
Browser redirecting


  • This topic is locked
71 replies to this topic

#1 immediate1

immediate1

  • Members
  • 37 posts
  • OFFLINE
  • Local time:07:40 AM

Posted 18 February 2012 - 12:24 AM

Hello, lately I've been dealing with the irritating redirect virus. Here is some background information I can provide.

Back in November of last year, I was infected with the Vista Antivirus 2012 virus. I managed to remove that by ending its process via task manager and deleting whatever other malware came with it using MBAM. All except for the redirect virus, and of course the redirects started to appear afterward. I got redirected to sites like "get-answers-fast", "lexolis", and "ampnetwork".

I realized consrv.dll was the main problem so I deleted it and rebooted my computer two or three times before I realized these actions were preventing my computer from restarting. I tried several other methods in an attempt to get rid of it: editing the registry from the recovery console (where the consrv.dll values didn't exist), fixing with aswmbr.exe, using MBAM and programs of the like in hopes of detecting the rootkits. All no luck. I figured I shouldn't use Combofix because I felt I might screw up my computer even more, so I finally decided to ask for professional help.

I don't know if I can provide any other information that might seem important. Here are a few more issues I've noticed: a pop-up saying "nslookup has stopped working", pop-up about TCP/IP protocol not working, and Windows Firewall not being able to display its settings "due to an unidentified problem".


I followed the preparation guide and I have the DDS log below and the attach log attached. Firewall wasn't functioning normally so I couldn't enable that. I skipped the GMER step since I'm running a 64-bit system.

DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.6001.19088
Run by A at 22:03:11 on 2012-02-17
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.6133.2421 [GMT -6:00]
.
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Google Pinyin 2\GooglePinyinDaemon.exe
C:\Program Files\Google\Google Pinyin 2\GooglePinyinService.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\PROGRA~1\HEWLET~1\HPREMO~1\HPREMO~1.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\ehome\ehtray.exe
D:\PPS.tv\PPStream\PPSAP.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.exe
C:\Users\A\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files (x86)\PPLive\PPTV\PPLive.exe
D:\PPS.tv\PPStream\PPStream.exe
C:\Program Files\LSI SoftModem\agr64svc.exe
C:\Windows\SysWOW64\svchost.exe -k Akamai
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Users\A\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe
C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\servicing\TrustedInstaller.exe
c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11e_ActiveX.exe
C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\splwow64.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\SysWOW64\ping.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
uInternet Settings,ProxyOverride = 127.0.0.1:9421
mWinlogon: Userinit=userinit.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0552.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: US Job Search Toolbar: {f409caa5-db4f-48aa-a238-ca307c481237} - C:\Program Files (x86)\usjobsearchtoolbar\vmntemplateX.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0552.0\msneshellx.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\coIEPlg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
TB: US Job Search Toolbar: {f409caa5-db4f-48aa-a238-ca307c481237} - C:\Program Files (x86)\usjobsearchtoolbar\vmntemplateX.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW,SYSTRAY
uRun: [Google Update] "C:\Users\A\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [PPS Accelerator] D:\PPS.tv\PPStream\ppsap.exe
uRun: [PPAP] "C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.exe" -background
uRun: [Akamai NetSession Interface] "C:\Users\A\AppData\Local\Akamai\netsession_win.exe"
mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
mRun: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [UpdateP2GoShortCut] "c:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun: [UpdateLBPShortCut] "c:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
mRun: [UpdatePDIRShortCut] "c:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
mRun: [UpdatePSTShortCut] "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
mRun: [TSMAgent] "c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
mRun: [CLMLServer for HP TouchSmart] "c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
mRun: [DVDAgent] "c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [Microsoft Default Manager] "c:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [4StoryPrePatch] C:\Program Files\4Story_US\PrePatch.exe
mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\A\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\PPS.lnk - D:\PPS.tv\PPStream\PPStream.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PICTUR~1.LNK - C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PPTV.lnk - C:\Program Files (x86)\PPLive\PPTV\PPLive.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files (x86)\PPLive\PPTV\PPLive.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~4\OFFICE11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
LSP: mswsock.dll
Trusted Zone: pps.tv
Trusted Zone: ppstream.com
Trusted Zone: webscache.com
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxps://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/62.12/uploader2.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab
DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{23910CEA-C965-46E4-B5BA-3D11043DE351} : DhcpNameServer = 192.168.1.1
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\CoIEPlg.dll
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2
BHO-X64: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\coIEPlg.dll
BHO-X64: Symantec NCO BHO - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
BHO-X64: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0552.0\msneshellx.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: US Job Search Toolbar: {f409caa5-db4f-48aa-a238-ca307c481237} - C:\Program Files (x86)\usjobsearchtoolbar\vmntemplateX.dll
BHO-X64: US Job Search Toolbar - No File
BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
BHO-X64: HP Smart BHO Class - No File
TB-X64: Microsoft Live Search Toolbar: {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0552.0\msneshellx.dll
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\coIEPlg.dll
TB-X64: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
TB-X64: US Job Search Toolbar: {f409caa5-db4f-48aa-a238-ca307c481237} - C:\Program Files (x86)\usjobsearchtoolbar\vmntemplateX.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
mRun-x64: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
mRun-x64: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun-x64: [UpdateP2GoShortCut] "c:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun-x64: [UpdateLBPShortCut] "c:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
mRun-x64: [UpdatePDIRShortCut] "c:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
mRun-x64: [UpdatePSTShortCut] "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
mRun-x64: [TSMAgent] "c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
mRun-x64: [CLMLServer for HP TouchSmart] "c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
mRun-x64: [DVDAgent] "c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [Microsoft Default Manager] "c:\Program Files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [4StoryPrePatch] C:\Program Files\4Story_US\PrePatch.exe
mRun-x64: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
IE-X64: {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files (x86)\PPLive\PPTV\PPLive.exe
Hosts: 66.197.194.231 www.google-analytics.com.
Hosts: 66.197.194.231 ad-emea.doubleclick.net.
Hosts: 66.197.194.231 www.statcounter.com.
Hosts: 69.72.252.254 www.google-analytics.com.
Hosts: 69.72.252.254 ad-emea.doubleclick.net.
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NISx64\1008030.006\SYMEFA64.SYS --> C:\Windows\system32\drivers\NISx64\1008030.006\SYMEFA64.SYS [?]
R1 BHDrvx64;Symantec Heuristics Driver;C:\Windows\system32\Drivers\NISx64\1008030.006\BHDrvx64.sys --> C:\Windows\system32\Drivers\NISx64\1008030.006\BHDrvx64.sys [?]
R1 ccHP;Symantec Hash Provider;C:\Windows\system32\Drivers\NISx64\1008030.006\ccHPx64.sys --> C:\Windows\system32\Drivers\NISx64\1008030.006\ccHPx64.sys [?]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090916.003\IDSviA64.sys [2009-9-16 466480]
R2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2008-1-20 21504]
R2 Norton Internet Security;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe [2011-10-10 117648]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-27 135664]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-8-26 132656]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-2-27 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 npggsvc;nProtect GameGuard Service;C:\Windows\system32\GameMon.des -service --> C:\Windows\system32\GameMon.des -service [?]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-8-17 93184]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-02-05 14:22:12 0 --sha-w- C:\Windows\System32\dds_trash_log.cmd
2012-01-31 00:15:29 6656 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\BC27.tmp
.
==================== Find3M ====================
.
2011-12-21 23:36:23 3587128 ----a-w- C:\Windows\System32\GooglePinyin2.ime
2011-12-21 23:36:23 2504760 ----a-w- C:\Windows\SysWow64\GooglePinyin2.ime
2011-12-10 21:24:08 23152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-11-28 21:41:58 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-03-19 15:31:29 195632 ----a-w- C:\Program Files\Uninst_Notation Player 2.6.exe
2010-10-27 01:29:50 1337016015 ----a-w- C:\Program Files\4Story10092702_full.exe
2010-10-16 21:51:26 819112408 ----a-w- C:\Program Files\FistsOfFuSetup-10.0.121.exe
.
============= FINISH: 22:06:01.67 ===============


#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:09:40 AM

Posted 18 February 2012 - 02:49 AM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. :)

I'll be addressing you by your username; if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool that you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days; failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Please do me a favor and post the aswMBR.exe log file, and the MalwareBytes' Anti-Malware log files for me to review. Please number them 1a & 1b. :)


==============

It appears you're infected with an infection known as ZeroAccess.

ZeroAccess (Max++) Rootkit (aka: Sirefef) is a sophisticated rootkit that uses advanced technology to hide its presence in a system and can infect both x86 and x64 platforms. ZeroAccess is similar to the TDSS rootkit but has more self-protection mechanisms that can be used to disable anti-virus software resulting in "Access Denied" messages whenever you run a security application. For more specific information about this infection, please refer to:


NEXT:



One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Running TDSSKiller

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  • Click the Start Scan button.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure SKIP is selected, then click Continue => Reboot now to finish the cleaning process.
  • Note: Do not choose Cure or Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.


NEXT:



Farbar Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


NEXT:



Running OTL

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized


NEXT:



Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. TDSSKiller log.
3. Farbar Service Scanner log.
4. OTL.txt & Extras.txt logs.
5. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.


Please let me know how the above scans go.

Kindest Regards,
Agent ST.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
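As an added illustration (not part of this thread and not code from any tool the helpers use), here is a small Python triage script run over a constructed excerpt in the layout of the DDS "Pseudo HJT Report" quoted above. It flags HOSTS entries that pin domains to routable addresses and any server DLL in the SubSystems value beyond basesrv/winsrv, the two log indicators consistent with the consrv.dll ZeroAccess component discussed in this thread.

```python
import re
from ipaddress import ip_address

# Constructed sample in the layout of the DDS Pseudo HJT Report section
# (a handful of lines only, not the full log from the thread).
SAMPLE_DDS = """\
uStart Page = hxxp://www.google.com/
mWinlogon: Userinit=userinit.exe,
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2
Hosts: 66.197.194.231 www.google-analytics.com.
Hosts: 66.197.194.231 ad-emea.doubleclick.net.
Hosts: 69.72.252.254 www.google-analytics.com.
Hosts: 127.0.0.1 localhost
JSEFile=C:\\Windows\\SysWOW64\\WScript.exe "%1" %*
"""

# Server DLLs that belong in the Windows SubSystems value on Vista/7.
EXPECTED_SUBSYSTEM_DLLS = {"basesrv", "winsrv"}


def check_hosts(line):
    """Return findings for a DDS 'Hosts:' line whose address is routable.

    A HOSTS entry mapping an analytics/ad domain to a public IP is the
    classic pattern behind silent browser redirects; loopback or
    unspecified addresses (sinkhole-style blocking) are left alone.
    """
    m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", line)
    if not m:
        return []
    addr, host = m.group(1), m.group(2).rstrip(".")
    try:
        ip = ip_address(addr)
    except ValueError:
        return [("hosts-unparseable", line.strip())]
    if ip.is_loopback or ip.is_unspecified:
        return []
    return [("hosts-hijack", f"{host} -> {addr}")]


def check_subsystems(line):
    """Return findings for unexpected DLLs in the DDS 'SubSystems: Windows =' line.

    DDS prints the value in abbreviated form: tokens like 'basesrv,1' or
    'winsrv:UserServerDllInitialization,3'. Anything beyond the two stock
    server DLLs (the thread's log shows 'consrv') is reported for review.
    """
    m = re.match(r"SubSystems:\s+Windows\s*=\s*(.*)", line)
    if not m:
        return []
    findings = []
    for token in m.group(1).split():
        dll = token.split(":", 1)[0].split(",", 1)[0]
        if dll.lower() not in EXPECTED_SUBSYSTEM_DLLS:
            findings.append(("subsystem-dll", dll))
    return findings


def triage_dds(text):
    """Run every check over each line; return a list of (category, detail)."""
    findings = []
    for line in text.splitlines():
        findings.extend(check_hosts(line))
        findings.extend(check_subsystems(line))
    return findings


if __name__ == "__main__":
    for category, detail in triage_dds(SAMPLE_DDS):
        print(f"{category:16} {detail}")
```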


#3 immediate1

immediate1
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:07:40 AM

Posted 18 February 2012 - 12:17 PM

Hi, Agent ST! Thank you for replying so soon. =)
I followed the steps you gave me and I've attached all the logs you've asked for (I think that's all of it). I'm going to respond to your questions in order, using your numbering.

1. I've attached the Malwarebytes and aswmbr.exe logs. Did you want me to copy and paste logs content or attach the logs? I ask this because pasting ALL of it in this one post really slowed my browser down a lot. At the moment, I do not have any other specific questions or comments.
2. TDSSKiller log attached (I couldn't find the exact location of the file, so I just clicked on the report button and copied and pasted that into another document tdsskillerreport.txt)
3. Farbar Service Scanner log attached
4. OTL.txt and Extras.txt logs attached
5. Currently, the computer appears to be in the same state it was back when the redirects first started appearing. Redirects do seem a bit more persistent lately than they have been. I even clicked on your website profile and I was redirected to some other site!


aswMBR version 0.9.9.1532 Copyright© 2011 AVAST Software
Run date: 2012-02-18 10:15:30
-----------------------------
10:15:30.927 OS Version: Windows x64 6.0.6001 Service Pack 1
10:15:30.927 Number of processors: 2 586 0x170A
10:15:30.928 ComputerName: A-PC UserName: A
10:15:34.772 Initialize success
10:20:46.277 AVAST engine defs: 12021800
10:21:44.497 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
10:21:44.502 Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 8
10:21:44.517 Disk 0 MBR read successfully
10:21:44.521 Disk 0 MBR scan
10:21:44.529 Disk 0 unknown MBR code
10:21:44.537 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 596475 MB offset 63
10:21:44.575 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 14001 MB offset 1221582600
10:21:44.586 Service scanning
10:21:45.794 Modules scanning
10:21:45.798 Disk 0 trace - called modules:
10:21:45.802 ntoskrnl.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
10:21:45.806 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80061da790]
10:21:45.809 3 CLASSPNP.SYS[fffffa6000fcdb3a] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80060e9050]
10:21:47.891 AVAST engine scan C:\Windows
10:21:52.307 AVAST engine scan C:\Windows\system32
10:22:03.184 File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
10:23:53.071 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-FQ [Drp]
10:23:55.830 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-HO [Rtk]
10:25:41.368 File: C:\Windows\assembly\temp\U\80000004.@ **INFECTED** Win64:ZAccess-A [Trj]
10:25:41.411 File: C:\Windows\assembly\temp\U\80000032.@ **INFECTED** Win32:DNSChanger-VJ [Trj]
10:26:01.835 AVAST engine scan C:\Windows\system32\drivers
10:26:33.586 AVAST engine scan C:\Users\A
10:28:54.901 Disk 0 MBR has been saved successfully to "C:\Users\A\Desktop\MBR.dat"
10:28:54.914 The log file has been saved successfully to "C:\Users\A\Desktop\1a.txt"



Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.18.06

Windows Vista Service Pack 1 x64 NTFS
Internet Explorer 8.0.6001.19088
A :: A-PC [administrator]

2/18/2012 10:31:22 AM
mbam-log-2012-02-18 (10-31-22).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 188782
Time elapsed: 6 minute(s), 39 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

10:40:41.0461 6200 TDSS rootkit removing tool 2.7.13.0 Feb 15 2012 19:33:14
10:40:41.0777 6200 ============================================================
10:40:41.0777 6200 Current date / time: 2012/02/18 10:40:41.0777
10:40:41.0777 6200 SystemInfo:
10:40:41.0777 6200
10:40:41.0777 6200 OS Version: 6.0.6001 ServicePack: 1.0
10:40:41.0777 6200 Product type: Workstation
10:40:41.0777 6200 ComputerName: A-PC
10:40:41.0777 6200 UserName: A
10:40:41.0777 6200 Windows directory: C:\Windows
10:40:41.0777 6200 System windows directory: C:\Windows
10:40:41.0777 6200 Running under WOW64
10:40:41.0777 6200 Processor architecture: Intel x64
10:40:41.0777 6200 Number of processors: 2
10:40:41.0777 6200 Page size: 0x1000
10:40:41.0777 6200 Boot type: Normal boot
10:40:41.0778 6200 ============================================================
10:40:42.0071 6200 Drive \Device\Harddisk0\DR0 - Size: 0x950B056000 (596.17 Gb), SectorSize: 0x200, Cylinders: 0x13001, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
10:40:42.0102 6200 \Device\Harddisk0\DR0:
10:40:42.0103 6200 MBR used
10:40:42.0103 6200 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x48CFDEC9
10:40:42.0103 6200 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x48CFDF08, BlocksNum 0x1B58FB9
10:40:42.0181 6200 Initialize success
10:40:42.0181 6200 ============================================================
10:40:53.0842 7680 ============================================================
10:40:53.0842 7680 Scan started
10:40:53.0842 7680 Mode: Manual; SigCheck; TDLFS;
10:40:53.0842 7680 ============================================================
10:40:54.0272 7680 ACPI (375243251c24028da6c9761645b43f21) C:\Windows\system32\drivers\acpi.sys
10:40:54.0371 7680 ACPI - ok
10:40:54.0439 7680 adp94xx (f14215e37cf124104575073f782111d2) C:\Windows\system32\drivers\adp94xx.sys
10:40:54.0461 7680 adp94xx - ok
10:40:54.0518 7680 adpahci (7d05a75e3066861a6610f7ee04ff085c) C:\Windows\system32\drivers\adpahci.sys
10:40:54.0535 7680 adpahci - ok
10:40:54.0569 7680 adpu160m (820a201fe08a0c345b3bedbc30e1a77c) C:\Windows\system32\drivers\adpu160m.sys
10:40:54.0580 7680 adpu160m - ok
10:40:54.0618 7680 adpu320 (9b4ab6854559dc168fbb4c24fc52e794) C:\Windows\system32\drivers\adpu320.sys
10:40:54.0630 7680 adpu320 - ok
10:40:54.0754 7680 AFD (9bb97042fa331a0fb4bdd98b9280a50a) C:\Windows\system32\drivers\afd.sys
10:40:54.0863 7680 AFD - ok
10:40:54.0930 7680 AgereSoftModem (1cd4b03012d62962274e1c9eb8670a10) C:\Windows\system32\DRIVERS\agrsm64.sys
10:40:55.0006 7680 AgereSoftModem - ok
10:40:55.0049 7680 agp440 (f6f6793b7f17b550ecfdbd3b229173f7) C:\Windows\system32\drivers\agp440.sys
10:40:55.0060 7680 agp440 - ok
10:40:55.0120 7680 aic78xx (222cb641b4b8a1d1126f8033f9fd6a00) C:\Windows\system32\drivers\djsvs.sys
10:40:55.0132 7680 aic78xx - ok
10:40:55.0191 7680 aliide (157d0898d4b73f075ce9fa26b482df98) C:\Windows\system32\drivers\aliide.sys
10:40:55.0200 7680 aliide - ok
10:40:55.0226 7680 amdide (970fa5059e61e30d25307b99903e991e) C:\Windows\system32\drivers\amdide.sys
10:40:55.0236 7680 amdide - ok
10:40:55.0270 7680 AmdK8 (cdc3632a3a5ea4dbb83e46076a3165a1) C:\Windows\system32\drivers\amdk8.sys
10:40:55.0430 7680 AmdK8 - ok
10:40:55.0492 7680 arc (ba8417d4765f3988ff921f30f630e303) C:\Windows\system32\drivers\arc.sys
10:40:55.0502 7680 arc - ok
10:40:55.0550 7680 arcsas (9d41c435619733b34cc16a511e644b11) C:\Windows\system32\drivers\arcsas.sys
10:40:55.0563 7680 arcsas - ok
10:40:55.0604 7680 AsyncMac (22d13ff3dafec2a80634752b1eaa2de6) C:\Windows\system32\DRIVERS\asyncmac.sys
10:40:55.0647 7680 AsyncMac - ok
10:40:55.0686 7680 atapi (1898fae8e07d97f2f6c2d5326c633fac) C:\Windows\system32\drivers\atapi.sys
10:40:55.0695 7680 atapi - ok
10:40:55.0823 7680 BHDrvx64 (4d7f8401eae7eaa4ef702fa6f4153269) C:\Windows\System32\Drivers\NISx64\1008030.006\BHDrvx64.sys
10:40:55.0858 7680 BHDrvx64 - ok
10:40:55.0950 7680 blbdrive (79feeb40056683f8f61398d81dda65d2) C:\Windows\system32\drivers\blbdrive.sys
10:40:56.0018 7680 blbdrive - ok
10:40:56.0083 7680 bowser (f0f035fcec3554cc1b70c5611bd87951) C:\Windows\system32\DRIVERS\bowser.sys
10:40:56.0127 7680 bowser - ok
10:40:56.0195 7680 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\drivers\brfiltlo.sys
10:40:56.0298 7680 BrFiltLo - ok
10:40:56.0332 7680 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\drivers\brfiltup.sys
10:40:56.0367 7680 BrFiltUp - ok
10:40:56.0414 7680 Brserid (f0f0ba4d815be446aa6a4583ca3bca9b) C:\Windows\system32\drivers\brserid.sys
10:40:56.0612 7680 Brserid - ok
10:40:56.0653 7680 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\system32\drivers\brserwdm.sys
10:40:56.0707 7680 BrSerWdm - ok
10:40:56.0724 7680 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\system32\drivers\brusbmdm.sys
10:40:56.0776 7680 BrUsbMdm - ok
10:40:56.0800 7680 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\system32\drivers\brusbser.sys
10:40:56.0856 7680 BrUsbSer - ok
10:40:56.0875 7680 BTHMODEM (e0777b34e05f8a82a21856efc900c29f) C:\Windows\system32\drivers\bthmodem.sys
10:40:56.0935 7680 BTHMODEM - ok
10:40:57.0017 7680 ccHP (a2e6ab452b9393ca8d11d28827e0e1a1) C:\Windows\System32\Drivers\NISx64\1008030.006\ccHPx64.sys
10:40:57.0048 7680 ccHP - ok
10:40:57.0082 7680 cdfs (b4d787db8d30793a4d4df9feed18f136) C:\Windows\system32\DRIVERS\cdfs.sys
10:40:57.0125 7680 cdfs - ok
10:40:57.0146 7680 cdrom (3b2fb35363423ed60c8fbf15fc8680bd) C:\Windows\system32\DRIVERS\cdrom.sys
10:40:57.0198 7680 cdrom - ok
10:40:57.0236 7680 circlass (02ea568d498bbdd4ba55bf3fce34d456) C:\Windows\system32\drivers\circlass.sys
10:40:57.0268 7680 circlass - ok
10:40:57.0303 7680 CLFS (319e4e9a68303f60cbc813ef19f3cf84) C:\Windows\system32\CLFS.sys
10:40:57.0323 7680 CLFS - ok
10:40:57.0410 7680 cmdide (e5d5499a1c50a54b5161296b6afe6192) C:\Windows\system32\drivers\cmdide.sys
10:40:57.0420 7680 cmdide - ok
10:40:57.0440 7680 Compbatt (7fb8ad01db0eabe60c8a861531a8f431) C:\Windows\system32\drivers\compbatt.sys
10:40:57.0450 7680 Compbatt - ok
10:40:57.0471 7680 crcdisk (a8585b6412253803ce8efcbd6d6dc15c) C:\Windows\system32\drivers\crcdisk.sys
10:40:57.0481 7680 crcdisk - ok
10:40:57.0555 7680 DfsC (3725c43c9e90731eca651d506cc599a3) C:\Windows\system32\Drivers\dfsc.sys
10:40:57.0592 7680 DfsC - ok
10:40:57.0669 7680 disk (2dc415fc05fb8a079f896cbbacb19324) C:\Windows\system32\drivers\disk.sys
10:40:57.0679 7680 disk - ok
10:40:57.0723 7680 drmkaud (f1a78a98cfc2ee02144c6bec945447e6) C:\Windows\system32\drivers\drmkaud.sys
10:40:57.0759 7680 drmkaud - ok
10:40:57.0865 7680 dump_wmimmc - ok
10:40:57.0903 7680 DXGKrnl (412964040ce920ff83aff6b5b551bf99) C:\Windows\System32\drivers\dxgkrnl.sys
10:40:58.0008 7680 DXGKrnl - ok
10:40:58.0047 7680 E1G60 (264cee7b031a9d6c827f3d0cb031f2fe) C:\Windows\system32\DRIVERS\E1G6032E.sys
10:40:58.0088 7680 E1G60 - ok
10:40:58.0114 7680 Ecache (7343d950a34a95dcb7441642e3e6beef) C:\Windows\system32\drivers\ecache.sys
10:40:58.0126 7680 Ecache - ok
10:40:58.0187 7680 eeCtrl (8ecb5d35f400706016931bd25ae1b554) C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
10:40:58.0206 7680 eeCtrl - ok
10:40:58.0245 7680 elxstor (c4636d6e10469404ab5308d9fd45ed07) C:\Windows\system32\drivers\elxstor.sys
10:40:58.0266 7680 elxstor - ok
10:40:58.0325 7680 EraserUtilRebootDrv (8adb1fab20d285088ceb1215f5d22080) C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
10:40:58.0335 7680 EraserUtilRebootDrv - ok
10:40:58.0354 7680 ErrDev (bc3a58e938bb277e46bf4b3003b01abd) C:\Windows\system32\drivers\errdev.sys
10:40:58.0384 7680 ErrDev - ok
10:40:58.0426 7680 exfat (2a546b9a84658b0554b1ec35cd9adaf5) C:\Windows\system32\drivers\exfat.sys
10:40:58.0470 7680 exfat - ok
10:40:58.0492 7680 fastfat (fe731d345ed9eeabbc72a59b35941834) C:\Windows\system32\drivers\fastfat.sys
10:40:58.0533 7680 fastfat - ok
10:40:58.0558 7680 fdc (81b79b6df71fa1d2c6d688d830616e39) C:\Windows\system32\DRIVERS\fdc.sys
10:40:58.0600 7680 fdc - ok
10:40:58.0626 7680 FileInfo (457b7d1d533e4bd62a99aed9c7bb4c59) C:\Windows\system32\drivers\fileinfo.sys
10:40:58.0637 7680 FileInfo - ok
10:40:58.0664 7680 Filetrace (d421327fd6efccaf884a54c58e1b0d7f) C:\Windows\system32\drivers\filetrace.sys
10:40:58.0721 7680 Filetrace - ok
10:40:58.0741 7680 flpydisk (230923ea2b80f79b0f88d90f87b87ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
10:40:58.0779 7680 flpydisk - ok
10:40:58.0791 7680 FltMgr (7dacf1a3a4219575070c6dc7c957428a) C:\Windows\system32\drivers\fltmgr.sys
10:40:58.0806 7680 FltMgr - ok
10:40:58.0832 7680 Fs_Rec (29d99e860a1ca0a03c6a733fdd0da703) C:\Windows\system32\drivers\Fs_Rec.sys
10:40:58.0873 7680 Fs_Rec - ok
10:40:58.0903 7680 gagp30kx (c8e416668d3dc2be3d4fe4c79224997f) C:\Windows\system32\drivers\gagp30kx.sys
10:40:58.0913 7680 gagp30kx - ok
10:40:58.0967 7680 HDAudBus (0c0d0f8a3ff09ecc81963d09ec6a0a84) C:\Windows\system32\DRIVERS\HDAudBus.sys
10:40:59.0014 7680 HDAudBus - ok
10:40:59.0043 7680 HidBth (b4881c84a180e75b8c25dc1d726c375f) C:\Windows\system32\drivers\hidbth.sys
10:40:59.0114 7680 HidBth - ok
10:40:59.0133 7680 HidIr (4e77a77e2c986e8f88f996bb3e1ad829) C:\Windows\system32\drivers\hidir.sys
10:40:59.0205 7680 HidIr - ok
10:40:59.0232 7680 HidUsb (128e2da8483fdd4dd0c7b3f9abd6f323) C:\Windows\system32\DRIVERS\hidusb.sys
10:40:59.0277 7680 HidUsb - ok
10:40:59.0323 7680 HpCISSs (d7109a1e6bd2dfdbcba72a6bc626a13b) C:\Windows\system32\drivers\hpcisss.sys
10:40:59.0333 7680 HpCISSs - ok
10:40:59.0407 7680 HTTP (e690736da6c543f5d99c8fa27bea31db) C:\Windows\system32\drivers\HTTP.sys
10:40:59.0486 7680 HTTP - ok
10:40:59.0534 7680 i2omp (da94c854cea5fac549d4e1f6e88349e8) C:\Windows\system32\drivers\i2omp.sys
10:40:59.0545 7680 i2omp - ok
10:40:59.0597 7680 i8042prt (cbb597659a2713ce0c9cc20c88c7591f) C:\Windows\system32\DRIVERS\i8042prt.sys
10:40:59.0641 7680 i8042prt - ok
10:40:59.0684 7680 iaStor (8eacf469269fb1509561961a3188f670) C:\Windows\system32\drivers\iastor.sys
10:40:59.0701 7680 iaStor - ok
10:40:59.0739 7680 iaStorV (3e3bf3627d886736d0b4e90054f929f6) C:\Windows\system32\drivers\iastorv.sys
10:40:59.0766 7680 iaStorV - ok
10:40:59.0858 7680 IDSVia64 (864604171706345a547918efac681280) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20090916.003\IDSvia64.sys
10:40:59.0874 7680 IDSVia64 - ok
10:41:00.0102 7680 igfx (a124c87cd0b39c9e510e138534468383) C:\Windows\system32\DRIVERS\igdkmd64.sys
10:41:00.0605 7680 igfx - ok
10:41:00.0942 7680 iirsp (8c3951ad2fe886ef76c7b5027c3125d3) C:\Windows\system32\drivers\iirsp.sys
10:41:00.0951 7680 iirsp - ok
10:41:01.0234 7680 IntcAzAudAddService (1edab7f9b9de4424beccdef950ce2ff0) C:\Windows\system32\drivers\RTKVHD64.sys
10:41:01.0288 7680 IntcAzAudAddService - ok
10:41:01.0364 7680 intelide (df797a12176f11b2d301c5b234bb200e) C:\Windows\system32\drivers\intelide.sys
10:41:01.0373 7680 intelide - ok
10:41:01.0403 7680 intelppm (bfd84af32fa1bad6231c4585cb469630) C:\Windows\system32\DRIVERS\intelppm.sys
10:41:01.0434 7680 intelppm - ok
10:41:01.0490 7680 IpFilterDriver (99b821f5bebd6a3cc3fe564f802ae0fd) C:\Windows\system32\DRIVERS\ipfltdrv.sys
10:41:01.0533 7680 IpFilterDriver - ok
10:41:01.0542 7680 IpInIp - ok
10:41:01.0570 7680 IPMIDRV (9c2ee2e6e5a7203bfae15c299475ec67) C:\Windows\system32\drivers\ipmidrv.sys
10:41:01.0654 7680 IPMIDRV - ok
10:41:01.0700 7680 IPNAT (b7e6212f581ea5f6ab0c3a6ceeeb89be) C:\Windows\system32\DRIVERS\ipnat.sys
10:41:01.0745 7680 IPNAT - ok
10:41:01.0787 7680 IRENUM (8c42ca155343a2f11d29feca67faa88d) C:\Windows\system32\drivers\irenum.sys
10:41:01.0829 7680 IRENUM - ok
10:41:01.0891 7680 isapnp (0672bfcedc6fc468a2b0500d81437f4f) C:\Windows\system32\drivers\isapnp.sys
10:41:01.0901 7680 isapnp - ok
10:41:01.0962 7680 iScsiPrt (49e4ccbf74783fce5d2cc1ff6480e1f4) C:\Windows\system32\DRIVERS\msiscsi.sys
10:41:01.0975 7680 iScsiPrt - ok
10:41:02.0009 7680 iteatapi (63c766cdc609ff8206cb447a65abba4a) C:\Windows\system32\drivers\iteatapi.sys
10:41:02.0018 7680 iteatapi - ok
10:41:02.0103 7680 iteraid (1281fe73b17664631d12f643cbea3f59) C:\Windows\system32\drivers\iteraid.sys
10:41:02.0112 7680 iteraid - ok
10:41:02.0147 7680 kbdclass (423696f3ba6472dd17699209b933bc26) C:\Windows\system32\DRIVERS\kbdclass.sys
10:41:02.0157 7680 kbdclass - ok
10:41:02.0208 7680 kbdhid (bf8783a5066cfecf45095459e8010fa7) C:\Windows\system32\DRIVERS\kbdhid.sys
10:41:02.0247 7680 kbdhid - ok
10:41:02.0318 7680 KSecDD (ccdcce6224e1e207e953af826b98a9d9) C:\Windows\system32\Drivers\ksecdd.sys
10:41:02.0352 7680 KSecDD - ok
10:41:02.0361 7680 ksthunk (1d419cf43db29396ecd7113d129d94eb) C:\Windows\system32\drivers\ksthunk.sys
10:41:02.0424 7680 ksthunk - ok
10:41:02.0531 7680 lltdio (96ece2659b6654c10a0c310ae3a6d02c) C:\Windows\system32\DRIVERS\lltdio.sys
10:41:02.0576 7680 lltdio - ok
10:41:02.0651 7680 LSI_FC (acbe1af32d3123e330a07bfbc5ec4a9b) C:\Windows\system32\drivers\lsi_fc.sys
10:41:02.0671 7680 LSI_FC - ok
10:41:02.0696 7680 LSI_SAS (799ffb2fc4729fa46d2157c0065b3525) C:\Windows\system32\drivers\lsi_sas.sys
10:41:02.0709 7680 LSI_SAS - ok
10:41:02.0731 7680 LSI_SCSI (f445ff1daad8a226366bfaf42551226b) C:\Windows\system32\drivers\lsi_scsi.sys
10:41:02.0742 7680 LSI_SCSI - ok
10:41:02.0775 7680 luafv (52f87b9cc8932c2a7375c3b2a9be5e3e) C:\Windows\system32\drivers\luafv.sys
10:41:02.0821 7680 luafv - ok
10:41:02.0866 7680 megasas (5c5cd6aaced32fb26c3fb34b3dcf972f) C:\Windows\system32\drivers\megasas.sys
10:41:02.0876 7680 megasas - ok
10:41:02.0907 7680 MegaSR (859bc2436b076c77c159ed694acfe8f8) C:\Windows\system32\drivers\megasr.sys
10:41:02.0927 7680 MegaSR - ok
10:41:02.0959 7680 Modem (59848d5cc74606f0ee7557983bb73c2e) C:\Windows\system32\drivers\modem.sys
10:41:03.0001 7680 Modem - ok
10:41:03.0023 7680 monitor (c247cc2a57e0a0c8c6dccf7807b3e9e5) C:\Windows\system32\DRIVERS\monitor.sys
10:41:03.0061 7680 monitor - ok
10:41:03.0079 7680 mouclass (9367304e5e412b120cf5f4ea14e4e4f1) C:\Windows\system32\DRIVERS\mouclass.sys
10:41:03.0089 7680 mouclass - ok
10:41:03.0114 7680 mouhid (c2c2bd5c5ce5aaf786ddd74b75d2ac69) C:\Windows\system32\DRIVERS\mouhid.sys
10:41:03.0144 7680 mouhid - ok
10:41:03.0183 7680 MountMgr (11bc9b1e8801b01f7f6adb9ead30019b) C:\Windows\system32\drivers\mountmgr.sys
10:41:03.0196 7680 MountMgr - ok
10:41:03.0249 7680 mpio (f8276eb8698142884498a528dfea8478) C:\Windows\system32\drivers\mpio.sys
10:41:03.0268 7680 mpio - ok
10:41:03.0289 7680 mpsdrv (c92b9abdb65a5991e00c28f13491dba2) C:\Windows\system32\drivers\mpsdrv.sys
10:41:03.0319 7680 mpsdrv - ok
10:41:03.0341 7680 Mraid35x (3c200630a89ef2c0864d515b7a75802e) C:\Windows\system32\drivers\mraid35x.sys
10:41:03.0351 7680 Mraid35x - ok
10:41:03.0361 7680 MRxDAV (fe2706c15f8345c342820e4e4583fea0) C:\Windows\system32\drivers\mrxdav.sys
10:41:03.0419 7680 MRxDAV - ok
10:41:03.0482 7680 mrxsmb (b698eb9acc7ecd4927d99d268918f912) C:\Windows\system32\DRIVERS\mrxsmb.sys
10:41:03.0517 7680 mrxsmb - ok
10:41:03.0582 7680 mrxsmb10 (9a797e27fd28500ee13d43000c931435) C:\Windows\system32\DRIVERS\mrxsmb10.sys
10:41:03.0605 7680 mrxsmb10 - ok
10:41:03.0625 7680 mrxsmb20 (f9425d610712533107a264e2d5b2154b) C:\Windows\system32\DRIVERS\mrxsmb20.sys
10:41:03.0652 7680 mrxsmb20 - ok
10:41:03.0675 7680 msahci (1ac860612b85d8e85ee257d372e39f4d) C:\Windows\system32\drivers\msahci.sys
10:41:03.0685 7680 msahci - ok
10:41:03.0706 7680 msdsm (264bbb4aaf312a485f0e44b65a6b7202) C:\Windows\system32\drivers\msdsm.sys
10:41:03.0717 7680 msdsm - ok
10:41:03.0747 7680 Msfs (704f59bfc4512d2bb0146aec31b10a7c) C:\Windows\system32\drivers\Msfs.sys
10:41:03.0786 7680 Msfs - ok
10:41:03.0809 7680 msisadrv (00ebc952961664780d43dca157e79b27) C:\Windows\system32\drivers\msisadrv.sys
10:41:03.0818 7680 msisadrv - ok
10:41:03.0854 7680 MSKSSRV (0ea73e498f53b96d83dbfca074ad4cf8) C:\Windows\system32\drivers\MSKSSRV.sys
10:41:03.0892 7680 MSKSSRV - ok
10:41:03.0918 7680 MSPCLOCK (52e59b7e992a58e740aa63f57edbae8b) C:\Windows\system32\drivers\MSPCLOCK.sys
10:41:03.0959 7680 MSPCLOCK - ok
10:41:03.0976 7680 MSPQM (49084a75bae043ae02d5b44d02991bb2) C:\Windows\system32\drivers\MSPQM.sys
10:41:04.0013 7680 MSPQM - ok
10:41:04.0039 7680 MsRPC (b8e32e6103fbba9fbb1d0c11ff0d13b5) C:\Windows\system32\drivers\MsRPC.sys
10:41:04.0054 7680 MsRPC - ok
10:41:04.0077 7680 mssmbios (855796e59df77ea93af46f20155bf55b) C:\Windows\system32\DRIVERS\mssmbios.sys
10:41:04.0089 7680 mssmbios - ok
10:41:04.0113 7680 MSTEE (86d632d75d05d5b7c7c043fa3564ae86) C:\Windows\system32\drivers\MSTEE.sys
10:41:04.0162 7680 MSTEE - ok
10:41:04.0172 7680 Mup (ddf133501f68d6988a0f55dfa88637b4) C:\Windows\system32\Drivers\mup.sys
10:41:04.0182 7680 Mup - ok
10:41:04.0225 7680 NativeWifiP (73b99c98fa3a2ed1566e02d6fe1913a5) C:\Windows\system32\DRIVERS\nwifi.sys
10:41:04.0262 7680 NativeWifiP - ok
10:41:04.0308 7680 NAVENG - ok
10:41:04.0324 7680 NAVEX15 - ok
10:41:04.0354 7680 NDIS (2a2ee457af36c5c9a6808c768bd3a12b) C:\Windows\system32\drivers\ndis.sys
10:41:04.0389 7680 NDIS - ok
10:41:04.0435 7680 NdisTapi (64df698a425478e321981431ac171334) C:\Windows\system32\DRIVERS\ndistapi.sys
10:41:04.0468 7680 NdisTapi - ok
10:41:04.0487 7680 Ndisuio (8baa43196d7b5bb972c9a6b2bbf61a19) C:\Windows\system32\DRIVERS\ndisuio.sys
10:41:04.0528 7680 Ndisuio - ok
10:41:04.0545 7680 NdisWan (52e3e8e35101399be9b2938c992aa087) C:\Windows\system32\DRIVERS\ndiswan.sys
10:41:04.0585 7680 NdisWan - ok
10:41:04.0603 7680 NDProxy (9cb77ed7cb72850253e973a2d6afdf49) C:\Windows\system32\drivers\NDProxy.sys
10:41:04.0637 7680 NDProxy - ok
10:41:04.0661 7680 NetBIOS (a499294f5029a7862adc115bda7371ce) C:\Windows\system32\DRIVERS\netbios.sys
10:41:04.0701 7680 NetBIOS - ok
10:41:04.0723 7680 netbt (7a29ca243a629230799754162d80120f) C:\Windows\system32\DRIVERS\netbt.sys
10:41:04.0757 7680 netbt - ok
10:41:04.0792 7680 nfrd960 (4ac08bd6af2df42e0c3196d826c8aea7) C:\Windows\system32\drivers\nfrd960.sys
10:41:04.0801 7680 nfrd960 - ok
10:41:04.0817 7680 Npfs (b06154e2a2c91e9be5599fca53bc4cd0) C:\Windows\system32\drivers\Npfs.sys
10:41:04.0878 7680 Npfs - ok
10:41:04.0887 7680 NPPTNT2 - ok
10:41:04.0914 7680 nsiproxy (1523af19ee8b030ba682f7a53537eaeb) C:\Windows\system32\drivers\nsiproxy.sys
10:41:04.0956 7680 nsiproxy - ok
10:41:05.0001 7680 Ntfs (fe86ba5ac3b50e2ca911e9c60c07b638) C:\Windows\system32\drivers\Ntfs.sys
10:41:05.0054 7680 Ntfs - ok
10:41:05.0063 7680 Null (dd5d684975352b85b52e3fd5347c20cb) C:\Windows\system32\drivers\Null.sys
10:41:05.0131 7680 Null - ok
10:41:05.0153 7680 nvraid (2c040b7ada5b06f6facadac8514aa034) C:\Windows\system32\drivers\nvraid.sys
10:41:05.0164 7680 nvraid - ok
10:41:05.0186 7680 nvstor (f7ea0fe82842d05eda3efdd376dbfdba) C:\Windows\system32\drivers\nvstor.sys
10:41:05.0196 7680 nvstor - ok
10:41:05.0215 7680 nv_agp (19067ca93075ef4823e3938a686f532f) C:\Windows\system32\drivers\nv_agp.sys
10:41:05.0226 7680 nv_agp - ok
10:41:05.0236 7680 NwlnkFlt - ok
10:41:05.0246 7680 NwlnkFwd - ok
10:41:05.0285 7680 ohci1394 (1b30103fde512915a9214b108b6e7a9c) C:\Windows\system32\DRIVERS\ohci1394.sys
10:41:05.0325 7680 ohci1394 - ok
10:41:05.0369 7680 Parport (aecd57f94c887f58919f307c35498ea0) C:\Windows\system32\drivers\parport.sys
10:41:05.0432 7680 Parport - ok
10:41:05.0451 7680 partmgr (5ab40c36894f4c06bdab0c9a2fba282d) C:\Windows\system32\drivers\partmgr.sys
10:41:05.0461 7680 partmgr - ok
10:41:05.0475 7680 pci (2a5b2a51559066ea84742909b5b2cd69) C:\Windows\system32\drivers\pci.sys
10:41:05.0487 7680 pci - ok
10:41:05.0506 7680 pciide (8d618c829034479985a9ed56106cc732) C:\Windows\system32\drivers\pciide.sys
10:41:05.0514 7680 pciide - ok
10:41:05.0532 7680 pcmcia (037661f3d7c507c9993b7010ceee6288) C:\Windows\system32\drivers\pcmcia.sys
10:41:05.0544 7680 pcmcia - ok
10:41:05.0573 7680 PEAUTH (58865916f53592a61549b04941bfd80d) C:\Windows\system32\drivers\peauth.sys
10:41:05.0689 7680 PEAUTH - ok
10:41:05.0759 7680 PptpMiniport (f5739f2c6db2534c384ad5150808e8f5) C:\Windows\system32\DRIVERS\raspptp.sys
10:41:05.0796 7680 PptpMiniport - ok
10:41:05.0814 7680 Processor (5080e59ecee0bc923f14018803aa7a01) C:\Windows\system32\drivers\processr.sys
10:41:05.0846 7680 Processor - ok
10:41:05.0888 7680 PSched (0e0e205a296095fe4c631e6a4775ad6c) C:\Windows\system32\DRIVERS\pacer.sys
10:41:05.0916 7680 PSched - ok
10:41:05.0958 7680 ql2300 (0b83f4e681062f3839be2ec1d98fd94a) C:\Windows\system32\drivers\ql2300.sys
10:41:06.0009 7680 ql2300 - ok
10:41:06.0066 7680 ql40xx (e1c80f8d4d1e39ef9595809c1369bf2a) C:\Windows\system32\drivers\ql40xx.sys
10:41:06.0077 7680 ql40xx - ok
10:41:06.0103 7680 QWAVEdrv (e8d76edab77ec9c634c27b8eac33adc5) C:\Windows\system32\drivers\qwavedrv.sys
10:41:06.0117 7680 QWAVEdrv - ok
10:41:06.0132 7680 RasAcd (1013b3b663a56d3ddd784f581c1bd005) C:\Windows\system32\DRIVERS\rasacd.sys
10:41:06.0170 7680 RasAcd - ok
10:41:06.0200 7680 Rasl2tp (3b9085f91ef00abd15a6f36570e90e12) C:\Windows\system32\DRIVERS\rasl2tp.sys
10:41:06.0242 7680 Rasl2tp - ok
10:41:06.0267 7680 RasPppoe (2ce1703c27196094fb6e4c6e439f2c21) C:\Windows\system32\DRIVERS\raspppoe.sys
10:41:06.0306 7680 RasPppoe - ok
10:41:06.0324 7680 RasSstp (fcd04fa67e8b40fa0ad361dd38593942) C:\Windows\system32\DRIVERS\rassstp.sys
10:41:06.0359 7680 RasSstp - ok
10:41:06.0389 7680 rdbss (33fa5b6136d92ee0f53f021c79091300) C:\Windows\system32\DRIVERS\rdbss.sys
10:41:06.0466 7680 rdbss - ok
10:41:06.0474 7680 RDPCDD (603900cc05f6be65ccbf373800af3716) C:\Windows\system32\DRIVERS\RDPCDD.sys
10:41:06.0513 7680 RDPCDD - ok
10:41:06.0564 7680 rdpdr (c045d1fb111c28df0d1be8d4bda22c06) C:\Windows\system32\drivers\rdpdr.sys
10:41:06.0626 7680 rdpdr - ok
10:41:06.0635 7680 RDPENCDD (cab9421daf3d97b33d0d055858e2c3ab) C:\Windows\system32\drivers\rdpencdd.sys
10:41:06.0668 7680 RDPENCDD - ok
10:41:06.0697 7680 RDPWD (7747082f672aa2846235c9cea42e2e72) C:\Windows\system32\drivers\RDPWD.sys
10:41:06.0739 7680 RDPWD - ok
10:41:06.0786 7680 rspndr (22a9cb08b1a6707c1550c6bf099aae73) C:\Windows\system32\DRIVERS\rspndr.sys
10:41:06.0818 7680 rspndr - ok
10:41:06.0863 7680 RTL8169 (d53c84ec99ab4d78a90001e5ce5386ec) C:\Windows\system32\DRIVERS\Rtlh64.sys
10:41:06.0925 7680 RTL8169 - ok
10:41:07.0000 7680 sbp2port (cd9c693589c60ad59bbbcfb0e524e01b) C:\Windows\system32\drivers\sbp2port.sys
10:41:07.0010 7680 sbp2port - ok
10:41:07.0060 7680 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
10:41:07.0106 7680 secdrv - ok
10:41:07.0135 7680 Serenum (f71bfe7ac6c52273b7c82cbf1bb2a222) C:\Windows\system32\drivers\serenum.sys
10:41:07.0193 7680 Serenum - ok
10:41:07.0227 7680 Serial (e62fac91ee288db29a9696a9d279929c) C:\Windows\system32\drivers\serial.sys
10:41:07.0299 7680 Serial - ok
10:41:07.0319 7680 sermouse (a842f04833684bceea7336211be478df) C:\Windows\system32\drivers\sermouse.sys
10:41:07.0357 7680 sermouse - ok
10:41:07.0386 7680 sffdisk (14d4b4465193a87c127933978e8c4106) C:\Windows\system32\drivers\sffdisk.sys
10:41:07.0426 7680 sffdisk - ok
10:41:07.0443 7680 sffp_mmc (7073aee3f82f3d598e3825962aa98ab2) C:\Windows\system32\drivers\sffp_mmc.sys
10:41:07.0473 7680 sffp_mmc - ok
10:41:07.0488 7680 sffp_sd (35e59ebe4a01a0532ed67975161c7b82) C:\Windows\system32\drivers\sffp_sd.sys
10:41:07.0532 7680 sffp_sd - ok
10:41:07.0548 7680 sfloppy (6b7838c94135768bd455cbdc23e39e5f) C:\Windows\system32\drivers\sfloppy.sys
10:41:07.0601 7680 sfloppy - ok
10:41:07.0626 7680 SiSRaid2 (7a5de502aeb719d4594c6471060a78b3) C:\Windows\system32\drivers\sisraid2.sys
10:41:07.0636 7680 SiSRaid2 - ok
10:41:07.0662 7680 SiSRaid4 (3a2f769fab9582bc720e11ea1dfb184d) C:\Windows\system32\drivers\sisraid4.sys
10:41:07.0672 7680 SiSRaid4 - ok
10:41:07.0710 7680 Smb (41eb2e8e005feedcafce301983eff932) C:\Windows\system32\DRIVERS\smb.sys
10:41:07.0749 7680 Smb - ok
10:41:07.0781 7680 spldr (f9cb0672162f7f04248e2b82c1ff4617) C:\Windows\system32\drivers\spldr.sys
10:41:07.0790 7680 spldr - ok
10:41:07.0863 7680 SRTSP (9e399476e5d5e0d3c8822c857a7e9a9a) C:\Windows\System32\Drivers\NISx64\1008030.006\SRTSP64.SYS
10:41:07.0882 7680 SRTSP - ok
10:41:07.0919 7680 SRTSPX (3d7717b582f0365e75071556936e5a6b) C:\Windows\system32\drivers\NISx64\1008030.006\SRTSPX64.SYS
10:41:07.0926 7680 SRTSPX - ok
10:41:07.0988 7680 srv (a8abd7d0d907b45cf3831f4dd8644349) C:\Windows\system32\DRIVERS\srv.sys
10:41:08.0063 7680 srv - ok
10:41:08.0116 7680 srv2 (6c72eea39e1c37b436a6d1532999f9ec) C:\Windows\system32\DRIVERS\srv2.sys
10:41:08.0154 7680 srv2 - ok
10:41:08.0216 7680 srvnet (7f69bcf9e6fa3d93c82ee6b87812666d) C:\Windows\system32\DRIVERS\srvnet.sys
10:41:08.0240 7680 srvnet - ok
10:41:08.0264 7680 swenum (8a851ca908b8b974f89c50d2e18d4f0c) C:\Windows\system32\DRIVERS\swenum.sys
10:41:08.0273 7680 swenum - ok
10:41:08.0294 7680 Symc8xx (2f26a2c6fc96b29beff5d8ed74e6625b) C:\Windows\system32\drivers\symc8xx.sys
10:41:08.0304 7680 Symc8xx - ok
10:41:08.0312 7680 SYMDNS - ok
10:41:08.0341 7680 SymEFA (4f87bb5389a93778ebc363b28271a65b) C:\Windows\system32\drivers\NISx64\1008030.006\SYMEFA64.SYS
10:41:08.0362 7680 SymEFA - ok
10:41:08.0418 7680 SymEvent (7e4d281982e19abd06728c7ee9ac40a8) C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
10:41:08.0428 7680 SymEvent - ok
10:41:08.0485 7680 SYMFW - ok
10:41:08.0546 7680 SymIM (212bbf5a964513980d5de9397381534f) C:\Windows\system32\DRIVERS\SymIMv.sys
10:41:08.0554 7680 SymIM - ok
10:41:08.0563 7680 SYMNDISV - ok
10:41:08.0573 7680 SYMREDRV - ok
10:41:08.0613 7680 SYMTDI (33b37cb0a74f1f4b78a665ece9184095) C:\Windows\System32\Drivers\NISx64\1008030.006\SYMTDI.SYS
10:41:08.0626 7680 SYMTDI - ok
10:41:08.0649 7680 Sym_hi (a909667976d3bccd1df813fed517d837) C:\Windows\system32\drivers\sym_hi.sys
10:41:08.0659 7680 Sym_hi - ok
10:41:08.0680 7680 Sym_u3 (36887b56ec2d98b9c362f6ae4de5b7b0) C:\Windows\system32\drivers\sym_u3.sys
10:41:08.0689 7680 Sym_u3 - ok
10:41:08.0696 7680 szkg5 - ok
10:41:08.0777 7680 Tcpip (7d86275fb640011b372fd566c0eafa8d) C:\Windows\system32\drivers\tcpip.sys
10:41:08.0830 7680 Tcpip - ok
10:41:08.0890 7680 Tcpip6 (7d86275fb640011b372fd566c0eafa8d) C:\Windows\system32\DRIVERS\tcpip.sys
10:41:08.0940 7680 Tcpip6 - ok
10:41:08.0999 7680 tcpipreg (c29d4b3b08ad0b7e8564814e4ff6a57b) C:\Windows\system32\drivers\tcpipreg.sys
10:41:09.0029 7680 tcpipreg - ok
10:41:09.0045 7680 TDPIPE (1d8bf4aaa5fb7a2761475781dc1195bc) C:\Windows\system32\drivers\tdpipe.sys
10:41:09.0089 7680 TDPIPE - ok
10:41:09.0109 7680 TDTCP (7f7e00cdf609df657f4cda02dd1c9bb1) C:\Windows\system32\drivers\tdtcp.sys
10:41:09.0154 7680 TDTCP - ok
10:41:09.0173 7680 tdx (8c39c72e0e853de04748c0337d9b9216) C:\Windows\system32\DRIVERS\tdx.sys
10:41:09.0218 7680 tdx - ok
10:41:09.0233 7680 TermDD (3f0ebf6ee609f2a276c0d5faf244ec90) C:\Windows\system32\DRIVERS\termdd.sys
10:41:09.0243 7680 TermDD - ok
10:41:09.0279 7680 tssecsrv (9e5409cd17c8bef193aad498f3bc2cb8) C:\Windows\system32\DRIVERS\tssecsrv.sys
10:41:09.0321 7680 tssecsrv - ok
10:41:09.0347 7680 tunmp (89ec74a9e602d16a75a4170511029b3c) C:\Windows\system32\DRIVERS\tunmp.sys
10:41:09.0377 7680 tunmp - ok
10:41:09.0434 7680 tunnel (2dc2c423572946e9a3131425bda73cb6) C:\Windows\system32\DRIVERS\tunnel.sys
10:41:09.0467 7680 tunnel - ok
10:41:12.0258 7680 ============================================================
10:41:12.0258 7680 Scan finished
10:41:12.0258 7680 ============================================================
10:41:12.0277 2160 Detected object count: 0
10:41:12.0277 2160 Actual detected object count: 0
10:41:35.0755 7320 ============================================================
10:41:35.0755 7320 Scan started
10:41:35.0755 7320 Mode: Manual; SigCheck; TDLFS;
10:41:35.0755 7320 ============================================================
10:41:49.0295 7320 ============================================================
10:41:49.0295 7320 Scan finished
10:41:49.0295 7320 ============================================================
10:41:49.0304 6964 Detected object count: 0
10:41:49.0304 6964 Actual detected object count: 0


Farbar Service Scanner Version: 14-02-2012
Ran by A (administrator) on 18-02-2012 at 10:45:05
Running from "C:\Users\A\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HUBV4JKP"
Microsoft® Windows Vista™ Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking LEGACY_MpsSvc: Attention! Unable to open LEGACY_MpsSvc\0000 registry key. The key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.
Checking LEGACY_bfe: Attention! Unable to open LEGACY_bfe\0000 registry key. The key does not exist.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============

File Check:
========
C:\Windows\System32\nsisvc.dll
[2008-01-20 20:49] - [2008-01-20 20:49] - 0024576 ____A (Microsoft Corporation) ACB62BAA1C319B17752553DF3026EEEB

C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcsvc.dll
[2008-01-20 20:50] - [2008-01-20 20:50] - 0268288 ____A (Microsoft Corporation) FDAA0EDFCFB70CD529589AD654651B40

C:\Windows\System32\drivers\afd.sys
[2011-06-15 16:58] - [2011-04-21 07:42] - 0407552 ____A (Microsoft Corporation) 9BB97042FA331A0FB4BDD98B9280A50A

C:\Windows\System32\drivers\tdx.sys
[2008-01-20 20:49] - [2008-01-20 20:49] - 0094208 ____A (Microsoft Corporation) 8C39C72E0E853DE04748C0337D9B9216

C:\Windows\System32\Drivers\tcpip.sys
[2010-08-12 07:21] - [2010-06-16 10:40] - 1420176 ____A (Microsoft Corporation) 7D86275FB640011B372FD566C0EAFA8D

C:\Windows\System32\dnsrslvr.dll
[2011-04-15 10:10] - [2011-03-02 09:10] - 0117760 ____A (Microsoft Corporation) DAF05293C1264E251D3A25E7E24B2DDF

C:\Windows\System32\mpssvc.dll
[2008-01-20 20:49] - [2008-01-20 20:49] - 0601088 ____A (Microsoft Corporation) 8A670648C755867A3AA38DA50BA569AA

C:\Windows\System32\bfe.dll
[2008-01-20 20:50] - [2008-01-20 20:50] - 0458240 ____A (Microsoft Corporation) BC4737AAFFA5964E4F8827C9B8C0EB8E

C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll
[2008-01-20 20:47] - [2008-01-20 20:47] - 0128000 ____A (Microsoft Corporation) 4FF71B076A7760FE75EA5AE2D0EE0018

C:\Windows\System32\vssvc.exe
[2008-01-20 20:50] - [2008-01-20 20:50] - 1432576 ____A (Microsoft Corporation) 186BD53F8A408AD20F5A056C05678629

C:\Windows\System32\wscsvc.dll
[2008-01-20 20:47] - [2008-01-20 20:47] - 0074752 ____A (Microsoft Corporation) CB8EA6D95949384925CCFCA21CC6DFD8

C:\Windows\System32\wbem\WMIsvc.dll
[2008-01-20 20:50] - [2008-01-20 20:50] - 0221696 ____A (Microsoft Corporation) AC98F38FEAB066A8F983D54FF3F4FD4C

C:\Windows\System32\wuaueng.dll
[2009-10-01 14:41] - [2009-08-06 20:24] - 2424024 ____A (Microsoft Corporation) FB3796754FE00F0BDC87A36F164A5F4D

C:\Windows\System32\qmgr.dll
[2008-01-20 20:50] - [2008-01-20 20:50] - 1082368 ____A (Microsoft Corporation) D896A0D43F8AB81ECB1FC6C24DECFD58

C:\Windows\System32\es.dll
[2009-04-22 04:41] - [2009-04-22 04:41] - 0361984 ____A (Microsoft Corporation) 6B1A97BF9FEFBDC83F3C7C7D0F826C66

C:\Windows\System32\cryptsvc.dll
[2008-01-20 20:49] - [2008-01-20 20:49] - 0165376 ____A (Microsoft Corporation) 4374F784121D8B3BB466B03F5E5EBD33

C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll
[2009-08-17 13:28] - [2009-03-02 22:57] - 0718336 ____A (Microsoft Corporation) 52CDADE8289FF21F1F2215FF51A5F36C



**** End of log ****


OTL logfile created on: 2/18/2012 10:47:58 AM - Run 1
OTL by OldTimer - Version 3.2.32.0 Folder = C:\Users\A\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19088)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

5.99 Gb Total Physical Memory | 1.66 Gb Available Physical Memory | 27.73% Memory free
12.15 Gb Paging File | 8.13 Gb Available in Paging File | 66.88% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 582.50 Gb Total Space | 381.43 Gb Free Space | 65.48% Space Free | Partition Type: NTFS
Drive D: | 13.67 Gb Total Space | 1.88 Gb Free Space | 13.71% Space Free | Partition Type: NTFS

Computer Name: A-PC | User Name: A | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - File not found --
PRC - [2012/02/18 10:47:17 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\A\Desktop\OTL.exe
PRC - [2012/02/02 02:44:30 | 003,329,824 | ---- | M] (Akamai Technologies, Inc) -- C:\Users\A\AppData\Local\Akamai\netsession_win.exe
PRC - [2012/01/10 20:49:05 | 000,307,312 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
PRC - [2011/11/28 15:41:58 | 000,247,968 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11e_ActiveX.exe
PRC - [2011/09/21 18:35:57 | 000,117,648 | R--- | M] (Symantec Corporation) -- C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe
PRC - [2011/03/01 00:09:56 | 000,189,880 | ---- | M] (PPLive Corporation) -- C:\Program Files (x86)\PPLive\PPTV\PPLive.exe
PRC - [2011/03/01 00:09:56 | 000,189,880 | ---- | M] (PPLive Corporation) -- C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.exe
PRC - [2011/02/28 02:44:12 | 005,826,952 | ---- | M] (PPStream Inc.) -- D:\PPS.tv\PPStream\PPStream.exe
PRC - [2010/08/23 20:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) -- C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2010/02/23 21:25:30 | 000,214,408 | ---- | M] (PPStream Inc) -- D:\PPS.tv\PPStream\PPSAP.exe
PRC - [2009/04/10 00:26:02 | 001,328,424 | ---- | M] (CyberLink Corp.) -- C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
PRC - [2009/04/10 00:22:06 | 000,185,640 | ---- | M] (CyberLink) -- C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
PRC - [2009/03/19 11:54:52 | 001,148,200 | ---- | M] (CyberLink Corp.) -- C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
PRC - [2009/01/08 06:36:42 | 002,521,464 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe
PRC - [2008/12/04 12:00:26 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2008/12/04 12:00:20 | 000,186,904 | ---- | M] (Intel Corporation) -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2008/11/20 11:47:28 | 000,062,768 | ---- | M] (Hewlett-Packard) -- C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
PRC - [2008/01/20 20:49:49 | 000,015,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\PING.EXE


========== Modules (No Company Name) ==========

MOD - [2012/02/02 02:01:44 | 000,349,608 | ---- | M] () -- C:\Program Files (x86)\Common Files\PPLiveNetwork\tipsclient.dll
MOD - [2011/11/30 22:27:03 | 000,038,328 | ---- | M] () -- C:\Program Files (x86)\Common Files\PPLiveNetwork\tipsstatistic.dll
MOD - [2011/11/02 01:00:36 | 000,030,056 | ---- | M] () -- C:\Program Files (x86)\Common Files\PPLiveNetwork\tipsdone.dll
MOD - [2011/10/11 02:10:23 | 000,998,400 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\e3180b4230f052996adb81da3dc64ad0\System.Management.ni.dll
MOD - [2011/10/11 02:10:04 | 000,368,128 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\6bebfe5b7776c84cb38efdb2a7c9d447\PresentationFramework.Aero.ni.dll
MOD - [2011/10/11 02:09:54 | 014,327,808 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\415ef2ec8cbd9f3368da6ade10beae26\PresentationFramework.ni.dll
MOD - [2011/10/11 02:09:43 | 000,187,904 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\UIAutomationTypes\8837c17e16a1ebba04a1f625977bc907\UIAutomationTypes.ni.dll
MOD - [2011/10/11 02:09:42 | 012,216,320 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\c1498ba4652483d5adddd4c5d3927170\PresentationCore.ni.dll
MOD - [2011/10/11 02:09:32 | 003,313,664 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\29d729043903b7b4b2ea695db220d866\WindowsBase.ni.dll
MOD - [2011/10/11 02:09:26 | 012,430,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\381fb23cb39e1a61e13b8770eb9800ba\System.Windows.Forms.ni.dll
MOD - [2011/10/11 02:09:14 | 001,587,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\f1aa2385c0109f3059e0e6ba8b58ff68\System.Drawing.ni.dll
MOD - [2011/10/11 02:09:13 | 011,800,576 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\0a1195c6b5fab213527364c9e8b26ef0\System.Web.ni.dll
MOD - [2011/10/11 02:09:08 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\1ba19f8efcff8ad7f972aa38ab9a15f5\System.Runtime.Remoting.ni.dll
MOD - [2011/10/11 02:09:05 | 006,616,576 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\ca69ec9d6589d3526ee38212ef28e2bb\System.Data.ni.dll
MOD - [2011/10/11 02:08:58 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\cfb60f99da570cc494e27e0e8ee747e2\System.Xml.ni.dll
MOD - [2011/10/11 02:08:55 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\aa3e053d433c48e1e8c3f436b4de1ed3\System.Configuration.ni.dll
MOD - [2011/10/11 02:08:52 | 007,950,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9dff86a62a525ec8dc827fe9f50298b7\System.ni.dll
MOD - [2011/10/11 02:08:48 | 011,490,816 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\0309936a8e1672d39b9cf14463ce69f9\mscorlib.ni.dll
MOD - [2011/06/24 09:13:16 | 000,081,920 | ---- | M] () -- C:\Program Files (x86)\usjobsearchtoolbar\vmntemplateX.dll
MOD - [2011/05/11 03:30:10 | 001,402,296 | ---- | M] () -- C:\Program Files (x86)\PPLive\PPTV\components\chctrl.dll
MOD - [2011/05/10 00:52:10 | 000,851,816 | ---- | M] () -- C:\Program Files (x86)\PPLive\PPTV\components\NCList.dll
MOD - [2011/05/09 04:41:22 | 000,704,360 | ---- | M] () -- C:\Program Files (x86)\PPLive\PPTV\PPP.dll
MOD - [2011/05/09 04:41:16 | 000,545,640 | ---- | M] () -- C:\Program Files (x86)\PPLive\PPTV\components\PPFrame.dll
MOD - [2011/05/09 04:41:08 | 000,226,752 | ---- | M] () -- C:\Program Files (x86)\PPLive\PPTV\components\IEBrowser.dll
MOD - [2011/05/09 04:40:48 | 000,941,416 | ---- | M] () -- C:\Program Files (x86)\PPLive\PPTV\admodule.dll
MOD - [2011/05/06 05:06:00 | 000,636,352 | ---- | M] () -- C:\Program Files (x86)\PPLive\PPTV\Plugin\mframe.dll
MOD - [2011/05/04 00:20:38 | 000,083,384 | ---- | M] () -- C:\Program Files (x86)\PPLive\PPTV\components\filepick.dll
MOD - [2011/04/27 06:55:38 | 000,921,448 | ---- | M] () -- C:\Program Files (x86)\Common Files\PPLiveNetwork\MngModule.dll
MOD - [2011/04/27 06:54:30 | 000,546,240 | ---- | M] () -- C:\Program Files (x86)\PPLive\PPTV\components\PPOptions.dll
MOD - [2011/03/23 19:47:18 | 000,234,952 | ---- | M] () -- C:\Program Files (x86)\PPLive\PPTV\components\IEProxy.dll
MOD - [2011/01/22 06:32:22 | 000,079,296 | ---- | M] () -- C:\Program Files (x86)\PPLive\PPTV\components\PPFlvCom.dll
MOD - [2011/01/22 06:32:20 | 000,270,696 | ---- | M] () -- C:\Program Files (x86)\PPLive\PPTV\components\PPChLocalManager.dll
MOD - [2010/09/19 23:07:14 | 000,516,864 | ---- | M] () -- C:\Program Files (x86)\Common Files\PPLiveNetwork\sqlite3.dll
MOD - [2010/09/19 23:06:58 | 000,143,720 | ---- | M] () -- C:\Program Files (x86)\Common Files\PPLiveNetwork\kernel\FWUpnp.dll
MOD - [2009/04/22 04:36:02 | 000,098,304 | ---- | M] () -- C:\Windows\assembly\GAC_MSIL\HP.ActiveSupportLibrary\2.0.0.1__01a974bc1760f423\HP.ActiveSupportLibrary.dll
MOD - [2009/04/10 00:22:04 | 000,906,536 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMediaLibrary.dll
MOD - [2009/04/03 18:23:44 | 000,061,440 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Pillars\PCAlerts\PCAlertsPillar.dll
MOD - [2009/04/03 18:23:42 | 000,131,072 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Pillars\ECenter\ECLibrary.dll
MOD - [2009/04/03 18:23:40 | 000,040,960 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\HP Advisor\MessagingServer.dll
MOD - [2009/04/03 18:23:38 | 000,036,864 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\HP Advisor\MessagingClients.dll
MOD - [2009/04/03 18:23:38 | 000,007,680 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\HP Advisor\RemotingClient.dll
MOD - [2009/04/03 18:23:38 | 000,005,632 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\HP Advisor\MessagingInterface.dll
MOD - [2009/04/03 18:23:36 | 000,028,672 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\HP Advisor\MessagingMessages.dll
MOD - [2009/04/03 18:23:34 | 000,028,672 | ---- | M] () -- C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll
MOD - [2009/01/21 04:47:24 | 000,034,088 | ---- | M] () -- c:\Program Files (x86)\Cyberlink\Shared files\richvideops.dll
MOD - [2008/07/27 12:03:15 | 002,933,248 | ---- | M] () -- C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2008/01/20 20:48:39 | 000,223,232 | ---- | M] () -- \\?\globalroot\systemroot\syswow64\mswsock.dll
MOD - [2008/01/20 20:48:39 | 000,223,232 | ---- | M] () -- \\.\globalroot\systemroot\syswow64\mswsock.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - [2008/08/26 08:02:20 | 000,016,896 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Program Files\LSI SoftModem\agr64svc.exe -- (AgereModemAudio)
SRV:64bit: - [2008/01/20 20:50:24 | 000,006,656 | ---- | M] () [Auto | Running] -- C:\Windows\SysNative\AppnBase.dll -- (s116bus)
SRV - [2012/02/10 13:54:20 | 003,340,064 | ---- | M] () [Auto | Running] -- c:\program files (x86)\common files\akamai/netsession_win_7de0ed9.dll -- (Akamai)
SRV - [2011/09/21 18:35:57 | 000,117,648 | R--- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe -- (Norton Internet Security)
SRV - [2010/08/23 20:21:40 | 000,013,672 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/01/15 06:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2010/01/04 17:34:00 | 003,433,232 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\Windows\SysWow64\GameMon.des -- (npggsvc)
SRV - [2008/12/08 20:51:08 | 000,242,424 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\HP Games\HP Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2008/12/04 12:00:26 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2008/07/27 12:03:13 | 000,069,632 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)


========== Driver Services (SafeList) ==========

DRV:64bit: - [2011/10/10 22:41:56 | 000,561,800 | ---- | M] () [Kernel | System | Running] -- C:\Windows\SysNative\Drivers\NISx64\1008030.006\ccHPx64.sys -- (ccHP)
DRV:64bit: - [2011/09/21 18:35:58 | 000,279,160 | ---- | M] () [Kernel | System | Running] -- C:\Windows\SysNative\Drivers\NISx64\1008030.006\SYMTDI.SYS -- (SYMTDI)
DRV:64bit: - [2009/09/10 21:22:08 | 000,172,592 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\SYMEVENT64x86.SYS -- (SymEvent)
DRV:64bit: - [2009/09/09 06:20:24 | 000,334,384 | ---- | M] () [Kernel | System | Running] -- C:\Windows\SysNative\Drivers\NISx64\1008030.006\BHDrvx64.sys -- (BHDrvx64)
DRV:64bit: - [2009/08/25 18:09:10 | 000,476,720 | ---- | M] () [File_System | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\NISx64\1008030.006\SRTSP64.SYS -- (SRTSP)
DRV:64bit: - [2009/08/25 18:09:10 | 000,402,992 | ---- | M] () [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\NISx64\1008030.006\SYMEFA64.SYS -- (SymEFA)
DRV:64bit: - [2009/08/25 18:09:10 | 000,032,304 | ---- | M] () [Kernel | System | Running] -- C:\Windows\SysNative\drivers\NISx64\1008030.006\SRTSPX64.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV:64bit: - [2009/08/25 18:09:10 | 000,031,280 | R--- | M] () [Kernel | System | Running] -- C:\Windows\SysNative\DRIVERS\SymIMv.sys -- (SymIM)
DRV:64bit: - [2009/02/26 05:46:34 | 010,276,352 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\igdkmd64.sys -- (igfx)
DRV:64bit: - [2009/01/20 10:49:30 | 001,254,400 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\agrsm64.sys -- (AgereSoftModem)
DRV:64bit: - [2009/01/20 08:49:48 | 000,195,584 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\Rtlh64.sys -- (RTL8169)
DRV:64bit: - [2008/12/04 06:48:52 | 000,407,064 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\iastor.sys -- (iaStor)
DRV:64bit: - [2008/01/20 20:47:28 | 000,046,080 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb)
DRV - [2009/09/11 18:49:50 | 000,466,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090916.003\IDSviA64.sys -- (IDSVia64)
DRV - [2009/08/26 02:00:00 | 000,475,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys -- (eeCtrl)
DRV - [2009/08/26 02:00:00 | 000,132,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2005/01/03 09:43:08 | 000,004,682 | ---- | M] (INCA Internet Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\npptNT2.sys -- (NPPTNT2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1163989138-1874164179-1159466216-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
IE - HKU\S-1-5-21-1163989138-1874164179-1159466216-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-1163989138-1874164179-1159466216-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://www.google.com/
IE - HKU\S-1-5-21-1163989138-1874164179-1159466216-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1163989138-1874164179-1159466216-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1163989138-1874164179-1159466216-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Users\A\AppData\Roaming\Move Networks\plugins\071802000001\npqmp071802000001.dll (Move Networks)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Users\A\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Users\A\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\A\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\A\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{7BA52691-1876-45ce-9EE6-54BCB3B04BBC}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\ [2011/10/14 06:04:00 | 000,000,000 | ---D | M]


========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\A\AppData\Local\Google\Chrome\Application\17.0.963.56\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: QuickTime Plug-in 7.6.5 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.5 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.5 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.5 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.5 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.5 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.5 (Enabled) = C:\Program Files (x86)\QuickTime\plugins\npqtplugin7.dll
CHR - plugin: Java Deployment Toolkit 6.0.240.7 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U24 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrl.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\A\AppData\Local\Google\Chrome\Application\17.0.963.56\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\A\AppData\Local\Google\Chrome\Application\17.0.963.56\pdf.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Google Talk Plugin (Enabled) = C:\Users\A\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
CHR - plugin: Google Talk Plugin Video Accelerator (Enabled) = C:\Users\A\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.69\npGoogleUpdate3.dll
CHR - plugin: Pando Web Plugin (Enabled) = C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
CHR - plugin: Move Media Player 7 (Enabled) = C:\Users\A\AppData\Roaming\Move Networks\plugins\071802000001\npqmp071802000001.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Users\A\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.4_0\
CHR - Extension: Google Search = C:\Users\A\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.17_0\
CHR - Extension: Gmail = C:\Users\A\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2011/12/20 08:25:52 | 000,001,398 | RHS- | M]) - C:\Windows\SysNative\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 66.197.194.231 www.google-analytics.com.
O1 - Hosts: 66.197.194.231 ad-emea.doubleclick.net.
O1 - Hosts: 66.197.194.231 www.statcounter.com.
O1 - Hosts: 69.72.252.254 www.google-analytics.com.
O1 - Hosts: 69.72.252.254 ad-emea.doubleclick.net.
O1 - Hosts: 69.72.252.254 www.statcounter.com.
O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O2:64bit: - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg64.dll (Google Inc.)
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\CoIEPlg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\IPSBHO.dll (Symantec Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll (Google Inc.)
O2 - BHO: (Microsoft Live Search Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files (x86)\MSN\Toolbar\3.0.0552.0\msneshellx.dll (Microsoft Corp.)
O2 - BHO: (US Job Search Toolbar) - {f409caa5-db4f-48aa-a238-ca307c481237} - C:\Program Files (x86)\usjobsearchtoolbar\vmntemplateX.dll ()
O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Microsoft Live Search Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files (x86)\MSN\Toolbar\3.0.0552.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\CoIEPlg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (US Job Search Toolbar) - {f409caa5-db4f-48aa-a238-ca307c481237} - C:\Program Files (x86)\usjobsearchtoolbar\vmntemplateX.dll ()
O3:64bit: - HKU\S-1-5-21-1163989138-1874164179-1159466216-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
O3 - HKU\S-1-5-21-1163989138-1874164179-1159466216-1000\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\CoIEPlg.dll (Symantec Corporation)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe ()
O4:64bit: - HKLM..\Run: [HP Remote Software] C:\Program Files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe ()
O4:64bit: - HKLM..\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe ()
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe ()
O4:64bit: - HKLM..\Run: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe (Hewlett-Packard)
O4 - HKLM..\Run: [4StoryPrePatch] C:\Program Files\4Story_US\PrePatch.exe File not found
O4 - HKLM..\Run: [CLMLServer for HP TouchSmart] c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe (CyberLink)
O4 - HKLM..\Run: [DVDAgent] c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe (CyberLink Corp.)
O4 - HKLM..\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe (Hewlett-Packard)
O4 - HKLM..\Run: [hpsysdrv] c:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe (Hewlett-Packard)
O4 - HKLM..\Run: [TSMAgent] c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdateLBPShortCut] c:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdateP2GoShortCut] c:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePDIRShortCut] c:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePSTShortCut] c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\SysWow64\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-1163989138-1874164179-1159466216-1000..\Run: [Akamai NetSession Interface] C:\Users\A\AppData\Local\Akamai\netsession_win.exe (Akamai Technologies, Inc)
O4 - HKU\S-1-5-21-1163989138-1874164179-1159466216-1000..\Run: [PPAP] C:\Program Files (x86)\Common Files\PPLiveNetwork\PPAP.exe (PPLive Corporation)
O4 - HKU\S-1-5-21-1163989138-1874164179-1159466216-1000..\Run: [PPS Accelerator] D:\PPS.tv\PPStream\PPSAP.exe (PPStream Inc)
O4 - Startup: C:\Users\A\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PPS.lnk = D:\PPS.tv\PPStream\PPStream.exe (PPStream Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKU\S-1-5-21-1163989138-1874164179-1159466216-1000\Software\Policies\Microsoft\Internet Explorer\control panel present
O7 - HKU\S-1-5-21-1163989138-1874164179-1159466216-1000\Software\Policies\Microsoft\Internet Explorer\restrictions present
O9 - Extra Button: PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files (x86)\PPLive\PPTV\PPLive.exe (PPLive Corporation)
O9 - Extra 'Tools' menuitem : PPLive - {95B3F550-91C4-4627-BCC4-521288C52977} - C:\Program Files (x86)\PPLive\PPTV\PPLive.exe (PPLive Corporation)
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000001 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000002 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000003 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000004 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000005 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000006 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000007 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000008 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000009 - mmswsock.dll File not found
O10:64bit: - Protocol_Catalog9\Catalog_Entries64\000000000010 - mmswsock.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\System32\winrnr.dll File not found
O1364bit: - gopher Prefix: missing
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-1163989138-1874164179-1159466216-1000\..Trusted Domains: pps.tv ([]http in Trusted sites)
O15 - HKU\S-1-5-21-1163989138-1874164179-1159466216-1000\..Trusted Domains: ppstream.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-1163989138-1874164179-1159466216-1000\..Trusted Domains: webscache.com ([]http in Trusted sites)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} https://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab (HP Product Detection Control)
O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} http://picasaweb.google.com/s/v/62.12/uploader2.cab (UploadListView Class)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.1.66.0.cab (SysInfo Class)
O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab (FamilyFeud Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{23910CEA-C965-46E4-B5BA-3D11043DE351}: DhcpNameServer = 192.168.1.1
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\oledb - No CLSID value found
O18:64bit: - Protocol\Handler\ms-itss - No CLSID value found
O18:64bit: - Protocol\Handler\mso-offdap - No CLSID value found
O18:64bit: - Protocol\Handler\mso-offdap11 - No CLSID value found
O18:64bit: - Protocol\Handler\symres - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\symres {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files (x86)\Norton Internet Security\Engine\16.8.3.6\CoIEPlg.dll (Symantec Corporation)
O18:64bit: - Protocol\Filter\text/xml - No CLSID value found
O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe ()
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (userinit.exe) - C:\Windows\SysWow64\userinit.exe (Microsoft Corporation)
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll ()
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img36.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img36.jpg
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-1163989138-1874164179-1159466216-1000\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2012/02/18 10:47:15 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\A\Desktop\OTL.exe
[2012/02/18 10:40:18 | 002,060,336 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\A\Desktop\tdsskiller.exe
[2012/02/17 20:12:26 | 000,000,000 | ---D | C] -- C:\Users\A\Desktop\gmer
[2012/02/17 20:05:28 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\A\Desktop\dds.scr
[2012/02/08 15:43:10 | 004,733,440 | ---- | C] (AVAST Software) -- C:\Users\A\Desktop\iexplorer.exe
[2011/03/19 09:31:55 | 000,195,632 | ---- | C] (Notation Software, Inc.) -- C:\Program Files\Uninst_Notation Player 2.6.exe
[2010/10/16 15:41:36 | 819,112,408 | ---- | C] (Acresso Software Inc.) -- C:\Program Files\FistsOfFuSetup-10.0.121.exe
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/02/18 10:47:17 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\A\Desktop\OTL.exe
[2012/02/18 10:40:25 | 002,060,336 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\A\Desktop\tdsskiller.exe
[2012/02/18 10:40:00 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1163989138-1874164179-1159466216-1000UA.job
[2012/02/18 10:30:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At22.job
[2012/02/18 10:30:00 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At21.job
[2012/02/18 10:28:54 | 000,000,512 | ---- | M] () -- C:\Users\A\Desktop\MBR.dat
[2012/02/18 09:52:00 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/02/18 09:30:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At20.job
[2012/02/18 09:30:00 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At19.job
[2012/02/18 09:25:20 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/02/18 09:25:20 | 000,003,616 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/02/18 08:30:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At18.job
[2012/02/18 08:30:00 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At17.job
[2012/02/18 07:30:03 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At16.job
[2012/02/18 07:30:03 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At15.job
[2012/02/18 06:40:00 | 000,000,840 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1163989138-1874164179-1159466216-1000Core.job
[2012/02/18 06:30:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At14.job
[2012/02/18 06:30:00 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At13.job
[2012/02/18 05:30:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At12.job
[2012/02/18 05:30:00 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At11.job
[2012/02/18 04:30:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At10.job
[2012/02/18 04:30:00 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At9.job
[2012/02/18 03:30:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At8.job
[2012/02/18 03:30:00 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At7.job
[2012/02/18 02:30:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At6.job
[2012/02/18 02:30:00 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At5.job
[2012/02/18 01:30:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At4.job
[2012/02/18 01:30:00 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At3.job
[2012/02/18 00:30:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At2.job
[2012/02/18 00:29:59 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At1.job
[2012/02/17 23:30:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At48.job
[2012/02/17 23:30:00 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At47.job
[2012/02/17 22:30:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At46.job
[2012/02/17 22:30:00 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At45.job
[2012/02/17 21:29:59 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At44.job
[2012/02/17 21:29:59 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At43.job
[2012/02/17 20:30:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At42.job
[2012/02/17 20:30:00 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At41.job
[2012/02/17 20:12:19 | 000,294,216 | ---- | M] () -- C:\Users\A\Desktop\gmer.zip
[2012/02/17 20:05:29 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\A\Desktop\dds.scr
[2012/02/17 20:00:09 | 000,000,000 | ---- | M] () -- C:\Users\A\defogger_reenable
[2012/02/17 19:59:31 | 000,050,477 | ---- | M] () -- C:\Users\A\Desktop\Defogger.exe
[2012/02/17 19:29:59 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At40.job
[2012/02/17 19:29:59 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At39.job
[2012/02/17 18:30:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At38.job
[2012/02/17 18:30:00 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At37.job
[2012/02/17 17:30:00 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At35.job
[2012/02/17 17:29:59 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At36.job
[2012/02/17 16:30:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At34.job
[2012/02/17 16:30:00 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At33.job
[2012/02/17 15:52:00 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/02/17 15:29:59 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At32.job
[2012/02/17 15:29:59 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At31.job
[2012/02/17 14:30:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At30.job
[2012/02/17 14:29:59 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At29.job
[2012/02/17 13:30:00 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At27.job
[2012/02/17 13:29:59 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At28.job
[2012/02/17 12:30:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At26.job
[2012/02/17 12:30:00 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At25.job
[2012/02/17 11:30:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At24.job
[2012/02/17 11:29:59 | 000,000,350 | ---- | M] () -- C:\Windows\tasks\At23.job
[2012/02/16 19:39:39 | 000,019,968 | ---- | M] () -- C:\Users\A\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/02/15 11:28:34 | 000,000,680 | ---- | M] () -- C:\Users\A\AppData\Local\d3d9caps.dat
[2012/02/15 11:25:25 | 000,000,000 | -HS- | M] () -- C:\Windows\SysNative\dds_trash_log.cmd
[2012/02/15 11:25:22 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/02/10 20:27:02 | 000,000,318 | ---- | M] () -- C:\Windows\tasks\HPCeeScheduleForA.job
[2012/02/08 15:51:31 | 753,166,619 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2012/02/08 15:43:17 | 004,733,440 | ---- | M] (AVAST Software) -- C:\Users\A\Desktop\iexplorer.exe
[2012/02/02 15:40:20 | 000,000,950 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/02/18 10:28:54 | 000,000,512 | ---- | C] () -- C:\Users\A\Desktop\MBR.dat
[2012/02/17 20:12:17 | 000,294,216 | ---- | C] () -- C:\Users\A\Desktop\gmer.zip
[2012/02/17 20:00:09 | 000,000,000 | ---- | C] () -- C:\Users\A\defogger_reenable
[2012/02/17 19:59:30 | 000,050,477 | ---- | C] () -- C:\Users\A\Desktop\Defogger.exe
[2012/02/05 08:22:12 | 000,000,000 | -HS- | C] () -- C:\Windows\SysNative\dds_trash_log.cmd
[2012/02/04 01:30:46 | 753,166,619 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2012/02/02 15:40:20 | 000,000,950 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2011/12/24 05:57:18 | 000,000,000 | ---- | C] () -- C:\ProgramData\28tmwoJ.dat
[2011/12/21 16:40:05 | 000,000,964 | ---- | C] () -- C:\Users\A\AppData\Roaming\SMRResults210.dat
[2011/12/19 19:07:23 | 000,011,828 | -HS- | C] () -- C:\Users\A\AppData\Local\orqlhn4s4qqj6vnp6mek5b306m2i
[2011/12/19 19:07:23 | 000,011,828 | -HS- | C] () -- C:\ProgramData\orqlhn4s4qqj6vnp6mek5b306m2i
[2011/10/29 18:38:32 | 000,157,492 | ---- | C] () -- C:\Windows\hphins26.dat
[2011/03/29 07:05:48 | 000,709,992 | ---- | C] () -- C:\Windows\SysWow64\kindling.dll
[2011/03/19 09:31:57 | 000,000,054 | ---- | C] () -- C:\Windows\Player.INI
[2010/10/26 18:57:29 | 1337,016,015 | ---- | C] () -- C:\Program Files\4Story10092702_full.exe
[2010/10/16 16:36:45 | 000,000,443 | ---- | C] () -- C:\Program Files\GameOptions.lua
[2010/10/16 16:04:20 | 000,001,256 | ---- | C] () -- C:\Program Files\log.htm
[2010/10/16 16:04:19 | 000,000,432 | ---- | C] () -- C:\Program Files\config.ini
[2010/10/16 15:53:50 | 000,230,752 | ---- | C] () -- C:\Windows\patchw32.dll
[2010/10/16 15:53:50 | 000,118,176 | ---- | C] () -- C:\Windows\patchw.dll
[2010/08/03 08:16:12 | 000,000,680 | ---- | C] () -- C:\Users\A\AppData\Local\d3d9caps.dat
[2010/05/11 17:15:04 | 000,002,560 | ---- | C] () -- C:\Windows\_MSRSTRT.EXE
[2010/01/31 11:06:18 | 000,008,046 | ---- | C] () -- C:\Program Files (x86)\Common Files\setupBanner.jpg
[2009/12/17 21:00:48 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/09/17 21:01:37 | 000,137,397 | ---- | C] () -- C:\Windows\HPHins15.dat
[2009/09/17 21:01:37 | 000,002,828 | ---- | C] () -- C:\Windows\hphmdl15.dat
[2009/08/26 18:57:32 | 000,019,968 | ---- | C] () -- C:\Users\A\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/25 10:31:39 | 000,005,986 | ---- | C] () -- C:\Users\A\AppData\Roaming\wklnhst.dat
[2009/04/22 04:40:27 | 000,106,605 | ---- | C] () -- C:\Windows\SysWow64\StructuredQuerySchema.bin
[2009/04/22 04:40:27 | 000,018,904 | ---- | C] () -- C:\Windows\SysWow64\StructuredQuerySchemaTrivial.bin
[2009/04/22 04:18:42 | 000,354,816 | ---- | C] () -- C:\Windows\SysWow64\pythoncom26.dll
[2009/04/22 04:18:42 | 000,108,032 | ---- | C] () -- C:\Windows\SysWow64\pywintypes26.dll
[2009/04/14 16:07:42 | 000,037,607 | ---- | C] () -- C:\Program Files (x86)\Common Files\license.rtf
[2008/01/20 20:50:05 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini
[2008/01/20 20:49:49 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
[2007/12/12 18:01:47 | 000,000,787 | ---- | C] () -- C:\Windows\hphmdl26.dat
[2006/11/02 09:37:05 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 06:37:14 | 000,215,943 | ---- | C] () -- C:\Windows\SysWow64\dssec.dat
[2006/11/02 06:24:17 | 000,000,741 | ---- | C] () -- C:\Windows\SysWow64\NOISE.DAT
[2006/11/02 06:18:17 | 000,673,088 | ---- | C] () -- C:\Windows\SysWow64\mlang.dat
[2006/11/02 03:47:54 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\SysWow64\OUTLPERF.INI

========== Files - Unicode (All) ==========
[2012/01/06 21:19:54 | 000,324,096 | ---- | M] ()(C:\Users\A\Documents\????900?.doc) -- C:\Users\A\Documents\日常用语900句.doc
[2012/01/06 21:19:54 | 000,324,096 | ---- | C] ()(C:\Users\A\Documents\????900?.doc) -- C:\Users\A\Documents\日常用语900句.doc
[2012/01/04 20:34:31 | 022,241,280 | ---- | M] ()(C:\Users\A\Desktop\????(how to remove colored skin on face).doc) -- C:\Users\A\Desktop\祛斑办法(how to remove colored skin on face).doc
[2011/03/21 18:12:13 | 000,000,000 | ---D | M](C:\Users\A\Documents\CBox???) -- C:\Users\A\Documents\CBox加速器
[2011/03/21 18:12:13 | 000,000,000 | ---D | C](C:\Users\A\Documents\CBox???) -- C:\Users\A\Documents\CBox加速器
[2011/03/21 18:12:11 | 000,000,916 | ---- | M] ()(C:\Users\A\Application Data\Microsoft\Internet Explorer\Quick Launch\CNTV ???????.lnk) -- C:\Users\A\Application Data\Microsoft\Internet Explorer\Quick Launch\CNTV 网页点播加速器.lnk
[2011/03/21 18:12:11 | 000,000,916 | ---- | C] ()(C:\Users\A\Application Data\Microsoft\Internet Explorer\Quick Launch\CNTV ???????.lnk) -- C:\Users\A\Application Data\Microsoft\Internet Explorer\Quick Launch\CNTV 网页点播加速器.lnk
[2011/01/31 12:46:25 | 022,241,280 | ---- | C] ()(C:\Users\A\Desktop\????(how to remove colored skin on face).doc) -- C:\Users\A\Desktop\祛斑办法(how to remove colored skin on face).doc
[2011/01/16 20:01:28 | 000,051,200 | ---- | M] ()(C:\Users\A\Documents\???????????-???????? ?????????1-16-2011.doc) -- C:\Users\A\Documents\为李明亮癌症恢复的文章-直面癌症笑对人生 我的人生不会被打败1-16-2011.doc
[2011/01/16 20:01:27 | 000,051,200 | ---- | C] ()(C:\Users\A\Documents\???????????-???????? ?????????1-16-2011.doc) -- C:\Users\A\Documents\为李明亮癌症恢复的文章-直面癌症笑对人生 我的人生不会被打败1-16-2011.doc
[2010/01/17 15:02:20 | 000,069,120 | ---- | M] ()(C:\Users\A\Documents\-North Califonia house investment example 1(????????-).doc) -- C:\Users\A\Documents\-North Califonia house investment example 1(北加州投资房实例-).doc
[2010/01/17 15:02:20 | 000,069,120 | ---- | C] ()(C:\Users\A\Documents\-North Califonia house investment example 1(????????-).doc) -- C:\Users\A\Documents\-North Califonia house investment example 1(北加州投资房实例-).doc
(C:\ProgramData\Microsoft\Windows\Start Menu\Programs\???????-CNTV) -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\中国网络电视台-CNTV

========== Alternate Data Streams ==========

@Alternate Data Stream - 116 bytes -> C:\ProgramData\Temp:BEB15613
@Alternate Data Stream - 104 bytes -> C:\ProgramData\Temp:D1B5B4F1

< End of report >



OTL Extras logfile created on: 2/18/2012 10:47:58 AM - Run 1
OTL by OldTimer - Version 3.2.32.0 Folder = C:\Users\A\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19088)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

5.99 Gb Total Physical Memory | 1.66 Gb Available Physical Memory | 27.73% Memory free
12.15 Gb Paging File | 8.13 Gb Available in Paging File | 66.88% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 582.50 Gb Total Space | 381.43 Gb Free Space | 65.48% Space Free | Partition Type: NTFS
Drive D: | 13.67 Gb Total Space | 1.88 Gb Free Space | 13.71% Space Free | Partition Type: NTFS

Computer Name: A-PC | User Name: A | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.url[@ = InternetShortcut] -- C:\Windows\SysNative\rundll32.exe ()

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1163989138-1874164179-1159466216-1000\SOFTWARE\Classes\<extension>]
.exe [@ = exefile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" ()
InternetShortcut [open] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL %l ()
InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" ()
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = 9F 9E 16 8C DC 5B C8 01 [binary data]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"oobe_av" = 1

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{4580B214-9BD6-4644-B66F-2662D48A75A7}" = lport=445 | protocol=6 | dir=in | app=system |
"{4D8FE54F-FDF6-43B4-9410-442B58B044C5}" = rport=139 | protocol=6 | dir=out | app=system |
"{55918A02-66DE-4445-8DF5-257A71AA7EE8}" = lport=139 | protocol=6 | dir=in | app=system |
"{55ABC3AB-05DD-4279-9675-75A68A9DC47D}" = lport=137 | protocol=17 | dir=in | app=system |
"{745D3C17-9B9B-4AC6-87C5-9707858309EE}" = rport=445 | protocol=6 | dir=out | app=system |
"{858CB9CD-440F-4673-B15C-EB0BFAAFCB4D}" = rport=80 | protocol=6 | dir=out | app=c:\program files (x86)\common files\intuit\update service\intuitupdateservice.exe |
"{918A0E65-FCD6-4C4E-9F66-0443FECF2D73}" = lport=8376 | protocol=17 | dir=in | name=league of legends launcher |
"{9A5935CC-AE5D-4EEB-9CE8-11E453009D42}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{9AA89522-2B2E-4301-82FE-4E505C9C81A1}" = rport=137 | protocol=17 | dir=out | app=system |
"{9D306AFA-CEFD-4BC1-82F2-5825735F326B}" = rport=80 | protocol=6 | dir=out | app=c:\program files (x86)\common files\intuit\update service\intuitupdater.exe |
"{C2E5D674-4389-442C-858A-2A0386C46CD0}" = lport=138 | protocol=17 | dir=in | app=system |
"{C67DFBAD-EB14-498B-AF35-F890810B9EE0}" = rport=138 | protocol=17 | dir=out | app=system |
"{E35F5DB3-06F2-49B5-BCFA-6F057C8C9F3D}" = lport=8376 | protocol=6 | dir=in | name=league of legends launcher |
"{FD185875-DA61-4F27-A874-B197DA2AB071}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{012CB307-5B3B-4095-B61A-ECFC01D945DF}" = dir=in | app=c:\program files (x86)\hewlett-packard\media\dvd\hptouchsmartvideo.exe |
"{028F3170-85AE-460E-9A6D-AC767DE4CAAA}" = dir=in | app=c:\program files (x86)\cyberlink\powerdirector\pdr.exe |
"{097B01F1-823F-4744-84C6-2646518C9D2E}" = dir=in | app=c:\program files (x86)\hewlett-packard\media\dvd\hpdvdsmart.exe |
"{198D64C0-F558-450F-B78F-3F9FBF251957}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{1B962738-2A1B-4FE1-89FB-82C8318092D0}" = dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{1D45902D-CA1C-4C5B-B254-0D4F42C59BEC}" = dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{30876046-9A88-428E-BA20-8A4E578243E1}" = dir=in | app=c:\program files (x86)\hewlett-packard\media\dvd\kernel\clml\clmlsvc.exe |
"{31C625A1-6740-441B-B38B-C69048F3BE8F}" = protocol=6 | dir=in | app=d:\pps.tv\ppsgame\ppsgame.exe |
"{348FC3D5-55F5-4EA9-BA04-680AD839E0B3}" = protocol=17 | dir=in | app=d:\pps.tv\ppstream\ppstream.exe |
"{3B370038-865A-4962-A1F3-E5ED943A5C35}" = protocol=17 | dir=in | app=c:\program files (x86)\curse\curseclient.exe |
"{45ECD171-4D30-4E3A-A36C-56F0FAF4FC88}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{4C9A21E3-AC18-4498-A6AA-303C930A15AB}" = protocol=17 | dir=in | app=d:\pps.tv\ppstream\ppsap.exe |
"{518BAD2B-0F37-4F12-93A9-6427E0CC96FD}" = dir=in | app=c:\program files (x86)\hewlett-packard\media\dvd\hptouchsmartphoto.exe |
"{58407F86-8854-4E1D-8EB7-8647CB3198B2}" = dir=in | app=c:\program files (x86)\hewlett-packard\touchsmart\media\hptouchsmartmusic.exe |
"{58BFA1C3-29AA-4208-882A-181684CE6328}" = protocol=6 | dir=in | app=c:\riot games\league of legends\air\lolclient.exe |
"{5DFE3EC5-E022-400B-815F-7E6BF90D4C12}" = protocol=17 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{60EDC2FD-FF01-447A-AFB1-1E3086D5B7EF}" = protocol=17 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{6B17FFBD-B862-467D-A3F9-1352B5D1F04C}" = dir=in | app=c:\program files (x86)\hewlett-packard\media\dvd\hptouchsmartmusic.exe |
"{6C140B73-1CE8-4B0C-9604-9D3E0EC53A03}" = dir=in | app=c:\program files (x86)\hewlett-packard\touchsmart\media\tsmagent.exe |
"{7BB8FDFA-2C3A-49C3-87F0-A17670CD29F4}" = protocol=6 | dir=in | app=c:\riot games\league of legends\game\league of legends.exe |
"{7BF7AAEC-48E6-420C-8DCE-A53619F10DB1}" = protocol=6 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{7F09309F-9BE3-4924-966C-13F52FE0BF5C}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{88C8A531-A804-4548-B853-82245398D9F1}" = protocol=17 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{902427A5-DEE6-440D-A91C-92A86700A998}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{A1739990-1B60-469D-8824-8A677C89C7D8}" = protocol=6 | dir=in | app=c:\program files (x86)\curse\curseclient.exe |
"{A1F4D18F-893D-4A1E-963C-3F7F7FF04CE4}" = protocol=6 | dir=in | app=d:\pps.tv\ppstream\ppstream.exe |
"{A3BF6482-C24B-4857-BD0C-067574001130}" = dir=in | app=c:\program files (x86)\hewlett-packard\touchsmart\media\hptouchsmartphoto.exe |
"{A86DAFE9-E9D1-43CB-9031-470112DB8988}" = dir=in | app=c:\program files (x86)\hewlett-packard\media\dvd\tsmagent.exe |
"{AB5E4B0A-B93C-4A0D-8FAC-6FA48AE03167}" = protocol=6 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{B8C7C822-61C8-4B1A-80B9-8E3A18CE2207}" = protocol=6 | dir=in | app=d:\pps.tv\ppstream\ppsap.exe |
"{CF3C9504-FAE5-4F6A-B9A7-489A6EF4480B}" = protocol=6 | dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{D5B01E62-AE55-4652-9854-944C35B780CA}" = dir=in | app=c:\program files (x86)\hewlett-packard\touchsmart\media\hptouchsmartvideo.exe |
"{E0F9D3CC-5645-4A8E-B325-9E5D78084B47}" = protocol=17 | dir=in | app=c:\riot games\league of legends\air\lolclient.exe |
"{E1B1A9A4-C235-49D0-A469-E15A1BFE9D6C}" = dir=in | app=c:\program files (x86)\hewlett-packard\touchsmart\media\kernel\clml\clmlsvc.exe |
"{EB364CBB-89D2-44B0-ADFF-972FF79473D4}" = protocol=17 | dir=in | app=c:\riot games\league of legends\game\league of legends.exe |
"{FEF94B71-6E68-43AF-9E51-DF051634C5F3}" = dir=in | app=c:\program files (x86)\pando networks\media booster\pmb.exe |
"{FF803B06-A699-4A04-8DBC-2A4D97C3573B}" = protocol=17 | dir=in | app=d:\pps.tv\ppsgame\ppsgame.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{03E66394-42F0-4745-85F7-0A2F8F35C09F}" = HP Deskjet Printer Driver Software 9.0
"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{0CE5F45E-F6CC-4638-B0DD-BB7F6EF56713}" = HP Deskjet D1500 Printer Driver Software 10.0 Rel .3
"{350AA351-21FA-3270-8B7A-835434E766AD}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022
"{4B6C7001-C7D6-3710-913E-5BC23FCE91E6}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.4148
"{4FFA2088-8317-3B14-93CD-4C699DB37843}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729
"{5F240DB8-0D74-4F13-86C3-929760392A8D}" = HP Remote Software
"{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{A2422B02-0D41-43F5-B62E-C7A5E55FCBA8}" = Vegas Pro 9.0 (64-bit)
"{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D2E8F543-D23A-4A38-AFFC-4BDEBFBA6FDA}" = HP MediaSmart SmartMenu
"{EE936C7A-EA40-31D5-9B65-8E3E089C3828}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148
"{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}" = Microsoft .NET Framework 4 Client Profile
"Agere Systems Soft Modem" = Agere Systems PCI-SV92EX Soft Modem
"GooglePinyin2" = 谷歌拼音输入法 2.6
"HDMI" = Intel® Graphics Media Accelerator Driver
"HP Imaging Device Functions" = HP Imaging Device Functions 10.0
"HP Photosmart Essential" = HP Photosmart Essential 2.5
"HP Smart Web Printing" = HP Smart Web Printing
"HP Solution Center & Imaging Support Tools" = HP Solution Center 10.0
"HPExtendedCapabilities" = HP Customer Participation Program 10.0
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"OfficeTrial" = Microsoft Office Home and Student 60 day trial
"PC-Doctor for Windows" = Hardware Diagnostic Tools
"Shop for HP Supplies" = Shop for HP Supplies
"WinRAR archiver" = WinRAR archiver

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{02548730-180A-487e-A726-A75CB6650AF7}" = D1400
"{0295F89F-F698-4101-9A7D-49F407EC2D82}" = HP Active Support Library
"{05BDC796-3451-4F81-B91D-E98F7ADA76C2}" = TurboTax 2010 WinPerTaxSupport
"{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{15C70064-2463-49dd-9A88-B700F75BB428}" = dj_sf_ProductContext
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{18669FF9-C8FE-407a-9F70-E674896B1DB4}" = GPBaseService
"{1896E712-2B3D-45eb-BCE9-542742A51032}" = PictureMover
"{18FF3E5F-E060-45bf-8811-6FBA9521C94A}" = JewelDrops Deluxe
"{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}" = YouTube Downloader 2.6.2
"{1CC069FA-1A86-402E-9787-3F04E652C67A}" = HP Support Information
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite Deluxe
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library
"{26A24AE4-039D-4CA4-87B4-2F83216015FF}" = Java™ 6 Update 30
"{290CA856-3737-4874-864B-BA142F4823C8}_is1" = HP MediaSmart Demo
"{305468A6-DE2D-43ba-A168-2F45A97A89DA}" = DJ_SF_03_D1500_Software_Min
"{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE
"{36FDBE6E-6684-462b-AE98-9A39A1B200CC}" = HPProductAssistant
"{3782EC09-4000-475E-8A59-9CABD6F03B4C}" = TurboTax 2010 WinPerFedFormset
"{38436888-9EAA-4cec-A56F-65B73D9D423C}" = D1500
"{3A78FDE2-0C31-4B8A-92E8-1ED145C0A251}" = Anvil Studio 2011
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"{47F36D92-E58E-456D-B73C-3382737E4C42}" = HP Update
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4F2FCCCF-29F3-44B9-886F-6D16F8417522}" = TurboTax 2010 wrapper
"{5109C064-813E-4e87-B0DE-C8AF7B5BC02B}" = SmartWebPrintingOC
"{52A69E11-7CEB-4a7d-9607-68BA4F39A89B}" = DeviceDiscovery
"{55979C41-7D6A-49CC-B591-64AC1BBE2C8B}" = HP Picasso Media Center Add-In
"{5ACE69F0-A3E8-44eb-88C1-0A841E700180}" = TrayApp
"{61150C85-DC0A-4976-922F-5575F388ADA6}" = Notation Player 2.6
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{730837D4-FF5E-48DB-BA49-33E732DFF0B3}" = PanoStandAlone
"{73A43E42-3658-4DD9-8551-FACDA3632538}" = HP Advisor
"{75C22B40-6D12-4439-80DC-CAB3313EADA5}" = dj_sf_software_req
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{784BEA84-FA66-4B19-BB80-7B545F248AC6}" = HP Total Care Setup
"{7F10292C-A190-4176-A665-A1ED3478DF86}" = LightScribe System Software
"{82C113AD-486F-4bd5-A2EA-2383AF57D084}" = D1500_Help
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A85DEAD-7C1F-4368-881C-72AC74CB2E91}" = UnloadSupport
"{8B8240B3-891D-4965-AA51-8799622D44FF}" = DJ_SF_03_D1500_ProductContext
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{90AACECD-1E42-4D22-ABAD-7FB9B67B262D}" = H&R Block Premium + Efile + State 2009
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{96C39A4E-8636-439B-B439-02E908C05A2A}" = League of Legends
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9CC89170-000B-457D-91F1-53691F85B223}" = Python 2.6.1
"{A0640EC2-B97E-4FC1-AD14-227C9E386BB4}" = HP Recovery Manager RSS
"{A0B9F8DF-C949-45ed-9808-7DC5C0C19C81}" = Status
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A525E00B-6609-442E-9DCD-64453C233E8D}" = TurboTax 2010 WinPerReleaseEngine
"{A5AB9D5E-52E2-440e-A3ED-9512E253C81A}" = SolutionCenter
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}" = Windows 7 Upgrade Advisor
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1
"{AC76BA86-7AD7-2447-0000-900000000003}" = Chinese Simplified Fonts Support For Adobe Reader 9
"{AE469025-08BA-4B2A-915D-CC7765132419}" = Default Manager
"{B1421599-A42D-47ef-B512-B9B0317BD599}" = DJ_SF_03_D1500_Software
"{B2EE25B9-5B00-4ACF-94F0-92433C28C39E}" = HP MediaSmart Music/Photo/Video
"{B639110D-747F-40DC-9682-95D94EF73790}" = dj_sf_software
"{B84739A3-F943-47E4-95D8-96381EF5AC48}" = HP Customer Experience Enhancements
"{B8AC1A89-FFD1-4F97-8051-E505A160F562}" = HP Odometer
"{B8DBED1E-8BC3-4d08-B94A-F9D7D88E9BBF}" = HPSSupply
"{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"{C79BF5BB-5671-41C0-A028-E9A2097D1AAD}" = Microsoft Live Search Toolbar
"{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg
"{CCF13D13-A87B-34E8-B689-1896D0C2DBA2}" = Google Talk Plugin
"{D2E0F0CC-6BE0-490b-B08B-9267083E34C9}" = MarketResearch
"{DCCAD079-F92C-44DA-B258-624FC6517A5A}" = HP MediaSmart DVD
"{DF802C05-4660-418c-970C-B988ADB1D316}" = Microsoft Live Search Toolbar
"{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01
"{E9E34215-82EF-4909-BE2F-F581F0DC9062}" = DirectX for Managed Code Update (Summer 2004)
"{EFE673F6-688A-42ed-9C6C-9DD8CF5A9B89}" = D1400_Help
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F7FC9307-374E-4017-8E9D-DE1154780480}" = System Requirements Lab for Intel
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"Akamai" = Akamai NetSession Interface Service
"AnyToISO_is1" = AnyToISO
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.12 (Unicode)
"CamStudio" = CamStudio
"CNTV 网页点播加速器_is1" = CNTV 网页点播加速器1.0.2.0
"Free WMA to MP3 Converter_is1" = Free WMA to MP3 Converter 1.16
"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = CyberLink DVD Suite Deluxe
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = Power2Go
"InstallShield_{B2EE25B9-5B00-4ACF-94F0-92433C28C39E}" = HP MediaSmart Music/Photo/Video
"InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LabelPrint
"InstallShield_{CB099890-1D5F-11D5-9EA9-0050BAE317E1}" = PowerDirector
"InstallShield_{DCCAD079-F92C-44DA-B258-624FC6517A5A}" = HP MediaSmart DVD
"ISOMagic" = ISOMagic
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.60.1.1000
"McAfee Security Scan" = McAfee Security Scan Plus
"NIS" = Norton Internet Security
"PPLive" = PPTV V2.7.2.0013
"PPSGame" = PPS游戏 V1.0.1.322
"PPStream" = PPStream V2.7.0.1226 Final
"pywin32-py2.6" = Python 2.6 pywin32-212
"sp44626" = sp44626
"TurboTax 2010" = TurboTax 2010
"usjobsearchtoolbar" = US Job Search Toolbar
"WildTangent hp Master Uninstall" = HP Games
"WT067509" = Jeopardy 2
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Toolbar" = Yahoo! Toolbar

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1163989138-1874164179-1159466216-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Akamai" = Akamai NetSession Interface
"Google Chrome" = Google Chrome
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/5/2012 12:19:43 PM | Computer Name = A-PC | Source = Perflib | ID = 1023
Description =

Error - 2/5/2012 12:19:46 PM | Computer Name = A-PC | Source = LoadPerf | ID = 3002
Description =

Error - 2/5/2012 12:21:56 PM | Computer Name = A-PC | Source = LoadPerf | ID = 3002
Description =

Error - 2/5/2012 12:27:48 PM | Computer Name = A-PC | Source = LoadPerf | ID = 3002
Description =

Error - 2/5/2012 1:52:29 PM | Computer Name = A-PC | Source = Application Error | ID = 1000
Description = Faulting application iexplore.exe, version 8.0.6001.19088, time stamp
0x4de07b1b, faulting module mshtml.dll, version 8.0.6001.19088, time stamp 0x4de090ed,
exception code 0xc0000005, fault offset 0x000da56f, process id 0x172c, application
start time 0x01cce42dae7140ef.

Error - 2/5/2012 11:34:49 PM | Computer Name = A-PC | Source = LoadPerf | ID = 3002
Description =

Error - 2/5/2012 11:37:00 PM | Computer Name = A-PC | Source = LoadPerf | ID = 3002
Description =

Error - 2/7/2012 3:33:45 AM | Computer Name = A-PC | Source = WinMgmt | ID = 10
Description =

Error - 2/7/2012 3:38:04 AM | Computer Name = A-PC | Source = Application Error | ID = 1000
Description = Faulting application nslookup.exe, version 6.0.6001.18000, time stamp
0x47918e19, faulting module ntdll.dll, version 6.0.6001.18538, time stamp 0x4cb733e1,
exception code 0xc0000138, fault offset 0x0006f1e7, process id 0xc40, application
start time 0x01cce56b6c3eac6a.

Error - 2/7/2012 3:38:35 AM | Computer Name = A-PC | Source = LoadPerf | ID = 3002
Description =

[ System Events ]
Error - 2/13/2012 8:20:31 PM | Computer Name = A-PC | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.4 for the Network Card with network
address 00261832C5B2 has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 2/14/2012 7:59:02 PM | Computer Name = A-PC | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.3 for the Network Card with network
address 00261832C5B2 has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 2/15/2012 1:25:24 PM | Computer Name = A-PC | Source = HTTP | ID = 15016
Description =

Error - 2/15/2012 1:26:59 PM | Computer Name = A-PC | Source = Service Control Manager | ID = 7023
Description =

Error - 2/15/2012 1:26:59 PM | Computer Name = A-PC | Source = Service Control Manager | ID = 7003
Description =

Error - 2/15/2012 1:26:59 PM | Computer Name = A-PC | Source = Service Control Manager | ID = 7003
Description =

Error - 2/15/2012 1:28:18 PM | Computer Name = A-PC | Source = Service Control Manager | ID = 7022
Description =

Error - 2/15/2012 1:28:18 PM | Computer Name = A-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 2/17/2012 6:59:21 PM | Computer Name = A-PC | Source = Service Control Manager | ID = 7023
Description =

Error - 2/17/2012 7:01:28 PM | Computer Name = A-PC | Source = Service Control Manager | ID = 7023
Description =


< End of report >

Edited by SweetTech, 19 February 2012 - 06:02 AM.
expanded logs.-ST


#4 SweetTech

    Agent ST

  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica
  • Local time:09:40 AM

Posted 19 February 2012 - 07:17 AM

Hi immediate1!

Not a problem!

1. I've attached the Malwarebytes and aswmbr.exe logs. Did you want me to copy and paste logs content or attach the logs? I ask this because pasting ALL of it in this one post really slowed my browser down a lot. At the moment, I do not have any other specific questions or comments.

I went ahead and posted the contents of the log files in your previous post for you. In the future, if you can post them for me, that'd be extremely helpful; it makes it easier for me to work with them. :)

It looks like aswMBR found some files that are infected, so we will be addressing these shortly.

10:22:03.184 File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
10:23:53.071 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-FQ [Drp]
10:23:55.830 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-HO [Rtk]
10:25:41.368 File: C:\Windows\assembly\temp\U\80000004.@ **INFECTED** Win64:ZAccess-A [Trj]
10:25:41.411 File: C:\Windows\assembly\temp\U\80000032.@ **INFECTED** Win32:DNSChanger-VJ [Trj]

It also looks like the infection you have has corrupted the Windows Firewall as well as the Windows Security Center.

We'll address those issues a little bit later after we get the infection neutralized.


Running ComboFix
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.
  • If you get an error message saying: "Illegal operation attempted on a registry key that was marked for deletion." please reboot your computer, and that should take care of that error message.

Edited by SweetTech, 19 February 2012 - 07:31 AM.

Have I helped you? If you'd like to assist in the fight against malware, click here


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
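A small defender-side triage helper for the aswMBR findings quoted in the post above. It is an added example, not code from the thread or from the aswMBR tool: it parses the "**INFECTED**" lines into path, detection name and type tag, then groups them the way a remediation plan needs (by family, by type, by directory, and with the system32 entry listed separately). The two surrounding status lines in the sample and the meaning assigned to the [Rtk]/[Drp]/[Trj] tags are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the five aswMBR "**INFECTED**" lines quoted in the post above,
# wrapped in two ordinary status lines (those two are invented here so the parser
# has something to ignore).
ASWMBR_LOG = """\
10:21:55.912 Scan started (fast scan)
10:22:03.184 File: C:\\Windows\\system32\\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
10:23:53.071 File: C:\\Windows\\assembly\\GAC_32\\Desktop.ini **INFECTED** Win32:Sirefef-FQ [Drp]
10:23:55.830 File: C:\\Windows\\assembly\\GAC_64\\Desktop.ini **INFECTED** Win32:Sirefef-HO [Rtk]
10:25:41.368 File: C:\\Windows\\assembly\\temp\\U\\80000004.@ **INFECTED** Win64:ZAccess-A [Trj]
10:25:41.411 File: C:\\Windows\\assembly\\temp\\U\\80000032.@ **INFECTED** Win32:DNSChanger-VJ [Trj]
10:26:10.004 Scan finished successfully
"""

# One "**INFECTED**" line: timestamp, "File:", path, detection name, [type tag].
INFECTED_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+File:\s+(?P<path>.+?)\s+"
    r"\*\*INFECTED\*\*\s+(?P<name>\S+)\s+\[(?P<tag>\w+)\]\s*$"
)

# Assumed meaning of the bracketed tags as they appear in the log.
TAG_MEANING = {"Rtk": "rootkit", "Drp": "dropper", "Trj": "trojan"}


def parse_aswmbr(text):
    """Return one dict per **INFECTED** line; every other line is ignored."""
    findings = []
    for line in text.splitlines():
        m = INFECTED_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        name = m.group("name")
        directory, _, filename = path.rpartition("\\")
        platform, _, family = name.partition(":")   # "Win32:Sirefef-HO" -> "Win32", "Sirefef-HO"
        findings.append({
            "time": m.group("time"),
            "path": path,
            "dir": directory.lower(),
            "file": filename.lower(),
            "platform": platform,
            "family": family.split("-", 1)[0],      # "Sirefef-HO" -> "Sirefef"
            "variant": name,
            "kind": TAG_MEANING.get(m.group("tag"), m.group("tag")),
        })
    return findings


def triage(findings):
    """Group findings the way a remediation plan needs them."""
    by_dir = defaultdict(list)
    for f in findings:
        by_dir[f["dir"]].append(f["file"])
    return {
        "families": Counter(f["family"] for f in findings),
        "kinds": Counter(f["kind"] for f in findings),
        "by_dir": dict(by_dir),
        # A file under system32 is loaded by Windows itself; removing it by hand
        # instead of letting a removal tool repair the load point can leave the
        # machine unbootable, so such entries are listed separately for review.
        "system32": [f["path"] for f in findings if f["dir"].endswith("\\system32")],
        # Desktop.ini in the GAC folders and ".@" files under assembly\temp are not
        # normal .NET assembly content, so they are reported as one cluster.
        "assembly_tree": [f["path"] for f in findings if "\\assembly\\" in f["dir"]],
    }


if __name__ == "__main__":
    report = triage(parse_aswmbr(ASWMBR_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```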


#5 immediate1
  • Topic Starter
  • Members
  • 37 posts
  • Local time:07:40 AM

Posted 19 February 2012 - 12:40 PM

Ok, I'll copy and paste any logs you need from here on out! :)

For whatever reason, stage 48 took about half an hour. Also, some application called PEV.exe stopped working. Is PEV.exe malware? Here's the combofix.txt log:

ComboFix 12-02-19.01 - A 02/19/2012 10:21:38.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.6133.3641 [GMT -6:00]
Running from: c:\users\A\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\favoritevideo\InvisibleFolder
c:\favoritevideo\InvisibleFolder\20111109181426_tongyisucaib111110huanchong.swf
c:\favoritevideo\InvisibleFolder\20111111174415_tongyisucaic111113zanting.swf
c:\favoritevideo\InvisibleFolder\20111111174652_tongyisucaic111113huanchong15.swf
c:\favoritevideo\InvisibleFolder\20111111180522_tongyisucaid111113kehuduanhuanchong.swf
c:\favoritevideo\InvisibleFolder\20111111180809_tongyisucaid111113kehuduanzanting.swf
c:\favoritevideo\InvisibleFolder\20111118162412_tongyisucaif111119zanting.swf
c:\favoritevideo\InvisibleFolder\20111118162556_tongyisucaif111119zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120105095046_sanxingi929zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120116174022_haerbinpijiu120116chunwanzhu15s.swf
c:\favoritevideo\InvisibleFolder\20120117124426_shenxiandao120117zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120117124706_shenxiandao120117zanting.swf
c:\favoritevideo\InvisibleFolder\20120117124933_shenxiandao120117chabo.swf
c:\favoritevideo\InvisibleFolder\20120117135635_panpan120117jiaobiao2.swf
c:\favoritevideo\InvisibleFolder\20120117135741_panpan120117jiaobiao5.swf
c:\favoritevideo\InvisibleFolder\20120117135750_csol120119zanting.swf
c:\favoritevideo\InvisibleFolder\20120117141555_quanqiushim120118zanting.swf
c:\favoritevideo\InvisibleFolder\20120117181928_maidanglaocs120117zanting.swf
c:\favoritevideo\InvisibleFolder\20120117183029_91wan120118zanting.swf
c:\favoritevideo\InvisibleFolder\20120118114303_91wan120119zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120118114419_91wan120119zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120118114531_91wan120122zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120118114538_91wan120125zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120118133022_jiangsuyidong120120Bzhu15s.swf
c:\favoritevideo\InvisibleFolder\20120118172857_vaspmall120118zanting.swf
c:\favoritevideo\InvisibleFolder\20120118173315_vaspmall120118qipao.swf
c:\favoritevideo\InvisibleFolder\20120118174717_suunmo120125zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120119100328_youju37wanbu120122zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120119103214_37wan120130zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120119103407_37wan120130zhu15sbu.swf
c:\favoritevideo\InvisibleFolder\20120119103848_37wan120130zanting.swf
c:\favoritevideo\InvisibleFolder\20120119103932_37wan120126zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120119111858_maoxianwang120121zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120119112742_maoxianwang120121zanting.swf
c:\favoritevideo\InvisibleFolder\20120119113007_shengshisanguo120124zhuhuanchong15s.swf
c:\favoritevideo\InvisibleFolder\20120119113414_shengshisanguo120124zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120119113715_shengshisanguo120124fuceng.swf
c:\favoritevideo\InvisibleFolder\20120119114020_maoxianwang120121chabo.swf
c:\favoritevideo\InvisibleFolder\20120119114031_zhengtu20121zanting.swf
c:\favoritevideo\InvisibleFolder\20120119131806_wolingyin120127zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120119133653_wolingyin120127zanting.swf
c:\favoritevideo\InvisibleFolder\20120119134713_wolingyin120127chabo.swf
c:\favoritevideo\InvisibleFolder\20120119140747_huoyingshijie120129zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120119141149_huoyingshijie120129zanting15s.swf
c:\favoritevideo\InvisibleFolder\20120119151205_hupyingshijie120129cha15s.swf
c:\favoritevideo\InvisibleFolder\20120119161139_shenlongji120125zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120119165943_37wan120119zhuhuanchong15s.swf
c:\favoritevideo\InvisibleFolder\20120119170342_37wan120122zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120119170929_37wan120130zhu15sa.swf
c:\favoritevideo\InvisibleFolder\20120119171643_37wan120130zantinga.swf
c:\favoritevideo\InvisibleFolder\20120119181431_haoshiku120121zanting.swf
c:\favoritevideo\InvisibleFolder\20120119181706_haoshiku120121cha15s.swf
c:\favoritevideo\InvisibleFolder\20120119182338_haoshiku120121zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120120102602_guangdongyinlian120130zanting.swf
c:\favoritevideo\InvisibleFolder\20120120102651_guangdongyinlian120130chabo.swf
c:\favoritevideo\InvisibleFolder\20120120165721_hongji120130zanting.swf
c:\favoritevideo\InvisibleFolder\20120130181331_dongfengbiaozhi308120201zanting.swf
c:\favoritevideo\InvisibleFolder\20120201112148_pinganchexian120201zhuhuanchong15s.swf
c:\favoritevideo\InvisibleFolder\20120201141331_summnofangchan120201zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120202101934_yinyueyazhou120202zhuzt.jpg
c:\favoritevideo\InvisibleFolder\20120202113002_tianzhiren120203zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120202113203_tianzhiren120203zanting.swf
c:\favoritevideo\InvisibleFolder\20120202114445_tianzhiren120203chabo.swf
c:\favoritevideo\InvisibleFolder\20120202144347_37wan120203zhu15sa.swf
c:\favoritevideo\InvisibleFolder\20120202144548_37wan120203zhu15sb.swf
c:\favoritevideo\InvisibleFolder\20120202144828_37wan120203zanting.swf
c:\favoritevideo\InvisibleFolder\20120202145009_37wan120203cha15s.swf
c:\favoritevideo\InvisibleFolder\20120202154941_zhengtu20203zanting.swf
c:\favoritevideo\InvisibleFolder\20120202155310_zhengtu2120204zanting.swf
c:\favoritevideo\InvisibleFolder\20120202163834_shengui120203zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120202164635_shengui120203zanting.swf
c:\favoritevideo\InvisibleFolder\20120202165029_shengui120203cha15s.swf
c:\favoritevideo\InvisibleFolder\20120203141133_tongyisucai120206zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120203141429_tongyisucai120206zhuhuanchong15s.swf
c:\favoritevideo\InvisibleFolder\20120203141751_shenmozhetian12026zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120203142707_shenmozhetian120206zanting.swf
c:\favoritevideo\InvisibleFolder\20120203143114_shenmozhetian120206cha15s.swf
c:\favoritevideo\InvisibleFolder\20120203153516_youju37wan120204zhufuceng.swf
c:\favoritevideo\InvisibleFolder\20120203153536_37wan120204zhu15sa.swf
c:\favoritevideo\InvisibleFolder\20120203153632_37wan120206zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120203153758_youju37wan120206zhufuceng.swf
c:\favoritevideo\InvisibleFolder\20120203153808_37wan120204zhu15sb.swf
c:\favoritevideo\InvisibleFolder\20120203153906_youju37wan120206zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120203154846_51job120219zanting.swf
c:\favoritevideo\InvisibleFolder\20120203173122_jiangsuyidong120204zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120203174047_haiershangcheng120206zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120206103537_91wan120206zanting.swf
c:\favoritevideo\InvisibleFolder\20120206180131_91wan120206zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120206182035_vaspmall120206zanting.swf
c:\favoritevideo\InvisibleFolder\20120206182057_vaspmall120206qipao.swf
c:\favoritevideo\InvisibleFolder\20120206182800_jiangsuyidong120207zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120207135319_37wan120207zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120207171738_kelaisileqita120208zanting.swf
c:\favoritevideo\InvisibleFolder\20120207182205_kelaisik120208zanting.swf
c:\favoritevideo\InvisibleFolder\20120207190427_kelaisile120208zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120208142601_37wan120209zhu15sa.swf
c:\favoritevideo\InvisibleFolder\20120208142802_37wan120209zhu15sb.swf
c:\favoritevideo\InvisibleFolder\20120208143053_37wan120209zanting.swf
c:\favoritevideo\InvisibleFolder\20120208143321_37wan120209cha15s.swf
c:\favoritevideo\InvisibleFolder\20120208161055_tgc120208zanting.swf
c:\favoritevideo\InvisibleFolder\20120208172501_baidushuihu120209zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120208172630_baidushuihu120209zanting.swf
c:\favoritevideo\InvisibleFolder\20120209173436_sanxing120210zanting.swf
c:\favoritevideo\InvisibleFolder\20120210141818_fanren120212zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120210142428_fanren120212zanting.swf
c:\favoritevideo\InvisibleFolder\20120210144351_fanren120212chabo.swf
c:\favoritevideo\InvisibleFolder\20120210144700_langtaojin120213zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120210144915_langtaojin120213zanting.swf
c:\favoritevideo\InvisibleFolder\20120210164053_jurenzhengtu2120212zanting.swf
c:\favoritevideo\InvisibleFolder\20120210170232_37wan120213zhuhuanchong15sa.swf
c:\favoritevideo\InvisibleFolder\20120210170348_37wan120213zhuhuanchongb.swf
c:\favoritevideo\InvisibleFolder\20120210170456_37120213zhuzta.swf
c:\favoritevideo\InvisibleFolder\20120210170721_37wan120213zhufuceng.swf
c:\favoritevideo\InvisibleFolder\20120210182456_longzhigu120211zanting.swf
c:\favoritevideo\InvisibleFolder\20120212121530_haier120213zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120213110337_zhonglianghaoshiku120213zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120213111104_zhonglianghaoshiku120213zanting.swf
c:\favoritevideo\InvisibleFolder\20120213111328_zhonglianghaoshiku120213cha15s.swf
c:\favoritevideo\InvisibleFolder\20120214143235_huaixazhizhan120215zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120214143520_huaixazhizhan120215zanting2.swf
c:\favoritevideo\InvisibleFolder\20120214150605_huaixazhizhan120215chabo.swf
c:\favoritevideo\InvisibleFolder\20120214164033_37wan120215fuceng.swf
c:\favoritevideo\InvisibleFolder\20120214164235_37wan120215zhuzt.swf
c:\favoritevideo\InvisibleFolder\20120214164456_37wan120215zhuztb.swf
c:\favoritevideo\InvisibleFolder\20120214181423_tongyisucaie120215zanting.swf
c:\favoritevideo\InvisibleFolder\20120214181452_tongyisucaie120215zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120215134429_vaspmall120215zanting.swf
c:\favoritevideo\InvisibleFolder\20120215134534_vaspmall120215qipao.swf
c:\favoritevideo\InvisibleFolder\20120215162226_37wan120216zanting.swf
c:\favoritevideo\InvisibleFolder\20120215171919_baidu120216zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120215172100_baidu120216zanting.swf
c:\favoritevideo\InvisibleFolder\20120215205346_guangqibentian120216zhuhuanchong15s.swf
c:\favoritevideo\InvisibleFolder\20120216175845_sehnxiandao120219zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120217114502_sehnxiandao120219zanting.swf
c:\favoritevideo\InvisibleFolder\20120217120248_sehnxiandao120219chabo.swf
c:\favoritevideo\InvisibleFolder\20120217175210_youju37wan120219zantingA.swf
c:\favoritevideo\InvisibleFolder\kademlia.dll
c:\favoritevideo\InvisibleFolder\tipsclient.dll
c:\users\A\AppData\Local\Windows Server
c:\users\A\AppData\Local\Windows Server\hlp.dat
c:\users\A\AppData\Local\Windows Server\server.dat
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\assembly\temp\@
c:\windows\assembly\temp\bckfg.tmp
c:\windows\assembly\temp\cfg.ini
c:\windows\assembly\temp\keywords
c:\windows\assembly\temp\kwrd.dll
c:\windows\system32\AutoRun.inf
c:\windows\system32\consrv.dll
c:\windows\System64
.
.
((((((((((((((((((((((((( Files Created from 2012-01-19 to 2012-02-19 )))))))))))))))))))))))))))))))
.
.
2012-02-19 17:03 . 2012-02-19 17:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-05 14:22 . 2012-02-18 17:26 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-01-31 00:15 . 2012-01-31 00:15 6656 ----a-w- c:\programdata\Microsoft\Windows\DRM\BC27.tmp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-21 23:36 . 2011-12-18 16:17 3587128 ----a-w- c:\windows\system32\GooglePinyin2.ime
2011-12-21 23:36 . 2011-12-18 16:17 2504760 ----a-w- c:\windows\SysWow64\GooglePinyin2.ime
2011-12-10 21:24 . 2011-12-20 02:40 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-28 21:41 . 2011-09-12 20:45 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-03-19 15:31 . 2011-03-19 15:31 195632 ----a-w- c:\program files\Uninst_Notation Player 2.6.exe
2010-10-27 01:29 . 2010-10-27 00:57 1337016015 ----a-w- c:\program files\4Story10092702_full.exe
2010-10-16 21:51 . 2010-10-16 21:41 819112408 ----a-w- c:\program files\FistsOfFuSetup-10.0.121.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{f409caa5-db4f-48aa-a238-ca307c481237}]
2011-06-24 15:13 81920 ----a-w- c:\program files (x86)\usjobsearchtoolbar\vmntemplateX.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{f409caa5-db4f-48aa-a238-ca307c481237}"= "c:\program files (x86)\usjobsearchtoolbar\vmntemplateX.dll" [2011-06-24 81920]
.
[HKEY_CLASSES_ROOT\clsid\{f409caa5-db4f-48aa-a238-ca307c481237}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
"HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-04-04 1644088]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"PPS Accelerator"="d:\pps.tv\PPStream\ppsap.exe" [2010-02-24 214408]
"PPAP"="c:\program files (x86)\Common Files\PPLiveNetwork\PPAP.exe" [2011-03-01 189880]
"Akamai NetSession Interface"="c:\users\A\AppData\Local\Akamai\netsession_win.exe" [2012-02-02 3329824]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-12-04 75016]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdatePDIRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdatePSTShortCut"="c:\program files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2009-02-02 210216]
"TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2009-04-10 1328424]
"CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2009-04-10 185640]
"DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-03-19 1148200]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-06 224616]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2009-11-11 417792]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\users\A\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
PPS.lnk - d:\pps.tv\PPStream\PPStream.exe [2011-2-28 5826952]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2009-2-9 430080]
PPTV.lnk - c:\program files (x86)\PPLive\PPTV\PPLive.exe [2011-3-1 189880]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]
Ime File REG_SZ GOOGLEPINYIN2.IME
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-27 19:56]
.
2012-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-27 19:56]
.
2012-02-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1163989138-1874164179-1159466216-1000Core.job
- c:\users\A\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-13 05:44]
.
2012-02-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1163989138-1874164179-1159466216-1000UA.job
- c:\users\A\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-13 05:44]
.
2012-02-11 c:\windows\Tasks\HPCeeScheduleForA.job
- c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2009-04-22 01:17]
.
2010-03-31 c:\windows\Tasks\Install.job
- c:\windows\SysWOW64\Adobe\Shockwave 11\nssstub.exe [2010-03-24 00:03]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Remote Software"="c:\program files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe" [2009-02-06 172032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-05 154648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-05 227352]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-05 202264]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]
"combofix"="c:\combofix\CF16144.3XE" [2008-01-21 363008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
s116bus
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = 127.0.0.1:9421
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: mswsock.dll
Trusted Zone: pps.tv
Trusted Zone: ppstream.com
Trusted Zone: webscache.com
TCP: DhcpNameServer = 192.168.1.1
DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxps://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-4StoryPrePatch - c:\program files\4Story_US\PrePatch.exe
HKLM-Run-SmartMenu - c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-sp44626 - c:\hp\Softpaq\sp44626\sp44626.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_7de0ed9.dll"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\X6va003]
"ImagePath"="\??\c:\users\A\AppData\Local\Temp\003FDE6.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
.
**************************************************************************
.
Completion time: 2012-02-19 11:17:08 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-19 17:17
.
Pre-Run: 404,788,539,392 bytes free
Post-Run: 404,912,738,304 bytes free
.
- - End Of File - - 28768E2B437A48C74E174636FB907C8C

Edited by immediate1, 19 February 2012 - 06:21 PM.


#6 SweetTech (Agent ST; Members, 13,421 posts; Gender: Male; Location: Antarctica)

Posted 20 February 2012 - 06:30 AM

Hi immediate1!

Ok I'll copy and paste any logs you need from here on out!

Thanks, I appreciate it. :)

For whatever reason, stage 48 took about half an hour. Also some application called PEV.exe stopped working. Is PEV.exe malware?

Pev.exe is a file that's part of ComboFix's inner workings.

It looks like you're still infected. Please run these scans for me:

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
ClearJavaCache::
File::
c:\windows\system32\dds_trash_log.cmd
c:\programdata\Microsoft\Windows\DRM\BC27.tmp
Suspect::[102]
c:\windows\system32\GooglePinyin2.ime
c:\windows\SysWow64\GooglePinyin2.ime

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT:



OTL Custom Scan

We need to create a new OTL Report
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Click on the NONE button at the top.
  • In the custom scan box paste the following:
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    "%WinDir%\$NtUninstallKB*$."
    C:\Program Files\Common Files\ComObjects\*.* /s
    %systemroot%\*. /mp /s
    %systemroot%\*. /rp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    %SYSTEMDRIVE%\*.exe
    /md5start
    afd.sys
    volsnap.sys
    atapi.sys
    explorer.exe
    winlogon.exe
    wininit.exe
    /md5stop
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    
  • Push the Run Scan button.
  • One report will open, copy and paste it in a reply here:
  • OTL.txt <-- Will be opened

Edited by SweetTech, 20 February 2012 - 06:31 AM.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
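The two files SweetTech's CFScript targets were picked out of the ComboFix log posted earlier by their attribute flags and their location. The following is an added example, not code from the thread or from ComboFix: it parses the log's entry format (`created . modified size attrs path`, plus the bare paths of the "Other Deletions" section) and flags entries that are hidden+system, zero-byte, script or temp files sitting in system32, or under locations listed in the earlier log. The watch list, the heuristics and the sample log lines are constructed from paths that appear in this thread.

```python
"""Triage helper for ComboFix log entries (added example, not part of ComboFix)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "Files Created" / "Find3M" entry:  <created> . <modified> <size> <attrs> <path>
# Directories carry "--------" in the size column.
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>\S.*)$"
)
# Bare path line, as in the "Other Deletions" section.
PATH_RE = re.compile(r"^[a-z]:\\\S.*$", re.IGNORECASE)

# Locations copied from the log posted earlier in this thread (assumption:
# anything reappearing under them after a cleanup run deserves a second look).
WATCH_PREFIXES = (
    "c:\\windows\\assembly\\temp\\",
    "c:\\windows\\assembly\\gac_32\\desktop.ini",
    "c:\\windows\\assembly\\gac_64\\desktop.ini",
    "c:\\windows\\system64",
    "c:\\windows\\system32\\consrv.dll",
    "c:\\windows\\system32\\autorun.inf",
    "c:\\users\\a\\appdata\\local\\windows server",
)
EXEC_EXT = (".exe", ".dll", ".cmd", ".bat", ".sys", ".tmp")


@dataclass
class Entry:
    path: str
    attrs: str = ""            # eight-character flag field; "" for bare path lines
    created: str = ""
    modified: str = ""
    size: Optional[int] = None  # None for directories and bare path lines

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_log(text: str) -> List[Entry]:
    """Collect dated entries and bare paths; every other line (banners, '.') is ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            size = int(m["size"]) if m["size"].isdigit() else None
            entries.append(Entry(path=m["path"], attrs=m["attrs"], created=m["created"],
                                 modified=m["modified"], size=size))
        elif PATH_RE.match(line):
            entries.append(Entry(path=line))
    return entries


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for entries worth a second look (heuristics, not verdicts)."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons: List[str] = []
        low = e.path.lower()
        if "h" in e.attrs and "s" in e.attrs and not e.is_dir:
            reasons.append("hidden+system file")
        if any(low.startswith(p) for p in WATCH_PREFIXES):
            reasons.append("known-bad location from earlier log")
        if e.size == 0 and low.endswith(EXEC_EXT):
            reasons.append("zero-byte executable/script")
        if low.startswith("c:\\windows\\system32\\") and low.endswith((".cmd", ".bat", ".tmp")):
            reasons.append("script/temp file in system32")
        if low.endswith(".tmp") and "\\temp\\" not in low:
            reasons.append("temp-named file outside a Temp folder")
        if reasons:
            findings[e.path] = reasons
    return findings


# Constructed sample: lines copied from the log earlier in this thread.
SAMPLE_LOG = """\
c:\\windows\\assembly\\temp\\kwrd.dll
c:\\windows\\system32\\consrv.dll
c:\\windows\\System64
.
2012-02-19 17:03 . 2012-02-19 17:03 -------- d-----w- c:\\users\\Default\\AppData\\Local\\temp
2012-02-05 14:22 . 2012-02-18 17:26 0 --sha-w- c:\\windows\\system32\\dds_trash_log.cmd
2012-01-31 00:15 . 2012-01-31 00:15 6656 ----a-w- c:\\programdata\\Microsoft\\Windows\\DRM\\BC27.tmp
2011-12-10 21:24 . 2011-12-20 02:40 23152 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
"""

if __name__ == "__main__":
    for path, why in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{path} -> {', '.join(why)}")
```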


#7 immediate1 (Topic Starter; Members, 37 posts)

Posted 20 February 2012 - 07:35 PM

I meant to mention in my last reply that the redirects I was experiencing in search engines like Google and Bing have stopped temporarily. However, I still get redirected (sometimes there are pop-ups when I click links too) quite a bit when browsing through websites like BleepingComputer.

Anyway here are the ComboFix and OTL logs!

ComboFix:
ComboFix 12-02-19.01 - A 02/20/2012 16:03:17.2.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.6133.3532 [GMT -6:00]
Running from: c:\users\A\Desktop\ComboFix.exe
Command switches used :: c:\users\A\Desktop\CFscript.txt
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\programdata\Microsoft\Windows\DRM\BC27.tmp"
"c:\windows\system32\dds_trash_log.cmd"
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\favoritevideo\InvisibleFolder
c:\programdata\Microsoft\Windows\DRM\BC27.tmp
c:\windows\system32\dds_trash_log.cmd
.
.
((((((((((((((((((((((((( Files Created from 2012-01-20 to 2012-02-20 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-29 11:10 . 2009-10-17 18:03 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-01-06 05:15 . 2012-02-19 20:01 8602168 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{03F0B9B1-A3CA-4380-8B70-9715C39ECB02}\mpengine.dll
2011-12-21 23:36 . 2011-12-18 16:17 3587128 ----a-w- c:\windows\system32\GooglePinyin2.ime
2011-12-21 23:36 . 2011-12-18 16:17 2504760 ------w- c:\windows\SysWow64\GooglePinyin2.ime
2011-12-10 21:24 . 2011-12-20 02:40 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-28 21:41 . 2011-09-12 20:45 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-03-19 15:31 . 2011-03-19 15:31 195632 ----a-w- c:\program files\Uninst_Notation Player 2.6.exe
2010-10-27 01:29 . 2010-10-27 00:57 1337016015 ----a-w- c:\program files\4Story10092702_full.exe
2010-10-16 21:51 . 2010-10-16 21:41 819112408 ----a-w- c:\program files\FistsOfFuSetup-10.0.121.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-19_17.08.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-20 22:59 . 2012-02-20 22:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-02-19 17:06 . 2012-02-19 17:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-02-20 22:59 . 2012-02-20 22:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-02-19 17:06 . 2012-02-19 17:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{f409caa5-db4f-48aa-a238-ca307c481237}]
2011-06-24 15:13 81920 ----a-w- c:\program files (x86)\usjobsearchtoolbar\vmntemplateX.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{f409caa5-db4f-48aa-a238-ca307c481237}"= "c:\program files (x86)\usjobsearchtoolbar\vmntemplateX.dll" [2011-06-24 81920]
.
[HKEY_CLASSES_ROOT\clsid\{f409caa5-db4f-48aa-a238-ca307c481237}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
"HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-04-04 1644088]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"PPS Accelerator"="d:\pps.tv\PPStream\ppsap.exe" [2010-02-24 214408]
"PPAP"="c:\program files (x86)\Common Files\PPLiveNetwork\PPAP.exe" [2011-03-01 189880]
"Akamai NetSession Interface"="c:\users\A\AppData\Local\Akamai\netsession_win.exe" [2012-02-02 3329824]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-12-04 75016]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdatePDIRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdatePSTShortCut"="c:\program files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2009-02-02 210216]
"TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2009-04-10 1328424]
"CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2009-04-10 185640]
"DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-03-19 1148200]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-06 224616]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2009-11-11 417792]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\users\A\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
PPS.lnk - d:\pps.tv\PPStream\PPStream.exe [2011-2-28 5826952]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2009-2-9 430080]
PPTV.lnk - c:\program files (x86)\PPLive\PPTV\PPLive.exe [2011-3-1 189880]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]
Ime File REG_SZ GOOGLEPINYIN2.IME
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-27 19:56]
.
2012-02-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-27 19:56]
.
2012-02-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1163989138-1874164179-1159466216-1000Core.job
- c:\users\A\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-13 05:44]
.
2012-02-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1163989138-1874164179-1159466216-1000UA.job
- c:\users\A\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-13 05:44]
.
2012-02-11 c:\windows\Tasks\HPCeeScheduleForA.job
- c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2009-04-22 01:17]
.
2010-03-31 c:\windows\Tasks\Install.job
- c:\windows\SysWOW64\Adobe\Shockwave 11\nssstub.exe [2010-03-24 00:03]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Remote Software"="c:\program files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe" [2009-02-06 172032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-05 154648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-05 227352]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-05 202264]
"SmartMenu"="c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [BU]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]
"combofix"="c:\combofix\CF5156.3XE" [2008-01-21 363008]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
s116bus
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = 127.0.0.1:9421
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: mswsock.dll
Trusted Zone: pps.tv
Trusted Zone: ppstream.com
Trusted Zone: webscache.com
TCP: DhcpNameServer = 192.168.1.1
DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxps://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_7de0ed9.dll"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\X6va003]
"ImagePath"="\??\c:\users\A\AppData\Local\Temp\003FDE6.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe
c:\windows\SysWOW64\DllHost.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\windows\SysWOW64\nslookup.exe
c:\windows\SysWOW64\WerFault.exe
c:\windows\SysWOW64\ping.exe
.
**************************************************************************
.
Completion time: 2012-02-20 17:12:58 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-20 23:12
ComboFix2.txt 2012-02-19 17:17
.
Pre-Run: 405,697,540,096 bytes free
Post-Run: 406,042,824,704 bytes free
.
- - End Of File - - 9F528AFEAAD7B40CDAA07B80B6B6BC83
Upload was successful

OTL:
OTL logfile created on: 2/20/2012 6:22:20 PM - Run 2
OTL by OldTimer - Version 3.2.32.0 Folder = C:\Users\A\Desktop
64bit-Windows Vista Home Premium Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.19088)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

5.99 Gb Total Physical Memory | 3.47 Gb Available Physical Memory | 57.88% Memory free
12.09 Gb Paging File | 9.96 Gb Available in Paging File | 82.36% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 582.50 Gb Total Space | 378.11 Gb Free Space | 64.91% Space Free | Partition Type: NTFS
Drive D: | 13.67 Gb Total Space | 1.88 Gb Free Space | 13.71% Space Free | Partition Type: NTFS

Computer Name: A-PC | User Name: A | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days


SafeBootMin:64bit: Base - Driver Group
SafeBootMin:64bit: Boot Bus Extender - Driver Group
SafeBootMin:64bit: Boot file system - Driver Group
SafeBootMin:64bit: File system - Driver Group
SafeBootMin:64bit: Filter - Driver Group
SafeBootMin:64bit: HelpSvc - Service
SafeBootMin:64bit: PCI Configuration - Driver Group
SafeBootMin:64bit: PNP Filter - Driver Group
SafeBootMin:64bit: Primary disk - Driver Group
SafeBootMin:64bit: sacsvr - Service
SafeBootMin:64bit: SCSI Class - Driver Group
SafeBootMin:64bit: SymEFA.sys - C:\Windows\SysNative\drivers\NISx64\1008030.006\SYMEFA64.SYS ()
SafeBootMin:64bit: System Bus Extender - Driver Group
SafeBootMin:64bit: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootMin:64bit: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin:64bit: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin:64bit: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin:64bit: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin:64bit: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin:64bit: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin:64bit: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin:64bit: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin:64bit: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin:64bit: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin:64bit: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin:64bit: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin:64bit: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin:64bit: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin:64bit: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin:64bit: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin:64bit: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

ActiveX:64bit: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} -
ActiveX:64bit: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 11.0
ActiveX:64bit: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX:64bit: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX:64bit: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX:64bit: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} -
ActiveX:64bit: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX:64bit: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX:64bit: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.7
ActiveX:64bit: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX:64bit: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX:64bit: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX:64bit: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX:64bit: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\system32\ie4uinit.exe -BaseSettings
ActiveX:64bit: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
ActiveX:64bit: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX:64bit: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX:64bit: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX:64bit: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX:64bit: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX:64bit: {F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4} - .NET Framework
ActiveX:64bit: {FEBEF00C-046D-438D-8A88-BF94A6C9E703} - .NET Framework
ActiveX:64bit: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\Windows\system32\unregmp2.exe /ShowWMP
ActiveX:64bit: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\system32\ie4uinit.exe -UserIconConfig
ActiveX:64bit: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles(x86)%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Web Folders
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\SysWOW64\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Macromedia Shockwave Flash
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: {F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4} - .NET Framework
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\SysWOW64\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iedkcs32.dll",BrandIEActiveSetup SIGNUP

Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm ()
Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.l3codecp - C:\Windows\SysWow64\l3codecp.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)

NetSvcs:64bit: s116bus - C:\Windows\SysNative\AppnBase.dll ()

========== Custom Scans ==========


< "%WinDir%\$NtUninstallKB*$." >

< C:\Program Files\Common Files\ComObjects\*.* /s >

< %systemroot%\*. /mp /s >

< %systemroot%\*. /rp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >

< %systemroot%\system32\drivers\*.sys /90 >

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AFD.SYS >
[2011/04/21 08:20:24 | 000,405,504 | ---- | M] (Microsoft Corporation) MD5=0CC146C4ADDEA45791B18B1E2659F4A9 -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18457_none_35be4fb214130ed1\afd.sys
[2009/04/10 23:44:24 | 000,406,016 | ---- | M] (Microsoft Corporation) MD5=12415CCFD3E7CEC55B5184E67B039FE4 -- C:\Windows\SoftwareDistribution\Download\61da130e21aad3387c2fa3ca1d469de3\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.18005_none_35f2572213ec5bd2\afd.sys
[2011/04/21 07:54:10 | 000,405,504 | ---- | M] (Microsoft Corporation) MD5=7B8E5F3A0626CA83B706F0738830845F -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6002.22629_none_366a5ebb2d168a9d\afd.sys
[2011/04/21 07:42:48 | 000,407,552 | ---- | M] () MD5=9BB97042FA331A0FB4BDD98B9280A50A -- C:\Windows\SysNative\drivers\afd.sys
[2011/04/21 07:42:48 | 000,407,552 | ---- | M] (Microsoft Corporation) MD5=9BB97042FA331A0FB4BDD98B9280A50A -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18639_none_33ef7c5016dab752\afd.sys
[2011/04/21 07:47:41 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=B53144D2EBB0843DD0436F5EA6953F65 -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.22905_none_34958b832fe3983b\afd.sys
[2008/01/20 20:48:18 | 000,408,064 | ---- | M] (Microsoft Corporation) MD5=DB37041AB857ABC7E179E856D8E1582C -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18000_none_3406de1616ca9086\afd.sys

< MD5 for: ATAPI.SYS >
[2008/01/20 20:46:50 | 000,022,584 | ---- | M] (Microsoft Corporation) MD5=1898FAE8E07D97F2F6C2D5326C633FAC -- C:\Windows\ERDNT\cache64\atapi.sys
[2008/01/20 20:46:50 | 000,022,584 | ---- | M] () MD5=1898FAE8E07D97F2F6C2D5326C633FAC -- C:\Windows\SysNative\drivers\atapi.sys
[2008/01/20 20:46:50 | 000,022,584 | ---- | M] (Microsoft Corporation) MD5=1898FAE8E07D97F2F6C2D5326C633FAC -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_3956c39dd9e73fd2\atapi.sys
[2009/04/11 01:15:00 | 000,020,952 | ---- | M] (Microsoft Corporation) MD5=E68D9B3A3905619732F7FE039466A623 -- C:\Windows\SoftwareDistribution\Download\61da130e21aad3387c2fa3ca1d469de3\amd64_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_3b423ca9d7090b1e\atapi.sys

< MD5 for: EXPLORER.EXE >
[2009/04/22 04:53:10 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=37440D09DEAE0B672A04DCCF7ABF06BE -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_b5f700fe698beb14\explorer.exe
[2009/04/22 04:53:09 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\SysWOW64\explorer.exe
[2009/04/22 04:53:09 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=4F554999D7D5F05DAAEBBA7B5BA1089D -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_b7eb106e66a7ac19\explorer.exe
[2009/04/22 04:53:10 | 003,087,360 | ---- | M] (Microsoft Corporation) MD5=50514057C28A74BAC2BD04B7B990D615 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.16771_none_aba256ac352b2919\explorer.exe
[2009/04/22 04:53:09 | 002,927,616 | ---- | M] (Microsoft Corporation) MD5=50BA5850147410CDE89C523AD3BC606E -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_b8583e9d7fda0512\explorer.exe
[2009/04/11 01:10:17 | 003,079,168 | ---- | M] (Microsoft Corporation) MD5=6B08E54A451B3F95E4109DBA7E594270 -- C:\Windows\SoftwareDistribution\Download\61da130e21aad3387c2fa3ca1d469de3\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_afbebba22f3bab41\explorer.exe
[2009/04/22 04:53:09 | 003,086,848 | ---- | M] (Microsoft Corporation) MD5=72B9990E45C25AA3C75C4FB50A9D6CE0 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_ac5266dd4e2b0a41\explorer.exe
[2009/04/22 04:53:09 | 003,080,704 | ---- | M] (Microsoft Corporation) MD5=BBD8E74F23D7605CB0CDB57A1B25D826 -- C:\Windows\ERDNT\cache86\explorer.exe
[2009/04/22 04:53:09 | 003,080,704 | ---- | M] (Microsoft Corporation) MD5=BBD8E74F23D7605CB0CDB57A1B25D826 -- C:\Windows\explorer.exe
[2009/04/22 04:53:09 | 003,080,704 | ---- | M] (Microsoft Corporation) MD5=BBD8E74F23D7605CB0CDB57A1B25D826 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18164_none_ad96661c3246ea1e\explorer.exe
[2009/04/11 00:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) MD5=D07D4C3038F3578FFCE1C0237F2A1253 -- C:\Windows\SoftwareDistribution\Download\61da130e21aad3387c2fa3ca1d469de3\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_ba1365f4639c6d3c\explorer.exe
[2009/04/22 04:53:09 | 003,081,216 | ---- | M] (Microsoft Corporation) MD5=E404A65EF890140410E9F3D405841C95 -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.22298_none_ae03944b4b794317\explorer.exe
[2009/04/22 04:53:09 | 002,923,520 | ---- | M] (Microsoft Corporation) MD5=E7156B0B74762D9DE0E66BDCDE06E5FB -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6000.20947_none_b6a7112f828bcc3c\explorer.exe
[2008/01/20 20:48:44 | 003,080,704 | ---- | M] (Microsoft Corporation) MD5=F6D765FB6B457542D954682F50C26E4F -- C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_add342963219dff5\explorer.exe
[2008/01/20 20:49:23 | 002,927,104 | ---- | M] (Microsoft Corporation) MD5=FFA764631CB70A30065C12EF8E174F9F -- C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.0.6001.18000_none_b827ece8667aa1f0\explorer.exe

< MD5 for: VOLSNAP.SYS >
[2009/04/11 01:15:45 | 000,269,288 | ---- | M] (Microsoft Corporation) MD5=5280AADA24AB36B01A84A6424C475C8D -- C:\Windows\SoftwareDistribution\Download\61da130e21aad3387c2fa3ca1d469de3\amd64_volume.inf_31bf3856ad364e35_6.0.6002.18005_none_73c0cc10b194374f\volsnap.sys
[2008/01/20 20:47:03 | 000,271,416 | ---- | M] () MD5=DE4307412D98050239026E56A7DFF3C0 -- C:\Windows\SysNative\drivers\volsnap.sys
[2008/01/20 20:47:03 | 000,271,416 | ---- | M] (Microsoft Corporation) MD5=DE4307412D98050239026E56A7DFF3C0 -- C:\Windows\winsxs\amd64_volume.inf_31bf3856ad364e35_6.0.6001.18000_none_71d55304b4726c03\volsnap.sys

< MD5 for: WININIT.EXE >
[2008/01/20 20:48:04 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\ERDNT\cache86\wininit.exe
[2008/01/20 20:48:04 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\SysWOW64\wininit.exe
[2008/01/20 20:48:04 | 000,096,768 | ---- | M] (Microsoft Corporation) MD5=101BA3EA053480BB5D957EF37C06B5ED -- C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_30f2b8cf0450a6a2\wininit.exe
[2008/01/20 20:50:23 | 000,123,904 | ---- | M] (Microsoft Corporation) MD5=117EA87DF785CA1B9D821F6F213DCE07 -- C:\Windows\ERDNT\cache64\wininit.exe
[2008/01/20 20:50:23 | 000,123,904 | ---- | M] () MD5=117EA87DF785CA1B9D821F6F213DCE07 -- C:\Windows\SysNative\wininit.exe
[2008/01/20 20:50:23 | 000,123,904 | ---- | M] (Microsoft Corporation) MD5=117EA87DF785CA1B9D821F6F213DCE07 -- C:\Windows\winsxs\amd64_microsoft-windows-wininit_31bf3856ad364e35_6.0.6001.18000_none_8d115452bcae17d8\wininit.exe

< MD5 for: WINLOGON.EXE >
[2012/01/13 14:53:20 | 000,182,856 | ---- | M] () MD5=63EEC8A8B221AB79045E776E5F592868 -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2009/04/11 01:11:08 | 000,405,504 | ---- | M] (Microsoft Corporation) MD5=6D0773A3A65D28B663F334C90441D01A -- C:\Windows\SoftwareDistribution\Download\61da130e21aad3387c2fa3ca1d469de3\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_cdcd15a68a70b877\winlogon.exe
[2008/01/20 20:49:47 | 000,406,016 | ---- | M] (Microsoft Corporation) MD5=856491FCED98093D824B9EB2892F564A -- C:\Windows\ERDNT\cache64\winlogon.exe
[2008/01/20 20:49:47 | 000,406,016 | ---- | M] () MD5=856491FCED98093D824B9EB2892F564A -- C:\Windows\SysNative\winlogon.exe
[2008/01/20 20:49:47 | 000,406,016 | ---- | M] (Microsoft Corporation) MD5=856491FCED98093D824B9EB2892F564A -- C:\Windows\winsxs\amd64_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_cbe19c9a8d4eed2b\winlogon.exe
[2009/04/11 00:28:13 | 000,314,368 | ---- | M] (Microsoft Corporation) MD5=898E7C06A350D4A1A64A9EA264D55452 -- C:\Windows\SoftwareDistribution\Download\61da130e21aad3387c2fa3ca1d469de3\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6002.18005_none_71ae7a22d2134741\winlogon.exe
[2008/01/20 20:50:38 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\SysWOW64\winlogon.exe
[2008/01/20 20:50:38 | 000,314,880 | ---- | M] (Microsoft Corporation) MD5=C2610B6BDBEFC053BBDAB4F1B965CB24 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.0.6001.18000_none_6fc30116d4f17bf5\winlogon.exe

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\SysWOW64\ie4uinit.exe" -hide [2011/05/27 22:32:51 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\SysWOW64\ie4uinit.exe" -show [2011/05/27 22:32:51 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\SysWOW64\ie4uinit.exe" -reinstall [2011/05/27 22:32:51 | 000,173,568 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -extoff [2011/05/28 00:09:21 | 000,638,232 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" [2011/05/28 00:09:21 | 000,638,232 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -HIDE [2011/05/27 22:53:19 | 000,070,656 | ---- | M] ()
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -SHOW [2011/05/27 22:53:19 | 000,070,656 | ---- | M] ()
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\WINDOWS\SYSTEM32\IE4UINIT.EXE" -REINSTALL [2011/05/27 22:53:19 | 000,070,656 | ---- | M] ()
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE" -EXTOFF [2011/05/28 00:09:21 | 000,638,232 | ---- | M] (Microsoft Corporation)
64bit-HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE" [2011/05/28 00:09:21 | 000,638,232 | ---- | M] (Microsoft Corporation)

< >

< >

< End of report >
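A check worth running on the OTL output above: each `< MD5 for: NAME >` block lists every copy of a critical system binary that OTL could locate, and the copy Windows actually loads (the one under SysNative, SysWOW64 or C:\Windows itself) should hash identically to one of the WinSxS component-store copies. A live copy that matches no WinSxS copy is what a patched system file looks like in this listing. The company column is not usable for that purpose here: every SysNative path in the log shows "()" even where its MD5 equals a winsxs copy reported as "(Microsoft Corporation)", so only the hash comparison is meaningful. The parser below is an added example, not part of the original thread and not OTL's own code; its sample log is constructed from two afd.sys lines copied from the report above plus a volsnap.sys live line whose MD5 has been replaced with zeros to stand in for a patched driver.

```python
import re
from collections import defaultdict

# One entry from an OTL "< MD5 for: NAME >" block, for example:
# [2011/04/21 07:42:48 | 000,407,552 | ---- | M] () MD5=9BB9... -- C:\Windows\SysNative\drivers\afd.sys
ENTRY_RE = re.compile(
    r"^\[(?P<mtime>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+?)\s*$"
)
HEADER_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>[^>]+?)\s*>$")

# WinSxS holds the component-store copies the live file is supposed to equal.
REFERENCE_DIRS = ("\\winsxs\\",)
# ComboFix's ERDNT backups and the Windows Update download cache are neither live nor authoritative.
IGNORED_DIRS = ("\\erdnt\\", "\\softwaredistribution\\")


def parse_md5_sections(log_text):
    """Map lower-cased file name -> list of entries for every '< MD5 for: X >' block."""
    sections = defaultdict(list)
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name").lower()
            continue
        if current is None:
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            d = entry.groupdict()
            d["size"] = int(d["size"].replace(",", ""))
            d["md5"] = d["md5"].upper()
            sections[current].append(d)
        elif line.startswith("<"):
            # Any other "< ... >" custom-scan header ends the current block.
            current = None
    return dict(sections)


def classify(path):
    """'reference' for WinSxS copies, 'ignored' for backups/update cache, 'live' otherwise."""
    p = path.lower()
    if any(d in p for d in REFERENCE_DIRS):
        return "reference"
    if any(d in p for d in IGNORED_DIRS):
        return "ignored"
    return "live"


def find_unmatched_live_files(sections):
    """Live copies whose MD5 equals no WinSxS copy of the same file name."""
    findings = []
    for name, entries in sections.items():
        reference_hashes = {e["md5"] for e in entries if classify(e["path"]) == "reference"}
        for e in entries:
            if classify(e["path"]) == "live" and e["md5"] not in reference_hashes:
                findings.append({"name": name, "path": e["path"], "md5": e["md5"], "size": e["size"]})
    return findings


# Constructed sample: the two afd.sys lines are copied from the OTL log above; the live
# volsnap.sys line has had its MD5 replaced with zeros to stand in for a patched driver.
SAMPLE_LOG = r"""
< MD5 for: AFD.SYS >
[2011/04/21 07:42:48 | 000,407,552 | ---- | M] () MD5=9BB97042FA331A0FB4BDD98B9280A50A -- C:\Windows\SysNative\drivers\afd.sys
[2011/04/21 07:42:48 | 000,407,552 | ---- | M] (Microsoft Corporation) MD5=9BB97042FA331A0FB4BDD98B9280A50A -- C:\Windows\winsxs\amd64_microsoft-windows-winsock-core_31bf3856ad364e35_6.0.6001.18639_none_33ef7c5016dab752\afd.sys

< MD5 for: VOLSNAP.SYS >
[2008/01/20 20:47:03 | 000,271,416 | ---- | M] () MD5=00000000000000000000000000000000 -- C:\Windows\SysNative\drivers\volsnap.sys
[2008/01/20 20:47:03 | 000,271,416 | ---- | M] (Microsoft Corporation) MD5=DE4307412D98050239026E56A7DFF3C0 -- C:\Windows\winsxs\amd64_volume.inf_31bf3856ad364e35_6.0.6001.18000_none_71d55304b4726c03\volsnap.sys

< hklm\software\clients\startmenuinternet|command /rs >
"""


def audit(log_text):
    """Parse an OTL report and return the live files that match no WinSxS copy."""
    return find_unmatched_live_files(parse_md5_sections(log_text))


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['name']}: {f['path']} md5={f['md5']} size={f['size']} matches no WinSxS copy")
```

Run over the complete report above, the output is a worklist rather than a verdict: every SysNative copy in this log matches a winsxs hash, and the one remaining hit is the winlogon.exe under Malwarebytes' Chameleon folder, which is flagged only because it carries a system file's name outside C:\Windows and would be dismissed by hand.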

#8 SweetTech (Agent ST)

  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica
  • Local time:09:40 AM

Posted 21 February 2012 - 02:07 AM

Hi immediate1!

It looks like you're infected with a newer infection.

I need to have you run this ComboFix script below.

I meant to mention in my last reply that the redirects I was experiencing in search engines like Google and Bing have stopped temporarily. However, I still get redirected (sometimes there are pop-ups when I click links too) quite a bit when browsing through websites like BleepingComputer.

Okay, thanks for that information.

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
Suspect::[102]
C:\Windows\SysNative\AppnBase.dll

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

[screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#9 immediate1 (Topic Starter)

  • Members
  • 37 posts
  • Local time:07:40 AM

Posted 21 February 2012 - 05:44 PM

Before I ran ComboFix this time, the redirects came back worse than ever. I used Google and was redirected every time I clicked a link, and I got pop-ups here on BleepingComputer by just clicking in the margins of the web pages. Redirects are still present, just not as persistent after reboot. There was also an error message that kept popping up about a compatibility issue between Internet Explorer 8 (my Internet Explorer is still version 7) and the HP Smart Web Printing add-on program. Is this the working of malware? (These messages are no longer popping up after reboot.)

Oh, and, of course, here is the ComboFix log :)

ComboFix 12-02-19.01 - A 02/21/2012 15:47:49.3.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.6133.2456 [GMT -6:00]
Running from: c:\users\A\Desktop\ComboFix.exe
Command switches used :: c:\users\A\Desktop\CFScript.txt
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\favoritevideo\InvisibleFolder
c:\favoritevideo\InvisibleFolder\20120113133342_bmw120116zhu15juji.swf
c:\favoritevideo\InvisibleFolder\20120207182205_kelaisik120208zanting.swf
c:\favoritevideo\InvisibleFolder\20120207190427_kelaisile120208zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120215205346_guangqibentian120216zhuhuanchong15s.swf
c:\favoritevideo\InvisibleFolder\20120216144328_dongfeng308120216zanting.swf
c:\favoritevideo\InvisibleFolder\20120217153424_moshou120224jiaobiao.swf
c:\favoritevideo\InvisibleFolder\20120217163353_ximenzi120220zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120217163942_ximenzi120220zanting.swf
c:\favoritevideo\InvisibleFolder\20120217203337_mairuibao120220jiaobiao.jpg
c:\favoritevideo\InvisibleFolder\20120220144402_mairuibao120220zantingbudianjia.swf
c:\favoritevideo\InvisibleFolder\20120220164247_youju37wan120221chabo.swf
c:\favoritevideo\InvisibleFolder\20120220164319_youju37wanzantingA.swf
c:\favoritevideo\InvisibleFolder\20120220164342_youju37wanzantingB.swf
c:\favoritevideo\InvisibleFolder\20120220164455_youju37wanzhu15sA.swf
c:\favoritevideo\InvisibleFolder\20120220164507_youju37wanzhu15sB.swf
c:\favoritevideo\InvisibleFolder\20120220170102_baidu120216zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120220170241_baidu120218zanting.swf
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
c:\windows\system32\consrv.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-01-21 to 2012-02-21 )))))))))))))))))))))))))))))))
.
.
2012-02-21 22:17 . 2012-02-21 22:17 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-21 22:14 . 2012-02-21 22:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-21 19:19 . 2012-02-21 21:21 84146 ----a-w- c:\windows\SysWow64\32cX8r3R.com_
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 07:13 . 2012-02-21 10:45 8643640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E2843531-81BA-49B5-9F65-8D96B3E9C5A2}\mpengine.dll
2012-01-29 11:10 . 2009-10-17 18:03 279656 ------w- c:\windows\system32\MpSigStub.exe
2011-12-21 23:36 . 2011-12-18 16:17 3587128 ----a-w- c:\windows\system32\GooglePinyin2.ime
2011-12-21 23:36 . 2011-12-18 16:17 2504760 ------w- c:\windows\SysWow64\GooglePinyin2.ime
2011-12-10 21:24 . 2011-12-20 02:40 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-28 21:41 . 2011-09-12 20:45 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-03-19 15:31 . 2011-03-19 15:31 195632 ----a-w- c:\program files\Uninst_Notation Player 2.6.exe
2010-10-27 01:29 . 2010-10-27 00:57 1337016015 ----a-w- c:\program files\4Story10092702_full.exe
2010-10-16 21:51 . 2010-10-16 21:41 819112408 ----a-w- c:\program files\FistsOfFuSetup-10.0.121.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-19_17.08.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-21 21:42 . 2012-02-21 21:42 11776 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{F9E852C0-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:42 . 2012-02-21 21:43 10752 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F365C223-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:42 . 2012-02-21 21:42 11776 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F365C224-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:40 . 2012-02-21 21:40 12288 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B4BF17B4-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:43 . 2012-02-21 21:43 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Feeds Cache\index.dat
+ 2012-02-21 21:40 . 2012-02-21 21:42 4096 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{BD389650-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:40 . 2012-02-21 21:41 9216 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B4BF17B3-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:42 . 2012-02-21 21:43 4096 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F9E852C3-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:42 . 2012-02-21 21:42 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F9E852C2-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:42 . 2012-02-21 21:42 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F9E852C1-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:42 . 2012-02-21 21:42 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F365C22C-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:42 . 2012-02-21 21:42 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F365C22B-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:42 . 2012-02-21 21:42 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F365C22A-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:42 . 2012-02-21 21:42 4096 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F365C228-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:42 . 2012-02-21 21:42 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F365C227-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:42 . 2012-02-21 21:42 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F365C225-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:41 . 2012-02-21 21:41 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D5CCB392-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:41 . 2012-02-21 21:41 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D5CCB391-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:41 . 2012-02-21 21:41 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D5CCB390-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:41 . 2012-02-21 21:41 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CE89E032-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:41 . 2012-02-21 21:41 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CE89E031-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:41 . 2012-02-21 21:41 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CE89E030-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:41 . 2012-02-21 21:41 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C62C9C23-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:41 . 2012-02-21 21:41 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C62C9C21-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:41 . 2012-02-21 21:41 4096 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C62C9C20-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:40 . 2012-02-21 21:40 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B4BF17BC-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:40 . 2012-02-21 21:40 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B4BF17BB-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:40 . 2012-02-21 21:40 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B4BF17BA-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:40 . 2012-02-21 21:40 4096 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B4BF17B8-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:40 . 2012-02-21 21:40 4096 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B4BF17B7-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:40 . 2012-02-21 21:40 4096 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B4BF17B6-5CD4-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:43 . 2012-02-21 21:43 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{198806D7-5CD5-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:43 . 2012-02-21 21:43 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{198806D6-5CD5-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:43 . 2012-02-21 21:43 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{198806C0-5CD5-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:43 . 2012-02-21 21:43 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0E991B7C-5CD5-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:43 . 2012-02-21 21:43 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0E991B7B-5CD5-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:43 . 2012-02-21 21:43 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0E991B6C-5CD5-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:43 . 2012-02-21 21:43 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0E991B56-5CD5-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:43 . 2012-02-21 21:43 6144 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{08774853-5CD5-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:43 . 2012-02-21 21:43 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{08774852-5CD5-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:43 . 2012-02-21 21:43 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{08774851-5CD5-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:43 . 2012-02-21 21:43 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{08774850-5CD5-11E1-AD1E-00261832C5B2}.dat
+ 2012-02-21 21:43 . 2012-02-21 21:43 9066 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\frameiconcache.dat
- 2012-02-19 17:06 . 2012-02-19 17:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-02-21 22:16 . 2012-02-21 22:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-02-21 22:16 . 2012-02-21 22:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-02-19 17:06 . 2012-02-19 17:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-12-24 10:21 . 2012-02-21 21:43 163840 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2008-01-21 03:20 . 2012-02-21 22:13 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2012-02-19 17:03 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2012-02-19 17:03 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 03:20 . 2012-02-21 22:13 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{f409caa5-db4f-48aa-a238-ca307c481237}]
2011-06-24 15:13 81920 ----a-w- c:\program files (x86)\usjobsearchtoolbar\vmntemplateX.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{f409caa5-db4f-48aa-a238-ca307c481237}"= "c:\program files (x86)\usjobsearchtoolbar\vmntemplateX.dll" [2011-06-24 81920]
.
[HKEY_CLASSES_ROOT\clsid\{f409caa5-db4f-48aa-a238-ca307c481237}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
"HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-04-04 1644088]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"PPS Accelerator"="d:\pps.tv\PPStream\ppsap.exe" [2010-02-24 214408]
"PPAP"="c:\program files (x86)\Common Files\PPLiveNetwork\PPAP.exe" [2011-03-01 189880]
"Akamai NetSession Interface"="c:\users\A\AppData\Local\Akamai\netsession_win.exe" [2012-02-02 3329824]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-12-04 75016]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdatePDIRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdatePSTShortCut"="c:\program files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2009-02-02 210216]
"TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2009-04-10 1328424]
"CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2009-04-10 185640]
"DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-03-19 1148200]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-06 224616]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2009-11-11 417792]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\users\A\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
PPS.lnk - d:\pps.tv\PPStream\PPStream.exe [2011-2-28 5826952]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2009-2-9 430080]
PPTV.lnk - c:\program files (x86)\PPLive\PPTV\PPLive.exe [2011-3-1 189880]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]
Ime File REG_SZ GOOGLEPINYIN2.IME
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-21 c:\windows\Tasks\At10.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\At12.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\At14.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\At16.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\At18.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\At2.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\At20.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\At22.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\At24.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\At26.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\At28.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\At30.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\At32.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\At34.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\At36.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\At38.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\At4.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\At40.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\At42.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\At44.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\At46.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\At48.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\At6.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\At8.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-27 19:56]
.
2012-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-27 19:56]
.
2012-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1163989138-1874164179-1159466216-1000Core.job
- c:\users\A\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-13 05:44]
.
2012-02-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1163989138-1874164179-1159466216-1000UA.job
- c:\users\A\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-13 05:44]
.
2012-02-11 c:\windows\Tasks\HPCeeScheduleForA.job
- c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2009-04-22 01:17]
.
2010-03-31 c:\windows\Tasks\Install.job
- c:\windows\SysWOW64\Adobe\Shockwave 11\nssstub.exe [2010-03-24 00:03]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Remote Software"="c:\program files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe" [2009-02-06 172032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-05 154648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-05 227352]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-05 202264]
"SmartMenu"="c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [BU]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]
"combofix"="c:\combofix\CF22121.3XE" [2008-01-21 363008]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
s116bus
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = 127.0.0.1:9421
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\OFFICE11\EXCEL.EXE/3000
LSP: mswsock.dll
Trusted Zone: pps.tv
Trusted Zone: ppstream.com
Trusted Zone: webscache.com
TCP: DhcpNameServer = 192.168.1.1
DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxps://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_7de0ed9.dll"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\X6va003]
"ImagePath"="\??\c:\users\A\AppData\Local\Temp\003FDE6.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe
c:\windows\SysWOW64\DllHost.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\windows\SysWOW64\nslookup.exe
c:\windows\SysWOW64\WerFault.exe
c:\windows\SysWOW64\ping.exe
.
**************************************************************************
.
Completion time: 2012-02-21 16:27:48 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-21 22:27
ComboFix2.txt 2012-02-20 23:26
ComboFix3.txt 2012-02-19 17:17
.
Pre-Run: 405,870,223,360 bytes free
Post-Run: 405,973,557,248 bytes free
.
- - End Of File - - D98E3818ACFD5113A56E82AABB518BEF
Upload was successful

#10 SweetTech


Posted 22 February 2012 - 11:10 AM

Hi immediate1!

You're currently infected with ZeroAccess still, so we'll hopefully be able to kill it off in this post, and it should hopefully help improve things.

Is this the working of malware?

It's possible.

We still have some work to do with this malware.

Please give this ComboFix script a whirl.

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
AtJob::
ClearJavaCache::
File::
C:\Windows\SysNative\AppnBase.dll
c:\windows\SysWow64\32cX8r3R.com_
c:\windows\system32\dds_trash_log.cmd
NetSvc::
s116bus
Driver::
s116bus
DDS::
uInternet Settings,ProxyOverride = 127.0.0.1:9421

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... and change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Edited by SweetTech, 22 February 2012 - 11:11 AM.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
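The CFScript in this post maps directly onto lines in the ComboFix log immediate1 pasted just before it: every At*.job in the Scheduled Tasks section points at the same random-named c:\windows\system32\32cX8r3R.com_, s116bus is the only name ComboFix shows in the netsvcs group (it hides the legit defaults), and ProxyOverride is set to a loopback host:port. As an added example, not part of this thread and not a ComboFix feature, here is a small Python triage script that pulls those three indicators out of a ComboFix log so a reader can see why those lines were chosen. It assumes the two-line task layout, the "Svchost - NetSvcs" header and the "ProxyOverride =" line look as they do in the log above, and runs on a constructed excerpt of that log.

```python
import os
import re
from collections import defaultdict

# Constructed excerpt modelled on the ComboFix log posted above (not the full log).
SAMPLE_LOG = r"""
Contents of the 'Scheduled Tasks' folder
.
2012-02-21 c:\windows\Tasks\At10.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\At12.job
- c:\windows\system32\32cX8r3R.com_ [2012-02-21 21:21]
.
2012-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-27 19:56]
.
2012-02-21 c:\windows\Tasks\HPCeeScheduleForA.job
- c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2009-04-22 01:17]
.
--------- x86-64 -----------
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
s116bus
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.1:9421
TCP: DhcpNameServer = 192.168.1.1
"""

# Extensions a legitimately scheduled task normally runs; anything else is flagged.
NORMAL_TASK_EXT = {".exe", ".cmd", ".bat", ".vbs", ".js", ".msi"}

JOB_LINE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(\S.*\.job)$", re.I)  # "2012-02-21 c:\...\At10.job"
TARGET_LINE = re.compile(r"^-\s+(.+?)\s+\[[^\]]*\]$")               # "- c:\...\file [date time]"
AT_JOB = re.compile(r"\\At\d+\.job$", re.I)                         # at.exe-style job names
PROXY_OVERRIDE = re.compile(r"ProxyOverride\s*=\s*(.+)$")
LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|localhost)(:\d+)?$", re.I)


def parse_scheduled_tasks(text):
    """Map each two-line task entry (job path, then '- target [stamp]') to its target."""
    tasks, pending = {}, None
    for line in text.splitlines():
        m = JOB_LINE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = TARGET_LINE.match(line)
        if m and pending is not None:
            tasks[pending] = m.group(1)
            pending = None
    return tasks


def parse_netsvcs(text):
    """Return the service names ComboFix lists under the 'Svchost - NetSvcs' header."""
    names, in_section = [], False
    for line in text.splitlines():
        if line.rstrip().endswith("Svchost - NetSvcs"):
            in_section = True
            continue
        if in_section:
            if line.strip() in ("", "."):
                break
            names.append(line.strip())
    return names


def parse_proxy_override(text):
    """Return the ProxyOverride value from the Supplementary Scan, or None."""
    for line in text.splitlines():
        m = PROXY_OVERRIDE.search(line)
        if m:
            return m.group(1).strip()
    return None


def triage(text):
    """Return (category, indicator, reason) tuples worth a helper's attention."""
    findings = []
    by_target = defaultdict(list)
    for job, target in parse_scheduled_tasks(text).items():
        if AT_JOB.search(job):
            by_target[target.lower()].append(job)
    for target, jobs in sorted(by_target.items()):
        ext = os.path.splitext(target.rsplit("\\", 1)[-1])[1]
        reasons = []
        if len(jobs) > 1:
            reasons.append(f"{len(jobs)} At*.job tasks share one target")
        if ext not in NORMAL_TASK_EXT:
            reasons.append(f"unusual target extension {ext!r}")
        if reasons:
            findings.append(("at_jobs", target, "; ".join(reasons)))
    for svc in parse_netsvcs(text):
        findings.append(("netsvcs", svc, "non-default name in the netsvcs svchost group"))
    proxy = parse_proxy_override(text)
    if proxy and LOOPBACK.match(proxy):
        findings.append(("proxy", proxy, "ProxyOverride set to a loopback host:port"))
    return findings


if __name__ == "__main__":
    for category, indicator, reason in triage(SAMPLE_LOG):
        print(f"[{category}] {indicator}: {reason}")
```

The script only reports; it does not generate a CFScript, and the meaning of the AtJob::, NetSvc::, Driver:: and DDS:: directives is not modelled. One path detail worth knowing when reading the next log: the script's C:\Windows\SysNative\AppnBase.dll and the c:\windows\system32\AppnBase.dll that ComboFix then reports deleting are the same file, because Sysnative is the alias a 32-bit process uses to reach the real 64-bit system32 under WOW64 file-system redirection.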


#11 immediate1


Posted 22 February 2012 - 06:17 PM

I think that did the trick, but I'm still not sure. I noticed that in the registry the consrv values have reverted back to winsrv. Is that an indicator the redirect virus is gone now? :)

Here is the combofix log:

ComboFix 12-02-19.01 - A 02/22/2012 15:55:45.4.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.6133.3320 [GMT -6:00]
Running from: c:\users\A\Desktop\ComboFix.exe
Command switches used :: c:\users\A\Desktop\CFScript.txt
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\AppnBase.dll"
"c:\windows\system32\dds_trash_log.cmd"
"c:\windows\SysWow64\32cX8r3R.com_"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\favoritevideo\InvisibleFolder
c:\favoritevideo\InvisibleFolder\20111111174415_tongyisucaic111113zanting.swf
c:\favoritevideo\InvisibleFolder\20111111174652_tongyisucaic111113huanchong15.swf
c:\favoritevideo\InvisibleFolder\20111111180522_tongyisucaid111113kehuduanhuanchong.swf
c:\favoritevideo\InvisibleFolder\20111111180809_tongyisucaid111113kehuduanzanting.swf
c:\favoritevideo\InvisibleFolder\20120220151454_shengshi120221zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120220152216_shengshi120221zanting.swf
c:\favoritevideo\InvisibleFolder\20120220153811_shengshi120221chabo.swf
c:\favoritevideo\InvisibleFolder\20120221153410_youju37wan120222zhu15sB.swf
c:\favoritevideo\InvisibleFolder\20120221153436_youju37wan120222zhu15sA.swf
c:\favoritevideo\InvisibleFolder\20120221153635_youju37wan120222chabo.swf
c:\favoritevideo\InvisibleFolder\20120221153657_youju37wan120222zantingA.swf
c:\favoritevideo\InvisibleFolder\20120221153715_youju37wan120222zantingB.swf
c:\favoritevideo\InvisibleFolder\20120221172741_baidu120222zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120221172928_baidu120222zanting.swf
c:\favoritevideo\InvisibleFolder\20120221183158_wushen120222zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120221183330_wushen120222zanting.swf
c:\windows\assembly\temp\cfg.ini
c:\windows\system32\AppnBase.dll
c:\windows\system32\dds_trash_log.cmd
c:\windows\SysWow64\32cX8r3R.com_
c:\windows\Tasks\At10.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At8.job
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_s116bus
.
.
((((((((((((((((((((((((( Files Created from 2012-01-22 to 2012-02-22 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 07:13 . 2012-02-21 10:45 8643640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E2843531-81BA-49B5-9F65-8D96B3E9C5A2}\mpengine.dll
2012-01-29 11:10 . 2009-10-17 18:03 279656 ------w- c:\windows\system32\MpSigStub.exe
2011-12-21 23:36 . 2011-12-18 16:17 3587128 ----a-w- c:\windows\system32\GooglePinyin2.ime
2011-12-21 23:36 . 2011-12-18 16:17 2504760 ------w- c:\windows\SysWow64\GooglePinyin2.ime
2011-12-10 21:24 . 2011-12-20 02:40 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-28 21:41 . 2011-09-12 20:45 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-03-19 15:31 . 2011-03-19 15:31 195632 ----a-w- c:\program files\Uninst_Notation Player 2.6.exe
2010-10-27 01:29 . 2010-10-27 00:57 1337016015 ----a-w- c:\program files\4Story10092702_full.exe
2010-10-16 21:51 . 2010-10-16 21:41 819112408 ----a-w- c:\program files\FistsOfFuSetup-10.0.121.exe
.
.
((((((((((((((((((((((((((((( SnapShot_2012-02-21_22.19.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-22 22:59 . 2012-02-22 22:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-02-21 22:16 . 2012-02-21 22:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-02-21 22:16 . 2012-02-21 22:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-02-22 22:59 . 2012-02-22 22:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-12-24 10:21 . 2012-02-22 21:44 163840 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
- 2011-12-24 10:21 . 2012-02-21 21:43 163840 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2008-01-21 03:20 . 2012-02-22 22:57 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2012-02-21 22:13 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2012-02-21 22:13 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 03:20 . 2012-02-22 22:57 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{f409caa5-db4f-48aa-a238-ca307c481237}]
2011-06-24 15:13 81920 ----a-w- c:\program files (x86)\usjobsearchtoolbar\vmntemplateX.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{f409caa5-db4f-48aa-a238-ca307c481237}"= "c:\program files (x86)\usjobsearchtoolbar\vmntemplateX.dll" [2011-06-24 81920]
.
[HKEY_CLASSES_ROOT\clsid\{f409caa5-db4f-48aa-a238-ca307c481237}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
"HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-04-04 1644088]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"PPS Accelerator"="d:\pps.tv\PPStream\ppsap.exe" [2010-02-24 214408]
"PPAP"="c:\program files (x86)\Common Files\PPLiveNetwork\PPAP.exe" [2011-03-01 189880]
"Akamai NetSession Interface"="c:\users\A\AppData\Local\Akamai\netsession_win.exe" [2012-02-02 3329824]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-12-04 75016]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdatePDIRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdatePSTShortCut"="c:\program files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2009-02-02 210216]
"TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2009-04-10 1328424]
"CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2009-04-10 185640]
"DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-03-19 1148200]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-06 224616]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2009-11-11 417792]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\users\A\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
PPS.lnk - d:\pps.tv\PPStream\PPStream.exe [2011-2-28 5826952]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2009-2-9 430080]
PPTV.lnk - c:\program files (x86)\PPLive\PPTV\PPLive.exe [2011-3-1 189880]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]
Ime File REG_SZ GOOGLEPINYIN2.IME
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-27 19:56]
.
2012-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-27 19:56]
.
2012-02-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1163989138-1874164179-1159466216-1000Core.job
- c:\users\A\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-13 05:44]
.
2012-02-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1163989138-1874164179-1159466216-1000UA.job
- c:\users\A\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-13 05:44]
.
2012-02-11 c:\windows\Tasks\HPCeeScheduleForA.job
- c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2009-04-22 01:17]
.
2010-03-31 c:\windows\Tasks\Install.job
- c:\windows\SysWOW64\Adobe\Shockwave 11\nssstub.exe [2010-03-24 00:03]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Remote Software"="c:\program files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe" [2009-02-06 172032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-05 154648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-05 227352]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-05 202264]
"SmartMenu"="c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [BU]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]
"combofix"="c:\combofix\CF10583.3XE" [2008-01-21 363008]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
s116bus
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: pps.tv
Trusted Zone: ppstream.com
Trusted Zone: webscache.com
TCP: DhcpNameServer = 192.168.1.1
DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxps://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_7de0ed9.dll"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\X6va003]
"ImagePath"="\??\c:\users\A\AppData\Local\Temp\003FDE6.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
.
**************************************************************************
.
Completion time: 2012-02-22 17:09:50 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-22 23:09
ComboFix2.txt 2012-02-21 22:33
ComboFix3.txt 2012-02-20 23:26
ComboFix4.txt 2012-02-19 17:17
.
Pre-Run: 401,543,012,352 bytes free
Post-Run: 402,274,967,552 bytes free
.
- - End Of File - - 9A5F5782E7D1D65D9BEF9C82B98DECEF

#12 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  • Gender:Male
  • Location:Antarctica
  • Local time:09:40 AM

Posted 23 February 2012 - 01:35 AM

Hi immediate1!

I think that did the trick but I'm still not sure. I noticed that in the registry the consrv values have reverted back to winsrv. Is that an indicator the redirect virus is gone now?

That's definitely a good sign!

I still see something in here, that bothers me, so please run this script with ComboFix for me again.

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
File::
C:\Windows\SysNative\AppnBase.dll
NetSvc::
s116bus
Driver::
s116bus

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#13 immediate1

immediate1
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:07:40 AM

Posted 23 February 2012 - 05:36 PM

My internet browser took a LONG time to open after reboot... and I just got redirected again when I clicked add reply. :(

Was AppnBase.dll supposed to be deleted? It's still on my system.

ComboFix 12-02-19.01 - A 02/23/2012 15:46:29.5.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.6133.3858 [GMT -6:00]
Running from: c:\users\A\Desktop\ComboFix.exe
Command switches used :: c:\users\A\Desktop\CFScript.txt
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\AppnBase.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\favoritevideo\InvisibleFolder
c:\favoritevideo\InvisibleFolder\20120221103319_wushen120222zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120221103612_wushen120222zanting.swf
c:\favoritevideo\InvisibleFolder\20120222141653_37wan120222zhu15sanew.swf
c:\favoritevideo\InvisibleFolder\20120222141833_37wan120222zhu15sb.swf
c:\favoritevideo\InvisibleFolder\20120222142146_37wan120222zantingbnew.swf
c:\favoritevideo\InvisibleFolder\20120222151759_baidu120223zhu15s.swf
c:\favoritevideo\InvisibleFolder\20120222151918_baidu120223zanting.swf
c:\favoritevideo\InvisibleFolder\20120222174227_37wan120223jiaobiao.swf
c:\favoritevideo\InvisibleFolder\20120222214741_pinganchexian120223zhufuceng.swf
c:\favoritevideo\InvisibleFolder\20120222214917_pinganchexian120223zhuzt.swf
c:\favoritevideo\InvisibleFolder\peer.dll
c:\windows\system32\AppnBase.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-01-23 to 2012-02-23 )))))))))))))))))))))))))))))))
.
.
2012-02-23 21:57 . 2012-02-23 21:57 -------- d-----w- c:\users\Default\AppData\Local\temp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-08 07:13 . 2012-02-21 10:45 8643640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E2843531-81BA-49B5-9F65-8D96B3E9C5A2}\mpengine.dll
2012-01-29 11:10 . 2009-10-17 18:03 279656 ------w- c:\windows\system32\MpSigStub.exe
2011-12-21 23:36 . 2011-12-18 16:17 3587128 ----a-w- c:\windows\system32\GooglePinyin2.ime
2011-12-21 23:36 . 2011-12-18 16:17 2504760 ------w- c:\windows\SysWow64\GooglePinyin2.ime
2011-12-10 21:24 . 2011-12-20 02:40 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-28 21:41 . 2011-09-12 20:45 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-03-19 15:31 . 2011-03-19 15:31 195632 ----a-w- c:\program files\Uninst_Notation Player 2.6.exe
2010-10-27 01:29 . 2010-10-27 00:57 1337016015 ----a-w- c:\program files\4Story10092702_full.exe
2010-10-16 21:51 . 2010-10-16 21:41 819112408 ----a-w- c:\program files\FistsOfFuSetup-10.0.121.exe
.
.
((((((((((((((((((((((((((((( SnapShot_2012-02-21_22.19.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-23 21:58 . 2012-02-23 21:58 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-02-21 22:16 . 2012-02-21 22:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-02-21 22:16 . 2012-02-21 22:16 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-02-23 21:58 . 2012-02-23 21:58 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-12-24 10:21 . 2012-02-22 21:44 163840 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
- 2011-12-24 10:21 . 2012-02-21 21:43 163840 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2008-01-21 03:20 . 2012-02-22 22:57 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2012-02-21 22:13 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2012-02-21 22:13 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 03:20 . 2012-02-22 22:57 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{f409caa5-db4f-48aa-a238-ca307c481237}]
2011-06-24 15:13 81920 ----a-w- c:\program files (x86)\usjobsearchtoolbar\vmntemplateX.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{f409caa5-db4f-48aa-a238-ca307c481237}"= "c:\program files (x86)\usjobsearchtoolbar\vmntemplateX.dll" [2011-06-24 81920]
.
[HKEY_CLASSES_ROOT\clsid\{f409caa5-db4f-48aa-a238-ca307c481237}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-21 1555968]
"HPADVISOR"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-04-04 1644088]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"PPS Accelerator"="d:\pps.tv\PPStream\ppsap.exe" [2010-02-24 214408]
"PPAP"="c:\program files (x86)\Common Files\PPLiveNetwork\PPAP.exe" [2011-03-01 189880]
"Akamai NetSession Interface"="c:\users\A\AppData\Local\Akamai\netsession_win.exe" [2012-02-02 3329824]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-12-04 75016]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdateLBPShortCut"="c:\program files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdatePDIRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]
"UpdatePSTShortCut"="c:\program files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2009-02-02 210216]
"TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2009-04-10 1328424]
"CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2009-04-10 185640]
"DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-03-19 1148200]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"Microsoft Default Manager"="c:\program files (x86)\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-06 224616]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2009-11-11 417792]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\users\A\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
PPS.lnk - d:\pps.tv\PPStream\PPStream.exe [2011-2-28 5826952]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2009-2-9 430080]
PPTV.lnk - c:\program files (x86)\PPLive\PPTV\PPLive.exe [2011-3-1 189880]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]
Ime File REG_SZ GOOGLEPINYIN2.IME
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-27 19:56]
.
2012-02-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-02-27 19:56]
.
2012-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1163989138-1874164179-1159466216-1000Core.job
- c:\users\A\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-13 05:44]
.
2012-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1163989138-1874164179-1159466216-1000UA.job
- c:\users\A\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-13 05:44]
.
2012-02-11 c:\windows\Tasks\HPCeeScheduleForA.job
- c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2009-04-22 01:17]
.
2010-03-31 c:\windows\Tasks\Install.job
- c:\windows\SysWOW64\Adobe\Shockwave 11\nssstub.exe [2010-03-24 00:03]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Remote Software"="c:\program files\Hewlett-Packard\HP Remote\HP REMOTE V1.0.5.exe" [2009-02-06 172032]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-03-05 154648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-03-05 227352]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-03-05 202264]
"SmartMenu"="c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [BU]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-12-04 186904]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
s116bus
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: pps.tv
Trusted Zone: ppstream.com
Trusted Zone: webscache.com
TCP: DhcpNameServer = 192.168.1.1
DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxps://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_7de0ed9.dll"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\X6va003]
"ImagePath"="\??\c:\users\A\AppData\Local\Temp\003FDE6.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\Norton Internet Security\Engine\16.8.3.6\ccSvcHst.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
.
**************************************************************************
.
Completion time: 2012-02-23 16:09:19 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-23 22:09
ComboFix2.txt 2012-02-22 23:09
ComboFix3.txt 2012-02-21 22:33
ComboFix4.txt 2012-02-20 23:26
ComboFix5.txt 2012-02-23 21:42
.
Pre-Run: 402,293,006,336 bytes free
Post-Run: 402,061,819,904 bytes free
.
- - End Of File - - E6621C12AB638785CCEF320BA0F8C5DD

#14 SweetTech (Agent ST)

Posted 24 February 2012 - 01:58 AM

Hi immediate1!

Oh noes! That's not good! Sorry to hear you're still experiencing issues with redirects!

Was AppnBase.dll supposed to be deleted? It's still on my system.

I don't believe it is. It's been known to be a legit file, but the copy of your file doesn't appear to be a signed copy, and I'm pretty sure that it's related to the Sirefef/ZeroAccess infection and is malicious in this case.

Do you use these 3 programs below:

"PPLive" = PPTV V2.7.2.0013
"PPSGame" = PPS游戏 V1.0.1.322
"PPStream" = PPStream V2.7.0.1226 Final


OTL Fix

We need to run an OTL Fix

Note: If you have MalwareBytes Anti-Malware 1.6 or higher installed and are using the Pro version or trial version, please temporarily disable it for the duration of this fix, as it may interfere with the successful execution of the script below.

  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Services
    s116bus
    :Processes
    KILLALLPROCESSES
    :OTL
    NetSvcs:64bit: s116bus - C:\Windows\SysNative\AppnBase.dll ()
    :Files
    :Commands
    [CreateRestorePoint]
    
  • Push the Run Fix button.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
Rootkit::
C:\Windows\SysNative\AppnBase.dll
NetSvc::
s116bus
Driver::
s116bus
Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\X6va003]

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... and change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[Screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
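The point SweetTech makes above, that a DLL with a legitimate-looking name (AppnBase.dll) was registered as a svchost "netsvcs" service (s116bus) but is not a signed copy, is exactly the kind of thing a defender can check systematically rather than by eyeballing a ComboFix log. The script below is an added example, not code from the thread, from OTL or from ComboFix: it walks every service in the netsvcs group, resolves its ServiceDll from the registry, and reports the Authenticode status of the file on disk. The service name s116bus and the path C:\Windows\SysNative\AppnBase.dll are taken from the thread only to explain what such a hit would look like; the registry locations are the standard Windows ones, and the column names in the report are my own.

```powershell
# Added example (not from the thread, OTL or ComboFix): enumerate services in the
# svchost "netsvcs" group, resolve each ServiceDll and report its signature status.
# Persistence of the kind seen in this thread (service "s116bus" pointing at
# C:\Windows\SysNative\AppnBase.dll) shows up here as a DLL that is NotSigned,
# has a HashMismatch, or is missing from disk.
# Run from an elevated 64-bit PowerShell so System32 paths resolve correctly.

$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$netsvcs    = (Get-ItemProperty -Path $svchostKey).netsvcs   # REG_MULTI_SZ -> string[]

$report = foreach ($name in $netsvcs) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path -Path $svcKey)) { continue }   # group member with no service key

    # ServiceDll normally sits under Parameters; a few services keep it on the root key.
    $dll = (Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { $dll = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ServiceDll }
    if (-not $dll) { continue }

    $path   = [Environment]::ExpandEnvironmentVariables($dll)
    $exists = Test-Path -LiteralPath $path

    $status = 'Missing'
    $signer = ''
    if ($exists) {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $status = $sig.Status.ToString()          # Valid, NotSigned, HashMismatch, ...
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    [pscustomobject]@{
        Service    = $name
        ServiceDll = $path
        Status     = $status
        Signer     = $signer
        # Triage flag only: anything that is not a valid signature deserves a look.
        Suspicious = ($status -ne 'Valid')
    }
}

# Suspicious entries first, so a rogue netsvcs member is at the top of the list.
$report | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

Treat the Suspicious column as a lead, not a verdict. On Windows 7 era systems many genuine Microsoft DLLs carry catalog signatures rather than embedded ones, so Get-AuthenticodeSignature can report them as NotSigned; the useful signal is a netsvcs member whose DLL is unsigned and also has an unusual name, an unexpected path, or no matching known-good copy, which is the pattern SweetTech identified here.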


#15 immediate1 (Topic Starter)

Posted 24 February 2012 - 04:54 PM

Hi Agent ST! I ran the OTL script and upon reboot the computer failed to start up and had to be repaired with the launch startup repair option. :o

Also, the PPS programs are for watching Chinese TV shows or something; they don't get used much so I could delete them if you want.

UPDATE: The repair restored my system back to the date when it had consrv.dll and its rootkit. :(

Edited by immediate1, 24 February 2012 - 10:13 PM.
