Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

heavy.com


  • This topic is locked This topic is locked
14 replies to this topic

#1 wirth87

wirth87

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 11 March 2012 - 08:47 AM

Some of my browsers pages are getting redirected to heavy.com

it only seems to change the pages every so often and freezes the pc when running mozilla. it redirects pages on chrome but no freezing so far

It also usually changes pages im not using and only redirects to heavy.com

its not the google redirect virus

Malwarebytes anti malware doesnt pick anything up

neither does tdss killer (antirootkit scanner)

i also ran the trend online scanner

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_31
Run by wirth87 at 21:41:03 on 2012-03-11
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.61.1033.18.8187.4168 [GMT 8:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\Windows\System32\alg.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Internet Download Manager\IDMan.exe
C:\Program Files (x86)\MagicDisc\MagicDisc.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneCmd.exe
C:\Program Files (x86)\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files\NVIDIA Corporation\Display\NvTray.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Users\wirth87\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\wirth87\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\wirth87\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\wirth87\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\wirth87\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\wirth87\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\wirth87\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\AUDIODG.EXE
C:\ME3\Mass Effect 3\Binaries\Win32\MassEffect3.exe
C:\Users\wirth87\AppData\Local\Google\Chrome\Application\chrome.exe
D:\HijackThis.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Users\wirth87\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\wirth87\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\wirth87\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
BHO: IDM integration (IDMIEHlprObj Class): {0055c089-8582-441b-a0bf-17b458c2a3a8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [IDMan] C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
uRun: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe" /MINIMIZED
uRun: [Google Update] "C:\Users\wirth87\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\wirth87\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MAGICD~1.LNK - C:\Program Files (x86)\MagicDisc\MagicDisc.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Download all links with IDM - C:\Program Files (x86)\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - C:\Program Files (x86)\Internet Download Manager\IEExt.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{6B55A65C-FCFD-4174-B17A-BF6DDE3B16CE} : DhcpNameServer = 192.168.2.1
BHO-X64: IDM integration (IDMIEHlprObj Class): {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
BHO-X64: IDM Helper - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\wirth87\AppData\Roaming\Mozilla\Firefox\Profiles\oaranrl7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2863398&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://search.alot.com/web?src_id=12326&client_id=68385d685a68797835088834&camp_id=2655&install_time=2011-09-15T12:41:36Z&tb_version=2.4.14000%28F%29
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=12326&client_id=68385d685a68797835088834&camp_id=2655&install_time=2011-09-15T12:41:36Z&tb_version=2.4.14000%28F%29&pr=auto&q=
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Users\wirth87\AppData\Local\Google\Update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 IDMWFP;IDMWFP;C:\Windows\system32\DRIVERS\idmwfp.sys --> C:\Windows\system32\DRIVERS\idmwfp.sys [?]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-2-16 652360]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-3-11 2348352]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-2-9 382272]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 nvoclk64;NVIDIA Enthusiasts Platform KDM;C:\Windows\system32\DRIVERS\nvoclk64.sys --> C:\Windows\system32\DRIVERS\nvoclk64.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 androidusb;ADB Interface Driver;C:\Windows\system32\Drivers\androidusb.sys --> C:\Windows\system32\Drivers\androidusb.sys [?]
S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 Synth3dVsc;Synth3dVsc;C:\Windows\system32\drivers\synth3dvsc.sys --> C:\Windows\system32\drivers\synth3dvsc.sys [?]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\system32\drivers\terminpt.sys --> C:\Windows\system32\drivers\terminpt.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 tsusbhub;tsusbhub;C:\Windows\system32\drivers\tsusbhub.sys --> C:\Windows\system32\drivers\tsusbhub.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-03-11 09:45:56 -------- d-----w- C:\Users\wirth87\AppData\Roaming\NVIDIA
2012-03-11 07:28:52 -------- d-----w- C:\Users\wirth87\AppData\Local\Google
2012-03-11 07:02:23 -------- d-----w- C:\Users\wirth87\AppData\Local\NVIDIA Corporation
2012-03-11 07:02:23 -------- d-----w- C:\Program Files\NVIDIA Corporation
2012-03-11 07:01:53 -------- d-----w- C:\NVIDIA
2012-03-08 04:54:05 -------- d--h--w- C:\Program Files (x86)\Common Files\EAInstaller
2012-03-08 04:54:01 -------- d-----w- C:\Program Files (x86)\NVIDIA Corporation
2012-03-08 04:41:54 -------- d-----w- C:\ME3
2012-02-27 10:19:18 -------- d-----w- C:\Users\wirth87\AppData\Local\Skyrim
2012-02-27 10:08:12 519000 ----a-w- C:\Windows\System32\d3dx10_40.dll
2012-02-27 10:08:12 452440 ----a-w- C:\Windows\SysWow64\d3dx10_40.dll
2012-02-27 10:08:12 2605920 ----a-w- C:\Windows\System32\D3DCompiler_40.dll
2012-02-27 10:08:12 2036576 ----a-w- C:\Windows\SysWow64\D3DCompiler_40.dll
2012-02-27 10:08:11 5631312 ----a-w- C:\Windows\System32\D3DX9_40.dll
2012-02-27 10:08:11 4379984 ----a-w- C:\Windows\SysWow64\D3DX9_40.dll
2012-02-27 10:02:39 -------- d-----w- C:\Program Files (x86)\The Elder Scrolls V Skyrim
2012-02-27 03:27:08 -------- d-----w- C:\codmw3
2012-02-23 15:12:58 149640 ----a-w- C:\Windows\System32\drivers\idmwfp.sys
2012-02-19 02:28:20 -------- d-----w- C:\Users\wirth87\AppData\Roaming\BoneCraft
2012-02-19 02:25:54 -------- d-----w- C:\Program Files\BoneCraft
2012-02-19 02:25:27 -------- d-----w- C:\Program Files (x86)\BoneCraft
2012-02-15 09:50:59 -------- d-----w- C:\Windows\SysWow64\directx
2012-02-14 12:52:14 -------- d-----w- C:\Program Files (x86)\VideoLAN
.
==================== Find3M ====================
.
2012-03-11 09:29:05 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-02-10 03:14:04 6074176 ----a-w- C:\Windows\System32\nvcpl.dll
2012-02-10 03:14:01 3089728 ----a-w- C:\Windows\System32\nvsvc64.dll
2012-02-10 03:07:00 889664 ----a-w- C:\Windows\System32\nvvsvc.exe
2012-02-10 03:07:00 63296 ----a-w- C:\Windows\System32\nvshext.dll
2012-02-10 03:07:00 118080 ----a-w- C:\Windows\System32\nvmctray.dll
2012-02-09 12:05:44 416064 ----a-w- C:\Windows\SysWow64\nvStreaming.exe
2012-02-05 11:40:19 14848 ----a-w- C:\Windows\System32\slwga.dll
2012-02-05 11:40:19 13824 ----a-w- C:\Windows\SysWow64\slwga.dll
2012-02-05 11:40:18 833024 ----a-w- C:\Windows\SysWow64\user32.dll
2012-02-05 11:40:18 419840 ----a-w- C:\Windows\System32\systemcpl.dll
2012-02-05 11:40:18 1008640 ----a-w- C:\Windows\System32\user32.dll
2012-01-03 07:56:57 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-29 18:00:00 92160 ----a-w- C:\Windows\System32\ff_vfw.dll
2011-12-29 18:00:00 79360 ----a-w- C:\Windows\SysWow64\ff_vfw.dll
2011-12-21 18:14:02 151552 ----a-w- C:\Windows\SysWow64\ac3acm.acm
2011-12-18 23:22:24 4078592 ----a-w- C:\Windows\SysWow64\x264vfw.dll
.
============= FINISH: 21:41:17.48 ===============

BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:46 PM

Posted 12 March 2012 - 02:17 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool untill instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 wirth87

wirth87
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 13 March 2012 - 07:38 AM

After running combofix

I got an error "Illegal operation attempted on a registery key that has been marked for deletion." on every program that uses a network connection so i reset the pc

i played a game for an hr everything was fine

I then started browsing on firefox and the pc froze when i reset the pc it booted then just keeps resetting as after a minute or so of windows running



ComboFix 12-03-12.02 - wirth87 13/03/2012 18:27:40.1.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.61.1033.18.4091.2810 [GMT 8:00]
Running from: D:\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\etc\hosts.ics
.
.
((((((((((((((((((((((((( Files Created from 2012-02-13 to 2012-03-13 )))))))))))))))))))))))))))))))
.
.
2012-03-11 09:45 . 2012-03-11 09:45 -------- d-----w- c:\users\wirth87\AppData\Roaming\NVIDIA
2012-03-11 09:29 . 2012-03-11 09:29 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-03-11 07:28 . 2012-03-11 07:29 -------- d-----w- c:\users\wirth87\AppData\Local\Google
2012-03-11 07:02 . 2012-03-11 07:02 -------- d-----w- c:\users\wirth87\AppData\Local\NVIDIA Corporation
2012-03-11 07:01 . 2012-03-11 07:09 -------- d-----w- C:\NVIDIA
2012-03-08 04:54 . 2012-03-08 04:54 -------- d--h--w- c:\program files (x86)\Common Files\EAInstaller
2012-03-08 04:54 . 2012-03-11 07:27 -------- d-----w- c:\program files (x86)\NVIDIA Corporation
2012-03-08 04:41 . 2012-03-08 04:42 -------- d-----w- C:\ME3
2012-02-27 10:19 . 2012-02-27 10:19 -------- d-----w- c:\users\wirth87\AppData\Local\Skyrim
2012-02-27 10:08 . 2008-10-14 22:22 519000 ----a-w- c:\windows\system32\d3dx10_40.dll
2012-02-27 10:08 . 2008-10-14 22:22 452440 ----a-w- c:\windows\SysWow64\d3dx10_40.dll
2012-02-27 10:08 . 2008-10-14 22:22 2605920 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2012-02-27 10:08 . 2008-10-14 22:22 2036576 ----a-w- c:\windows\SysWow64\D3DCompiler_40.dll
2012-02-27 10:08 . 2008-10-14 22:22 5631312 ----a-w- c:\windows\system32\D3DX9_40.dll
2012-02-27 10:08 . 2008-10-14 22:22 4379984 ----a-w- c:\windows\SysWow64\D3DX9_40.dll
2012-02-27 10:02 . 2012-02-27 10:19 -------- d-----w- c:\program files (x86)\The Elder Scrolls V Skyrim
2012-02-27 03:27 . 2012-03-03 06:47 -------- d-----w- C:\codmw3
2012-02-23 15:12 . 2012-02-08 01:13 149640 ----a-w- c:\windows\system32\drivers\idmwfp.sys
2012-02-19 02:28 . 2012-02-19 03:32 -------- d-----w- c:\users\wirth87\AppData\Roaming\BoneCraft
2012-02-19 02:25 . 2012-02-19 02:26 -------- d-----w- c:\program files\BoneCraft
2012-02-19 02:25 . 2012-02-19 02:26 -------- d-----w- c:\program files (x86)\BoneCraft
2012-02-14 12:52 . 2012-02-14 12:52 -------- d-----w- c:\users\wirth87\AppData\Roaming\vlc
2012-02-14 12:52 . 2012-02-14 12:52 -------- d-----w- c:\program files (x86)\VideoLAN
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-11 09:29 . 2012-01-16 08:35 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-02-10 04:13 . 2009-07-13 21:59 9717568 ----a-w- c:\windows\system32\nvwgf2umx.dll
2012-02-09 12:05 . 2012-02-09 12:05 416064 ----a-w- c:\windows\SysWow64\nvStreaming.exe
2012-02-05 11:40 . 2010-11-21 03:24 14848 ----a-w- c:\windows\system32\slwga.dll
2012-02-05 11:40 . 2010-11-21 03:23 13824 ----a-w- c:\windows\SysWow64\slwga.dll
2012-02-05 11:40 . 2010-11-21 03:24 833024 ----a-w- c:\windows\SysWow64\user32.dll
2012-02-05 11:40 . 2010-11-21 03:24 1008640 ----a-w- c:\windows\system32\user32.dll
2012-02-05 11:40 . 2010-11-21 03:24 419840 ----a-w- c:\windows\system32\systemcpl.dll
2012-01-03 07:56 . 2012-01-03 07:56 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-29 18:00 . 2012-01-02 10:50 79360 ----a-w- c:\windows\SysWow64\ff_vfw.dll
2011-12-29 18:00 . 2012-01-02 10:46 92160 ----a-w- c:\windows\system32\ff_vfw.dll
2011-12-21 18:14 . 2012-01-02 10:50 151552 ----a-w- c:\windows\SysWow64\ac3acm.acm
2011-12-18 23:22 . 2012-01-02 10:50 4078592 ----a-w- c:\windows\SysWow64\x264vfw.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-11-21 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll
[-] 2012-02-05 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7601.17514] .. c:\windows\system32\user32.dll
.
[-] 2012-02-05 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7601.17514] .. c:\windows\SysWOW64\user32.dll
[7] 2010-11-21 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files (x86)\Internet Download Manager\IDMan.exe" [2012-02-23 3474840]
"uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2012-01-26 641400]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\users\wirth87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2012-1-29 576000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-02-10 2348352]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-02-09 382272]
S3 nvoclk64;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\DRIVERS\nvoclk64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2963362775-1462534231-76741011-1001Core.job
- c:\users\wirth87\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-11 07:28]
.
2012-03-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2963362775-1462534231-76741011-1001UA.job
- c:\users\wirth87\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-11 07:28]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2012-02-08 00:49 23432 ----a-w- c:\program files (x86)\Internet Download Manager\IDMShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Download all links with IDM - c:\program files (x86)\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files (x86)\Internet Download Manager\IEExt.htm
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\wirth87\AppData\Roaming\Mozilla\Firefox\Profiles\oaranrl7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2863398&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://search.alot.com/web?src_id=12326&client_id=68385d685a68797835088834&camp_id=2655&install_time=2011-09-15T12:41Z&tb_version=2.4.14000%28F%29
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=12326&client_id=68385d685a68797835088834&camp_id=2655&install_time=2011-09-15T12:41Z&tb_version=2.4.14000%28F%29&pr=auto&q=
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2963362775-1462534231-76741011-1001_Classes\Wow6432Node\CLSID\{5212194e-d343-4564-adfd-91075642bf0b}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000042
"Therad"=dword:0000000a
"MData"=hex(0):8c,f8,11,3e,96,9a,dd,e0,8f,34,f9,0e,ce,33,bc,aa,1d,08,e1,8d,81,
15,9f,fd,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
[HKEY_USERS\S-1-5-21-2963362775-1462534231-76741011-1001_Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):80,43,08,ef,f4,c8,26,49,42,e3,33,d0,17,97,b7,cb,63,87,3d,39,f2,
cb,81,b6,f6,cc,fc,74,a5,8f,b0,d1,dc,51,8b,62,24,07,3f,af,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
.
**************************************************************************
.
Completion time: 2012-03-13 18:35:42 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-13 10:35
.
Pre-Run: 41,436,606,464 bytes free
Post-Run: 33,871,859,712 bytes free
.
- - End Of File - - AEC8904EA2B80B5AE9374A18FE1E9C28

Edited by wirth87, 13 March 2012 - 07:40 AM.


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:46 PM

Posted 13 March 2012 - 08:04 AM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 wirth87

wirth87
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 13 March 2012 - 08:43 AM

btw thanks for helping and the quick replys

Both programs didnt pick anything up

21:21:05.0089 3428 TDSS rootkit removing tool 2.7.20.0 Mar 9 2012 17:10:43
21:21:05.0152 3428 ============================================================
21:21:05.0152 3428 Current date / time: 2012/03/13 21:21:05.0152
21:21:05.0152 3428 SystemInfo:
21:21:05.0152 3428
21:21:05.0152 3428 OS Version: 6.1.7601 ServicePack: 1.0
21:21:05.0152 3428 Product type: Workstation
21:21:05.0152 3428 ComputerName: WIRTH87-PC
21:21:05.0152 3428 UserName: wirth87
21:21:05.0152 3428 Windows directory: C:\Windows
21:21:05.0152 3428 System windows directory: C:\Windows
21:21:05.0152 3428 Running under WOW64
21:21:05.0152 3428 Processor architecture: Intel x64
21:21:05.0152 3428 Number of processors: 4
21:21:05.0152 3428 Page size: 0x1000
21:21:05.0152 3428 Boot type: Normal boot
21:21:05.0152 3428 ============================================================
21:21:05.0370 3428 Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3C91, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000040
21:21:05.0386 3428 Drive \Device\Harddisk1\DR1 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
21:21:05.0401 3428 Drive \Device\Harddisk2\DR2 - Size: 0xE8E0CADE00 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
21:21:05.0401 3428 Drive \Device\Harddisk3\DR3 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
21:21:05.0401 3428 Drive \Device\Harddisk4\DR10 - Size: 0xAEA8A00000 (698.63 Gb), SectorSize: 0x200, Cylinders: 0x16440, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
21:21:05.0432 3428 \Device\Harddisk0\DR0:
21:21:05.0432 3428 MBR used
21:21:05.0432 3428 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
21:21:05.0432 3428 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0xDF61800
21:21:05.0432 3428 \Device\Harddisk1\DR1:
21:21:05.0432 3428 MBR used
21:21:05.0432 3428 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x74705000
21:21:05.0432 3428 \Device\Harddisk2\DR2:
21:21:05.0432 3428 MBR used
21:21:05.0432 3428 \Device\Harddisk2\DR2\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x74705000
21:21:05.0432 3428 \Device\Harddisk3\DR3:
21:21:05.0432 3428 MBR used
21:21:05.0432 3428 \Device\Harddisk3\DR3\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x74705800
21:21:05.0432 3428 \Device\Harddisk4\DR10:
21:21:05.0448 3428 MBR used
21:21:05.0448 3428 \Device\Harddisk4\DR10\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x57544800
21:21:05.0557 3428 Initialize success
21:21:05.0557 3428 ============================================================
21:21:09.0707 3284 ============================================================
21:21:09.0707 3284 Scan started
21:21:09.0707 3284 Mode: Manual;
21:21:09.0707 3284 ============================================================
21:21:09.0785 3284 1394ohci (a87d604aea360176311474c87a63bb88) C:\Windows\system32\DRIVERS\1394ohci.sys
21:21:09.0800 3284 1394ohci - ok
21:21:09.0816 3284 ACPI (d81d9e70b8a6dd14d42d7b4efa65d5f2) C:\Windows\system32\drivers\ACPI.sys
21:21:09.0816 3284 ACPI - ok
21:21:09.0832 3284 AcpiPmi (99f8e788246d495ce3794d7e7821d2ca) C:\Windows\system32\drivers\acpipmi.sys
21:21:09.0832 3284 AcpiPmi - ok
21:21:09.0847 3284 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\drivers\adp94xx.sys
21:21:09.0863 3284 adp94xx - ok
21:21:09.0878 3284 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\drivers\adpahci.sys
21:21:09.0878 3284 adpahci - ok
21:21:09.0894 3284 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\drivers\adpu320.sys
21:21:09.0910 3284 adpu320 - ok
21:21:09.0925 3284 AFD (d31dc7a16dea4a9baf179f3d6fbdb38c) C:\Windows\system32\drivers\afd.sys
21:21:09.0941 3284 AFD - ok
21:21:09.0956 3284 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\drivers\agp440.sys
21:21:09.0956 3284 agp440 - ok
21:21:09.0972 3284 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\drivers\aliide.sys
21:21:09.0972 3284 aliide - ok
21:21:09.0988 3284 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\drivers\amdide.sys
21:21:09.0988 3284 amdide - ok
21:21:10.0003 3284 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\drivers\amdk8.sys
21:21:10.0003 3284 AmdK8 - ok
21:21:10.0019 3284 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\drivers\amdppm.sys
21:21:10.0019 3284 AmdPPM - ok
21:21:10.0034 3284 amdsata (6ec6d772eae38dc17c14aed9b178d24b) C:\Windows\system32\drivers\amdsata.sys
21:21:10.0034 3284 amdsata - ok
21:21:10.0050 3284 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\drivers\amdsbs.sys
21:21:10.0050 3284 amdsbs - ok
21:21:10.0066 3284 amdxata (1142a21db581a84ea5597b03a26ebaa0) C:\Windows\system32\drivers\amdxata.sys
21:21:10.0066 3284 amdxata - ok
21:21:10.0081 3284 androidusb (9c59bf508c5d408bb348254e0ba2ee30) C:\Windows\system32\Drivers\androidusb.sys
21:21:10.0081 3284 androidusb - ok
21:21:10.0097 3284 AppID (89a69c3f2f319b43379399547526d952) C:\Windows\system32\drivers\appid.sys
21:21:10.0097 3284 AppID - ok
21:21:10.0128 3284 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\drivers\arc.sys
21:21:10.0128 3284 arc - ok
21:21:10.0144 3284 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\drivers\arcsas.sys
21:21:10.0144 3284 arcsas - ok
21:21:10.0159 3284 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
21:21:10.0159 3284 AsyncMac - ok
21:21:10.0175 3284 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\drivers\atapi.sys
21:21:10.0175 3284 atapi - ok
21:21:10.0206 3284 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\drivers\bxvbda.sys
21:21:10.0206 3284 b06bdrv - ok
21:21:10.0222 3284 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
21:21:10.0237 3284 b57nd60a - ok
21:21:10.0253 3284 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
21:21:10.0253 3284 Beep - ok
21:21:10.0268 3284 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
21:21:10.0268 3284 blbdrive - ok
21:21:10.0284 3284 bowser (91ce0d3dc57dd377e690a2d324022b08) C:\Windows\system32\DRIVERS\bowser.sys
21:21:10.0284 3284 bowser - ok
21:21:10.0300 3284 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\drivers\BrFiltLo.sys
21:21:10.0300 3284 BrFiltLo - ok
21:21:10.0300 3284 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\drivers\BrFiltUp.sys
21:21:10.0315 3284 BrFiltUp - ok
21:21:10.0315 3284 BridgeMP (5c2f352a4e961d72518261257aae204b) C:\Windows\system32\DRIVERS\bridge.sys
21:21:10.0315 3284 BridgeMP - ok
21:21:10.0346 3284 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
21:21:10.0346 3284 Brserid - ok
21:21:10.0346 3284 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
21:21:10.0362 3284 BrSerWdm - ok
21:21:10.0362 3284 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
21:21:10.0362 3284 BrUsbMdm - ok
21:21:10.0378 3284 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
21:21:10.0378 3284 BrUsbSer - ok
21:21:10.0393 3284 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\drivers\bthmodem.sys
21:21:10.0393 3284 BTHMODEM - ok
21:21:10.0393 3284 catchme - ok
21:21:10.0409 3284 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
21:21:10.0409 3284 cdfs - ok
21:21:10.0424 3284 cdrom (f036ce71586e93d94dab220d7bdf4416) C:\Windows\system32\DRIVERS\cdrom.sys
21:21:10.0424 3284 cdrom - ok
21:21:10.0440 3284 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\drivers\circlass.sys
21:21:10.0440 3284 circlass - ok
21:21:10.0456 3284 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
21:21:10.0456 3284 CLFS - ok
21:21:10.0487 3284 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\drivers\CmBatt.sys
21:21:10.0487 3284 CmBatt - ok
21:21:10.0502 3284 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\drivers\cmdide.sys
21:21:10.0502 3284 cmdide - ok
21:21:10.0534 3284 CNG (d5fea92400f12412b3922087c09da6a5) C:\Windows\system32\Drivers\cng.sys
21:21:10.0534 3284 CNG - ok
21:21:10.0549 3284 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\drivers\compbatt.sys
21:21:10.0549 3284 Compbatt - ok
21:21:10.0549 3284 CompositeBus (03edb043586cceba243d689bdda370a8) C:\Windows\system32\DRIVERS\CompositeBus.sys
21:21:10.0549 3284 CompositeBus - ok
21:21:10.0565 3284 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\drivers\crcdisk.sys
21:21:10.0565 3284 crcdisk - ok
21:21:10.0596 3284 CSC (54da3dfd29ed9f1619b6f53f3ce55e49) C:\Windows\system32\drivers\csc.sys
21:21:10.0596 3284 CSC - ok
21:21:10.0612 3284 DfsC (9bb2ef44eaa163b29c4a4587887a0fe4) C:\Windows\system32\Drivers\dfsc.sys
21:21:10.0612 3284 DfsC - ok
21:21:10.0627 3284 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
21:21:10.0627 3284 discache - ok
21:21:10.0643 3284 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\drivers\disk.sys
21:21:10.0643 3284 Disk - ok
21:21:10.0658 3284 dmvsc (5db085a8a6600be6401f2b24eecb5415) C:\Windows\system32\drivers\dmvsc.sys
21:21:10.0658 3284 dmvsc - ok
21:21:10.0674 3284 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
21:21:10.0674 3284 drmkaud - ok
21:21:10.0705 3284 DXGKrnl (f5bee30450e18e6b83a5012c100616fd) C:\Windows\System32\drivers\dxgkrnl.sys
21:21:10.0705 3284 DXGKrnl - ok
21:21:10.0768 3284 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\drivers\evbda.sys
21:21:10.0814 3284 ebdrv - ok
21:21:10.0830 3284 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\drivers\elxstor.sys
21:21:10.0846 3284 elxstor - ok
21:21:10.0861 3284 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\drivers\errdev.sys
21:21:10.0861 3284 ErrDev - ok
21:21:10.0877 3284 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
21:21:10.0877 3284 exfat - ok
21:21:10.0892 3284 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
21:21:10.0908 3284 fastfat - ok
21:21:10.0924 3284 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\drivers\fdc.sys
21:21:10.0924 3284 fdc - ok
21:21:10.0939 3284 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
21:21:10.0939 3284 FileInfo - ok
21:21:10.0955 3284 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
21:21:10.0955 3284 Filetrace - ok
21:21:10.0970 3284 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\drivers\flpydisk.sys
21:21:10.0970 3284 flpydisk - ok
21:21:10.0986 3284 FltMgr (da6b67270fd9db3697b20fce94950741) C:\Windows\system32\drivers\fltmgr.sys
21:21:10.0986 3284 FltMgr - ok
21:21:11.0017 3284 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
21:21:11.0017 3284 FsDepends - ok
21:21:11.0033 3284 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys
21:21:11.0033 3284 Fs_Rec - ok
21:21:11.0048 3284 fvevol (1f7b25b858fa27015169fe95e54108ed) C:\Windows\system32\DRIVERS\fvevol.sys
21:21:11.0048 3284 fvevol - ok
21:21:11.0048 3284 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\drivers\gagp30kx.sys
21:21:11.0048 3284 gagp30kx - ok
21:21:11.0064 3284 GEARAspiWDM (e403aacf8c7bb11375122d2464560311) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
21:21:11.0064 3284 GEARAspiWDM - ok
21:21:11.0080 3284 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
21:21:11.0080 3284 hcw85cir - ok
21:21:11.0111 3284 HdAudAddService (975761c778e33cd22498059b91e7373a) C:\Windows\system32\drivers\HdAudio.sys
21:21:11.0111 3284 HdAudAddService - ok
21:21:11.0126 3284 HDAudBus (97bfed39b6b79eb12cddbfeed51f56bb) C:\Windows\system32\DRIVERS\HDAudBus.sys
21:21:11.0126 3284 HDAudBus - ok
21:21:11.0142 3284 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\drivers\HidBatt.sys
21:21:11.0142 3284 HidBatt - ok
21:21:11.0142 3284 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\drivers\hidbth.sys
21:21:11.0142 3284 HidBth - ok
21:21:11.0158 3284 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\drivers\hidir.sys
21:21:11.0158 3284 HidIr - ok
21:21:11.0173 3284 HidUsb (9592090a7e2b61cd582b612b6df70536) C:\Windows\system32\DRIVERS\hidusb.sys
21:21:11.0173 3284 HidUsb - ok
21:21:11.0189 3284 HpSAMD (39d2abcd392f3d8a6dce7b60ae7b8efc) C:\Windows\system32\drivers\HpSAMD.sys
21:21:11.0189 3284 HpSAMD - ok
21:21:11.0205 3284 HTTP (0ea7de1acb728dd5a369fd742d6eee28) C:\Windows\system32\drivers\HTTP.sys
21:21:11.0205 3284 HTTP - ok
21:21:11.0220 3284 hwpolicy (a5462bd6884960c9dc85ed49d34ff392) C:\Windows\system32\drivers\hwpolicy.sys
21:21:11.0220 3284 hwpolicy - ok
21:21:11.0236 3284 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\drivers\i8042prt.sys
21:21:11.0236 3284 i8042prt - ok
21:21:11.0251 3284 iaStorV (3df4395a7cf8b7a72a5f4606366b8c2d) C:\Windows\system32\drivers\iaStorV.sys
21:21:11.0267 3284 iaStorV - ok
21:21:11.0267 3284 IDMWFP (5534e14ef27ebe8563cdbce6b88501a3) C:\Windows\system32\DRIVERS\idmwfp.sys
21:21:11.0267 3284 IDMWFP - ok
21:21:11.0298 3284 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\drivers\iirsp.sys
21:21:11.0298 3284 iirsp - ok
21:21:11.0314 3284 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\drivers\intelide.sys
21:21:11.0314 3284 intelide - ok
21:21:11.0329 3284 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys
21:21:11.0329 3284 intelppm - ok
21:21:11.0345 3284 IpFilterDriver (c9f0e1bd74365a8771590e9008d22ab6) C:\Windows\system32\DRIVERS\ipfltdrv.sys
21:21:11.0345 3284 IpFilterDriver - ok
21:21:11.0361 3284 IPMIDRV (0fc1aea580957aa8817b8f305d18ca3a) C:\Windows\system32\drivers\IPMIDrv.sys
21:21:11.0361 3284 IPMIDRV - ok
21:21:11.0376 3284 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
21:21:11.0376 3284 IPNAT - ok
21:21:11.0392 3284 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
21:21:11.0392 3284 IRENUM - ok
21:21:11.0407 3284 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\drivers\isapnp.sys
21:21:11.0407 3284 isapnp - ok
21:21:11.0423 3284 iScsiPrt (d931d7309deb2317035b07c9f9e6b0bd) C:\Windows\system32\drivers\msiscsi.sys
21:21:11.0423 3284 iScsiPrt - ok
21:21:11.0439 3284 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\DRIVERS\kbdclass.sys
21:21:11.0439 3284 kbdclass - ok
21:21:11.0454 3284 kbdhid (0705eff5b42a9db58548eec3b26bb484) C:\Windows\system32\DRIVERS\kbdhid.sys
21:21:11.0454 3284 kbdhid - ok
21:21:11.0470 3284 KSecDD (ccd53b5bd33ce0c889e830d839c8b66e) C:\Windows\system32\Drivers\ksecdd.sys
21:21:11.0470 3284 KSecDD - ok
21:21:11.0485 3284 KSecPkg (9ff918a261752c12639e8ad4208d2c2f) C:\Windows\system32\Drivers\ksecpkg.sys
21:21:11.0485 3284 KSecPkg - ok
21:21:11.0501 3284 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
21:21:11.0501 3284 ksthunk - ok
21:21:11.0517 3284 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
21:21:11.0532 3284 lltdio - ok
21:21:11.0548 3284 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\drivers\lsi_fc.sys
21:21:11.0548 3284 LSI_FC - ok
21:21:11.0563 3284 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\drivers\lsi_sas.sys
21:21:11.0563 3284 LSI_SAS - ok
21:21:11.0579 3284 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\drivers\lsi_sas2.sys
21:21:11.0579 3284 LSI_SAS2 - ok
21:21:11.0595 3284 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\drivers\lsi_scsi.sys
21:21:11.0595 3284 LSI_SCSI - ok
21:21:11.0610 3284 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
21:21:11.0610 3284 luafv - ok
21:21:11.0610 3284 MBAMProtector (79da94b35371b9e7104460c7693dcb2c) C:\Windows\system32\drivers\mbam.sys
21:21:11.0610 3284 MBAMProtector - ok
21:21:11.0626 3284 mcdbus (79d51e7f5926e8ce1b3ebecebae28cff) C:\Windows\system32\DRIVERS\mcdbus.sys
21:21:11.0641 3284 mcdbus - ok
21:21:11.0641 3284 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\drivers\megasas.sys
21:21:11.0641 3284 megasas - ok
21:21:11.0657 3284 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\drivers\MegaSR.sys
21:21:11.0673 3284 MegaSR - ok
21:21:11.0673 3284 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
21:21:11.0688 3284 Modem - ok
21:21:11.0688 3284 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
21:21:11.0688 3284 monitor - ok
21:21:11.0704 3284 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys
21:21:11.0704 3284 mouclass - ok
21:21:11.0719 3284 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
21:21:11.0719 3284 mouhid - ok
21:21:11.0735 3284 mountmgr (32e7a3d591d671a6df2db515a5cbe0fa) C:\Windows\system32\drivers\mountmgr.sys
21:21:11.0735 3284 mountmgr - ok
21:21:11.0751 3284 mpio (a44b420d30bd56e145d6a2bc8768ec58) C:\Windows\system32\drivers\mpio.sys
21:21:11.0751 3284 mpio - ok
21:21:11.0766 3284 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
21:21:11.0766 3284 mpsdrv - ok
21:21:11.0782 3284 MRxDAV (dc722758b8261e1abafd31a3c0a66380) C:\Windows\system32\drivers\mrxdav.sys
21:21:11.0782 3284 MRxDAV - ok
21:21:11.0797 3284 mrxsmb (faf015b07e3a2874a790a39b7d2c579f) C:\Windows\system32\DRIVERS\mrxsmb.sys
21:21:11.0797 3284 mrxsmb - ok
21:21:11.0813 3284 mrxsmb10 (08e2345df129082bcdffdc1440f9c00d) C:\Windows\system32\DRIVERS\mrxsmb10.sys
21:21:11.0813 3284 mrxsmb10 - ok
21:21:11.0829 3284 mrxsmb20 (108d87409c5812ef47d81e22843e8c9d) C:\Windows\system32\DRIVERS\mrxsmb20.sys
21:21:11.0829 3284 mrxsmb20 - ok
21:21:11.0844 3284 msahci (c25f0bafa182cbca2dd3c851c2e75796) C:\Windows\system32\drivers\msahci.sys
21:21:11.0844 3284 msahci - ok
21:21:11.0860 3284 msdsm (db801a638d011b9633829eb6f663c900) C:\Windows\system32\drivers\msdsm.sys
21:21:11.0860 3284 msdsm - ok
21:21:11.0875 3284 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
21:21:11.0875 3284 Msfs - ok
21:21:11.0891 3284 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
21:21:11.0891 3284 mshidkmdf - ok
21:21:11.0907 3284 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\drivers\msisadrv.sys
21:21:11.0907 3284 msisadrv - ok
21:21:11.0922 3284 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
21:21:11.0922 3284 MSKSSRV - ok
21:21:11.0938 3284 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
21:21:11.0938 3284 MSPCLOCK - ok
21:21:11.0953 3284 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
21:21:11.0953 3284 MSPQM - ok
21:21:11.0985 3284 MsRPC (759a9eeb0fa9ed79da1fb7d4ef78866d) C:\Windows\system32\drivers\MsRPC.sys
21:21:11.0985 3284 MsRPC - ok
21:21:12.0000 3284 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\DRIVERS\mssmbios.sys
21:21:12.0000 3284 mssmbios - ok
21:21:12.0016 3284 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
21:21:12.0016 3284 MSTEE - ok
21:21:12.0031 3284 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\drivers\MTConfig.sys
21:21:12.0031 3284 MTConfig - ok
21:21:12.0047 3284 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
21:21:12.0047 3284 Mup - ok
21:21:12.0078 3284 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
21:21:12.0078 3284 NativeWifiP - ok
21:21:12.0109 3284 NDIS (79b47fd40d9a817e932f9d26fac0a81c) C:\Windows\system32\drivers\ndis.sys
21:21:12.0109 3284 NDIS - ok
21:21:12.0125 3284 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
21:21:12.0125 3284 NdisCap - ok
21:21:12.0141 3284 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
21:21:12.0156 3284 NdisTapi - ok
21:21:12.0172 3284 Ndisuio (136185f9fb2cc61e573e676aa5402356) C:\Windows\system32\DRIVERS\ndisuio.sys
21:21:12.0172 3284 Ndisuio - ok
21:21:12.0187 3284 NdisWan (53f7305169863f0a2bddc49e116c2e11) C:\Windows\system32\DRIVERS\ndiswan.sys
21:21:12.0187 3284 NdisWan - ok
21:21:12.0203 3284 NDProxy (015c0d8e0e0421b4cfd48cffe2825879) C:\Windows\system32\drivers\NDProxy.sys
21:21:12.0203 3284 NDProxy - ok
21:21:12.0219 3284 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
21:21:12.0219 3284 NetBIOS - ok
21:21:12.0234 3284 NetBT (09594d1089c523423b32a4229263f068) C:\Windows\system32\DRIVERS\netbt.sys
21:21:12.0234 3284 NetBT - ok
21:21:12.0265 3284 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\drivers\nfrd960.sys
21:21:12.0265 3284 nfrd960 - ok
21:21:12.0281 3284 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
21:21:12.0281 3284 Npfs - ok
21:21:12.0297 3284 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
21:21:12.0297 3284 nsiproxy - ok
21:21:12.0343 3284 Ntfs (05d78aa5cb5f3f5c31160bdb955d0b7c) C:\Windows\system32\drivers\Ntfs.sys
21:21:12.0359 3284 Ntfs - ok
21:21:12.0375 3284 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
21:21:12.0375 3284 Null - ok
21:21:12.0562 3284 nvlddmkm (9c1996dd3c0469bc8933321f15709f5a) C:\Windows\system32\DRIVERS\nvlddmkm.sys
21:21:12.0624 3284 nvlddmkm - ok
21:21:12.0640 3284 nvoclk64 (8c1d181480796d7d3366a9381fd7782d) C:\Windows\system32\DRIVERS\nvoclk64.sys
21:21:12.0640 3284 nvoclk64 - ok
21:21:12.0655 3284 nvraid (5d9fd91f3d38dc9da01e3cb5fa89cd48) C:\Windows\system32\drivers\nvraid.sys
21:21:12.0655 3284 nvraid - ok
21:21:12.0671 3284 nvstor (f7cd50fe7139f07e77da8ac8033d1832) C:\Windows\system32\drivers\nvstor.sys
21:21:12.0671 3284 nvstor - ok
21:21:12.0687 3284 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\drivers\nv_agp.sys
21:21:12.0687 3284 nv_agp - ok
21:21:12.0702 3284 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\drivers\ohci1394.sys
21:21:12.0702 3284 ohci1394 - ok
21:21:12.0718 3284 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\drivers\parport.sys
21:21:12.0718 3284 Parport - ok
21:21:12.0733 3284 partmgr (871eadac56b0a4c6512bbe32753ccf79) C:\Windows\system32\drivers\partmgr.sys
21:21:12.0733 3284 partmgr - ok
21:21:12.0749 3284 pci (94575c0571d1462a0f70bde6bd6ee6b3) C:\Windows\system32\drivers\pci.sys
21:21:12.0749 3284 pci - ok
21:21:12.0765 3284 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\drivers\pciide.sys
21:21:12.0765 3284 pciide - ok
21:21:12.0780 3284 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\drivers\pcmcia.sys
21:21:12.0780 3284 pcmcia - ok
21:21:12.0796 3284 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
21:21:12.0796 3284 pcw - ok
21:21:12.0811 3284 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
21:21:12.0811 3284 PEAUTH - ok
21:21:12.0843 3284 PptpMiniport (f92a2c41117a11a00be01ca01a7fcde9) C:\Windows\system32\DRIVERS\raspptp.sys
21:21:12.0843 3284 PptpMiniport - ok
21:21:12.0858 3284 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\drivers\processr.sys
21:21:12.0858 3284 Processor - ok
21:21:12.0889 3284 Psched (0557cf5a2556bd58e26384169d72438d) C:\Windows\system32\DRIVERS\pacer.sys
21:21:12.0889 3284 Psched - ok
21:21:12.0921 3284 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\drivers\ql2300.sys
21:21:12.0952 3284 ql2300 - ok
21:21:12.0967 3284 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\drivers\ql40xx.sys
21:21:12.0967 3284 ql40xx - ok
21:21:12.0983 3284 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
21:21:12.0983 3284 QWAVEdrv - ok
21:21:12.0999 3284 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
21:21:12.0999 3284 RasAcd - ok
21:21:13.0014 3284 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
21:21:13.0014 3284 RasAgileVpn - ok
21:21:13.0030 3284 Rasl2tp (471815800ae33e6f1c32fb1b97c490ca) C:\Windows\system32\DRIVERS\rasl2tp.sys
21:21:13.0030 3284 Rasl2tp - ok
21:21:13.0061 3284 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
21:21:13.0061 3284 RasPppoe - ok
21:21:13.0077 3284 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
21:21:13.0077 3284 RasSstp - ok
21:21:13.0092 3284 rdbss (77f665941019a1594d887a74f301fa2f) C:\Windows\system32\DRIVERS\rdbss.sys
21:21:13.0092 3284 rdbss - ok
21:21:13.0108 3284 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys
21:21:13.0108 3284 rdpbus - ok
21:21:13.0123 3284 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
21:21:13.0123 3284 RDPCDD - ok
21:21:13.0155 3284 RDPDR (1b6163c503398b23ff8b939c67747683) C:\Windows\system32\drivers\rdpdr.sys
21:21:13.0155 3284 RDPDR - ok
21:21:13.0170 3284 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
21:21:13.0170 3284 RDPENCDD - ok
21:21:13.0186 3284 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
21:21:13.0186 3284 RDPREFMP - ok
21:21:13.0217 3284 RdpVideoMiniport (70cba1a0c98600a2aa1863479b35cb90) C:\Windows\system32\drivers\rdpvideominiport.sys
21:21:13.0217 3284 RdpVideoMiniport - ok
21:21:13.0233 3284 RDPWD (15b66c206b5cb095bab980553f38ed23) C:\Windows\system32\drivers\RDPWD.sys
21:21:13.0233 3284 RDPWD - ok
21:21:13.0248 3284 rdyboost (34ed295fa0121c241bfef24764fc4520) C:\Windows\system32\drivers\rdyboost.sys
21:21:13.0248 3284 rdyboost - ok
21:21:13.0279 3284 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
21:21:13.0279 3284 rspndr - ok
21:21:13.0311 3284 RTL8167 (9140db0911de035fed0a9a77a2d156ea) C:\Windows\system32\DRIVERS\Rt64win7.sys
21:21:13.0311 3284 RTL8167 - ok
21:21:13.0326 3284 s3cap (e60c0a09f997826c7627b244195ab581) C:\Windows\system32\drivers\vms3cap.sys
21:21:13.0326 3284 s3cap - ok
21:21:13.0342 3284 sbp2port (ac03af3329579fffb455aa2daabbe22b) C:\Windows\system32\drivers\sbp2port.sys
21:21:13.0342 3284 sbp2port - ok
21:21:13.0373 3284 scfilter (253f38d0d7074c02ff8deb9836c97d2b) C:\Windows\system32\DRIVERS\scfilter.sys
21:21:13.0373 3284 scfilter - ok
21:21:13.0389 3284 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
21:21:13.0389 3284 secdrv - ok
21:21:13.0420 3284 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys
21:21:13.0420 3284 Serenum - ok
21:21:13.0435 3284 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
21:21:13.0435 3284 Serial - ok
21:21:13.0451 3284 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\drivers\sermouse.sys
21:21:13.0451 3284 sermouse - ok
21:21:13.0482 3284 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\drivers\sffdisk.sys
21:21:13.0482 3284 sffdisk - ok
21:21:13.0498 3284 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\drivers\sffp_mmc.sys
21:21:13.0498 3284 sffp_mmc - ok
21:21:13.0513 3284 sffp_sd (dd85b78243a19b59f0637dcf284da63c) C:\Windows\system32\drivers\sffp_sd.sys
21:21:13.0513 3284 sffp_sd - ok
21:21:13.0529 3284 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\drivers\sfloppy.sys
21:21:13.0529 3284 sfloppy - ok
21:21:13.0545 3284 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\drivers\SiSRaid2.sys
21:21:13.0545 3284 SiSRaid2 - ok
21:21:13.0560 3284 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\drivers\sisraid4.sys
21:21:13.0576 3284 SiSRaid4 - ok
21:21:13.0591 3284 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
21:21:13.0591 3284 Smb - ok
21:21:13.0607 3284 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
21:21:13.0607 3284 spldr - ok
21:21:13.0638 3284 srv (2098b8556d1cec2aca9a29cd479e3692) C:\Windows\system32\DRIVERS\srv.sys
21:21:13.0638 3284 srv - ok
21:21:13.0669 3284 srv2 (d0f73a42040f21f92fd314b42ac5c9e7) C:\Windows\system32\DRIVERS\srv2.sys
21:21:13.0669 3284 srv2 - ok
21:21:13.0685 3284 srvnet (2ba8f3250828ccdb4204ecf2c6f40b6a) C:\Windows\system32\DRIVERS\srvnet.sys
21:21:13.0685 3284 srvnet - ok
21:21:13.0716 3284 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\drivers\stexstor.sys
21:21:13.0716 3284 stexstor - ok
21:21:13.0732 3284 storflt (7785dc213270d2fc066538daf94087e7) C:\Windows\system32\drivers\vmstorfl.sys
21:21:13.0732 3284 storflt - ok
21:21:13.0747 3284 storvsc (d34e4943d5ac096c8edeebfd80d76e23) C:\Windows\system32\drivers\storvsc.sys
21:21:13.0747 3284 storvsc - ok
21:21:13.0763 3284 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\DRIVERS\swenum.sys
21:21:13.0763 3284 swenum - ok
21:21:13.0794 3284 Synth3dVsc (c3a39c4079305480972d29c44b868c78) C:\Windows\system32\drivers\synth3dvsc.sys
21:21:13.0794 3284 Synth3dVsc - ok
21:21:13.0841 3284 Tcpip (509383e505c973ed7534a06b3d19688d) C:\Windows\system32\drivers\tcpip.sys
21:21:13.0872 3284 Tcpip - ok
21:21:13.0903 3284 TCPIP6 (509383e505c973ed7534a06b3d19688d) C:\Windows\system32\DRIVERS\tcpip.sys
21:21:13.0919 3284 TCPIP6 - ok
21:21:13.0935 3284 tcpipreg (df687e3d8836bfb04fcc0615bf15a519) C:\Windows\system32\drivers\tcpipreg.sys
21:21:13.0935 3284 tcpipreg - ok
21:21:13.0950 3284 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
21:21:13.0950 3284 TDPIPE - ok
21:21:13.0966 3284 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
21:21:13.0966 3284 TDTCP - ok
21:21:13.0981 3284 tdx (ddad5a7ab24d8b65f8d724f5c20fd806) C:\Windows\system32\DRIVERS\tdx.sys
21:21:13.0981 3284 tdx - ok
21:21:13.0997 3284 TermDD (561e7e1f06895d78de991e01dd0fb6e5) C:\Windows\system32\DRIVERS\termdd.sys
21:21:13.0997 3284 TermDD - ok
21:21:14.0013 3284 terminpt (2b5bdff688ec9871d7ec5837833374e9) C:\Windows\system32\drivers\terminpt.sys
21:21:14.0013 3284 terminpt - ok
21:21:14.0044 3284 tssecsrv (ce18b2cdfc837c99e5fae9ca6cba5d30) C:\Windows\system32\DRIVERS\tssecsrv.sys
21:21:14.0044 3284 tssecsrv - ok
21:21:14.0059 3284 TsUsbFlt (d11c783e3ef9a3c52c0ebe83cc5000e9) C:\Windows\system32\drivers\tsusbflt.sys
21:21:14.0059 3284 TsUsbFlt - ok
21:21:14.0075 3284 TsUsbGD (9cc2ccae8a84820eaecb886d477cbcb8) C:\Windows\system32\drivers\TsUsbGD.sys
21:21:14.0075 3284 TsUsbGD - ok
21:21:14.0091 3284 tsusbhub (e1748d04ae40118b62bc18ac86032192) C:\Windows\system32\drivers\tsusbhub.sys
21:21:14.0091 3284 tsusbhub - ok
21:21:14.0106 3284 tunnel (3566a8daafa27af944f5d705eaa64894) C:\Windows\system32\DRIVERS\tunnel.sys
21:21:14.0106 3284 tunnel - ok
21:21:14.0122 3284 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\drivers\uagp35.sys
21:21:14.0122 3284 uagp35 - ok
21:21:14.0137 3284 udfs (ff4232a1a64012baa1fd97c7b67df593) C:\Windows\system32\DRIVERS\udfs.sys
21:21:14.0153 3284 udfs - ok
21:21:14.0169 3284 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\drivers\uliagpkx.sys
21:21:14.0169 3284 uliagpkx - ok
21:21:14.0184 3284 umbus (dc54a574663a895c8763af0fa1ff7561) C:\Windows\system32\DRIVERS\umbus.sys
21:21:14.0184 3284 umbus - ok
21:21:14.0200 3284 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\drivers\umpass.sys
21:21:14.0200 3284 UmPass - ok
21:21:14.0215 3284 USBAAPL64 (aa33fc47ed58c34e6e9261e4f850b7eb) C:\Windows\system32\Drivers\usbaapl64.sys
21:21:14.0215 3284 USBAAPL64 - ok
21:21:14.0247 3284 usbaudio (82e8f44688e6fac57b5b7c6fc7adbc2a) C:\Windows\system32\drivers\usbaudio.sys
21:21:14.0247 3284 usbaudio - ok
21:21:14.0262 3284 usbccgp (481dff26b4dca8f4cbac1f7dce1d6829) C:\Windows\system32\DRIVERS\usbccgp.sys
21:21:14.0262 3284 usbccgp - ok
21:21:14.0278 3284 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\drivers\usbcir.sys
21:21:14.0278 3284 usbcir - ok
21:21:14.0293 3284 usbehci (74ee782b1d9c241efe425565854c661c) C:\Windows\system32\DRIVERS\usbehci.sys
21:21:14.0293 3284 usbehci - ok
21:21:14.0309 3284 usbhub (dc96bd9ccb8403251bcf25047573558e) C:\Windows\system32\DRIVERS\usbhub.sys
21:21:14.0309 3284 usbhub - ok
21:21:14.0340 3284 usbohci (58e546bbaf87664fc57e0f6081e4f609) C:\Windows\system32\drivers\usbohci.sys
21:21:14.0340 3284 usbohci - ok
21:21:14.0356 3284 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys
21:21:14.0356 3284 usbprint - ok
21:21:14.0371 3284 USBSTOR (d76510cfa0fc09023077f22c2f979d86) C:\Windows\system32\DRIVERS\USBSTOR.SYS
21:21:14.0371 3284 USBSTOR - ok
21:21:14.0387 3284 usbuhci (81fb2216d3a60d1284455d511797db3d) C:\Windows\system32\DRIVERS\usbuhci.sys
21:21:14.0387 3284 usbuhci - ok
21:21:14.0403 3284 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\drivers\vdrvroot.sys
21:21:14.0403 3284 vdrvroot - ok
21:21:14.0434 3284 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
21:21:14.0434 3284 vga - ok
21:21:14.0449 3284 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
21:21:14.0449 3284 VgaSave - ok
21:21:14.0465 3284 VGPU - ok
21:21:14.0481 3284 vhdmp (2ce2df28c83aeaf30084e1b1eb253cbb) C:\Windows\system32\drivers\vhdmp.sys
21:21:14.0481 3284 vhdmp - ok
21:21:14.0496 3284 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\drivers\viaide.sys
21:21:14.0496 3284 viaide - ok
21:21:14.0512 3284 vmbus (86ea3e79ae350fea5331a1303054005f) C:\Windows\system32\drivers\vmbus.sys
21:21:14.0527 3284 vmbus - ok
21:21:14.0543 3284 VMBusHID (7de90b48f210d29649380545db45a187) C:\Windows\system32\drivers\VMBusHID.sys
21:21:14.0543 3284 VMBusHID - ok
21:21:14.0559 3284 vncmirror (93f279a2c172562050700a18fa84be2e) C:\Windows\system32\DRIVERS\vncmirror.sys
21:21:14.0559 3284 vncmirror - ok
21:21:14.0574 3284 volmgr (d2aafd421940f640b407aefaaebd91b0) C:\Windows\system32\drivers\volmgr.sys
21:21:14.0574 3284 volmgr - ok
21:21:14.0590 3284 volmgrx (a255814907c89be58b79ef2f189b843b) C:\Windows\system32\drivers\volmgrx.sys
21:21:14.0590 3284 volmgrx - ok
21:21:14.0621 3284 volsnap (0d08d2f3b3ff84e433346669b5e0f639) C:\Windows\system32\drivers\volsnap.sys
21:21:14.0621 3284 volsnap - ok
21:21:14.0637 3284 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\drivers\vsmraid.sys
21:21:14.0637 3284 vsmraid - ok
21:21:14.0652 3284 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\System32\drivers\vwifibus.sys
21:21:14.0652 3284 vwifibus - ok
21:21:14.0683 3284 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\drivers\wacompen.sys
21:21:14.0683 3284 WacomPen - ok
21:21:14.0699 3284 WANARP (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
21:21:14.0699 3284 WANARP - ok
21:21:14.0699 3284 Wanarpv6 (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
21:21:14.0699 3284 Wanarpv6 - ok
21:21:14.0730 3284 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\drivers\wd.sys
21:21:14.0730 3284 Wd - ok
21:21:14.0761 3284 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
21:21:14.0761 3284 Wdf01000 - ok
21:21:14.0793 3284 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
21:21:14.0793 3284 WfpLwf - ok
21:21:14.0808 3284 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
21:21:14.0808 3284 WIMMount - ok
21:21:14.0855 3284 WinUsb (fe88b288356e7b47b74b13372add906d) C:\Windows\system32\DRIVERS\WinUsb.sys
21:21:14.0855 3284 WinUsb - ok
21:21:14.0871 3284 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\DRIVERS\wmiacpi.sys
21:21:14.0871 3284 WmiAcpi - ok
21:21:14.0902 3284 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
21:21:14.0902 3284 ws2ifsl - ok
21:21:14.0933 3284 WudfPf (d3381dc54c34d79b22cee0d65ba91b7c) C:\Windows\system32\drivers\WudfPf.sys
21:21:14.0933 3284 WudfPf - ok
21:21:14.0949 3284 WUDFRd (cf8d590be3373029d57af80914190682) C:\Windows\system32\DRIVERS\WUDFRd.sys
21:21:14.0949 3284 WUDFRd - ok
21:21:14.0964 3284 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
21:21:14.0980 3284 \Device\Harddisk0\DR0 - ok
21:21:14.0980 3284 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk1\DR1
21:21:14.0995 3284 \Device\Harddisk1\DR1 - ok
21:21:15.0011 3284 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk2\DR2
21:21:15.0058 3284 \Device\Harddisk2\DR2 - ok
21:21:15.0058 3284 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk3\DR3
21:21:15.0073 3284 \Device\Harddisk3\DR3 - ok
21:21:15.0073 3284 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk4\DR10
21:21:15.0073 3284 \Device\Harddisk4\DR10 - ok
21:21:15.0073 3284 Boot (0x1200) (8f8fd1f7a041700546218221f5eb18d3) \Device\Harddisk0\DR0\Partition0
21:21:15.0073 3284 \Device\Harddisk0\DR0\Partition0 - ok
21:21:15.0089 3284 Boot (0x1200) (5420bfaf1a4703e9b86606dc61d9d584) \Device\Harddisk0\DR0\Partition1
21:21:15.0089 3284 \Device\Harddisk0\DR0\Partition1 - ok
21:21:15.0089 3284 Boot (0x1200) (9d6ce0f6a7806910721ecb10eb62c71a) \Device\Harddisk1\DR1\Partition0
21:21:15.0089 3284 \Device\Harddisk1\DR1\Partition0 - ok
21:21:15.0089 3284 Boot (0x1200) (8e86a0c430ce2ed0b80cfc57b548e35e) \Device\Harddisk2\DR2\Partition0
21:21:15.0089 3284 \Device\Harddisk2\DR2\Partition0 - ok
21:21:15.0105 3284 Boot (0x1200) (514e01138b7744f84d254c59eef4e54a) \Device\Harddisk3\DR3\Partition0
21:21:15.0105 3284 \Device\Harddisk3\DR3\Partition0 - ok
21:21:15.0105 3284 Boot (0x1200) (7af02d428b7b0f37e273e8fd98544237) \Device\Harddisk4\DR10\Partition0
21:21:15.0105 3284 \Device\Harddisk4\DR10\Partition0 - ok
21:21:15.0105 3284 ============================================================
21:21:15.0105 3284 Scan finished
21:21:15.0105 3284 ============================================================
21:21:15.0120 3332 Detected object count: 0
21:21:15.0120 3332 Actual detected object count: 0








aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-13 21:21:45
-----------------------------
21:21:45.599 OS Version: Windows x64 6.1.7601 Service Pack 1
21:21:45.599 Number of processors: 4 586 0x1E05
21:21:45.599 ComputerName: WIRTH87-PC UserName: wirth87
21:21:45.771 Initialize success
21:21:48.087 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
21:21:48.102 Disk 0 Vendor: OCZ-AGILITY3 2.11 Size: 114473MB BusType: 3
21:21:48.102 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-1
21:21:48.102 Disk 1 Vendor: WDC_WD1002FAEX-00Z3A0 05.01D05 Size: 953869MB BusType: 3
21:21:48.102 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP8T0L0-e
21:21:48.118 Disk 2 Vendor: WDC_WD10EADS-00L5B1 01.01A01 Size: 953868MB BusType: 11
21:21:48.118 Disk 3 \Device\Harddisk3\DR3 -> \Device\Ide\IdeDeviceP10T0L0-10
21:21:48.118 Disk 3 Vendor: WDC_WD10EADS-00M2B0 01.00A01 Size: 953869MB BusType: 11
21:21:48.118 Disk 4 \Device\Harddisk4\DR10 -> \Device\00000083
21:21:48.133 Disk 4 Vendor: Size: 953869MB BusType: 0
21:21:48.133 Disk 0 MBR read successfully
21:21:48.133 Disk 0 MBR scan
21:21:48.133 Disk 0 Windows 7 default MBR code
21:21:48.133 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
21:21:48.149 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 114371 MB offset 206848
21:21:48.165 Disk 0 scanning C:\Windows\system32\drivers
21:21:49.413 Service scanning
21:21:53.547 Modules scanning
21:21:53.547 Disk 0 trace - called modules:
21:21:53.562 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
21:21:53.578 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003f88060]
21:21:53.578 3 CLASSPNP.SYS[fffff880019c343f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8003d08060]
21:21:53.593 Scan finished successfully
21:22:00.676 Disk 0 MBR has been saved successfully to "I:\MBR.dat"
21:22:00.707 The log file has been saved successfully to "I:\aswMBR.txt"


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-13 21:25:27
-----------------------------
21:25:27.979 OS Version: Windows x64 6.1.7601 Service Pack 1
21:25:27.979 Number of processors: 4 586 0x1E05
21:25:27.979 ComputerName: WIRTH87-PC UserName: wirth87
21:25:28.213 Initialize success
21:27:13.723 AVAST engine defs: 12031300
21:27:36.530 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
21:27:36.530 Disk 0 Vendor: OCZ-AGILITY3 2.11 Size: 114473MB BusType: 3
21:27:36.546 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-1
21:27:36.546 Disk 1 Vendor: WDC_WD1002FAEX-00Z3A0 05.01D05 Size: 953869MB BusType: 3
21:27:36.546 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP8T0L0-e
21:27:36.546 Disk 2 Vendor: WDC_WD10EADS-00L5B1 01.01A01 Size: 953868MB BusType: 11
21:27:36.561 Disk 3 \Device\Harddisk3\DR3 -> \Device\Ide\IdeDeviceP10T0L0-10
21:27:36.561 Disk 3 Vendor: WDC_WD10EADS-00M2B0 01.00A01 Size: 953869MB BusType: 11
21:27:36.577 Disk 0 MBR read successfully
21:27:36.577 Disk 0 MBR scan
21:27:36.592 Disk 0 Windows 7 default MBR code
21:27:36.592 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
21:27:36.608 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 114371 MB offset 206848
21:27:36.624 Disk 0 scanning C:\Windows\system32\drivers
21:27:40.368 Service scanning
21:27:50.414 Modules scanning
21:27:50.414 Disk 0 trace - called modules:
21:27:50.430 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
21:27:50.445 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003f88060]
21:27:50.445 3 CLASSPNP.SYS[fffff880019c343f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8003d08060]
21:27:50.664 AVAST engine scan C:\
21:39:55.799 Scan finished successfully
21:40:55.360 Disk 0 MBR has been saved successfully to "I:\MBR.dat"
21:40:55.360 The log file has been saved successfully to "I:\aswMBR.txt"

Edited by wirth87, 13 March 2012 - 08:46 AM.


#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:46 PM

Posted 13 March 2012 - 01:12 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Firefox::
FF - ProfilePath - c:\users\wirth87\AppData\Roaming\Mozilla\Firefox\Profiles\oaranrl7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2863398&SearchSource=3&q={searchTerms}

RegLockDel:::
[HKEY_USERS\S-1-5-21-2963362775-1462534231-76741011-1001_Classes\Wow6432Node\CLSID\{5212194e-d343-4564-adfd-91075642bf0b}]

RegLock::
[HKEY_USERS\S-1-5-21-2963362775-1462534231-76741011-1001_Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 wirth87

wirth87
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 13 March 2012 - 10:09 PM

So far the pc has been running well no problems after a couple of hours ill have to see how it goes because when the problem first started the pc could run for 3-4hrs any redirects started. I will report back if i have any further issues.

ComboFix 12-03-12.02 - wirth87 14/03/2012 9:17.2.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.61.1033.18.4091.2374 [GMT 8:00]
Running from: D:\ComboFix.exe
Command switches used :: c:\users\wirth87\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\etc\hosts.ics
.
.
((((((((((((((((((((((((( Files Created from 2012-02-14 to 2012-03-14 )))))))))))))))))))))))))))))))
.
.
2012-03-14 01:23 . 2012-03-14 01:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-13 13:54 . 2012-03-13 13:54 -------- d-----w- c:\windows\system32\appmgmt
2012-03-11 09:45 . 2012-03-11 09:45 -------- d-----w- c:\users\wirth87\AppData\Roaming\NVIDIA
2012-03-11 09:29 . 2012-03-11 09:29 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-03-11 07:28 . 2012-03-11 07:29 -------- d-----w- c:\users\wirth87\AppData\Local\Google
2012-03-11 07:02 . 2012-03-11 07:02 -------- d-----w- c:\users\wirth87\AppData\Local\NVIDIA Corporation
2012-03-11 07:01 . 2012-03-11 07:09 -------- d-----w- C:\NVIDIA
2012-03-08 04:54 . 2012-03-08 04:54 -------- d--h--w- c:\program files (x86)\Common Files\EAInstaller
2012-03-08 04:54 . 2012-03-11 07:27 -------- d-----w- c:\program files (x86)\NVIDIA Corporation
2012-03-08 04:41 . 2012-03-08 04:42 -------- d-----w- C:\ME3
2012-02-27 10:19 . 2012-02-27 10:19 -------- d-----w- c:\users\wirth87\AppData\Local\Skyrim
2012-02-27 10:08 . 2008-10-14 22:22 519000 ----a-w- c:\windows\system32\d3dx10_40.dll
2012-02-27 10:08 . 2008-10-14 22:22 452440 ----a-w- c:\windows\SysWow64\d3dx10_40.dll
2012-02-27 10:08 . 2008-10-14 22:22 2605920 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2012-02-27 10:08 . 2008-10-14 22:22 2036576 ----a-w- c:\windows\SysWow64\D3DCompiler_40.dll
2012-02-27 10:08 . 2008-10-14 22:22 5631312 ----a-w- c:\windows\system32\D3DX9_40.dll
2012-02-27 10:08 . 2008-10-14 22:22 4379984 ----a-w- c:\windows\SysWow64\D3DX9_40.dll
2012-02-27 10:02 . 2012-02-27 10:19 -------- d-----w- c:\program files (x86)\The Elder Scrolls V Skyrim
2012-02-27 03:27 . 2012-03-03 06:47 -------- d-----w- C:\codmw3
2012-02-23 15:12 . 2012-02-08 01:13 149640 ----a-w- c:\windows\system32\drivers\idmwfp.sys
2012-02-19 02:28 . 2012-02-19 03:32 -------- d-----w- c:\users\wirth87\AppData\Roaming\BoneCraft
2012-02-19 02:25 . 2012-02-19 02:26 -------- d-----w- c:\program files\BoneCraft
2012-02-19 02:25 . 2012-03-13 13:54 -------- d-----w- c:\program files (x86)\BoneCraft
2012-02-14 12:52 . 2012-02-14 12:52 -------- d-----w- c:\users\wirth87\AppData\Roaming\vlc
2012-02-14 12:52 . 2012-02-14 12:52 -------- d-----w- c:\program files (x86)\VideoLAN
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-11 09:29 . 2012-01-16 08:35 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-02-10 04:13 . 2009-07-13 21:59 9717568 ----a-w- c:\windows\system32\nvwgf2umx.dll
2012-02-09 12:05 . 2012-02-09 12:05 416064 ----a-w- c:\windows\SysWow64\nvStreaming.exe
2012-02-05 11:40 . 2010-11-21 03:24 14848 ----a-w- c:\windows\system32\slwga.dll
2012-02-05 11:40 . 2010-11-21 03:23 13824 ----a-w- c:\windows\SysWow64\slwga.dll
2012-02-05 11:40 . 2010-11-21 03:24 833024 ----a-w- c:\windows\SysWow64\user32.dll
2012-02-05 11:40 . 2010-11-21 03:24 1008640 ----a-w- c:\windows\system32\user32.dll
2012-02-05 11:40 . 2010-11-21 03:24 419840 ----a-w- c:\windows\system32\systemcpl.dll
2012-01-03 07:56 . 2012-01-03 07:56 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2011-12-29 18:00 . 2012-01-02 10:50 79360 ----a-w- c:\windows\SysWow64\ff_vfw.dll
2011-12-29 18:00 . 2012-01-02 10:46 92160 ----a-w- c:\windows\system32\ff_vfw.dll
2011-12-21 18:14 . 2012-01-02 10:50 151552 ----a-w- c:\windows\SysWow64\ac3acm.acm
2011-12-18 23:22 . 2012-01-02 10:50 4078592 ----a-w- c:\windows\SysWow64\x264vfw.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-11-21 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll
[-] 2012-02-05 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7601.17514] .. c:\windows\system32\user32.dll
.
[-] 2012-02-05 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7601.17514] .. c:\windows\SysWOW64\user32.dll
[7] 2010-11-21 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
.
((((((((((((((((((((((((((((( SnapShot@2012-03-13_10.33.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-21 03:09 . 2012-03-13 10:40 25820 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-13 13:19 37436 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2012-01-02 07:02 . 2012-03-08 16:38 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-01-02 07:02 . 2012-03-13 16:31 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-01-02 07:02 . 2012-03-08 16:38 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-01-02 07:02 . 2012-03-13 16:31 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-08 16:38 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-13 16:31 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-01-02 10:05 . 2012-03-13 13:20 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-01-02 10:05 . 2012-03-11 16:31 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-01-02 10:05 . 2012-03-11 16:31 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-01-02 10:05 . 2012-03-13 13:20 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-01-02 10:05 . 2012-03-13 13:20 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-01-02 10:05 . 2012-03-11 16:31 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-01-02 10:06 . 2012-03-14 01:35 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-01-02 10:06 . 2012-03-13 10:33 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-01-02 10:06 . 2012-03-14 01:35 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-01-02 10:06 . 2012-03-13 10:33 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-01-02 10:07 . 2012-03-13 13:19 4164 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2963362775-1462534231-76741011-1001_UserData.bin
- 2012-03-13 10:33 . 2012-03-13 10:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-03-14 01:35 . 2012-03-14 01:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-03-14 01:35 . 2012-03-14 01:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-03-13 10:33 . 2012-03-13 10:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2012-03-13 07:22 663664 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-13 13:22 663664 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-13 13:22 124400 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-03-13 07:22 124400 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-03-13 10:32 274036 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-03-14 01:24 274036 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files (x86)\Internet Download Manager\IDMan.exe" [2012-02-23 3474840]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-07-05 421888]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-01-16 421736]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\users\wirth87\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files (x86)\MagicDisc\MagicDisc.exe [2012-1-29 576000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 androidusb;ADB Interface Driver;c:\windows\system32\Drivers\androidusb.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [2012-02-10 2348352]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2012-02-09 382272]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 nvoclk64;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\DRIVERS\nvoclk64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2963362775-1462534231-76741011-1001Core.job
- c:\users\wirth87\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-11 07:28]
.
2012-03-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2963362775-1462534231-76741011-1001UA.job
- c:\users\wirth87\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-11 07:28]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2012-02-08 00:49 23432 ----a-w- c:\program files (x86)\Internet Download Manager\IDMShellExt64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Download all links with IDM - c:\program files (x86)\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files (x86)\Internet Download Manager\IEExt.htm
TCP: DhcpNameServer = 192.168.2.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
.
**************************************************************************
.
Completion time: 2012-03-14 09:45:06 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-14 01:45
ComboFix2.txt 2012-03-13 10:35
.
Pre-Run: 43,227,258,880 bytes free
Post-Run: 42,630,778,880 bytes free
.
- - End Of File - - E270859CF5AB9C1EBF95765C6D957069

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:46 PM

Posted 13 March 2012 - 10:56 PM

Hello

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 wirth87

wirth87
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 14 March 2012 - 03:55 AM

Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.2)
Android SDK Tools
Apple Application Support
Apple Software Update
Camtasia Studio 7
CuteFTP 8 Professional
Google Chrome
Internet Download Manager
Java Auto Updater
Java™ 6 Update 31
K-Lite Mega Codec Pack 8.1.0
MagicDisc 2.7.106
Malwarebytes Anti-Malware version 1.60.1.1000
Mass Effect™ 3
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
MozBackup 1.5.1
NVIDIA Performance
NVIDIA PhysX
NVIDIA Stereoscopic 3D Driver
NVIDIA System Monitor
NVIDIA System Update
OpenOffice.org 3.3
QuickTime
Realtek Ethernet Controller Driver
SDFormatter
VLC media player 1.1.11

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:46 PM

Posted 14 March 2012 - 07:35 AM

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 wirth87

wirth87
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 15 March 2012 - 02:46 AM

The only issue i had running these scans was hijackthis said access to hosts file denied.

The pc seems to be running normally was left on overnight and all day. Hasn't reset itself and so far no pages have been redirected.




Malwarebytes Anti-Malware (PRO) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.15.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
wirth87 :: WIRTH87-PC [administrator]

Protection: Enabled

15/03/2012 3:39:16 PM
mbam-log-2012-03-15 (15-39-16).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 205509
Time elapsed: 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)








Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:43:50 PM, on 15/03/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Internet Download Manager\IDMan.exe
C:\Program Files (x86)\MagicDisc\MagicDisc.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\K-Lite Codec Pack\Media Player Classic\mpc-hc.exe
C:\Users\wirth87\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\wirth87\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\wirth87\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\SysWOW64\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [IDMan] C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11e_Plugin.exe -update plugin
O4 - Startup: MagicDisc.lnk = C:\Program Files (x86)\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files (x86)\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files (x86)\Internet Download Manager\IEExt.htm
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - C:\Program Files (x86)\NVIDIA Corporation\System Update\UpdateCenterService.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 7623 bytes

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:46 PM

Posted 15 March 2012 - 02:57 AM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [IDMan] C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
      O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11e_Plugin.exe -update plugin
      O4 - Startup: MagicDisc.lnk = C:\Program Files (x86)\MagicDisc\MagicDisc.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo

Edited by gringo_pr, 15 March 2012 - 02:58 AM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 wirth87

wirth87
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:46 AM

Posted 16 March 2012 - 01:45 AM

D:\OpenOffice_Setup.exe a variant of Win32/Adware.iBryte.A application
D:\wiivideo9-600-setup.exe Win32/OpenCandy application
E:\Backup\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\2ec82cba-63e508c3 multiple threats


Thankyou for your help

Edited by wirth87, 16 March 2012 - 01:47 AM.


#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:46 PM

Posted 16 March 2012 - 01:48 AM

Hello

There are some minor things in your online scan that should be removed.


delete files

  • Copy all text in the quote box (below)...to Notepad.

    @echo off
    del /f /s /q "D:\OpenOffice_Setup.exe"
    del /f /s /q "D:\wiivideo9-600-setup.exe"
    del /f /s /q "E:\Backup\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\2ec82cba-63e508c3"
    del %0

  • Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
    It should look like this: Posted Image<--XPPosted Image<--vista
  • Double click on delfile.bat to execute it.
    A black CMD window will flash, then disappear...this is normal.
  • The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.


The rest of the Online scan is only reporting backups created during the course of this fix C:\Qoobox\Quarantine\, and/or items located in System Restore's cache C:\System Volume Information\, Whatever is in these folders can't harm you unless you choose to perform a manual restore. the following steps will remove these backups.


Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over you can just be deleted from the desktop.

:DeFogger:

Note** This only needs to be run if it was run before - If not then skip it.

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
Your Emulation drivers are now re-enabled.


:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.
  • Posted Image


:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:Make your Internet Explorer more secure:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.


:Make Firefox more secure:

please visit this page to explain how to make Firefox more secure - How to Secure Firefox


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector


:Turn On Automatic Updates:

Turn On Automatic Updates
1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum
and
COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:46 PM

Posted 19 March 2012 - 09:52 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users