.0253 3468 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
05:58:26.0300 3468 QWAVEdrv - ok
05:58:26.0347 3468 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
05:58:26.0394 3468 RasAcd - ok
05:58:26.0425 3468 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
05:58:26.0472 3468 RasAgileVpn - ok
05:58:26.0503 3468 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
05:58:26.0565 3468 Rasl2tp - ok
05:58:26.0628 3468 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
05:58:26.0674 3468 RasPppoe - ok
05:58:26.0706 3468 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
05:58:26.0752 3468 RasSstp - ok
05:58:26.0784 3468 rdbss (d528bc58a489409ba40334ebf96a311b) C:\Windows\system32\DRIVERS\rdbss.sys
05:58:26.0846 3468 rdbss - ok
05:58:26.0877 3468 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
05:58:26.0908 3468 rdpbus - ok
05:58:26.0986 3468 RDPCDD (23dae03f29d253ae74c44f99e515f9a1) C:\Windows\system32\DRIVERS\RDPCDD.sys
05:58:27.0064 3468 RDPCDD - ok
05:58:27.0096 3468 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
05:58:27.0127 3468 RDPENCDD - ok
05:58:27.0142 3468 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
05:58:27.0205 3468 RDPREFMP - ok
05:58:27.0236 3468 RDPWD (288b06960d78428ff89e811632684e20) C:\Windows\system32\drivers\RDPWD.sys
05:58:27.0298 3468 RDPWD - ok
05:58:27.0345 3468 rdyboost (518395321dc96fe2c9f0e96ac743b656) C:\Windows\system32\drivers\rdyboost.sys
05:58:27.0361 3468 rdyboost - ok
05:58:27.0454 3468 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
05:58:27.0548 3468 rspndr - ok
05:58:27.0579 3468 RTL8167 (bcebd5d1aabce4efb7597635e347c44b) C:\Windows\system32\DRIVERS\Rt86win7.sys
05:58:27.0642 3468 RTL8167 - ok
05:58:27.0735 3468 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
05:58:27.0751 3468 SASDIFSV - ok
05:58:27.0766 3468 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
05:58:27.0782 3468 SASKUTIL - ok
05:58:27.0860 3468 sbp2port (05d860da1040f111503ac416ccef2bca) C:\Windows\system32\drivers\sbp2port.sys
05:58:27.0891 3468 sbp2port - ok
05:58:27.0922 3468 scfilter (0693b5ec673e34dc147e195779a4dcf6) C:\Windows\system32\DRIVERS\scfilter.sys
05:58:27.0969 3468 scfilter - ok
05:58:28.0000 3468 sdbus (0328be1c7f1cba23848179f8762e391c) C:\Windows\system32\drivers\sdbus.sys
05:58:28.0032 3468 sdbus - ok
05:58:28.0063 3468 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
05:58:28.0110 3468 secdrv - ok
05:58:28.0188 3468 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
05:58:28.0219 3468 Serenum - ok
05:58:28.0234 3468 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys
05:58:28.0266 3468 Serial - ok
05:58:28.0297 3468 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
05:58:28.0312 3468 sermouse - ok
05:58:28.0359 3468 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\drivers\sffdisk.sys
05:58:28.0422 3468 sffdisk - ok
05:58:28.0437 3468 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\drivers\sffp_mmc.sys
05:58:28.0500 3468 sffp_mmc - ok
05:58:28.0531 3468 sffp_sd (6d4ccaedc018f1cf52866bbbaa235982) C:\Windows\system32\drivers\sffp_sd.sys
05:58:28.0562 3468 sffp_sd - ok
05:58:28.0624 3468 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
05:58:28.0640 3468 sfloppy - ok
05:58:28.0687 3468 Sftfs (d9b734638dd8dba9d59aad3189cd0fad) C:\Windows\system32\DRIVERS\Sftfslh.sys
05:58:28.0718 3468 Sftfs - ok
05:58:28.0780 3468 Sftplay (2f61bd46c0bff4eb36e1e359ca17bfc5) C:\Windows\system32\DRIVERS\Sftplaylh.sys
05:58:28.0796 3468 Sftplay - ok
05:58:28.0874 3468 Sftredir (518bac0179f94304f422696b47c0ec12) C:\Windows\system32\DRIVERS\Sftredirlh.sys
05:58:28.0890 3468 Sftredir - ok
05:58:28.0921 3468 Sftvol (747325236d88b3f05ffd27ff9ec711c5) C:\Windows\system32\DRIVERS\Sftvollh.sys
05:58:28.0936 3468 Sftvol - ok
05:58:28.0983 3468 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\drivers\sisagp.sys
05:58:29.0014 3468 sisagp - ok
05:58:29.0046 3468 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys
05:58:29.0061 3468 SiSRaid2 - ok
05:58:29.0108 3468 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys
05:58:29.0124 3468 SiSRaid4 - ok
05:58:29.0186 3468 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
05:58:29.0248 3468 Smb - ok
05:58:29.0280 3468 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
05:58:29.0295 3468 spldr - ok
05:58:29.0342 3468 srv (e4c2764065d66ea1d2d3ebc28fe99c46) C:\Windows\system32\DRIVERS\srv.sys
05:58:29.0373 3468 srv - ok
05:58:29.0404 3468 srv2 (03f0545bd8d4c77fa0ae1ceedfcc71ab) C:\Windows\system32\DRIVERS\srv2.sys
05:58:29.0436 3468 srv2 - ok
05:58:29.0529 3468 SrvHsfHDA (e00fdfaff025e94f9821153750c35a6d) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
05:58:29.0576 3468 SrvHsfHDA - ok
05:58:29.0623 3468 SrvHsfV92 (ceb4e3b6890e1e42dca6694d9e59e1a0) C:\Windows\system32\DRIVERS\VSTDPV3.SYS
05:58:29.0685 3468 SrvHsfV92 - ok
05:58:29.0779 3468 SrvHsfWinac (bc0c7ea89194c299f051c24119000e17) C:\Windows\system32\DRIVERS\VSTCNXT3.SYS
05:58:29.0826 3468 SrvHsfWinac - ok
05:58:29.0841 3468 srvnet (be6bd660caa6f291ae06a718a4fa8abc) C:\Windows\system32\DRIVERS\srvnet.sys
05:58:29.0888 3468 srvnet - ok
05:58:29.0935 3468 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys
05:58:29.0950 3468 stexstor - ok
05:58:30.0044 3468 STHDA (d5d73b49d53fcc47e2828d6805dfa0f6) C:\Windows\system32\DRIVERS\stwrt.sys
05:58:30.0106 3468 STHDA - ok
05:58:30.0153 3468 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\drivers\swenum.sys
05:58:30.0169 3468 swenum - ok
05:58:30.0247 3468 SynTP (916a6435b54bd87c65950425aed642b7) C:\Windows\system32\DRIVERS\SynTP.sys
05:58:30.0278 3468 SynTP - ok
05:58:30.0372 3468 Tcpip (65d10b191c59c5501a1263fc33f6894b) C:\Windows\system32\drivers\tcpip.sys
05:58:30.0434 3468 Tcpip - ok
05:58:30.0528 3468 TCPIP6 (65d10b191c59c5501a1263fc33f6894b) C:\Windows\system32\DRIVERS\tcpip.sys
05:58:30.0574 3468 TCPIP6 - ok
05:58:30.0606 3468 tcpipreg (cca24162e055c3714ce5a88b100c64ed) C:\Windows\system32\drivers\tcpipreg.sys
05:58:30.0652 3468 tcpipreg - ok
05:58:30.0684 3468 TDPIPE (1cb91b2bd8f6dd367dfc2ef26fd751b2) C:\Windows\system32\drivers\tdpipe.sys
05:58:30.0715 3468 TDPIPE - ok
05:58:30.0730 3468 TDTCP (2c10395baa4847f83042813c515cc289) C:\Windows\system32\drivers\tdtcp.sys
05:58:30.0762 3468 TDTCP - ok
05:58:30.0808 3468 tdx (b459575348c20e8121d6039da063c704) C:\Windows\system32\DRIVERS\tdx.sys
05:58:30.0871 3468 tdx - ok
05:58:30.0949 3468 TermDD (04dbf4b01ea4bf25a9a3e84affac9b20) C:\Windows\system32\drivers\termdd.sys
05:58:30.0980 3468 TermDD - ok
05:58:31.0011 3468 tssecsrv (254bb140eee3c59d6114c1a86b636877) C:\Windows\system32\DRIVERS\tssecsrv.sys
05:58:31.0074 3468 tssecsrv - ok
05:58:31.0136 3468 TsUsbFlt (fd1d6c73e6333be727cbcc6054247654) C:\Windows\system32\drivers\tsusbflt.sys
05:58:31.0183 3468 TsUsbFlt - ok
05:58:31.0261 3468 tunnel (b2fa25d9b17a68bb93d58b0556e8c90d) C:\Windows\system32\DRIVERS\tunnel.sys
05:58:31.0339 3468 tunnel - ok
05:58:31.0370 3468 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
05:58:31.0386 3468 uagp35 - ok
05:58:31.0417 3468 udfs (ee43346c7e4b5e63e54f927babbb32ff) C:\Windows\system32\DRIVERS\udfs.sys
05:58:31.0464 3468 udfs - ok
05:58:31.0510 3468 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\drivers\uliagpkx.sys
05:58:31.0526 3468 uliagpkx - ok
05:58:31.0557 3468 umbus (d295bed4b898f0fd999fcfa9b32b071b) C:\Windows\system32\DRIVERS\umbus.sys
05:58:31.0588 3468 umbus - ok
05:58:31.0651 3468 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
05:58:31.0698 3468 UmPass - ok
05:58:31.0729 3468 usbccgp (bd9c55d7023c5de374507acc7a14e2ac) C:\Windows\system32\DRIVERS\usbccgp.sys
05:58:31.0760 3468 usbccgp - ok
05:58:31.0791 3468 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\drivers\usbcir.sys
05:58:31.0807 3468 usbcir - ok
05:58:31.0838 3468 usbehci (f92de757e4b7ce9c07c5e65423f3ae3b) C:\Windows\system32\drivers\usbehci.sys
05:58:31.0869 3468 usbehci - ok
05:58:31.0932 3468 usbhub (8dc94aec6a7e644a06135ae7506dc2e9) C:\Windows\system32\DRIVERS\usbhub.sys
05:58:31.0978 3468 usbhub - ok
05:58:32.0025 3468 usbohci (e185d44fac515a18d9deddc23c2cdf44) C:\Windows\system32\drivers\usbohci.sys
05:58:32.0056 3468 usbohci - ok
05:58:32.0103 3468 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
05:58:32.0134 3468 usbprint - ok
05:58:32.0166 3468 USBSTOR (f991ab9cc6b908db552166768176896a) C:\Windows\system32\drivers\USBSTOR.SYS
05:58:32.0212 3468 USBSTOR - ok
05:58:32.0228 3468 usbuhci (68df884cf41cdada664beb01daf67e3d) C:\Windows\system32\drivers\usbuhci.sys
05:58:32.0259 3468 usbuhci - ok
05:58:32.0353 3468 usbvideo (45f4e7bf43db40a6c6b4d92c76cbc3f2) C:\Windows\System32\Drivers\usbvideo.sys
05:58:32.0384 3468 usbvideo - ok
05:58:32.0415 3468 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\drivers\vdrvroot.sys
05:58:32.0431 3468 vdrvroot - ok
05:58:32.0478 3468 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
05:58:32.0509 3468 vga - ok
05:58:32.0540 3468 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
05:58:32.0571 3468 VgaSave - ok
05:58:32.0602 3468 vhdmp (5461686cca2fda57b024547733ab42e3) C:\Windows\system32\drivers\vhdmp.sys
05:58:32.0634 3468 vhdmp - ok
05:58:32.0696 3468 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\drivers\viaagp.sys
05:58:32.0727 3468 viaagp - ok
05:58:32.0743 3468 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
05:58:32.0790 3468 ViaC7 - ok
05:58:32.0821 3468 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\drivers\viaide.sys
05:58:32.0821 3468 viaide - ok
05:58:32.0852 3468 volmgr (4c63e00f2f4b5f86ab48a58cd990f212) C:\Windows\system32\drivers\volmgr.sys
05:58:32.0868 3468 volmgr - ok
05:58:32.0899 3468 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
05:58:32.0930 3468 volmgrx - ok
05:58:32.0946 3468 volsnap (f497f67932c6fa693d7de2780631cfe7) C:\Windows\system32\drivers\volsnap.sys
05:58:32.0961 3468 volsnap - ok
05:58:33.0024 3468 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
05:58:33.0055 3468 vsmraid - ok
05:58:33.0086 3468 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\system32\DRIVERS\vwifibus.sys
05:58:33.0133 3468 vwifibus - ok
05:58:33.0148 3468 vwififlt (7090d3436eeb4e7da3373090a23448f7) C:\Windows\system32\DRIVERS\vwififlt.sys
05:58:33.0180 3468 vwififlt - ok
05:58:33.0226 3468 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
05:58:33.0258 3468 WacomPen - ok
05:58:33.0320 3468 WANARP (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
05:58:33.0398 3468 WANARP - ok
05:58:33.0398 3468 Wanarpv6 (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
05:58:33.0429 3468 Wanarpv6 - ok
05:58:33.0476 3468 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
05:58:33.0492 3468 Wd - ok
05:58:33.0523 3468 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
05:58:33.0538 3468 Wdf01000 - ok
05:58:33.0648 3468 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
05:58:33.0694 3468 WfpLwf - ok
05:58:33.0726 3468 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
05:58:33.0741 3468 WIMMount - ok
05:58:33.0788 3468 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\drivers\wmiacpi.sys
05:58:33.0819 3468 WmiAcpi - ok
05:58:33.0850 3468 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
05:58:33.0897 3468 ws2ifsl - ok
05:58:33.0928 3468 WudfPf (e714a1c0354636837e20ccbf00888ee7) C:\Windows\system32\drivers\WudfPf.sys
05:58:33.0975 3468 WudfPf - ok
05:58:34.0038 3468 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\Windows\system32\DRIVERS\WUDFRd.sys
05:58:34.0116 3468 WUDFRd - ok
05:58:34.0194 3468 yukonw7 (b07c5b7efdf936ff93d4f540938725be) C:\Windows\system32\DRIVERS\yk62x86.sys
05:58:34.0225 3468 yukonw7 - ok
05:58:34.0240 3468 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
05:58:34.0365 3468 \Device\Harddisk0\DR0 - ok
05:58:34.0365 3468 Boot (0x1200) (d7d933a49197152884c888eb4593c521) \Device\Harddisk0\DR0\Partition0
05:58:34.0365 3468 \Device\Harddisk0\DR0\Partition0 - ok
05:58:34.0396 3468 Boot (0x1200) (93f8a9c36939df8b933bbe603f7ab4ce) \Device\Harddisk0\DR0\Partition1
05:58:34.0396 3468 \Device\Harddisk0\DR0\Partition1 - ok
05:58:34.0428 3468 Boot (0x1200) (dad96510eb6ec1510aded25ab1a814cd) \Device\Harddisk0\DR0\Partition2
05:58:34.0428 3468 \Device\Harddisk0\DR0\Partition2 - ok
05:58:34.0443 3468 Boot (0x1200) (fb43780570d4e5ac129afaad4c483091) \Device\Harddisk0\DR0\Partition3
05:58:34.0443 3468 \Device\Harddisk0\DR0\Partition3 - ok
05:58:34.0443 3468 ============================================================
05:58:34.0443 3468 Scan finished
05:58:34.0443 3468 ============================================================
05:58:34.0459 3064 Detected object count: 0
05:58:34.0459 3064 Actual detected object count: 0
05:58:46.0814 5768 Deinitialize success

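The listing above ends with "Detected object count: 0", which only says that nothing matched TDSSKiller's signatures; it does not say the hashes and paths it printed are all expected. As an added example (not part of the original post and not TDSSKiller code), the script below parses that line format and pulls out what an analyst actually reads such a listing for: drivers whose image lives outside C:\Windows\system32, one image registered under several service names, and the MBR and boot-sector hashes so two runs can be diffed. The sample lines are constructed in the log's shape from rows already on the page, and the function names are the example's own.

```python
"""Triage helper for a TDSSKiller-style driver listing.

Added example for this thread; it is not part of the original post and is not
TDSSKiller code. It parses lines of the shape

    05:58:30.0372 3468 Tcpip (65d10b191c59c5501a1263fc33f6894b) C:\\Windows\\system32\\drivers\\tcpip.sys

and reports what an analyst reads such a listing for.
"""
import re
from collections import defaultdict

# One row per hashed object: timestamp, thread id, service name, MD5, image path.
# The name may itself contain parentheses, e.g. "MBR (0x1B8)", so it is matched
# lazily and the hash must be exactly 32 hex digits.
ROW = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<name>.+?)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>\S.*)$"
)

# Constructed sample: rows copied in shape from the listing above (test input,
# not a new scan).
SAMPLE_LOG = r"""
05:58:30.0372 3468 Tcpip (65d10b191c59c5501a1263fc33f6894b) C:\Windows\system32\drivers\tcpip.sys
05:58:30.0434 3468 Tcpip - ok
05:58:30.0528 3468 TCPIP6 (65d10b191c59c5501a1263fc33f6894b) C:\Windows\system32\DRIVERS\tcpip.sys
05:58:30.0574 3468 TCPIP6 - ok
05:58:27.0735 3468 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
05:58:27.0751 3468 SASDIFSV - ok
05:58:34.0240 3468 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
05:58:34.0365 3468 \Device\Harddisk0\DR0 - ok
05:58:34.0365 3468 Boot (0x1200) (d7d933a49197152884c888eb4593c521) \Device\Harddisk0\DR0\Partition0
05:58:34.0459 3064 Detected object count: 0
"""

WINDOWS_DRIVER_ROOT = "c:\\windows\\system32\\"   # covers ...\drivers and ...\DRIVERS


def parse(log_text):
    """Return one dict per hashed row; '- ok' and summary lines are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def drivers_outside_windows(rows):
    """Service names whose image is not under C:\\Windows\\system32.

    Third-party security tools legitimately live elsewhere (SASDIFSV here),
    so this is a review list, not a verdict."""
    out = []
    for r in rows:
        path = r["path"].lower()
        if path.startswith("\\device\\"):
            continue                      # MBR / boot-sector rows are not files
        if not path.startswith(WINDOWS_DRIVER_ROOT):
            out.append(r["name"])
    return out


def shared_images(rows):
    """md5 -> service names that all point at the same image.

    Tcpip/TCPIP6 sharing tcpip.sys is normal on Windows 7; what deserves a
    look is an unfamiliar service name pointing at an image you did not expect."""
    by_hash = defaultdict(list)
    for r in rows:
        if not r["path"].lower().startswith("\\device\\"):
            by_hash[r["md5"]].append(r["name"])
    return {h: sorted(n, key=str.lower) for h, n in by_hash.items() if len(n) > 1}


def boot_hashes(rows):
    """Device path -> MD5 for the MBR and per-partition boot-sector rows."""
    return {r["path"]: r["md5"] for r in rows if r["path"].startswith("\\Device\\")}


def changed_boot_sectors(before, after):
    """Device paths whose hash differs between two runs (or appears in only one).

    A bootkit rewrites the MBR or a volume boot record; a hash that is stable
    across runs, or matches a known-good image, is the check worth making."""
    return sorted(p for p in set(before) | set(after) if before.get(p) != after.get(p))


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("outside system32:", drivers_outside_windows(rows))
    print("shared images:", shared_images(rows))
    print("boot hashes:", boot_hashes(rows))
```

The MD5 column is only useful for matching: against a second run of the same machine, against a known-good copy of the driver, or against a reputation service. It proves nothing on its own, and a scanner's "- ok" beside a row means no signature fired, not that the image was verified.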
#4 Elise (Malware Study Hall Admin)

Posted 16 February 2012 - 02:37 AM

Hi again,

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#5 babas87 (Topic Starter)

Posted 16 February 2012 - 04:48 PM

Hi, here's the ComboFix log:



ComboFix 12-02-16.02 - Sebastien 2/02/17 Fri 2:31.4.4 - x86
Microsoft Windows 7 Home Basic 6.1.7601.1.936.86.2052.18.1910.949 [GMT 8:00]
Running from: c:\users\Sebastien\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2EAA32A5-1EE1-1B22-95DA-337730C6E984}
FW: Kaspersky Internet Security *Disabled* {1691B380-548E-1A7A-BE85-9A42CE15AEFF}
SP: Kaspersky Internet Security *Disabled/Updated* {95CBD341-38DB-14AC-AF6A-08054B41A339}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
Error: Cfiles.dat
.
((((((((((((((((((((((((( Files created from 2012-01-16 to 2012-02-16 )))))))))))))))))))))))))))))))
.
.
2012-02-16 18:38 . 2012-02-16 18:38 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-15 02:32 . 2011-12-30 05:27 478720 ----a-w- c:\windows\system32\timedate.cpl
2012-02-15 02:32 . 2011-12-16 07:52 690688 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-15 02:32 . 2012-01-04 08:58 442880 ----a-w- c:\windows\system32\ntshrui.dll
2012-02-15 02:32 . 2012-01-14 03:35 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-02-15 01:45 . 2012-02-15 04:37 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A50D55E7-4F96-4219-8EE4-C79FCB2B6B95}\offreg.dll
2012-02-14 09:04 . 2012-01-06 04:19 6557240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A50D55E7-4F96-4219-8EE4-C79FCB2B6B95}\mpengine.dll
2012-02-13 21:00 . 2012-02-13 21:00 -------- d-----w- c:\users\Sebastien\AppData\Roaming\WinPatrol
2012-02-13 21:00 . 2012-02-13 21:00 -------- d-----w- c:\programdata\InstallMate
2012-02-13 21:00 . 2012-02-13 21:00 -------- d-----w- c:\program files\BillP Studios
2012-02-12 15:03 . 2012-02-12 15:03 17 ----a-w- c:\windows\system32\sho408C.tmp
2012-02-09 17:13 . 2012-02-09 17:13 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-02-09 17:03 . 2012-02-11 12:37 -------- dc----w- c:\windows\system32\DRVSTORE
2012-02-09 17:03 . 2012-02-09 17:03 -------- d-----w- c:\program files\Lavasoft
2012-02-09 17:03 . 2012-02-11 12:37 -------- d-----w- c:\programdata\Lavasoft
2012-02-08 22:27 . 2012-02-08 22:27 -------- d-----w- c:\program files\Common Files\xing shared
2012-02-08 22:26 . 2012-02-08 22:27 -------- d-----w- c:\program files\Real
2012-02-06 00:05 . 2012-02-06 00:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-06 00:05 . 2011-12-10 07:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-05 22:27 . 2012-02-05 22:27 -------- d-----w- c:\programdata\Yahoo! Companion
2012-02-05 20:26 . 2012-02-05 21:09 97961 ----a-w- c:\windows\system32\drivers\klick.dat
2012-02-05 20:26 . 2012-02-05 21:09 115369 ----a-w- c:\windows\system32\drivers\klin.dat
2012-02-05 20:25 . 2012-02-16 17:55 -------- d-----w- c:\programdata\Kaspersky Lab
2012-02-05 20:25 . 2012-02-05 20:25 -------- d-----w- c:\program files\Kaspersky Lab
2012-02-05 14:07 . 2012-02-05 14:07 -------- d-----w- c:\users\Sebastien\AppData\Local\ElevatedDiagnostics
2012-02-02 22:17 . 2012-02-02 22:17 -------- d-----w- c:\users\Sebastien\AppData\Roaming\SUPERAntiSpyware.com
2012-02-02 22:16 . 2012-02-02 22:16 -------- d-----w- c:\programdata\!SASCORE
2012-02-02 22:16 . 2012-02-02 22:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-02-02 22:16 . 2012-02-02 22:16 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-02-02 22:12 . 2012-02-05 22:27 -------- d-----w- c:\users\Sebastien\AppData\Roaming\Yahoo!
2012-02-02 21:53 . 2012-02-02 21:53 -------- d-----w- c:\program files\Common Files\Java
2012-02-02 21:52 . 2012-02-02 21:52 -------- d-----w- c:\program files\Java
2012-01-31 22:47 . 2012-01-31 22:47 -------- d-----w- c:\programdata\ATI
2012-01-31 22:01 . 2010-04-01 06:06 139776 ----a-w- c:\windows\system32\aestacap.dll
2012-01-31 22:01 . 2009-10-09 16:45 380928 ----a-w- c:\windows\system32\aestecap.dll
2012-01-31 22:01 . 2009-03-02 17:57 61440 ----a-w- c:\windows\system32\aestaren.dll
2012-01-31 22:01 . 2011-02-08 05:27 4644864 ----a-w- c:\windows\system32\stlang.dll
2012-01-31 22:01 . 2011-01-24 17:57 536668 ----a-w- c:\windows\sttray.exe
2012-01-31 22:01 . 2011-01-24 17:57 536576 ----a-w- c:\windows\system32\idtmini1.exe
2012-01-31 22:01 . 2011-01-24 17:57 12734556 ----a-w- c:\windows\system32\idtcpl.cpl
2012-01-31 22:01 . 2009-03-02 17:47 86016 ----a-w- c:\windows\system32\AESTCom.dll
2012-01-31 22:01 . 2011-01-24 17:57 179712 ----a-w- c:\windows\system32\staco.dll
2012-01-31 22:00 . 2011-01-24 17:57 949760 ----a-w- c:\windows\system32\stapo.dll
2012-01-31 22:00 . 2011-01-24 17:57 532480 ------w- c:\windows\system32\stapi32.dll
2012-01-31 22:00 . 2011-01-24 17:57 435200 ----a-w- c:\windows\system32\drivers\stwrt.sys
2012-01-31 22:00 . 2011-01-24 17:57 405504 ----a-w- c:\windows\system32\stcplx.dll
2012-01-27 11:18 . 2012-01-27 11:18 -------- d-----w- c:\users\Sebastien\AppData\Roaming\CyberLink
2012-01-25 23:46 . 2012-01-25 23:46 -------- d-----r- C:\MSOCache
2012-01-22 01:27 . 2012-01-22 01:27 -------- d-----w- c:\programdata\VirtualizedApplications
2012-01-21 19:28 . 2012-01-21 19:28 -------- d-----w- c:\users\Sebastien\AppData\Local\SoftGrid Client
2012-01-21 19:27 . 2012-02-16 11:23 -------- d-----w- c:\users\Sebastien\AppData\Roaming\SoftGrid Client
2012-01-21 19:22 . 2012-02-15 03:00 -------- d-----w- c:\program files\Microsoft Application Virtualization Client
2012-01-21 19:22 . 2012-01-21 19:28 -------- d-----w- c:\users\Sebastien\AppData\Roaming\TP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Files modified within the last three months ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 22:27 . 2010-02-22 09:24 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-02-08 22:27 . 2010-02-22 09:24 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-02-05 22:27 . 2012-01-06 18:14 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-02 21:53 . 2012-01-06 23:12 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-26 16:21 . 2012-01-06 18:09 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-06 20:08 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-01-06 18:18 . 2011-03-28 10:36 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-01-06 18:11 . 2012-01-06 18:11 86528 ----a-w- c:\windows\system32\iesysprep.dll
2012-01-06 18:11 . 2012-01-06 18:11 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-01-06 18:11 . 2012-01-06 18:11 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-01-06 18:11 . 2012-01-06 18:11 63488 ----a-w- c:\windows\system32\tdc.ocx
2012-01-06 18:11 . 2012-01-06 18:11 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-01-06 18:11 . 2012-01-06 18:11 367104 ----a-w- c:\windows\system32\html.iec
2012-01-06 18:11 . 2012-01-06 18:11 161792 ----a-w- c:\windows\system32\msls31.dll
2012-01-06 18:11 . 2012-01-06 18:11 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-01-06 18:11 . 2012-01-06 18:11 74752 ----a-w- c:\windows\system32\iesetup.dll
2012-01-06 18:11 . 2012-01-06 18:11 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-01-06 18:11 . 2012-01-06 18:11 35840 ----a-w- c:\windows\system32\imgutil.dll
2012-01-06 18:11 . 2012-01-06 18:11 23552 ----a-w- c:\windows\system32\licmgr10.dll
2012-01-06 18:11 . 2012-01-06 18:11 152064 ----a-w- c:\windows\system32\wextract.exe
2012-01-06 18:11 . 2012-01-06 18:11 150528 ----a-w- c:\windows\system32\iexpress.exe
2012-01-06 18:11 . 2012-01-06 18:11 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-01-06 18:11 . 2012-01-06 18:11 11776 ----a-w- c:\windows\system32\mshta.exe
2012-01-06 18:11 . 2012-01-06 18:11 101888 ----a-w- c:\windows\system32\admparse.dll
2011-12-28 04:35 . 2011-12-28 04:35 516096 ----a-w- c:\windows\system32\Funshion.scr
2011-11-19 14:01 . 2012-01-10 19:28 67072 ----a-w- c:\windows\system32\packager.dll
.
.
((((((((((((((((((((((((((((((((((((( Registry loading points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-11-20 2363392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Quick Launch"="c:\program files\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe" [2010-01-18 572416]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-01-22 1684776]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2009-12-23 284696]
"AmIcoSinglun"="c:\program files\AmIcoSingLun\AmIcoSinglun.exe" [2009-08-17 233472]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe" [2009-12-16 8192]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2010-01-20 568888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2011-01-24 536668]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-07-28 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-07-28 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-07-28 170520]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-01-26 98304]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe" [2011-04-24 202296]
"TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" [2012-02-08 296056]
.
c:\users\Sebastien\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVH.EXE [2012-1-4 3208032]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2012-01-03 18:47 6497592 ----a-w- c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 HPWMISVC;HPWMISVC;c:\program files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [2010-01-18 17920]
R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS [2009-08-17 25600]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-11-06 230912]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [2009-07-13 311296]
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [2011-03-04 11352]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [2011-03-10 23856]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2012-02-02 116608]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [2009-03-02 81920]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-01-26 176128]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [2009-12-16 102968]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2011-05-13 26168]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2009-12-23 13336]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-03-18 2320920]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-01-26 6380544]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-01-26 222208]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 125696]
S3 intelkmd;intelkmd;c:\windows\system32\DRIVERS\igdpmd32.sys [2010-07-28 9023488]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [2009-11-02 19984]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 579944]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 194408]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 21864]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 19304]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-11-20 06:28 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2657288965-1140498775-825970497-1000Core.job
- c:\users\Sebastien\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-06 18:21]
.
2012-02-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2657288965-1140498775-825970497-1000UA.job
- c:\users\Sebastien\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-06 18:21]
.
.
------- Supplementary Scan -------
.
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2012\ie_banner_deny.htm
TCP: DhcpNameServer = 192.168.2.1 142.166.145.137
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-02-17 02:41:13
ComboFix-quarantined-files.txt 2012-02-16 18:41
ComboFix2.txt 2012-02-11 16:00
.
Pre-Run: 13 directories, 273,020,690,432 bytes free
Post-Run: 15 directories, 273,198,006,272 bytes free
.
- - End Of File - - B7D81440F2DF0C694F84850DE7AE01DD

#6 Elise (Malware Study Hall Admin)

Posted 17 February 2012 - 06:28 AM

How is your computer running at this point, what problems do you still have left?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."
Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome
Malware analyst @ Emsisoft


#7 babas87 (Topic Starter)

Posted 17 February 2012 - 10:33 AM

Yes, I still have the same issues. My computer still freezes without me doing anything. Did ComboFix find the rootkit that GMER mentioned??? Thanks

#8 Elise

Posted 17 February 2012 - 11:14 AM

I am not sure this is an actual rootkit, so let's investigate further.

OTL
-----
Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the NONE button.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    netsvcs
  • Push Run Scan.
  • A report will open. Copy and Paste that report in your next reply.

regards, Elise



#9 babas87

Posted 17 February 2012 - 01:36 PM

Hello, here are the OTL logs you asked for:

OTL logfile created on: 2012/2/18 2:34:29 - Run 1
OTL by OldTimer - Version 3.2.32.0 Folder = C:\Users\Sebastien\Desktop
Home Basic Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000804 | Country: People's Republic of China | Language: CHS | Date Format: yyyy/M/d

1.87 Gb Total Physical Memory | 1.14 Gb Available Physical Memory | 61.14% Memory free
3.73 Gb Paging File | 2.36 Gb Available in Paging File | 63.20% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 283.51 Gb Total Space | 254.67 Gb Free Space | 89.83% Space Free | Partition Type: NTFS
Drive D: | 14.29 Gb Total Space | 2.04 Gb Free Space | 14.29% Space Free | Partition Type: NTFS
Drive E: | 99.34 Mb Total Space | 90.78 Mb Free Space | 91.38% Space Free | Partition Type: FAT32

Computer Name: SEBASTIEN-PC | User Name: Sebastien | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

< End of report >

Thanks

#10 Elise

Posted 17 February 2012 - 01:54 PM

Can you reboot in Safe Mode with Networking and see if you have similar issues there, or if things run fine there?

regards, Elise



#11 babas87

Posted 17 February 2012 - 03:11 PM

Yes, I have the same problem. I opened Google Chrome and it froze. However, it did unfreeze after a while. If there is nothing, how come GMER found a rootkit? It's really weird.

#12 Elise

Posted 17 February 2012 - 03:21 PM

Do you use Microsoft OneNote software? If not frequently, could you uninstall it and rerun GMER?

regards, Elise



#13 babas87

Posted 17 February 2012 - 08:40 PM

How do I uninstall Microsoft OneNote separately from the other Microsoft Office tools? Thanks

#14 Elise

Posted 18 February 2012 - 04:24 AM

See here: http://office.microsoft.com/en-us/onenote-help/install-or-remove-individual-components-in-office-HP005274169.aspx

After selecting Change, you can select individual components to uninstall; select OneNote and continue.

regards, Elise



#15 babas87

Posted 18 February 2012 - 12:35 PM

Well, I completely uninstalled Microsoft Office. I did the GMER scan and it did not find anything. But what about my computer that keeps freezing? I am sure there is something you don't see.

GMER logs:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-19 01:32:25
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PC3O
Running: mx8og51f.exe; Driver: C:\Users\SEBAST~1\AppData\Local\Temp\kglyauoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0x8A78A28A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcConnectPort [0x8A7A4342]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcCreatePort [0x8A7A4678]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcSendWaitReceivePort [0x8A7A49EE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwClose [0x8A78AD04]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwConnectPort [0x8A7A402A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateEvent [0x8A78B276]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateMutant [0x8A78B164]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreatePort [0x8A7A44E8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateSection [0x8A78A046]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateSemaphore [0x8A78B38E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateSymbolicLinkObject [0x8A7A58D0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateThread [0x8A78A8BA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateThreadEx [0x8A78AA2A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateUserProcess [0x8A78B4A6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwCreateWaitablePort [0x8A7A45B0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwDebugActiveProcess [0x8A78B74E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwDeviceIoControlFile [0x8A78AD46]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwDuplicateObject [0x8A78C750]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwLoadDriver [0x8A78B840]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwMapViewOfSection [0x8A7A58F0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwNotifyChangeKey [0x8A7A2840]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenEvent [0x8A78B308]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenMutant [0x8A78B1F0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenProcess [0x8A78A4C4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenSection [0x8A78BB90]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenSemaphore [0x8A78B420]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwOpenThread [0x8A78A3B8]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwPlugPlayControl [0x8A7A58E0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQueryDirectoryObject [0x8A78B55C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQueryObject [0x8A7A2A38]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQuerySection [0x8A78C0D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwQueueApcThread [0x8A78B9E0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwReplyPort [0x8A7A47DC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwReplyWaitReceivePort [0x8A7A472A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwRequestWaitReplyPort [0x8A7A4848]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwResumeThread [0x8A78C5F2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSecureConnectPort [0x8A7A41B2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetContextThread [0x8A78ABA4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetInformationToken [0x8A78B5FA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSetSystemInformation [0x8A78C222]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSuspendProcess [0x8A78C316]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSuspendThread [0x8A78C450]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwSystemDebugControl [0x8A78B670]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwTerminateProcess [0x8A78A664]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwTerminateThread [0x8A78A5BA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwUnmapViewOfSection [0x8A78BF8A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwWriteVirtualMemory [0x8A78A750]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 84048369 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 84081D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10D7 84088D8C 4 Bytes [8A, A2, 78, 8A]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 84088DB4 8 Bytes [42, 43, 7A, 8A, 78, 46, 7A, ...] {INC EDX; INC EBX; JP 0xffffffffffffff8e; JS 0x4c; JP 0xffffffffffffff92}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1143 84088DF8 4 Bytes [EE, 49, 7A, 8A] {OUT DX, AL ; DEC ECX; JP 0xffffffffffffff8e}
.text ntkrnlpa.exe!KeRemoveQueueEx + 116F 84088E24 4 Bytes [04, AD, 78, 8A] {ADD AL, 0xad; JS 0xffffffffffffff8e}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1193 84088E48 4 Bytes [2A, 40, 7A, 8A]
.text ...
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x92610000, 0x341EAE, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe[1928] C:\Windows\SYSTEM32\ntdll.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe[1928] ntdll.dll!NtProtectVirtualMemory 77CA5F18 5 Bytes JMP 6AC91765 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\ushata.dll (Ushata module/Kaspersky Lab ZAO)
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe[1928] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: KERNELBASE.dll
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe[1928] USER32.dll!NotifyWinEvent + 6AE 7754D66C 4 Bytes [E0, 13, 54, 67]
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe[4664] C:\Windows\SYSTEM32\ntdll.dll time/date stamp mismatch;
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe[4664] ntdll.dll!NtProtectVirtualMemory 77CA5F18 5 Bytes JMP 6AC91765 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\ushata.dll (Ushata module/Kaspersky Lab ZAO)
? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe[4664] C:\Windows\system32\kernel32.dll time/date stamp mismatch; unknown module: KERNELBASE.dll
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe[4664] USER32.dll!NotifyWinEvent + 6AE 7754D66C 4 Bytes [E0, 13, 54, 67]
.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[4732] kernel32.dll!SetUnhandledExceptionFilter 7736F4FB 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004f halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \Driver\tdx \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab ZAO)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{4ebae07d-fbfa-4b48-a4b8-e8abd3c5ed46} 0 bytes
File C:\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{4ebae07d-fbfa-4b48-a4b8-e8abd3c5ed46}\snapshot.etl 294912 bytes
File C:\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{f19bba65-f374-450c-a526-9fe35b1fd1ae} 0 bytes
File C:\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{f19bba65-f374-450c-a526-9fe35b1fd1ae}\snapshot.etl 327680 bytes

---- EOF - GMER 1.0.15 ----
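
Added example, not from any post in this thread and not part of GMER: a small Python triage script that does, over GMER hook lines of the kind posted above, the two checks a helper does by eye before calling hooks a rootkit. First, it attributes every SSDT hook and every user-mode hook to the vendor GMER prints in parentheses, so a hook with no vendor (or a vendor that is not an installed security product) is surfaced for review. Second, it decodes the raw 4-byte values in the ntkrnlpa.exe!KeRemoveQueueEx entries as little-endian addresses and looks them up against the SSDT hook addresses: in the log above, [8A, A2, 78, 8A] is 0x8A78A28A, the klif.sys ZwAdjustPrivilegesToken hook, and the other patches resolve the same way, which is what the rewritten service-table slots of the same driver look like rather than a second, unknown hooker. GMER_SAMPLE is a constructed excerpt of lines copied from the GMER log in post #15; KNOWN_VENDORS is an assumption based on the Kaspersky install visible in the logs; unattributed items such as the inline SetUnhandledExceptionFilter patch inside realsched.exe are reported for manual review, not judged.

```python
"""Triage GMER hook output: attribute each hook to the vendor GMER names and
decode the raw ntkrnlpa.exe byte patches as addresses to match against the SSDT.

Added example for this thread; not part of GMER or of any post above. GMER_SAMPLE
is a constructed excerpt of lines copied from the GMER log posted in the thread.
KNOWN_VENDORS is an assumption based on the Kaspersky install seen in the logs."""
import re
import struct
import sys
from collections import Counter

GMER_SAMPLE = r"""
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAdjustPrivilegesToken [0x8A78A28A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcConnectPort [0x8A7A4342]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwAlpcSendWaitReceivePort [0x8A7A49EE]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwClose [0x8A78AD04]
SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wlh_x86]/Kaspersky Lab) ZwConnectPort [0x8A7A402A]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10D7 84088D8C 4 Bytes [8A, A2, 78, 8A]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 84088DB4 8 Bytes [42, 43, 7A, 8A, 78, 46, 7A, ...] {INC EDX; INC EBX; JP 0xffffffffffffff8e; JS 0x4c; JP 0xffffffffffffff92}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1143 84088DF8 4 Bytes [EE, 49, 7A, 8A] {OUT DX, AL ; DEC ECX; JP 0xffffffffffffff8e}
.text ntkrnlpa.exe!KeRemoveQueueEx + 116F 84088E24 4 Bytes [04, AD, 78, 8A] {ADD AL, 0xad; JS 0xffffffffffffff8e}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1193 84088E48 4 Bytes [2A, 40, 7A, 8A]
.text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe[1928] ntdll.dll!NtProtectVirtualMemory 77CA5F18 5 Bytes JMP 6AC91765 C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2012\ushata.dll (Ushata module/Kaspersky Lab ZAO)
.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[4732] kernel32.dll!SetUnhandledExceptionFilter 7736F4FB 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
"""

# 'SSDT <module> (<description>/<vendor>) <ZwFunction> [0xADDR]'
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<desc>[^()]*)\))?\s+(?P<func>\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]")
# '.text ntkrnlpa.exe!<export> + <off> <va> <n> Bytes [xx, xx, ...] {disasm}'
KPATCH_RE = re.compile(r"^\.text\s+(?P<sym>\S+!\S+)\s+\+\s+[0-9A-Fa-f]+\s+(?P<va>[0-9A-Fa-f]+)\s+\d+\s+Bytes?\s+\[(?P<bytes>[^\]]*)\]")
# '.text <image>[pid] <dll>!<export> <va> <n> Bytes <JMP <target> <module> (<desc>/<vendor>) | inline bytes>'
UPATCH_RE = re.compile(r"^\.text\s+(?P<image>.+?\[\d+\])\s+(?P<target>\S+!\S+)\s+[0-9A-Fa-f]+\s+\d+\s+Bytes?\s+(?P<rest>.*)$")
VENDOR_TAIL_RE = re.compile(r"\((?P<desc>[^()]*)\)\s*$")
# Assumption: the security products whose hooks are expected on this machine.
KNOWN_VENDORS = {"Kaspersky Lab", "Kaspersky Lab ZAO"}


def vendor_of(desc):
    """GMER prints '(description/vendor)'; the vendor is the last '/' field."""
    return desc.rsplit("/", 1)[-1].strip() if desc else None


def decode_dwords(byte_field):
    """'8A, A2, 78, 8A, ...' -> little-endian dwords; GMER's trailing '...' and
    any incomplete 4-byte tail are dropped, not guessed."""
    toks = [t.strip() for t in byte_field.split(",")]
    raw = bytes(int(t, 16) for t in toks if re.fullmatch(r"[0-9A-Fa-f]{2}", t))
    return [struct.unpack_from("<I", raw, i)[0] for i in range(0, len(raw) // 4 * 4, 4)]


def triage(log_text):
    ssdt = {}          # hook address -> (function, module, vendor)
    by_vendor = Counter()
    unattributed = []  # anything GMER could not tie to a known vendor
    kernel_patches = []
    for line in log_text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            v = vendor_of(m["desc"])
            ssdt[int(m["addr"], 16)] = (m["func"], m["module"], v)
            by_vendor[v or "<none>"] += 1
            if v not in KNOWN_VENDORS:
                unattributed.append(f"SSDT {m['func']} -> {m['module']} ({v or 'no vendor'})")
            continue
        m = KPATCH_RE.match(line)
        if m:
            kernel_patches.append((m["sym"], int(m["va"], 16), decode_dwords(m["bytes"])))
            continue
        m = UPATCH_RE.match(line)
        if m:
            tail = VENDOR_TAIL_RE.search(m["rest"])
            v = vendor_of(tail["desc"]) if tail else None
            by_vendor[v or "<none>"] += 1
            if v not in KNOWN_VENDORS:
                unattributed.append(f"{m['image']} {m['target']} ({v or 'inline patch, no module'})")
    # A 4-byte kernel "patch" whose value equals an SSDT hook address is the service
    # table slot itself, rewritten by the same driver, not a second hooker.
    resolved = []
    for sym, va, dwords in kernel_patches:
        for i, d in enumerate(dwords):
            hit = ssdt.get(d)
            resolved.append((va + 4 * i, d, hit[0] if hit else None))
            if hit is None:
                unattributed.append(f"{sym} @ {va + 4 * i:08X} = {d:08X} (no matching SSDT hook)")
    return {"by_vendor": dict(by_vendor), "unattributed": unattributed, "ssdt_patches": resolved}


def summary(result):
    """One-line verdict: who owns the hooks, how many raw patches resolve, what is left."""
    owners = ", ".join(f"{v}: {n}" for v, n in sorted(result["by_vendor"].items()))
    ok = sum(1 for _, _, f in result["ssdt_patches"] if f)
    return (f"hooks by vendor [{owners}]; {ok}/{len(result['ssdt_patches'])} kernel byte patches "
            f"resolve to listed SSDT hooks; {len(result['unattributed'])} entries to review")


if __name__ == "__main__":  # python gmer_triage.py [saved_gmer_log.txt]
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else GMER_SAMPLE
    res = triage(text)
    print(summary(res))
    print(*("  REVIEW: " + item for item in res["unattributed"]), sep="\n")
```

On the sample above the script attributes all five SSDT hooks to Kaspersky Lab and the ntdll.dll!NtProtectVirtualMemory hook in avp.exe to Kaspersky Lab ZAO, resolves all five KeRemoveQueueEx byte patches to listed SSDT hooks, and leaves one item to review: the inline patch of SetUnhandledExceptionFilter inside realsched.exe, which carries no module or vendor in GMER's output. Run it against a full saved GMER log to get the same split for every hook GMER reports; entries that stay in the review list are the ones worth asking about, not the hooks a named, installed security product owns.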