Google Blocked in IE


  • This topic is locked
20 replies to this topic

#1 TiminIndy

  • Members
  • 17 posts

Posted 12 February 2012 - 11:26 AM

I'm trying to clean up a friend's Windows 7 laptop PC. He had a variety of toolbars and "fix it" programs installed that I don't trust, including DropBox, Juniper Networks, Uniblue Registry Booster, ARO 2011, PC Pitstop, RadioRage, Ask Toolbar, WebSearch, etc.; the PC was locking up and barely usable. I uninstalled everything I could - I had to use Revo Uninstaller to force the uninstall of Uniblue. I was unable to uninstall Ask Toolbar even with that because of a missing .msi file; I know that one is relatively harmless so I just disabled it.

I downloaded MBAM, SUPERAntiSpyware, Spybot S&D, and CCleaner on my PC, transferred them with a flash drive and installed them on this one. I scanned with each in Safe Mode and removed a variety of Trojan Horses, etc., and the registry errors you will see in the logs. The only thing that keeps returning on the scans is "svchost.exe", which MBAM identifies as a Trojan and Spybot identifies as "Smitfraud-C.generic". The only remaining visible problem is that in IE, I cannot go to Google; it doesn't redirect, I just get "Internet Explorer cannot display the webpage", and 'Diagnose Connection Problems' doesn't find anything.

He has Safari installed and I can go to Google on that. I plan to install Firefox w/ ABP once this issue is resolved and will encourage him not to use IE when he doesn't have to, but this still needs to be addressed. I checked Internet Options and under LAN settings, 'Use a proxy server' was checked, so I unchecked it and changed it to 'automatically detect', but even after restarts, the issue was still there. I checked the hosts file and there isn't extra garbage in there, but I did notice the entries without a # were at the top, unlike the examples I saw online. I moved them to the bottom, but after restarts I see they are at the top again:

127.0.0.1 localhost
::1 localhost
# Copyright © 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost


I went to properties on the Local Area Connection and Wireless Connection and under TCP/IPv4 they are both set to 'Obtain an IP address automatically' and 'Obtain DNS server address automatically'. I also tried removing IE, restarting, and added it back in, and that didn't work either. I also read that these rogue proxy connections often come from a rootkit, so I installed 'unhackme', which is supposed to detect and remove these, but it didn't find anything.

I am fairly novice, but I have had a lot of success with the above tools removing threats from friends' and family's PCs, based on research from sites like this. Thanks in advance for any help anyone can give me - I am out of ideas. I've come this far with it and would much rather beat this than reformat. I did back up all his pictures and documents just in case, but I'm not sure if he has his recovery disk. Here are the HijackThis and MBAM logs; I can't find the CCleaner logs, but it found hundreds of registry errors and supposedly fixed them:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:05:23 AM, on 2/12/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=c:\windows\syswow64\userinit.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {78ba36c9-6036-482b-b48d-ecca6f964b84} - (no file)
O3 - Toolbar: (no name) - {5911488E-9D1E-40ec-8CBB-06B231CC153F} - (no file)
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eric
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eric
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eric
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: lxdn_device - Unknown owner - C:\Windows\system32\lxdncoms.exe (file missing)
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files (x86)\Common Files\Motive\McciCMService.exe
O23 - Service: McciCMService64 - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SoftThinks Agent Service (SftService) - SoftThinks SAS - C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8814 bytes


----------------------------------------------------------------------------------------------------------------------------


Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.11.06

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.7601.17514
aaron :: ERIC [administrator]

2/11/2012 12:17:25 PM
mbam-log-2012-02-11 (12-17-25).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 312340
Time elapsed: 35 minute(s), 13 second(s)

Memory Processes Detected: 1
C:\WINDOWS\svchost.exe (Trojan.Agent) -> 1112 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 66
HKLM\SYSTEM\CurrentControlSet\Services\RadioRage_4jService (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{48909954-14fb-4971-a7b3-47e7af10b38a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{48909954-14FB-4971-A7B3-47E7AF10B38A} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{48909954-14FB-4971-A7B3-47E7AF10B38A} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{48909954-14FB-4971-A7B3-47E7AF10B38A} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RadioRage_4jbar Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{3c35ad63-af1d-4e21-b484-b6651a8efcf9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{5848763c-2668-44ca-adbe-2999a6ee2858} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5848763C-2668-44CA-ADBE-2999A6EE2858} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{5848763C-2668-44CA-ADBE-2999A6EE2858} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5848763C-2668-44CA-ADBE-2999A6EE2858} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{ecef0d95-32fa-48d3-8a2d-d6453b5b7361} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{4a50e810-71eb-43a8-a665-19ed8ccd1630} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{3C8E293A-99C8-45E1-93A3-77DAB6BB7928} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{6562e272-88e1-4dff-8ff8-fe1a05323d36} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{d0e90465-cf35-480d-b520-e1e3bde802f5} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{6D32BB6F-7969-48BF-836A-C14CDFC72D72} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{7e7abf2a-8c44-4562-895d-dbca3cddd1a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\RadioRage_4j.DynamicBarButton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\RadioRage_4j.DynamicBarButton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{e23760be-23a3-4cef-9304-66af079f53db} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{597494da-c59f-4edf-b2d1-ce137e2db9e4} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{516434A0-985D-4312-843C-C92B3E19FC2D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\RadioRage_4j.FeedManager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\RadioRage_4j.FeedManager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{68122f44-3a4a-4edb-b28f-0c0e07f89bd0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{4dd9eb5d-8657-4856-a804-535841b09d73} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{A93A372A-0AD5-4939-A228-7F4152124EA6} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\RadioRage_4j.HTMLPanel.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\RadioRage_4j.HTMLPanel (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{68122F44-3A4A-4EDB-B28F-0C0E07F89BD0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{581C7D7D-F809-4E03-A631-74C069D5F04A} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\RadioRage_4j.HTMLMenu.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\RadioRage_4j.HTMLMenu (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{581C7D7D-F809-4E03-A631-74C069D5F04A} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{d740ad89-baf4-47d5-9b5e-343d30f07a7a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{0978c5fa-83c0-4118-a54f-99dacceecb8c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{2FDB59A0-4024-4CED-94CF-B01E217DE4E5} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{f69fe1be-09c3-460c-ac89-8ccd9d3df1cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\RadioRage_4j.MultipleButton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\RadioRage_4j.MultipleButton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{434fa5e9-253e-4bd0-adb6-7ce4cea114ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{9e18e695-c9af-4369-8cc3-93141c2928af} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{057DDEC7-1C8A-4C24-A896-92485CC45459} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\RadioRage_4j.XMLSessionPlugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\RadioRage_4j.XMLSessionPlugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{434FA5E9-253E-4BD0-ADB6-7CE4CEA114CA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{00a2b7c6-7487-4b99-9f6c-1fdf57fe130b} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\RadioRage_4j.Radio.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\RadioRage_4j.Radio (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{11d4b723-18ca-48c6-ba13-965488f19a70} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\RadioRage_4j.ScriptButton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\RadioRage_4j.ScriptButton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{53855564-cf81-410c-9c1c-321c7e067816} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{1fdad7f1-b87c-4e79-9150-de235ff80b3a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{30AE6757-B1D4-4CD5-8FEC-A9B6A545EF64} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{53855564-CF81-410C-9C1C-321C7E067816} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{60b34f47-3fdd-46f8-ab6c-aaabea55c3d6} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\TypeLib\{569a9014-22e3-4f11-a243-ca4e3d95aded} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\Interface\{38C1B7DA-9876-4DEA-B740-19C4F57CE8E8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\RadioRage_4j.ThirdPartyInstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\RadioRage_4j.ThirdPartyInstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{60B34F47-3FDD-46F8-AB6C-AAABEA55C3D6} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\CLSID\{ca41198f-c3c5-47d8-99e1-1ab199e81723} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\RadioRage_4j.UrlAlertButton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCR\RadioRage_4j.UrlAlertButton (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Detected: 3
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|RadioRage_4j Browser Plugin Loader (Adware.MyWebSearch) -> Data: C:\PROGRA~2\RADIOR~2\bar\1.bin\4jbrmon.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{3C35AD63-AF1D-4E21-B484-B6651A8EFCF9} (Adware.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings|ProxyServer (PUM.Bad.Proxy) -> Data: http=127.0.0.1:62586 -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 45
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jbrmon.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jbarsvc.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jbar.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jSrcAs.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\3B514\lvvm.exe (Trojan.Dropper.PE4) -> Quarantined and deleted successfully.
C:\Program Files (x86)\LP\2C72\3111.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files (x86)\LP\2C72\8D03.tmp (Trojan.Dropper.PE4) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jauxstb.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jbrstub.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jdatact.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jdlghk.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jdyn.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jfeedmg.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jhighin.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jhtml.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jhtmlmu.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jhttpct.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jidle.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jieovr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jimpipe.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jmedint.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jmlbtn.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jmsg.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jPlugin.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jradio.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jregfft.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jregiet.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jscript.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jskin.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jskplay.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4jtpinst.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\4juabtn.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\NP4jStub.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files (x86)\RadioRage_4j\bar\1.bin\T8RES.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Users\aaron\AppData\Local\Temp\36F7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\aaron\AppData\Local\Temp\acD45wJT9QrpGP.exe.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\aaron\AppData\Local\Temp\jpr.exe (Adware.Dropper.SISN) -> Quarantined and deleted successfully.
C:\Users\aaron\AppData\LocalLow\RadioRage_4jEI\Installr\Cache\0112F838.exe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Users\aaron\AppData\Roaming\Microsoft\2C72\E72.tmp (Trojan.Dropper.PE4) -> Quarantined and deleted successfully.
C:\WINDOWS\System32\config\systemprofile\AppData\Roaming\2A93B\C912C.exe (Trojan.Dropper.PE4) -> Quarantined and deleted successfully.
C:\WINDOWS\SysWOW64\config\systemprofile\AppData\Roaming\2A93B\C912C.exe (Trojan.Dropper.PE4) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\79F0.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\chromeupdtr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\hieivvzne.exe (Trojan.Dropper.PE4) -> Quarantined and deleted successfully.
C:\WINDOWS\svchost.exe (Trojan.Agent) -> Delete on reboot.

(end)

-----------------------------------------------------------------------------------------------------------------------------------------------


Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.11.06

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
aaron :: ERIC [administrator]

2/11/2012 5:19:25 PM
mbam-log-2012-02-11 (17-19-25).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 299480
Time elapsed: 33 minute(s), 3 second(s)

Memory Processes Detected: 1
C:\WINDOWS\svchost.exe (Trojan.Agent) -> 1268 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\WINDOWS\svchost.exe (Trojan.Agent) -> Delete on reboot.

Edited by TiminIndy, 12 February 2012 - 11:35 AM.
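The post above touches three places worth re-checking after a cleanup like this: the per-user Internet Explorer proxy setting (the MBAM log shows a PUM.Bad.Proxy entry with ProxyServer = http=127.0.0.1:62586, i.e. a proxy on the local machine with nothing legitimate listening there), the hosts file (where the order of lines makes no difference; only the non-comment mappings matter), and an svchost.exe living in C:\WINDOWS rather than in System32 or SysWOW64, which is where Windows keeps the real ones. The following read-only check script is an added example for this thread; it is not code from the poster or from any of the tools named above. It assumes the standard Windows paths and a PowerShell prompt opened as the affected user (the proxy value lives under HKCU, so checking it from a different account would miss it).

```powershell
# Added example for this thread (not the poster's or any tool's code).
# Read-only: it reports findings and changes nothing.
# Run from a PowerShell prompt logged in as the user whose IE is affected,
# because the WinINET proxy settings are stored per user (HKCU).

$findings = New-Object System.Collections.Generic.List[string]

# 1. Internet Explorer / WinINET proxy configuration for the current user.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
if ($inet -and $inet.ProxyEnable -eq 1) {
    $findings.Add("ProxyEnable=1 with ProxyServer='$($inet.ProxyServer)'")
    # A proxy on loopback with no local proxy software installed matches the
    # PUM.Bad.Proxy value MBAM quarantined in the log (http=127.0.0.1:62586).
    if ($inet.ProxyServer -match '127\.0\.0\.1|localhost') {
        $findings.Add('ProxyServer points at this machine; if no local proxy is expected, it should be cleared')
    }
}
if ($inet -and $inet.AutoConfigURL) {
    # A PAC script URL can redirect traffic as effectively as a static proxy.
    $findings.Add("AutoConfigURL is set: $($inet.AutoConfigURL)")
}

# 2. hosts file: list every active (non-comment) mapping that is not the
#    default localhost pair. Line order in this file is irrelevant.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path $hostsPath) {
    Get-Content $hostsPath |
        Where-Object { $_ -match '^\s*[^#\s]' } |
        ForEach-Object {
            if ($_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$') {
                $findings.Add("Non-default hosts entry: $_")
            }
        }
}

# 3. svchost.exe: the genuine binaries live only in System32 (and SysWOW64
#    for 32-bit). Anything running from another path, or a copy sitting in
#    C:\Windows itself as in the posted logs, is not a normal Windows file.
$expected = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)
Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    # Path is only readable for processes the caller can inspect; run elevated
    # to cover the SYSTEM-owned ones.
    if ($_.Path -and ($expected -notcontains $_.Path)) {
        $findings.Add("svchost.exe (PID $($_.Id)) running from $($_.Path)")
    }
}
$strayCopy = Join-Path $env:SystemRoot 'svchost.exe'
if (Test-Path $strayCopy) {
    $sig = Get-AuthenticodeSignature -FilePath $strayCopy
    $findings.Add("File present at $strayCopy (not a standard location); signature status: $($sig.Status)")
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Unchecking 'Use a proxy server' in Internet Options, as the poster did, writes ProxyEnable=0 to the same HKCU key the script reads, so if the script still reports ProxyEnable=1 after a reboot, something on the machine is re-setting it, which is consistent with the svchost.exe that MBAM reports every scan and marks "Delete on reboot" without ever succeeding. Running the script elevated matters for the process check: without elevation, Path is empty for SYSTEM-owned processes and those are silently skipped.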


#2 TiminIndy

  • Topic Starter
  • Members
  • 17 posts

Posted 12 February 2012 - 01:16 PM

OK, I ran DeFogger, DDS, and GMER. GMER came up with nothing, then I noticed that it was for 32-bit versions only! I realize "svchost.exe" is a generic name for a variety of processes, so hopefully this will help you see what I still have. Here is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by aaron at 11:20:31 on 2012-02-12
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3032.1615 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Outdated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Outdated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\lxdncoms.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Common Files\Motive\McciCMService.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
-netsvcs
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11e_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = Preserve
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\syswow64\userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {78ba36c9-6036-482b-b48d-ecca6f964b84} - No File
TB: {5911488E-9D1E-40ec-8CBB-06B231CC153F} - No File
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [<NO NAME>]
mRunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
StartupFolder: C:\Users\aaron\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLDO~1.LNK - C:\Program Files (x86)\Dell\DellDock\DellDock.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{480DDCDA-3547-4FD0-825A-45F40569CF78} : DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{DCF24787-0576-4B5D-B9D0-D657109A6BD4} : DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{DCF24787-0576-4B5D-B9D0-D657109A6BD4}\15579636B635861627B6D27657563747 : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{DCF24787-0576-4B5D-B9D0-D657109A6BD4}\E4544574541425 : DhcpNameServer = 192.168.1.1
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Search Helper: {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO-X64: Search Helper - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
BHO-X64: Ask Toolbar BHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: {78ba36c9-6036-482b-b48d-ecca6f964b84} - No File
TB-X64: {5911488E-9D1E-40ec-8CBB-06B231CC153F} - No File
TB-X64: Ask Toolbar: {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [(Default)]
mRunOnce-x64: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-8-11 140672]
R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]
R2 lxdn_device;lxdn_device;C:\Windows\system32\lxdncoms.exe -service --> C:\Windows\system32\lxdncoms.exe -service [?]
R2 McciCMService64;McciCMService64;C:\Program Files\Common Files\Motive\McciCMService.exe [2011-10-24 517632]
R2 SftService;SoftThinks Agent Service;C:\Program Files (x86)\Dell DataSafe Local Backup\SftService.exe [2010-6-5 1692480]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\system32\DRIVERS\CtClsFlt.sys --> C:\Windows\system32\DRIVERS\CtClsFlt.sys [?]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-11-9 136176]
S2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2012-2-11 1153368]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-11-9 136176]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 Revoflt;Revoflt;C:\Windows\system32\DRIVERS\revoflt.sys --> C:\Windows\system32\DRIVERS\revoflt.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-02-12 13:56:34 388096 ----a-r- C:\Users\aaron\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-02-12 13:56:34 -------- d-----w- C:\Program Files (x86)\Trend Micro
2012-02-12 02:38:25 -------- d-----w- C:\Program Files (x86)\UnHackMe
2012-02-12 02:13:46 -------- d-----w- C:\Program Files (x86)\Ask.com
2012-02-12 01:32:40 -------- d-----w- C:\Users\aaron\AppData\Local\VS Revo Group
2012-02-12 01:32:37 31800 ----a-w- C:\Windows\System32\drivers\revoflt.sys
2012-02-12 01:32:34 -------- d-----w- C:\Program Files\VS Revo Group
2012-02-12 01:18:41 -------- d-----w- C:\Python27
2012-02-12 01:08:18 20480 ----a-w- C:\Windows\svchost.exe
2012-02-11 23:06:28 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-02-11 22:11:59 89088 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2012-02-11 21:36:57 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2012-02-11 21:36:57 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2012-02-11 20:23:06 -------- d-----w- C:\Users\aaron\AppData\Roaming\SUPERAntiSpyware.com
2012-02-11 20:22:35 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2012-02-11 20:22:35 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2012-02-11 19:05:53 -------- d-----w- C:\Program Files\CCleaner
2012-02-11 18:15:51 -------- d-----w- C:\Users\aaron\AppData\Roaming\Malwarebytes
2012-02-11 18:15:39 -------- d-----w- C:\ProgramData\Malwarebytes
2012-02-11 18:15:38 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-02-11 18:15:38 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-02-11 14:49:40 927800 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{9056DB31-33F4-4FD1-9FA8-47DC2B558039}\gapaengine.dll
2012-02-11 14:49:30 8602168 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{692A27FE-BE03-4D18-AAA8-DD381EDDC08C}\mpengine.dll
2012-02-11 12:28:38 -------- d-----w- C:\Users\aaron\AppData\Roaming\3B514
2012-02-11 12:28:04 -------- d-----w- C:\Users\aaron\AppData\Roaming\2A93B
2012-02-11 12:13:47 -------- d-----w- C:\Program Files (x86)\3B514
2012-02-11 12:13:12 -------- d-----w- C:\Program Files (x86)\LP
2012-02-08 13:23:24 6656 ---ha-w- C:\ProgramData\Microsoft\Windows\DRM\2874.tmp
2012-02-08 13:23:24 6656 ---ha-w- C:\ProgramData\Microsoft\Windows\DRM\2873.tmp
2012-01-23 16:33:40 -------- d-----w- C:\Program Files (x86)\Uniblue
2012-01-23 16:09:42 -------- d-----w- C:\Users\aaron\AppData\Local\ElevatedDiagnostics
2012-01-19 19:50:10 -------- d--h--w- C:\Users\aaron\AppData\Local\{0B083960-5F4D-49D6-912E-1CD8B54DF31A}
2012-01-19 15:47:40 -------- d-----w- C:\Windows\System32\SPReview
2012-01-19 15:46:27 -------- d-----w- C:\Windows\System32\EventProviders
2012-01-19 15:35:54 -------- d-----w- C:\Users\aaron\AppData\Roaming\PC Unleashed Online
2012-01-19 15:35:54 -------- d-----w- C:\Users\aaron\AppData\Roaming\DriverCure
2012-01-19 15:35:44 -------- d--h--w- C:\ProgramData\PC Unleashed Online
2012-01-18 14:20:39 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-14 16:29:43 737072 ----a-w- C:\ProgramData\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
.
==================== Find3M ====================
.
2012-02-11 22:12:01 74752 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2012-02-11 22:12:01 161792 ----a-w- C:\Windows\SysWow64\msls31.dll
2012-02-11 22:12:01 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-02-11 22:12:00 86528 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2012-02-11 22:12:00 76800 ----a-w- C:\Windows\SysWow64\SetIEInstalledDate.exe
2012-02-11 22:12:00 74752 ----a-w- C:\Windows\SysWow64\iesetup.dll
2012-02-11 22:12:00 63488 ----a-w- C:\Windows\SysWow64\tdc.ocx
2012-02-11 22:12:00 48640 ----a-w- C:\Windows\SysWow64\mshtmler.dll
2012-02-11 22:12:00 367104 ----a-w- C:\Windows\SysWow64\html.iec
2012-02-11 22:12:00 1798144 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-02-11 22:12:00 110592 ----a-w- C:\Windows\SysWow64\IEAdvpack.dll
2012-01-31 12:44:20 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-01-19 16:01:20 175616 ----a-w- C:\Windows\System32\msclmd.dll
2012-01-19 16:01:20 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2011-11-24 04:52:09 3145216 ----a-w- C:\Windows\System32\win32k.sys
2011-11-19 14:58:00 77312 ----a-w- C:\Windows\System32\packager.dll
2011-11-19 14:01:00 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2011-11-17 06:49:14 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2011-11-17 06:49:14 152432 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2011-11-17 06:44:43 459232 ----a-w- C:\Windows\System32\drivers\cng.sys
2011-11-17 06:41:18 1731920 ----a-w- C:\Windows\System32\ntdll.dll
2011-11-17 06:35:28 395776 ----a-w- C:\Windows\System32\webio.dll
2011-11-17 06:35:26 29184 ----a-w- C:\Windows\System32\sspisrv.dll
2011-11-17 06:35:26 136192 ----a-w- C:\Windows\System32\sspicli.dll
2011-11-17 06:35:25 340992 ----a-w- C:\Windows\System32\schannel.dll
2011-11-17 06:35:25 28160 ----a-w- C:\Windows\System32\secur32.dll
2011-11-17 06:35:19 1447936 ----a-w- C:\Windows\System32\lsasrv.dll
2011-11-17 06:33:55 31232 ----a-w- C:\Windows\System32\lsass.exe
2011-11-17 05:38:39 1292080 ----a-w- C:\Windows\SysWow64\ntdll.dll
2011-11-17 05:35:02 314880 ----a-w- C:\Windows\SysWow64\webio.dll
2011-11-17 05:34:52 224768 ----a-w- C:\Windows\SysWow64\schannel.dll
2011-11-17 05:34:52 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2011-11-17 05:28:48 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
.
============= FINISH: 11:21:45.80 ===============
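Two things stand out in the DDS log above for a defender: an svchost.exe created in C:\Windows itself (the genuine service host only runs from System32 or SysWOW64), and short hex-named folders (3B514, 2A93B) dropped under AppData\Roaming and Program Files (x86). The following is an added triage helper, not part of the original post or of DDS; the sample lines are constructed from the log above and both checks are heuristics, so a match is a lead to verify, not a verdict.

```python
"""Triage helper for DDS-style logs: flags an svchost.exe outside
System32/SysWOW64 and short hex-named folders under user/program directories."""
import re
from typing import List, Tuple

# Constructed excerpt modelled on the DDS output posted above; not the full log.
SAMPLE_DDS_LINES = [
    r"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted",
    r"C:\Windows\system32\svchost.exe -k netsvcs",
    r"C:\Windows\SysWOW64\cscript.exe",
    r"2012-02-12 01:08:18 20480 ----a-w- C:\Windows\svchost.exe",
    r"2012-02-11 12:28:38 -------- d-----w- C:\Users\aaron\AppData\Roaming\3B514",
    r"2012-02-11 12:28:04 -------- d-----w- C:\Users\aaron\AppData\Roaming\2A93B",
    r"2012-02-11 12:13:47 -------- d-----w- C:\Program Files (x86)\3B514",
    r"2012-02-11 12:13:12 -------- d-----w- C:\Program Files (x86)\LP",
    r"2012-02-11 19:05:53 -------- d-----w- C:\Program Files\CCleaner",
]

# Directories from which the genuine Windows service host runs (lower-cased).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Parent directories where droppers commonly create random-named folders.
WATCHED_PARENTS = (
    r"\appdata\roaming",
    r"\appdata\local",
    r"\program files",
    r"\program files (x86)",
)

# A "random" name here is a short run of hex digits, like 3B514 / 2A93B above.
# Heuristic: a legitimate folder could also happen to have such a name.
HEX_NAME = re.compile(r"^[0-9A-Fa-f]{4,8}$")

# DDS prefixes "Created Last 30" entries with date, time, size and attributes.
DDS_FILE_ENTRY = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+ \S+ (?P<path>[A-Za-z]:\\.*)$"
)


def extract_path(line: str) -> str:
    """Return the Windows path on a DDS line, dropping timestamps and -k args."""
    m = DDS_FILE_ENTRY.match(line.strip())
    if m:
        return m.group("path")
    # Process-list lines are "<path> [-k group]"; cut at the first " -".
    return line.strip().split(" -")[0]


def check_svchost(path: str) -> str:
    """Flag any svchost.exe whose directory is not one of the legitimate two."""
    lowered = path.lower()
    if not lowered.endswith(r"\svchost.exe"):
        return ""
    directory = lowered.rsplit("\\", 1)[0]
    if directory in LEGIT_SVCHOST_DIRS:
        return ""
    return "svchost.exe outside System32/SysWOW64"


def check_hex_folder(path: str) -> str:
    """Flag a short hex-named entry placed directly under a watched parent."""
    parent, _, name = path.rpartition("\\")
    if not HEX_NAME.match(name):
        return ""
    if any(parent.lower().endswith(w) for w in WATCHED_PARENTS):
        return "random hex-named folder under " + parent
    return ""


def triage_dds(lines: List[str]) -> List[Tuple[str, str]]:
    """Run both checks over DDS lines and return (path, reason) findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        path = extract_path(line)
        for check in (check_svchost, check_hex_folder):
            reason = check(path)
            if reason:
                findings.append((path, reason))
    return findings


if __name__ == "__main__":
    for path, reason in triage_dds(SAMPLE_DDS_LINES):
        print(f"{reason}: {path}")
```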


#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:22 AM

Posted 16 February 2012 - 10:27 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic button, select Immediate Notification and click on Proceed. This will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#4 TiminIndy

TiminIndy
  • Topic Starter

  • Members
  • 17 posts
  • Local time:04:22 AM

Posted 16 February 2012 - 11:26 AM

Gringo-

Thanks for your help. I disabled Microsoft Security Essentials according to the instructions in the link provided, then tried to run ComboFix. I got a warning that MSE was still active; I verified that it was disabled and proceeded. While ComboFix was running, after about Stage 4 of the scan, I got an error that said something like "PEV.exe has stopped working" with a button to close the program. The scan still appeared to be running so I left it alone. I walked away for a minute and returned, and the PC had restarted and I got a message that 'Windows has recovered from an unexpected shutdown'. I verified MSE was disabled and tried to run CF again, and after Stage 4 I got a BSOD that went too quick to get the error message. Upon restart, I got the same 'Windows has recovered from an unexpected shutdown', and here are the 'Problem details':

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: 1e
BCP1: FFFFFFFFC0000005
BCP2: FFFFF80002CA6F6B
BCP3: 0000000000000000
BCP4: 000000007EFA0000
OS Version: 6_1_7601
Service Pack: 1_0
Product: 768_1

Files that help describe the problem:
C:\WINDOWS\Minidump\021612-24616-01.dmp
C:\Users\aaron\AppData\Local\Temp\WER-61635-0.sysdata.xml

Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt

Edited by TiminIndy, 16 February 2012 - 11:27 AM.


#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:22 AM

Posted 16 February 2012 - 11:49 AM

Greetings

I want you to run these next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#6 TiminIndy

TiminIndy
  • Topic Starter

  • Members
  • 17 posts
  • Local time:04:22 AM

Posted 16 February 2012 - 12:32 PM

Thanks again, Gringo! I know your instructions say to not do anything else until we are done, so I thought I should tell you that when I shut down the PC to wait for your next reply, Windows wanted to install updates and I decided to allow that. When I restarted, apparently it ran the Malicious Software Removal Tool, and it reported that it partially removed Trojan: DOS/Alureon.A. After that, I ran TDSSKiller & aswMBR - here are the results:

11:04:36.0822 2444 TDSS rootkit removing tool 2.7.13.0 Feb 15 2012 19:33:14
11:04:37.0181 2444 ============================================================
11:04:37.0181 2444 Current date / time: 2012/02/16 11:04:37.0181
11:04:37.0181 2444 SystemInfo:
11:04:37.0181 2444
11:04:37.0181 2444 OS Version: 6.1.7601 ServicePack: 1.0
11:04:37.0181 2444 Product type: Workstation
11:04:37.0181 2444 ComputerName: ERIC
11:04:37.0181 2444 UserName: aaron
11:04:37.0181 2444 Windows directory: C:\Windows
11:04:37.0181 2444 System windows directory: C:\Windows
11:04:37.0181 2444 Running under WOW64
11:04:37.0181 2444 Processor architecture: Intel x64
11:04:37.0181 2444 Number of processors: 2
11:04:37.0181 2444 Page size: 0x1000
11:04:37.0181 2444 Boot type: Normal boot
11:04:37.0181 2444 ============================================================
11:04:39.0303 2444 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
11:04:39.0318 2444 \Device\Harddisk0\DR0:
11:04:39.0318 2444 MBR used
11:04:39.0318 2444 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x1D4C000
11:04:39.0318 2444 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1D60000, BlocksNum 0x1B465170
11:04:39.0349 2444 Initialize success
11:04:39.0349 2444 ============================================================
11:04:46.0759 1096 ============================================================
11:04:46.0759 1096 Scan started
11:04:46.0759 1096 Mode: Manual;
11:04:46.0759 1096 ============================================================
11:04:58.0210 1096 hwpolicy - ok
11:04:58.0335 1096 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\drivers\i8042prt.sys
11:04:58.0335 1096 i8042prt - ok
11:04:58.0584 1096 iaStor (4f6fb2cdbdeefc47e7d2066e78254580) C:\Windows\system32\DRIVERS\iaStor.sys
11:04:58.0600 1096 iaStor - ok
11:04:58.0693 1096 iaStorV (aaaf44db3bd0b9d1fb6969b23ecc8366) C:\Windows\system32\drivers\iaStorV.sys
11:04:58.0709 1096 iaStorV - ok
11:04:59.0005 1096 igfx (babd5f9b2bcc82ce556a0baf1ae208a7) C:\Windows\system32\DRIVERS\igdkmd64.sys
11:04:59.0177 1096 igfx - ok
11:04:59.0286 1096 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\DRIVERS\iirsp.sys
11:04:59.0286 1096 iirsp - ok
11:04:59.0395 1096 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\drivers\intelide.sys
11:04:59.0411 1096 intelide - ok
11:04:59.0551 1096 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys
11:04:59.0551 1096 intelppm - ok
11:04:59.0676 1096 IpFilterDriver (c9f0e1bd74365a8771590e9008d22ab6) C:\Windows\system32\DRIVERS\ipfltdrv.sys
11:04:59.0676 1096 IpFilterDriver - ok
11:04:59.0801 1096 IPMIDRV (0fc1aea580957aa8817b8f305d18ca3a) C:\Windows\system32\drivers\IPMIDrv.sys
11:04:59.0817 1096 IPMIDRV - ok
11:04:59.0895 1096 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
11:04:59.0895 1096 IPNAT - ok
11:05:00.0019 1096 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
11:05:00.0035 1096 IRENUM - ok
11:05:00.0129 1096 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\drivers\isapnp.sys
11:05:00.0129 1096 isapnp - ok
11:05:00.0253 1096 iScsiPrt (d931d7309deb2317035b07c9f9e6b0bd) C:\Windows\system32\drivers\msiscsi.sys
11:05:00.0253 1096 iScsiPrt - ok
11:05:00.0378 1096 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\drivers\kbdclass.sys
11:05:00.0378 1096 kbdclass - ok
11:05:00.0487 1096 kbdhid (0705eff5b42a9db58548eec3b26bb484) C:\Windows\system32\drivers\kbdhid.sys
11:05:00.0487 1096 kbdhid - ok
11:05:00.0612 1096 KSecDD (da1e991a61cfdd755a589e206b97644b) C:\Windows\system32\Drivers\ksecdd.sys
11:05:00.0612 1096 KSecDD - ok
11:05:00.0721 1096 KSecPkg (7e33198d956943a4f11a5474c1e9106f) C:\Windows\system32\Drivers\ksecpkg.sys
11:05:00.0737 1096 KSecPkg - ok
11:05:00.0846 1096 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
11:05:00.0846 1096 ksthunk - ok
11:05:00.0955 1096 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
11:05:00.0955 1096 lltdio - ok
11:05:01.0002 1096 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\DRIVERS\lsi_fc.sys
11:05:01.0002 1096 LSI_FC - ok
11:05:01.0065 1096 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\DRIVERS\lsi_sas.sys
11:05:01.0065 1096 LSI_SAS - ok
11:05:01.0174 1096 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\DRIVERS\lsi_sas2.sys
11:05:01.0174 1096 LSI_SAS2 - ok
11:05:01.0283 1096 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\DRIVERS\lsi_scsi.sys
11:05:01.0283 1096 LSI_SCSI - ok
11:05:01.0377 1096 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
11:05:01.0377 1096 luafv - ok
11:05:01.0470 1096 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\DRIVERS\megasas.sys
11:05:01.0470 1096 megasas - ok
11:05:01.0517 1096 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\DRIVERS\MegaSR.sys
11:05:01.0533 1096 MegaSR - ok
11:05:01.0626 1096 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
11:05:01.0642 1096 Modem - ok
11:05:01.0813 1096 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
11:05:01.0813 1096 monitor - ok
11:05:01.0923 1096 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys
11:05:01.0923 1096 mouclass - ok
11:05:02.0016 1096 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
11:05:02.0016 1096 mouhid - ok
11:05:02.0110 1096 mountmgr (32e7a3d591d671a6df2db515a5cbe0fa) C:\Windows\system32\drivers\mountmgr.sys
11:05:02.0125 1096 mountmgr - ok
11:05:02.0235 1096 MpFilter (c177a7ebf5e8a0b596f618870516cab8) C:\Windows\system32\DRIVERS\MpFilter.sys
11:05:02.0235 1096 MpFilter - ok
11:05:02.0344 1096 mpio (a44b420d30bd56e145d6a2bc8768ec58) C:\Windows\system32\drivers\mpio.sys
11:05:02.0344 1096 mpio - ok
11:05:02.0437 1096 MpNWMon (8fbf6b31fe8af1833d93c5913d5b4d55) C:\Windows\system32\DRIVERS\MpNWMon.sys
11:05:02.0437 1096 MpNWMon - ok
11:05:02.0531 1096 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
11:05:02.0531 1096 mpsdrv - ok
11:05:02.0671 1096 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~2\COMMON~1\Motive\MREMP50.SYS
11:05:02.0671 1096 MREMP50 - ok
11:05:02.0734 1096 MREMP50a64 - ok
11:05:02.0749 1096 MREMPR5 - ok
11:05:02.0749 1096 MRENDIS5 - ok
11:05:02.0874 1096 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~2\COMMON~1\Motive\MRESP50.SYS
11:05:02.0874 1096 MRESP50 - ok
11:05:02.0937 1096 MRESP50a64 - ok
11:05:03.0061 1096 MRxDAV (dc722758b8261e1abafd31a3c0a66380) C:\Windows\system32\drivers\mrxdav.sys
11:05:03.0061 1096 MRxDAV - ok
11:05:03.0186 1096 mrxsmb (a5d9106a73dc88564c825d317cac68ac) C:\Windows\system32\DRIVERS\mrxsmb.sys
11:05:03.0186 1096 mrxsmb - ok
11:05:03.0295 1096 mrxsmb10 (d711b3c1d5f42c0c2415687be09fc163) C:\Windows\system32\DRIVERS\mrxsmb10.sys
11:05:03.0295 1096 mrxsmb10 - ok
11:05:03.0405 1096 mrxsmb20 (9423e9d355c8d303e76b8cfbd8a5c30c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
11:05:03.0405 1096 mrxsmb20 - ok
11:05:03.0451 1096 msahci (c25f0bafa182cbca2dd3c851c2e75796) C:\Windows\system32\drivers\msahci.sys
11:05:03.0451 1096 msahci - ok
11:05:03.0545 1096 msdsm (db801a638d011b9633829eb6f663c900) C:\Windows\system32\drivers\msdsm.sys
11:05:03.0545 1096 msdsm - ok
11:05:03.0670 1096 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
11:05:03.0670 1096 Msfs - ok
11:05:03.0748 1096 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
11:05:03.0748 1096 mshidkmdf - ok
11:05:03.0779 1096 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\drivers\msisadrv.sys
11:05:03.0779 1096 msisadrv - ok
11:05:03.0919 1096 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
11:05:03.0919 1096 MSKSSRV - ok
11:05:04.0029 1096 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
11:05:04.0044 1096 MSPCLOCK - ok
11:05:04.0122 1096 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
11:05:04.0138 1096 MSPQM - ok
11:05:04.0231 1096 MsRPC (759a9eeb0fa9ed79da1fb7d4ef78866d) C:\Windows\system32\drivers\MsRPC.sys
11:05:04.0247 1096 MsRPC - ok
11:05:04.0341 1096 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\drivers\mssmbios.sys
11:05:04.0341 1096 mssmbios - ok
11:05:04.0434 1096 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
11:05:04.0434 1096 MSTEE - ok
11:05:04.0465 1096 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys
11:05:04.0465 1096 MTConfig - ok
11:05:04.0512 1096 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
11:05:04.0512 1096 Mup - ok
11:05:04.0637 1096 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
11:05:04.0637 1096 NativeWifiP - ok
11:05:04.0793 1096 NDIS (79b47fd40d9a817e932f9d26fac0a81c) C:\Windows\system32\drivers\ndis.sys
11:05:04.0824 1096 NDIS - ok
11:05:04.0918 1096 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
11:05:04.0918 1096 NdisCap - ok
11:05:05.0027 1096 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
11:05:05.0027 1096 NdisTapi - ok
11:05:05.0152 1096 Ndisuio (136185f9fb2cc61e573e676aa5402356) C:\Windows\system32\DRIVERS\ndisuio.sys
11:05:05.0152 1096 Ndisuio - ok
11:05:05.0245 1096 NdisWan (53f7305169863f0a2bddc49e116c2e11) C:\Windows\system32\DRIVERS\ndiswan.sys
11:05:05.0245 1096 NdisWan - ok
11:05:05.0355 1096 NDProxy (015c0d8e0e0421b4cfd48cffe2825879) C:\Windows\system32\drivers\NDProxy.sys
11:05:05.0355 1096 NDProxy - ok
11:05:05.0448 1096 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
11:05:05.0448 1096 NetBIOS - ok
11:05:05.0479 1096 NetBT (09594d1089c523423b32a4229263f068) C:\Windows\system32\DRIVERS\netbt.sys
11:05:05.0495 1096 NetBT - ok
11:05:05.0620 1096 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys
11:05:05.0620 1096 nfrd960 - ok
11:05:05.0698 1096 NisDrv (5f7d72cbcdd025af1f38fdeee5646968) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
11:05:05.0698 1096 NisDrv - ok
11:05:05.0807 1096 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
11:05:05.0807 1096 Npfs - ok
11:05:05.0916 1096 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
11:05:05.0932 1096 nsiproxy - ok
11:05:06.0088 1096 Ntfs (a2f74975097f52a00745f9637451fdd8) C:\Windows\system32\drivers\Ntfs.sys
11:05:06.0119 1096 Ntfs - ok
11:05:06.0244 1096 NuidFltr (4c08a14d04e62963e96e0bb57bbc953b) C:\Windows\system32\DRIVERS\NuidFltr.sys
11:05:06.0244 1096 NuidFltr - ok
11:05:06.0337 1096 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
11:05:06.0337 1096 Null - ok
11:05:06.0447 1096 nvraid (0a92cb65770442ed0dc44834632f66ad) C:\Windows\system32\drivers\nvraid.sys
11:05:06.0447 1096 nvraid - ok
11:05:06.0556 1096 nvstor (dab0e87525c10052bf65f06152f37e4a) C:\Windows\system32\drivers\nvstor.sys
11:05:06.0556 1096 nvstor - ok
11:05:06.0665 1096 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\drivers\nv_agp.sys
11:05:06.0665 1096 nv_agp - ok
11:05:06.0759 1096 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\drivers\ohci1394.sys
11:05:06.0774 1096 ohci1394 - ok
11:05:06.0852 1096 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\DRIVERS\parport.sys
11:05:06.0852 1096 Parport - ok
11:05:06.0961 1096 partmgr (871eadac56b0a4c6512bbe32753ccf79) C:\Windows\system32\drivers\partmgr.sys
11:05:06.0961 1096 partmgr - ok
11:05:07.0086 1096 pci (94575c0571d1462a0f70bde6bd6ee6b3) C:\Windows\system32\drivers\pci.sys
11:05:07.0086 1096 pci - ok
11:05:07.0211 1096 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\drivers\pciide.sys
11:05:07.0211 1096 pciide - ok
11:05:07.0289 1096 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\DRIVERS\pcmcia.sys
11:05:07.0289 1096 pcmcia - ok
11:05:07.0383 1096 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
11:05:07.0383 1096 pcw - ok
11:05:07.0429 1096 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
11:05:07.0445 1096 PEAUTH - ok
11:05:07.0585 1096 Point64 (b8d8ec78b0f9ed8e220506181274f3d3) C:\Windows\system32\DRIVERS\point64.sys
11:05:07.0585 1096 Point64 - ok
11:05:07.0695 1096 PptpMiniport (f92a2c41117a11a00be01ca01a7fcde9) C:\Windows\system32\DRIVERS\raspptp.sys
11:05:07.0695 1096 PptpMiniport - ok
11:05:07.0788 1096 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\DRIVERS\processr.sys
11:05:07.0788 1096 Processor - ok
11:05:07.0897 1096 Psched (0557cf5a2556bd58e26384169d72438d) C:\Windows\system32\DRIVERS\pacer.sys
11:05:07.0897 1096 Psched - ok
11:05:08.0085 1096 PxHlpa64 (4712cc14e720ecccc0aa16949d18aaf1) C:\Windows\system32\Drivers\PxHlpa64.sys
11:05:08.0085 1096 PxHlpa64 - ok
11:05:08.0257 1096 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\DRIVERS\ql2300.sys
11:05:08.0288 1096 ql2300 - ok
11:05:08.0382 1096 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\DRIVERS\ql40xx.sys
11:05:08.0398 1096 ql40xx - ok
11:05:08.0476 1096 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
11:05:08.0476 1096 QWAVEdrv - ok
11:05:08.0538 1096 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
11:05:08.0538 1096 RasAcd - ok
11:05:08.0600 1096 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
11:05:08.0600 1096 RasAgileVpn - ok
11:05:08.0710 1096 Rasl2tp (471815800ae33e6f1c32fb1b97c490ca) C:\Windows\system32\DRIVERS\rasl2tp.sys
11:05:08.0725 1096 Rasl2tp - ok
11:05:08.0819 1096 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
11:05:08.0834 1096 RasPppoe - ok
11:05:08.0959 1096 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
11:05:08.0959 1096 RasSstp - ok
11:05:09.0100 1096 rdbss (77f665941019a1594d887a74f301fa2f) C:\Windows\system32\DRIVERS\rdbss.sys
11:05:09.0115 1096 rdbss - ok
11:05:09.0224 1096 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys
11:05:09.0224 1096 rdpbus - ok
11:05:09.0318 1096 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
11:05:09.0318 1096 RDPCDD - ok
11:05:09.0427 1096 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
11:05:09.0427 1096 RDPENCDD - ok
11:05:09.0536 1096 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
11:05:09.0536 1096 RDPREFMP - ok
11:05:09.0630 1096 RDPWD (15b66c206b5cb095bab980553f38ed23) C:\Windows\system32\drivers\RDPWD.sys
11:05:09.0630 1096 RDPWD - ok
11:05:09.0739 1096 rdyboost (34ed295fa0121c241bfef24764fc4520) C:\Windows\system32\drivers\rdyboost.sys
11:05:09.0739 1096 rdyboost - ok
11:05:09.0895 1096 Revoflt (9c3ac71a9934b884fac567a8807e9c4d) C:\Windows\system32\DRIVERS\revoflt.sys
11:05:09.0895 1096 Revoflt - ok
11:05:10.0020 1096 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
11:05:10.0020 1096 rspndr - ok
11:05:10.0160 1096 RSUSBSTOR (4a25dc970c58104602ed274dacafd784) C:\Windows\system32\Drivers\RtsUStor.sys
11:05:10.0160 1096 RSUSBSTOR - ok
11:05:10.0238 1096 SASDIFSV (3289766038db2cb14d07dc84392138d5) C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS
11:05:10.0238 1096 SASDIFSV - ok
11:05:10.0254 1096 SASKUTIL (58a38e75f3316a83c23df6173d41f2b5) C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS
11:05:10.0254 1096 SASKUTIL - ok
11:05:10.0379 1096 sbp2port (ac03af3329579fffb455aa2daabbe22b) C:\Windows\system32\drivers\sbp2port.sys
11:05:10.0379 1096 sbp2port - ok
11:05:10.0660 1096 scfilter (253f38d0d7074c02ff8deb9836c97d2b) C:\Windows\system32\DRIVERS\scfilter.sys
11:05:10.0660 1096 scfilter - ok
11:05:10.0769 1096 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
11:05:10.0769 1096 secdrv - ok
11:05:10.0909 1096 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys
11:05:10.0909 1096 Serenum - ok
11:05:11.0034 1096 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
11:05:11.0034 1096 Serial - ok
11:05:11.0159 1096 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\DRIVERS\sermouse.sys
11:05:11.0159 1096 sermouse - ok
11:05:11.0284 1096 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\drivers\sffdisk.sys
11:05:11.0284 1096 sffdisk - ok
11:05:11.0408 1096 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\drivers\sffp_mmc.sys
11:05:11.0408 1096 sffp_mmc - ok
11:05:11.0533 1096 sffp_sd (dd85b78243a19b59f0637dcf284da63c) C:\Windows\system32\drivers\sffp_sd.sys
11:05:11.0533 1096 sffp_sd - ok
11:05:11.0642 1096 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\DRIVERS\sfloppy.sys
11:05:11.0642 1096 sfloppy - ok
11:05:11.0783 1096 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\DRIVERS\SiSRaid2.sys
11:05:11.0783 1096 SiSRaid2 - ok
11:05:11.0876 1096 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\DRIVERS\sisraid4.sys
11:05:11.0876 1096 SiSRaid4 - ok
11:05:11.0986 1096 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
11:05:11.0986 1096 Smb - ok
11:05:12.0110 1096 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
11:05:12.0110 1096 spldr - ok
11:05:12.0266 1096 srv (441fba48bff01fdb9d5969ebc1838f0b) C:\Windows\system32\DRIVERS\srv.sys
11:05:12.0266 1096 srv - ok
11:05:12.0376 1096 srv2 (b4adebbf5e3677cce9651e0f01f7cc28) C:\Windows\system32\DRIVERS\srv2.sys
11:05:12.0376 1096 srv2 - ok
11:05:12.0485 1096 srvnet (27e461f0be5bff5fc737328f749538c3) C:\Windows\system32\DRIVERS\srvnet.sys
11:05:12.0485 1096 srvnet - ok
11:05:12.0610 1096 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\DRIVERS\stexstor.sys
11:05:12.0610 1096 stexstor - ok
11:05:12.0719 1096 STHDA (02e784fa49032f84964db90a3ed81890) C:\Windows\system32\DRIVERS\stwrt64.sys
11:05:12.0719 1096 STHDA - ok
11:05:13.0249 1096 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\drivers\swenum.sys
11:05:13.0249 1096 swenum - ok
11:05:14.0249 1096 Tcpip (fc62769e7bff2896035aeed399108162) C:\Windows\system32\drivers\tcpip.sys
11:05:14.0280 1096 Tcpip - ok
11:05:14.0515 1096 TCPIP6 (fc62769e7bff2896035aeed399108162) C:\Windows\system32\DRIVERS\tcpip.sys
11:05:14.0530 1096 TCPIP6 - ok
11:05:14.0655 1096 tcpipreg (df687e3d8836bfb04fcc0615bf15a519) C:\Windows\system32\drivers\tcpipreg.sys
11:05:14.0655 1096 tcpipreg - ok
11:05:14.0780 1096 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
11:05:14.0780 1096 TDPIPE - ok
11:05:14.0905 1096 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
11:05:14.0920 1096 TDTCP - ok
11:05:15.0123 1096 tdx (ddad5a7ab24d8b65f8d724f5c20fd806) C:\Windows\system32\DRIVERS\tdx.sys
11:05:15.0139 1096 tdx - ok
11:05:15.0248 1096 TermDD (561e7e1f06895d78de991e01dd0fb6e5) C:\Windows\system32\drivers\termdd.sys
11:05:15.0248 1096 TermDD - ok
11:05:15.0357 1096 tssecsrv (ce18b2cdfc837c99e5fae9ca6cba5d30) C:\Windows\system32\DRIVERS\tssecsrv.sys
11:05:15.0357 1096 tssecsrv - ok
11:05:15.0498 1096 TsUsbFlt (d11c783e3ef9a3c52c0ebe83cc5000e9) C:\Windows\system32\drivers\tsusbflt.sys
11:05:15.0498 1096 TsUsbFlt - ok
11:05:15.0638 1096 tunnel (3566a8daafa27af944f5d705eaa64894) C:\Windows\system32\DRIVERS\tunnel.sys
11:05:15.0638 1096 tunnel - ok
11:05:15.0732 1096 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\DRIVERS\uagp35.sys
11:05:15.0747 1096 uagp35 - ok
11:05:15.0778 1096 udfs (ff4232a1a64012baa1fd97c7b67df593) C:\Windows\system32\DRIVERS\udfs.sys
11:05:15.0794 1096 udfs - ok
11:05:15.0903 1096 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\drivers\uliagpkx.sys
11:05:15.0903 1096 uliagpkx - ok
11:05:16.0012 1096 umbus (dc54a574663a895c8763af0fa1ff7561) C:\Windows\system32\DRIVERS\umbus.sys
11:05:16.0012 1096 umbus - ok
11:05:16.0122 1096 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\DRIVERS\umpass.sys
11:05:16.0122 1096 UmPass - ok
11:05:16.0231 1096 USBAAPL64 (aa33fc47ed58c34e6e9261e4f850b7eb) C:\Windows\system32\Drivers\usbaapl64.sys
11:05:16.0231 1096 USBAAPL64 - ok
11:05:16.0262 1096 usbccgp (6f1a3157a1c89435352ceb543cdb359c) C:\Windows\system32\DRIVERS\usbccgp.sys
11:05:16.0278 1096 usbccgp - ok
11:05:16.0372 1096 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\drivers\usbcir.sys
11:05:16.0372 1096 usbcir - ok
11:05:16.0466 1096 usbehci (c025055fe7b87701eb042095df1a2d7b) C:\Windows\system32\DRIVERS\usbehci.sys
11:05:16.0466 1096 usbehci - ok
11:05:16.0591 1096 usbhub (287c6c9410b111b68b52ca298f7b8c24) C:\Windows\system32\DRIVERS\usbhub.sys
11:05:16.0591 1096 usbhub - ok
11:05:16.0684 1096 usbohci (9840fc418b4cbd632d3d0a667a725c31) C:\Windows\system32\drivers\usbohci.sys
11:05:16.0684 1096 usbohci - ok
11:05:16.0762 1096 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys
11:05:16.0762 1096 usbprint - ok
11:05:16.0793 1096 usbscan (aaa2513c8aed8b54b189fd0c6b1634c0) C:\Windows\system32\DRIVERS\usbscan.sys
11:05:16.0793 1096 usbscan - ok
11:05:16.0840 1096 USBSTOR (fed648b01349a3c8395a5169db5fb7d6) C:\Windows\system32\DRIVERS\USBSTOR.SYS
11:05:16.0840 1096 USBSTOR - ok
11:05:16.0981 1096 usbuhci (62069a34518bcf9c1fd9e74b3f6db7cd) C:\Windows\system32\DRIVERS\usbuhci.sys
11:05:16.0981 1096 usbuhci - ok
11:05:17.0121 1096 usbvideo (454800c2bc7f3927ce030141ee4f4c50) C:\Windows\System32\Drivers\usbvideo.sys
11:05:17.0121 1096 usbvideo - ok
11:05:17.0261 1096 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\drivers\vdrvroot.sys
11:05:17.0261 1096 vdrvroot - ok
11:05:17.0356 1096 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
11:05:17.0356 1096 vga - ok
11:05:17.0387 1096 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
11:05:17.0387 1096 VgaSave - ok
11:05:17.0496 1096 vhdmp (2ce2df28c83aeaf30084e1b1eb253cbb) C:\Windows\system32\drivers\vhdmp.sys
11:05:17.0496 1096 vhdmp - ok
11:05:17.0621 1096 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\drivers\viaide.sys
11:05:17.0621 1096 viaide - ok
11:05:17.0699 1096 volmgr (d2aafd421940f640b407aefaaebd91b0) C:\Windows\system32\drivers\volmgr.sys
11:05:17.0699 1096 volmgr - ok
11:05:18.0042 1096 volmgrx (a255814907c89be58b79ef2f189b843b) C:\Windows\system32\drivers\volmgrx.sys
11:05:18.0042 1096 volmgrx - ok
11:05:18.0323 1096 volsnap (0d08d2f3b3ff84e433346669b5e0f639) C:\Windows\system32\drivers\volsnap.sys
11:05:18.0323 1096 volsnap - ok
11:05:18.0432 1096 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\DRIVERS\vsmraid.sys
11:05:18.0432 1096 vsmraid - ok
11:05:18.0542 1096 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\system32\DRIVERS\vwifibus.sys
11:05:18.0542 1096 vwifibus - ok
11:05:18.0635 1096 vwififlt (6a3d66263414ff0d6fa754c646612f3f) C:\Windows\system32\DRIVERS\vwififlt.sys
11:05:18.0635 1096 vwififlt - ok
11:05:18.0791 1096 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\DRIVERS\wacompen.sys
11:05:18.0791 1096 WacomPen - ok
11:05:18.0900 1096 WANARP (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
11:05:18.0916 1096 WANARP - ok
11:05:18.0916 1096 Wanarpv6 (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
11:05:18.0932 1096 Wanarpv6 - ok
11:05:19.0041 1096 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\DRIVERS\wd.sys
11:05:19.0041 1096 Wd - ok
11:05:19.0088 1096 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
11:05:19.0088 1096 Wdf01000 - ok
11:05:19.0306 1096 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
11:05:19.0306 1096 WfpLwf - ok
11:05:19.0540 1096 WimFltr (b14ef15bd757fa488f9c970eee9c0d35) C:\Windows\system32\DRIVERS\wimfltr.sys
11:05:19.0556 1096 WimFltr - ok
11:05:19.0634 1096 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
11:05:19.0634 1096 WIMMount - ok
11:05:19.0774 1096 WinUsb (fe88b288356e7b47b74b13372add906d) C:\Windows\system32\DRIVERS\WinUsb.sys
11:05:19.0774 1096 WinUsb - ok
11:05:19.0899 1096 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\drivers\wmiacpi.sys
11:05:19.0899 1096 WmiAcpi - ok
11:05:20.0039 1096 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
11:05:20.0039 1096 ws2ifsl - ok
11:05:20.0180 1096 WudfPf (d3381dc54c34d79b22cee0d65ba91b7c) C:\Windows\system32\drivers\WudfPf.sys
11:05:20.0180 1096 WudfPf - ok
11:05:20.0273 1096 WUDFRd (cf8d590be3373029d57af80914190682) C:\Windows\system32\DRIVERS\WUDFRd.sys
11:05:20.0289 1096 WUDFRd - ok
11:05:20.0460 1096 yukonw7 (64f88af327aa74e03658ae32b48ccb8b) C:\Windows\system32\DRIVERS\yk62x64.sys
11:05:20.0476 1096 yukonw7 - ok
11:05:20.0523 1096 MBR (0x1B8) (c0dcf0ac171db02db8b0014c5d767cf1) \Device\Harddisk0\DR0
11:05:20.0554 1096 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
11:05:20.0554 1096 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
11:05:20.0632 1096 Boot (0x1200) (85af29dac008a8545c9ba2eaad7df661) \Device\Harddisk0\DR0\Partition0
11:05:20.0632 1096 \Device\Harddisk0\DR0\Partition0 - ok
11:05:20.0648 1096 Boot (0x1200) (e56fed525d0659bb6d48e7aafde4df58) \Device\Harddisk0\DR0\Partition1
11:05:20.0648 1096 \Device\Harddisk0\DR0\Partition1 - ok
11:05:20.0663 1096 ============================================================
11:05:20.0663 1096 Scan finished
11:05:20.0663 1096 ============================================================
11:05:20.0679 4244 Detected object count: 1
11:05:20.0679 4244 Actual detected object count: 1
11:05:34.0799 4244 \Device\Harddisk0\DR0\# - copied to quarantine
11:05:34.0799 4244 \Device\Harddisk0\DR0 - copied to quarantine
11:05:34.0830 4244 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
11:05:34.0830 4244 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
11:05:34.0861 4244 \Device\Harddisk0\DR0\TDLFS\xh.dll - copied to quarantine
11:05:34.0861 4244 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
11:05:34.0877 4244 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
11:05:34.0877 4244 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
11:05:34.0877 4244 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
11:05:34.0877 4244 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
11:05:34.0877 4244 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
11:05:34.0877 4244 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
11:05:34.0877 4244 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
11:05:34.0908 4244 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
11:05:34.0908 4244 \Device\Harddisk0\DR0 - ok
11:05:35.0126 4244 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
11:05:44.0221 4300 Deinitialize success



-----------------------------------------------------------------------------


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-16 11:09:05

-----------------------------
11:09:05.265 OS Version: Windows x64 6.1.7601 Service Pack 1
11:09:05.265 Number of processors: 2 586 0x170A
11:09:05.265 ComputerName: ERIC UserName:
11:09:05.921 Initialize success
11:10:08.485 AVAST engine defs: 12021600
11:10:27.704 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
11:10:27.704 Disk 0 Vendor: TOSHIBA_ GJ00 Size: 238475MB BusType: 3
11:10:27.720 Disk 0 MBR read successfully
11:10:27.736 Disk 0 MBR scan
11:10:27.736 Disk 0 Windows 7 default MBR code
11:10:27.751 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
11:10:27.751 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 15000 MB offset 81920
11:10:27.782 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 223434 MB offset 30801920
11:10:27.798 Service scanning
11:10:30.076 Service MpNWMon C:\Windows\system32\DRIVERS\MpNWMon.sys **LOCKED** 32
11:10:30.824 Modules scanning
11:10:30.824 Disk 0 trace - called modules:
11:10:30.840
11:10:33.086 AVAST engine scan C:\Windows
11:10:35.380 AVAST engine scan C:\Windows\system32
11:13:37.169 AVAST engine scan C:\Windows\system32\drivers
11:13:57.855 AVAST engine scan C:\Users\aaron
11:19:30.215 AVAST engine scan C:\ProgramData
11:19:50.230 File: C:\ProgramData\Microsoft\Windows\DRM\2873.tmp **INFECTED** Win32:Malware-gen
11:19:50.277 File: C:\ProgramData\Microsoft\Windows\DRM\2874.tmp **INFECTED** Win32:Malware-gen
11:20:12.803 Scan finished successfully
11:21:42.675 Disk 0 MBR has been saved successfully to "C:\Users\aaron\Desktop\MBR.dat"
11:21:42.675 The log file has been saved successfully to "C:\Users\aaron\Desktop\aswMBR.txt"

Edited by TiminIndy, 16 February 2012 - 12:36 PM.


#7 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 16 February 2012 - 12:49 PM

Hello


looks like TDSSkiller removed a nasty rootkit - I want you to try and run combofix now for me


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 TiminIndy

  • Topic Starter

  • Members
  • 17 posts

Posted 16 February 2012 - 12:56 PM

Thanks again!

Yea - I saw that! I guess unhackme was wrong, as I suspected. I will try CF again now, but wanted to tell you that while I was waiting for a reply, I left PC on but had everything closed, and got another BSOD. Here are the 'Problem details' I got after restart:

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7601.2.1.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: 109
BCP1: A3A039D89B8AC627
BCP2: B3B7465EEE0901A5
BCP3: FFFFF80000B95080
BCP4: 0000000000000002
OS Version: 6_1_7601
Service Pack: 1_0
Product: 768_1

Files that help describe the problem:
C:\WINDOWS\Minidump\021612-18486-01.dmp
C:\Users\aaron\AppData\Local\Temp\WER-46847-0.sysdata.xml

Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt

Edited by TiminIndy, 16 February 2012 - 12:58 PM.


#9 TiminIndy

  • Topic Starter

  • Members
  • 17 posts

Posted 16 February 2012 - 01:22 PM

OK, ComboFix ran all the way through. I had to transfer the log file over to my PC with a flash drive, because when I tried to open IE, I get the following error message:

C:\Program Files (x86)\Internet Explorer\iexplore.exe

Illegal operation attempted on a registry key that has been marked for deletion.


I also noticed that the Start Menu settings have changed back to defaults. I will leave it on for now (unless I get another BSOD).

Here's the log:

ComboFix 12-02-16.02 - aaron 02/16/2012 11:59:50.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3032.1718 [GMT -5:00]
Running from: c:\users\aaron\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\LP
c:\program files (x86)\LP\2C72\3111.tmp
c:\program files (x86)\LP\2C72\45A7.tmp
c:\program files (x86)\LP\2C72\CBB9.tmp
c:\program files (x86)\RadioRage_4j
c:\program files (x86)\RadioRage_4j\bar\1.bin\CHROME.MANIFEST
c:\program files (x86)\RadioRage_4j\bar\1.bin\chrome\4jffxtbr.jar
c:\program files (x86)\RadioRage_4j\bar\1.bin\INSTALL.RDF
c:\program files (x86)\RadioRage_4j\bar\1.bin\LOGO.BMP
c:\program files (x86)\RadioRage_4j\bar\IE9Mesg\COMMON.T8S
c:\program files (x86)\RadioRage_4j\bar\Message\COMMON.T8S
c:\program files (x86)\RadioRage_4j\bar\Settings\s_pid.dat
c:\program files (x86)\RadioRage_4jEI
c:\windows\svchost.exe
c:\windows\system32\drivers\etc\hosts.txt
c:\windows\SysWow64\SET1B9B.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-01-16 to 2012-02-16 )))))))))))))))))))))))))))))))
.
.
2012-02-16 17:04 . 2012-02-16 17:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-16 16:05 . 2012-02-16 16:05 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-16 14:56 . 2012-01-06 03:15 8602168 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{32BF7979-BEB1-46D1-97A4-C01F3C3BC10C}\mpengine.dll
2012-02-16 14:52 . 2012-01-04 10:44 509952 ----a-w- c:\windows\system32\ntshrui.dll
2012-02-16 14:52 . 2012-01-04 08:58 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
2012-02-16 14:52 . 2011-12-30 06:26 515584 ----a-w- c:\windows\system32\timedate.cpl
2012-02-16 14:52 . 2011-12-30 05:27 478720 ----a-w- c:\windows\SysWow64\timedate.cpl
2012-02-16 14:52 . 2012-01-14 04:06 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-02-16 14:52 . 2011-12-28 03:59 498688 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-16 14:52 . 2011-12-16 08:46 634880 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-16 14:52 . 2011-12-16 07:52 690688 ----a-w- c:\windows\SysWow64\msvcrt.dll
2012-02-12 13:56 . 2012-02-12 13:56 388096 ----a-r- c:\users\aaron\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-02-12 13:56 . 2012-02-12 13:56 -------- d-----w- c:\program files (x86)\Trend Micro
2012-02-12 02:38 . 2012-02-12 02:12 -------- d-----w- c:\program files (x86)\UnHackMe
2012-02-12 02:13 . 2012-02-12 02:12 -------- d-----w- c:\program files (x86)\Ask.com
2012-02-12 01:32 . 2012-02-12 01:32 -------- d-----w- c:\users\aaron\AppData\Local\VS Revo Group
2012-02-12 01:32 . 2009-12-30 16:21 31800 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-02-12 01:32 . 2012-02-12 01:32 -------- d-----w- c:\program files\VS Revo Group
2012-02-12 01:18 . 2012-02-12 01:19 -------- d-----w- C:\Python27
2012-02-11 23:06 . 2012-02-11 23:06 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-02-11 23:06 . 2012-02-11 23:06 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-02-11 22:11 . 2012-02-11 22:11 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-02-11 21:36 . 2012-02-12 15:11 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-02-11 21:36 . 2012-02-11 21:40 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-02-11 20:23 . 2012-02-11 20:23 -------- d-----w- c:\users\aaron\AppData\Roaming\SUPERAntiSpyware.com
2012-02-11 20:22 . 2012-02-11 20:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-02-11 20:22 . 2012-02-11 20:22 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-02-11 19:05 . 2012-02-11 19:05 -------- d-----w- c:\program files\CCleaner
2012-02-11 18:15 . 2012-02-11 18:15 -------- d-----w- c:\users\aaron\AppData\Roaming\Malwarebytes
2012-02-11 18:15 . 2012-02-11 18:15 -------- d-----w- c:\programdata\Malwarebytes
2012-02-11 18:15 . 2012-02-11 18:15 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-02-11 18:15 . 2011-12-10 21:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-11 14:49 . 2012-02-11 14:49 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9056DB31-33F4-4FD1-9FA8-47DC2B558039}\gapaengine.dll
2012-02-11 12:28 . 2012-02-11 15:01 -------- d-----w- c:\users\aaron\AppData\Roaming\3B514
2012-02-11 12:28 . 2012-02-11 15:01 -------- d-----w- c:\users\aaron\AppData\Roaming\2A93B
2012-02-11 12:13 . 2012-02-11 18:57 -------- d-----w- c:\program files (x86)\3B514
2012-02-09 12:08 . 2012-02-09 12:08 -------- d-----w- c:\windows\Sun
2012-02-08 13:23 . 2012-02-08 13:23 6656 ---ha-w- c:\programdata\Microsoft\Windows\DRM\2874.tmp
2012-02-08 13:23 . 2012-02-08 13:23 6656 ---ha-w- c:\programdata\Microsoft\Windows\DRM\2873.tmp
2012-01-23 16:33 . 2012-02-12 01:51 -------- d-----w- c:\program files (x86)\Uniblue
2012-01-23 16:09 . 2012-02-11 22:41 -------- d-----w- c:\users\aaron\AppData\Local\ElevatedDiagnostics
2012-01-19 15:47 . 2012-01-19 15:47 -------- d-----w- c:\windows\system32\SPReview
2012-01-19 15:46 . 2012-01-19 15:46 -------- d-----w- c:\windows\system32\EventProviders
2012-01-19 15:35 . 2012-01-19 15:35 -------- d-----w- c:\users\aaron\AppData\Roaming\PC Unleashed Online
2012-01-19 15:35 . 2012-01-19 15:35 -------- d-----w- c:\users\aaron\AppData\Roaming\DriverCure
2012-01-19 15:35 . 2012-02-11 12:18 -------- d--h--w- c:\programdata\PC Unleashed Online
2012-01-18 14:20 . 2012-01-18 14:20 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-31 12:44 . 2011-02-25 12:54 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-01-19 16:01 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2012-01-19 16:01 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2012-01-14 16:29 . 2012-01-14 16:29 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2012-01-06 03:15 . 2011-02-25 12:55 8602168 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-28 14:32 . 2011-12-28 14:32 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2011-12-28 14:32 . 2011-12-28 14:32 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2011-12-28 14:32 . 2011-12-28 14:32 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2011-12-28 14:32 . 2011-12-28 14:32 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-11-19 14:58 . 2012-01-11 13:04 77312 ----a-w- c:\windows\system32\packager.dll
2011-11-19 14:01 . 2012-01-11 13:04 67072 ----a-w- c:\windows\SysWow64\packager.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2012-01-03 22:31 1514152 ----a-w- c:\program files (x86)\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files (x86)\Ask.com\GenericAskToolbar.dll" [2012-01-03 1514152]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-14 559616]
.
c:\users\aaron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-09 136176]
R3 cpuz134;cpuz134;c:\users\aaron\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [x]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-09 136176]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe [x]
S2 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2010-11-08 517632]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-08-18 1692480]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-09 21:52]
.
2012-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-09 21:52]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-01-18 368640]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-06-29 444416]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-30 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-06-30 385560]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-06-30 365080]
"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4968960]
"QuickSet"="c:\program files\Dell\QuickSet\QuickSet.exe" [2009-07-02 3180624]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-21 2306448]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\system32\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
AddRemove-{09FF4DB8-7DE9-4D47-B7DB-915DB7D9A8CA} - c:\programdata\{83C3B2FD-37EA-4C06-A228-E9B5E32FF0B1}\bm_installer.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-777622892-3633200403-3996829031-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-777622892-3633200403-3996829031-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Common Files\Motive\McciCMService.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
.
**************************************************************************
.
Completion time: 2012-02-16 12:11:13 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-16 17:11
.
Pre-Run: 187,882,090,496 bytes free
Post-Run: 187,619,110,912 bytes free
.
- - End Of File - - D177070343C916F5D49D58DF03BF31D6

Edited by TiminIndy, 16 February 2012 - 01:24 PM.
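
Reading a ComboFix log by eye is how the helper in this thread picks what goes into the next CFScript. As an added example (not from the thread, and not ComboFix's own code), here is a small Python triage pass over a constructed excerpt of the log above. It flags the same kinds of entries a helper looks for: a svchost.exe outside System32/SysWOW64, a hosts.txt beside the real extensionless hosts file, random hex-named folders such as 3B514, and newly created hidden entries. The directory rules, the WinSxS exemption and the "random name" pattern are the example's own heuristics, not a ComboFix feature.

```python
"""Triage pass over a ComboFix log (constructed example, not ComboFix's own code)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a handful of lines copied from the ComboFix log above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files (x86)\LP
c:\program files (x86)\LP\2C72\3111.tmp
c:\windows\svchost.exe
c:\windows\system32\drivers\etc\hosts.txt
.
((((((((((((((((((((((((( Files Created from 2012-01-16 to 2012-02-16 )))))))))))))))))))))))))))))))
.
2012-02-16 14:52 . 2011-12-28 03:59 498688 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-11 12:28 . 2012-02-11 15:01 -------- d-----w- c:\users\aaron\AppData\Roaming\3B514
2012-02-11 12:13 . 2012-02-11 18:57 -------- d-----w- c:\program files (x86)\3B514
2012-02-08 13:23 . 2012-02-08 13:23 6656 ---ha-w- c:\programdata\Microsoft\Windows\DRM\2874.tmp
"""

# Section banners look like "(((( Name ))))"; a 'Files Created' row carries two
# timestamps, a size (dashes for a directory), an attribute string and the path.
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
# A 4-6 character hex name with at least one numeral (3B514, 2A93B, 2C72 in the
# log above) is the kind of folder name a dropper generates. Heuristic only.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[0-9a-f]{4,6}$")

# Core Windows binaries and the only directories they belong in (lower-case, as
# ComboFix prints paths). A same-named copy elsewhere, like c:\windows\svchost.exe
# in the log above, is the classic name-squatting trick; WinSxS holds legitimate
# spare copies and is exempted below. Assumed list, extend as needed.
EXPECTED_DIR = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}


def parse_sections(log: str) -> Dict[str, List[str]]:
    """Split a ComboFix log into {section name: [content lines]}, dropping '.' fillers."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections[current] = []
        elif current is not None and line not in ("", "."):
            sections[current].append(line)
    return sections


def triage_path(path: str, attrs: str = "") -> List[str]:
    """Return the reasons (possibly none) a single path deserves a closer look."""
    low = path.lower()
    parts = low.split("\\")
    name, parent = parts[-1], "\\".join(parts[:-1])
    reasons: List[str] = []
    if name in EXPECTED_DIR and parent not in EXPECTED_DIR[name] and "\\winsxs\\" not in low:
        reasons.append(f"{name} outside its expected directory")
    # The real hosts file has no extension; a hosts.txt beside it is worth a look.
    if parent.endswith("\\drivers\\etc") and name.startswith("hosts") and name != "hosts":
        reasons.append("extra hosts file next to the real extensionless one")
    if any(RANDOM_NAME_RE.match(part) for part in parts[1:]):  # parts[0] is the drive
        reasons.append("random-looking hex name in path")
    if "h" in attrs:  # ComboFix prints 'h' in the attribute column for hidden entries
        reasons.append("hidden attribute set on a newly created entry")
    return reasons


def triage_log(log: str) -> List[Tuple[str, str]]:
    """Run the heuristics over the deletion and file-creation sections of a log."""
    findings: List[Tuple[str, str]] = []
    for section, lines in parse_sections(log).items():
        if section != "Other Deletions" and not section.startswith("Files Created"):
            continue
        for line in lines:
            row = CREATED_RE.match(line)  # bare deletion paths carry no attributes
            path, attrs = (row.group("path"), row.group("attrs")) if row else (line, "")
            for reason in triage_path(path, attrs):
                findings.append((path, reason))
    return findings


if __name__ == "__main__":
    for path, reason in triage_log(SAMPLE_LOG):
        print(f"{reason:55} {path}")
```

Feed it a full log via `triage_log(open("ComboFix.txt").read())`; everything it prints still needs a human decision, since legitimate software also uses odd folder names.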


#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 16 February 2012 - 01:56 PM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

KillAll::

Folder::
c:\program files (x86)\Ask.com
c:\programdata\Microsoft\Windows\DRM

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#11 TiminIndy
  • Topic Starter

  • Members
  • 17 posts

Posted 16 February 2012 - 02:50 PM

OK - ran CF with the script. I got the error "Illegal operation attempted on a registry key that has been marked for deletion.", so I restarted. I am now able to go to Google, but I noticed it redirects to https:, but I guess that won't hurt anything. Seems to be running fine. After my scans on 2/12, everything was running pretty good other than not being able to go to Google, but of course earlier today I was getting BSODs. Here's the new CF log:

ComboFix 12-02-16.02 - aaron 02/16/2012 13:10:38.3.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3032.1814 [GMT -5:00]
Running from: c:\users\aaron\Desktop\ComboFix.exe
Command switches used :: c:\users\aaron\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Ask.com
c:\program files (x86)\Ask.com\cobrand.ico
c:\program files (x86)\Ask.com\favicon.ico
c:\program files (x86)\Ask.com\fv_5d36.ico
c:\program files (x86)\Ask.com\GenericAskToolbar.dll
c:\program files (x86)\Ask.com\precache.exe
c:\program files (x86)\Ask.com\SaUpdate.exe
c:\program files (x86)\Ask.com\Updater\Updater.exe
c:\program files (x86)\Ask.com\UpdateTask.exe
c:\programdata\Microsoft\Windows\DRM
c:\programdata\Microsoft\Windows\DRM\2873.tmp
c:\programdata\Microsoft\Windows\DRM\2874.tmp
c:\programdata\Microsoft\Windows\DRM\blackbox.bin
c:\programdata\Microsoft\Windows\DRM\Cache\Indiv_SID_S-1-5-20\Indiv01_64.key
c:\programdata\Microsoft\Windows\DRM\Cache\Indiv_SID_S-1-5-21-777622892-3633200403-3996829031-1000\Indiv01_64.key
c:\programdata\Microsoft\Windows\DRM\Cache\Indiv01.bla
c:\programdata\Microsoft\Windows\DRM\Cache\Indiv01.key
c:\programdata\Microsoft\Windows\DRM\Cache\Indiv01.tmp
c:\programdata\Microsoft\Windows\DRM\Cache\Indiv01_64.key
c:\programdata\Microsoft\Windows\DRM\drmstore.hds
c:\programdata\Microsoft\Windows\DRM\IndivBox.key
c:\programdata\Microsoft\Windows\DRM\IndivBox_64.key
c:\programdata\Microsoft\Windows\DRM\v2ksndv.bla
c:\programdata\Microsoft\Windows\DRM\v3ks.bla
c:\programdata\Microsoft\Windows\DRM\v3ks.sec
.
.
((((((((((((((((((((((((( Files Created from 2012-01-16 to 2012-02-16 )))))))))))))))))))))))))))))))
.
.
2012-02-16 18:15 . 2012-02-16 18:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-16 16:05 . 2012-02-16 16:05 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-16 14:56 . 2012-01-06 03:15 8602168 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{32BF7979-BEB1-46D1-97A4-C01F3C3BC10C}\mpengine.dll
2012-02-16 14:52 . 2012-01-04 10:44 509952 ----a-w- c:\windows\system32\ntshrui.dll
2012-02-16 14:52 . 2012-01-04 08:58 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
2012-02-16 14:52 . 2011-12-30 06:26 515584 ----a-w- c:\windows\system32\timedate.cpl
2012-02-16 14:52 . 2011-12-30 05:27 478720 ----a-w- c:\windows\SysWow64\timedate.cpl
2012-02-16 14:52 . 2012-01-14 04:06 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-02-16 14:52 . 2011-12-28 03:59 498688 ----a-w- c:\windows\system32\drivers\afd.sys
2012-02-16 14:52 . 2011-12-16 08:46 634880 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-16 14:52 . 2011-12-16 07:52 690688 ----a-w- c:\windows\SysWow64\msvcrt.dll
2012-02-12 13:56 . 2012-02-12 13:56 388096 ----a-r- c:\users\aaron\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-02-12 13:56 . 2012-02-12 13:56 -------- d-----w- c:\program files (x86)\Trend Micro
2012-02-12 02:38 . 2012-02-12 02:12 -------- d-----w- c:\program files (x86)\UnHackMe
2012-02-12 01:32 . 2012-02-12 01:32 -------- d-----w- c:\users\aaron\AppData\Local\VS Revo Group
2012-02-12 01:32 . 2009-12-30 16:21 31800 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-02-12 01:32 . 2012-02-12 01:32 -------- d-----w- c:\program files\VS Revo Group
2012-02-12 01:18 . 2012-02-12 01:19 -------- d-----w- C:\Python27
2012-02-11 23:06 . 2012-02-11 23:06 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-02-11 23:06 . 2012-02-11 23:06 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-02-11 22:11 . 2012-02-11 22:11 89088 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-02-11 21:36 . 2012-02-12 15:11 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-02-11 21:36 . 2012-02-11 21:40 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2012-02-11 20:23 . 2012-02-11 20:23 -------- d-----w- c:\users\aaron\AppData\Roaming\SUPERAntiSpyware.com
2012-02-11 20:22 . 2012-02-11 20:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-02-11 20:22 . 2012-02-11 20:22 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-02-11 19:05 . 2012-02-11 19:05 -------- d-----w- c:\program files\CCleaner
2012-02-11 18:15 . 2012-02-11 18:15 -------- d-----w- c:\users\aaron\AppData\Roaming\Malwarebytes
2012-02-11 18:15 . 2012-02-11 18:15 -------- d-----w- c:\programdata\Malwarebytes
2012-02-11 18:15 . 2012-02-11 18:15 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-02-11 18:15 . 2011-12-10 21:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-11 14:49 . 2012-02-11 14:49 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9056DB31-33F4-4FD1-9FA8-47DC2B558039}\gapaengine.dll
2012-02-11 12:28 . 2012-02-11 15:01 -------- d-----w- c:\users\aaron\AppData\Roaming\3B514
2012-02-11 12:28 . 2012-02-11 15:01 -------- d-----w- c:\users\aaron\AppData\Roaming\2A93B
2012-02-11 12:13 . 2012-02-11 18:57 -------- d-----w- c:\program files (x86)\3B514
2012-02-09 12:08 . 2012-02-09 12:08 -------- d-----w- c:\windows\Sun
2012-01-23 16:33 . 2012-02-12 01:51 -------- d-----w- c:\program files (x86)\Uniblue
2012-01-23 16:09 . 2012-02-11 22:41 -------- d-----w- c:\users\aaron\AppData\Local\ElevatedDiagnostics
2012-01-19 15:47 . 2012-01-19 15:47 -------- d-----w- c:\windows\system32\SPReview
2012-01-19 15:46 . 2012-01-19 15:46 -------- d-----w- c:\windows\system32\EventProviders
2012-01-19 15:35 . 2012-01-19 15:35 -------- d-----w- c:\users\aaron\AppData\Roaming\PC Unleashed Online
2012-01-19 15:35 . 2012-01-19 15:35 -------- d-----w- c:\users\aaron\AppData\Roaming\DriverCure
2012-01-19 15:35 . 2012-02-11 12:18 -------- d--h--w- c:\programdata\PC Unleashed Online
2012-01-18 14:20 . 2012-01-18 14:20 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-31 12:44 . 2011-02-25 12:54 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-01-19 16:01 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2012-01-19 16:01 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
2012-01-14 16:29 . 2012-01-14 16:29 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2012-01-06 03:15 . 2011-02-25 12:55 8602168 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-12-28 14:32 . 2011-12-28 14:32 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2011-12-28 14:32 . 2011-12-28 14:32 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2011-12-28 14:32 . 2011-12-28 14:32 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2011-12-28 14:32 . 2011-12-28 14:32 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2011-11-19 14:58 . 2012-01-11 13:04 77312 ----a-w- c:\windows\system32\packager.dll
2011-11-19 14:01 . 2012-01-11 13:04 67072 ----a-w- c:\windows\SysWow64\packager.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-16_17.07.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-05 07:06 . 2012-02-16 18:05 51168 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-02-16 18:05 42994 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-12-30 15:00 . 2012-02-16 18:05 13382 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-777622892-3633200403-3996829031-1000_UserData.bin
+ 2010-12-10 18:09 . 2012-02-16 18:06 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-12-10 18:09 . 2012-02-16 16:57 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-12-10 18:09 . 2012-02-16 18:06 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-12-10 18:09 . 2012-02-16 16:57 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-02-16 16:57 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-02-16 18:06 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-02-16 17:06 . 2012-02-16 17:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-02-16 18:17 . 2012-02-16 18:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-02-16 18:17 . 2012-02-16 18:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-02-16 17:06 . 2012-02-16 17:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2012-02-16 16:54 626512 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-02-16 18:09 626512 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-02-16 18:09 107756 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-02-16 16:54 107756 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-02-16 17:04 285604 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-02-16 18:15 285604 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-02-11 22:52 . 2012-02-16 18:15 2690908 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-777622892-3633200403-3996829031-1000-4096.dat
- 2012-02-11 22:52 . 2012-02-16 17:04 2690908 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-777622892-3633200403-3996829031-1000-4096.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-10-14 559616]
.
c:\users\aaron\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-09 136176]
R3 cpuz134;cpuz134;c:\users\aaron\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [x]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-09 136176]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2011-07-22 14928]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2011-07-12 12368]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-08-11 140672]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe [x]
S2 McciCMService64;McciCMService64;c:\program files\Common Files\Motive\McciCMService.exe [2010-11-08 517632]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-08-18 1692480]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-09 21:52]
.
2012-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-09 21:52]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-01-18 368640]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2009-06-29 444416]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-06-30 165912]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-06-30 385560]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-06-30 365080]
"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4968960]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-21 2306448]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\system32\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files (x86)\Ask.com\GenericAskToolbar.dll
Toolbar-Locked - (no file)
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files (x86)\Ask.com\GenericAskToolbar.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
ShellIconOverlayIdentifiers-{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} - (no file)
ShellIconOverlayIdentifiers-{FB314EDC-A251-47B7-93E1-CDD82E34AF8B} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-777622892-3633200403-3996829031-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-777622892-3633200403-3996829031-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Common Files\Motive\McciCMService.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
.
**************************************************************************
.
Completion time: 2012-02-16 13:21:59 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-16 18:21
ComboFix2.txt 2012-02-16 17:11
.
Pre-Run: 187,706,204,160 bytes free
Post-Run: 187,619,147,776 bytes free
.
- - End Of File - - 26EB7D80AB496EF8A537E977161C97F0

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:22 AM

Posted 16 February 2012 - 03:04 PM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore; this is fine, just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does a lot better of a job).

Programs to remove

Adobe Reader 9.5.0
Ask Toolbar


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this: to run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#13 TiminIndy

TiminIndy
  • Topic Starter

  • Members
  • 17 posts
  • Local time:04:22 AM

Posted 16 February 2012 - 03:50 PM

*I tried to uninstall the Ask Toolbar on 2/12 with Revo Uninstaller and had the same problem when I tried today: after starting the uninstall, I get a Support.com Toolbar error message that says:

Error 1316, A network error occurred while attempting to read from the file C:\Windows\Installer\Ask Toolbar.msi

After the unsuccessful uninstall, I clicked on 'Scan' to search for leftover registry items and there were several dozen items. I decided to wait and check with you before deleting that many registry items.

**I uninstalled Adobe Reader with Revo Uninstaller per your instructions and installed the latest version.

***Here are the new MBAM & HiJackThis logs:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.16.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
aaron :: ERIC [administrator]

2/16/2012 2:39:06 PM
mbam-log-2012-02-16 (14-39-06).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 183603
Time elapsed: 3 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


----------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:48:32 PM, on 2/16/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (file missing)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eric
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eric
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eric
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: lxdn_device - Unknown owner - C:\Windows\system32\lxdncoms.exe (file missing)
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files (x86)\Common Files\Motive\McciCMService.exe
O23 - Service: McciCMService64 - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SoftThinks Agent Service (SftService) - SoftThinks SAS - C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9159 bytes

Edited by TiminIndy, 16 February 2012 - 03:52 PM.
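A defender-side triage of HijackThis output of the kind pasted above, as an added example that is not part of this thread or of HijackThis itself. The log lines it parses are a constructed sample modelled on the O2/O3/O4/O23 entries in the log; the regexes and the System32 heuristic (a 32-bit HijackThis on 64-bit Windows is redirected to SysWOW64, so "(file missing)" under System32 is not by itself evidence of anything) are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the HijackThis 2.0.4 log format, modelled on the entry
# types in the thread (O2 BHO, O3 toolbar, O4 autostart, O23 service).
SAMPLE_LOG = r"""
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: lxdn_device - Unknown owner - C:\Windows\system32\lxdncoms.exe (file missing)
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
"""

MISSING = " (file missing)"


@dataclass
class Entry:
    section: str               # O2, O3, O4 or O23
    name: str                  # BHO/toolbar name, Run value name, or service name [owner]
    path: str                  # target file as HijackThis printed it
    clsid: Optional[str] = None
    missing: bool = False      # HijackThis appended "(file missing)"


# Line shapes as they appear in the log (assumed patterns, not HijackThis code).
RE_O2_O3 = re.compile(r"^(O2|O3) - (?:BHO|Toolbar): (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
RE_O4_REG = re.compile(r"^O4 - (HK.*?): \[([^\]]*)\] (.*)$")
RE_O4_STARTUP = re.compile(r"^O4 - (.*?Startup): (.*?) = (.*?)(?: \(User '.*'\))?$")
RE_O23 = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")


def _split_missing(rest: str):
    """Separate the path from the trailing '(file missing)' marker."""
    if rest.endswith(MISSING):
        return rest[: -len(MISSING)], True
    return rest, False


def parse_log(text: str) -> List[Entry]:
    """Parse the O2/O3/O4/O23 lines of a HijackThis log; other lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_O2_O3.match(line):
            sec, name, clsid, rest = m.groups()
            path, missing = _split_missing(rest)
            entries.append(Entry(sec, name, path, clsid.upper(), missing))
        elif m := RE_O4_REG.match(line):
            _, name, rest = m.groups()
            entries.append(Entry("O4", name, rest.strip('"')))
        elif m := RE_O4_STARTUP.match(line):
            _, name, path = m.groups()
            entries.append(Entry("O4", name, path))
        elif m := RE_O23.match(line):
            name, owner, rest = m.groups()
            path, missing = _split_missing(rest)
            entries.append(Entry("O23", f"{name} [{owner}]", path, None, missing))
    return entries


def triage(e: Entry) -> str:
    """present: target exists. orphan: a registration whose file is gone (the
    Ask Toolbar leftover in the thread). inconclusive: reported missing under
    System32; a 32-bit HijackThis on x64 is redirected to SysWOW64 by the
    file-system redirector and cannot see 64-bit-only System32 binaries, so
    such lines need a 64-bit-aware tool before drawing any conclusion."""
    if not e.missing:
        return "present"
    if "\\windows\\system32\\" in e.path.lower():
        return "inconclusive"
    return "orphan"


def summarize(entries: List[Entry]) -> Dict[str, int]:
    counts = {"present": 0, "orphan": 0, "inconclusive": 0}
    for e in entries:
        counts[triage(e)] += 1
    return counts


def orphans_by_clsid(entries: List[Entry]) -> Dict[str, List[str]]:
    """Group true orphans by CLSID so one leftover component registered in
    several places (BHO and toolbar) is reported once, with both sections."""
    groups: Dict[str, List[str]] = {}
    for e in entries:
        if triage(e) == "orphan":
            groups.setdefault(e.clsid or e.path, []).append(e.section)
    return groups


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(summarize(parsed))          # {'present': 4, 'orphan': 2, 'inconclusive': 2}
    for clsid, sections in orphans_by_clsid(parsed).items():
        print(f"orphan CLSID {clsid} registered in {', '.join(sections)}")
```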


#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:22 AM

Posted 16 February 2012 - 10:19 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be; you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
      O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this: to run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7: right click on the IE shortcut and run as admin

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
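The O4 lines in the fix above are the Run/RunOnce registry values and Startup-folder shortcuts that HijackThis lists. The script below is an added example for this thread, not code from the original post, from HijackThis or from any tool mentioned here: it enumerates those same autostart locations (machine and current-user Run/RunOnce keys, the Wow6432Node view that 32-bit programs write to on x64, and both Startup folders), resolves each target executable, and reports its Authenticode signature status, publisher and SHA-256 so each entry can be researched from its hash rather than its display name. It assumes 64-bit PowerShell 4.0 or later run as administrator (Windows Management Framework 4.0 on Windows 7 SP1); the function names are mine.

```powershell
# Added example for this thread, not code from the original post or from HijackThis.
# Enumerates the autostart locations HijackThis reports as O4 entries, resolves each
# target executable and checks its Authenticode signature and SHA-256.
# Assumes 64-bit PowerShell 4.0+ run as administrator (Get-FileHash needs 4.0).

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',   # 32-bit apps on x64
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Extract the executable from a Run value such as  "C:\Program Files\X\x.exe" /arg
# or  C:\Windows\system32\foo.exe -quiet  (environment variables are expanded first).
function Get-ExecutablePath([string]$Command) {
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $expanded.Trim()
}

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata (PSPath, PSParentPath, PSChildName, ...) Get-ItemProperty adds.
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $startupDirs) {
        if ([string]::IsNullOrEmpty($dir) -or -not (Test-Path $dir)) { continue }
        foreach ($lnk in Get-ChildItem -Path $dir -Filter *.lnk) {
            $target = $shell.CreateShortcut($lnk.FullName).TargetPath
            [pscustomobject]@{ Source = $dir; Name = $lnk.Name; Command = $target }
        }
    }
}

function Get-AutorunReport {
    foreach ($entry in Get-AutorunEntries) {
        $exe    = Get-ExecutablePath $entry.Command
        $exists = (-not [string]::IsNullOrWhiteSpace($exe)) -and (Test-Path -LiteralPath $exe -PathType Leaf)
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
        [pscustomobject]@{
            Source     = $entry.Source
            Name       = $entry.Name
            Executable = $exe
            Exists     = $exists
            SigStatus  = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
            Publisher  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256     = if ($exists) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { '' }
        }
    }
}

# 'Valid' sorts last, so missing, unsigned and tampered targets come to the top for review.
Get-AutorunReport | Sort-Object SigStatus | Format-Table Name, SigStatus, Publisher, Executable -AutoSize
```

Run it from a 64-bit PowerShell window; a 32-bit PowerShell on x64 is redirected to the Wow6432Node view of HKLM\SOFTWARE and would list the native Run key twice while missing the 64-bit one. A missing target (SigStatus FileMissing) is a stale entry that can be dropped outright; an unsigned target in a user-writable directory is the kind of line worth looking up before deciding.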

#15 TiminIndy

  • Topic Starter
  • Members
  • 17 posts

Posted 16 February 2012 - 11:41 PM

Thanks again for your help, Gringo!

I followed your suggestion and removed 3 of the 4 items from the Startup list. I left the Java updater on because I can't trust my friend to keep Java updated! Is there a reason it is better to do this with HiJackThis instead of just going to msconfig?

Question: What do you recommend about the unsuccessful uninstall of the Ask Toolbar? Is it possible to find a copy of the missing or corrupt file C:\Windows\Installer\Ask Toolbar.msi ? It seems that I need that for the uninstaller to work, and I was reluctant to manually delete all the registry keys and files without your advice.

Here is the ESET scan log:

(just when I thought we were about cleaned up, this found 15 more threats)

C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip Win32/Bagle.gen.zip worm
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip Win32/Bagle.gen.zip worm
C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\DRM\2873.tmp.vir Win64/Olmarik.AD trojan
C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\DRM\2874.tmp.vir Win64/Olmarik.AD trojan
C:\TDSSKiller_Quarantine\16.02.2012_11.04.37\mbr0000\tdlfs0000\tsk0000.dta Win32/Olmarik.AWO trojan
C:\TDSSKiller_Quarantine\16.02.2012_11.04.37\mbr0000\tdlfs0000\tsk0001.dta Win64/Olmarik.AD trojan
C:\TDSSKiller_Quarantine\16.02.2012_11.04.37\mbr0000\tdlfs0000\tsk0002.dta Win32/Olmarik.AYG trojan
C:\TDSSKiller_Quarantine\16.02.2012_11.04.37\mbr0000\tdlfs0000\tsk0003.dta a variant of Win32/Rootkit.Kryptik.JG trojan
C:\TDSSKiller_Quarantine\16.02.2012_11.04.37\mbr0000\tdlfs0000\tsk0004.dta Win64/Olmarik.AC trojan
C:\TDSSKiller_Quarantine\16.02.2012_11.04.37\mbr0000\tdlfs0000\tsk0008.dta Win32/Olmarik.AWO trojan
C:\TDSSKiller_Quarantine\16.02.2012_11.04.37\mbr0000\tdlfs0000\tsk0009.dta Win64/Olmarik.X trojan
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip Win32/Bagle.gen.zip worm
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip Win32/Bagle.gen.zip worm

Edited by TiminIndy, 16 February 2012 - 11:42 PM.
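The ESET results above are path-plus-detection lines, and the paths themselves say whether a hit is still live: C:\Qoobox\Quarantine is ComboFix's quarantine, C:\TDSSKiller_Quarantine is TDSSKiller's, and Spybot - Search & Destroy\Recovery holds Spybot's backups of what it removed; on Vista and Windows 7, C:\Users\All Users is a junction to C:\ProgramData, so those entries are the same files listed twice. The script below is an added example for this thread, not code from the original post or from ESET: it parses lines in the format shown, classifies each hit by store, and folds the junction so duplicates are flagged. The sample input is constructed from the line format in this thread plus one constructed live-path line whose detection name is a placeholder; the function names are mine.

```powershell
# Added example for this thread, not code from the original post or from ESET.
# Separates hits inside known quarantine/backup stores (already moved there by another
# tool) from hits in live locations, and folds the Vista/7 junction
# C:\Users\All Users -> C:\ProgramData so one file is not counted twice.
# Sample input is constructed; the last line's path and detection name are placeholders.

$sampleLog = @'
C:\ProgramData\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\DRM\2873.tmp.vir Win64/Olmarik.AD trojan
C:\TDSSKiller_Quarantine\16.02.2012_11.04.37\mbr0000\tdlfs0000\tsk0003.dta a variant of Win32/Rootkit.Kryptik.JG trojan
C:\Users\All Users\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric.zip Win32/Bagle.gen.zip worm
C:\Users\Public\Downloads\setup_constructed.exe Win32/Example.Constructed trojan
'@

# Known stores and the tool that owns them (regex on the canonical path).
$knownStores = @(
    @{ Pattern = '^C:\\Qoobox\\Quarantine\\';               Store = 'ComboFix quarantine' },
    @{ Pattern = '^C:\\TDSSKiller_Quarantine\\';            Store = 'TDSSKiller quarantine' },
    @{ Pattern = '\\Spybot - Search & Destroy\\Recovery\\'; Store = 'Spybot S&D recovery backup' },
    @{ Pattern = '\\System Volume Information\\';           Store = 'System Restore point store' }
)

# ESET prints "<path> <detection>". Paths contain spaces, so the path is matched lazily
# and the detection is recognised by the '/' in its family name (Win32/..., Win64/...).
function ConvertFrom-EsetLine([string]$Line) {
    if ($Line -match '^(?<path>[A-Za-z]:\\.+?)\s+(?<threat>(?:probably )?(?:a variant of )?\S+/\S+.*)$') {
        return [pscustomobject]@{ Path = $Matches['path']; Threat = $Matches['threat'].Trim() }
    }
    return $null
}

function Get-EsetTriage([string]$LogText) {
    $seen = @{}
    foreach ($line in ($LogText -split "`r?`n")) {
        $hit = ConvertFrom-EsetLine $line
        if (-not $hit) { continue }
        # On Vista/7, C:\Users\All Users is a junction to C:\ProgramData.
        $canonical = $hit.Path -replace '^C:\\Users\\All Users\\', 'C:\ProgramData\'
        $duplicate = $seen.ContainsKey($canonical.ToLower())
        $seen[$canonical.ToLower()] = $true
        $store = 'LIVE'
        foreach ($k in $knownStores) {
            if ($canonical -match $k.Pattern) { $store = $k.Store; break }
        }
        [pscustomobject]@{
            Path      = $hit.Path
            Threat    = $hit.Threat
            Store     = $store
            Duplicate = $duplicate
        }
    }
}

$triage = Get-EsetTriage $sampleLog
$triage | Format-Table Store, Duplicate, Threat, Path -AutoSize
# Only hits that are LIVE and not duplicates still need attention.
$triage | Where-Object { $_.Store -eq 'LIVE' -and -not $_.Duplicate }
```

Feed it the real log by replacing $sampleLog with Get-Content -Raw on the saved ESET output. Hits inside a quarantine store are inert copies another tool already neutralised; emptying that tool's quarantine (or letting ESET delete them) clears them, while a LIVE row is the one to investigate.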




