
Sirefef.G infection consrv.dll



#1 MPJ

Posted 19 March 2012 - 05:59 PM

Attached file: Attach.txt (7.49 KB)

I have Win7 64. I had MSE running, now have Prevx3. PC was rebooting, unable to start Windows. I have to go back to a restore point if I want to use the machine. I've run ESET and MBAM and maybe some others but cleaning the infection puts the machine back in the same symptom. I've noticed now that Windows Firewall service is missing too. From the scans I've run I've managed to see at least the sirefef.g as one culprit although there may be others. Help!

DDS:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Dad at 18:25:33 on 2012-03-19
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2048.896 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files (x86)\Steam\Steam.exe
D:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Prevx\prevx.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSEARCH PAGE = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: N/A: {00a6faf6-072e-44cf-8957-5838f569a31d} - C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
mWinlogon: Userinit=userinit.exe
BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
BHO: mwsBar BHO: {07b18ea1-a523-4961-b6bb-170de4475cca} - C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSBAR.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: GetRight IE Helper: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - D:\GetRight\xx2gr.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: My Web Search: {07b18ea9-a523-4961-b6bb-170de4475cca} - C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSBAR.DLL
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent
uRun: [Google Update] "C:\Users\Dad\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [MyWebSearch Email Plugin] C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwsoemon.exe
mRun: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "D:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [BYR_AGENT] C:\ProgramData\LGMOBILEAX\BYR_Client\VZWNotiAgent.exe
mRun: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~2\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
mRun: [MyWebSearch Email Plugin] C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwsoemon.exe
mRun: [StartCCC] "D:\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\VPNGUI~1.LNK - C:\Windows\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?s=100000345&p=ZLxdm378YYUS&si=1579&a=4gRI4bFAxHSLBi2VV0y8bQ&n=2011112421
IE: Download with GetRight - D:\GetRight\GRdownload.htm
IE: Open With GetRight Browser - D:\GetRight\GRbrowse.htm
LSP: mswsock.dll
Trusted Zone: intuit.com\ttlc
Trusted Zone: org.com\www.cusa-hfs
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{503AC070-AFF5-4974-908F-BC38BA9398F7} : DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: MyWebSearch Search Assistant BHO: {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSSRCAS.DLL
BHO-X64: MyWebSearch Search Assistant BHO - No File
BHO-X64: mwsBar BHO: {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSBAR.DLL
BHO-X64: mwsBar BHO - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: GetRight IE Helper: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\GetRight\xx2gr.dll
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: My Web Search: {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSBAR.DLL
TB-X64: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
mRun-x64: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun-x64: [iTunesHelper] "D:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [BYR_AGENT] C:\ProgramData\LGMOBILEAX\BYR_Client\VZWNotiAgent.exe
mRun-x64: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~2\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h
mRun-x64: [MyWebSearch Email Plugin] C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwsoemon.exe
mRun-x64: [StartCCC] "D:\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 pxscan;pxscan;C:\Windows\system32\drivers\pxscan.sys --> C:\Windows\system32\drivers\pxscan.sys [?]
R1 pxrts;pxrts;C:\Windows\system32\drivers\pxrts.sys --> C:\Windows\system32\drivers\pxrts.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 CSIScanner;CSIScanner;C:\Program Files\Prevx\prevx.exe [2012-1-1 6746280]
R3 amdiox64;AMD IO Driver;C:\Windows\system32\DRIVERS\amdiox64.sys --> C:\Windows\system32\DRIVERS\amdiox64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 pxkbf;pxkbf;C:\Windows\system32\drivers\pxkbf.sys --> C:\Windows\system32\drivers\pxkbf.sys [?]
R3 Razerlow;Razer Pro|Solutions;C:\Windows\system32\drivers\Razerlow.sys --> C:\Windows\system32\drivers\Razerlow.sys [?]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk62x64.sys --> C:\Windows\system32\DRIVERS\yk62x64.sys [?]
S1 vflt;Shrew Soft Lightweight Filter;C:\Windows\system32\DRIVERS\vfilter.sys --> C:\Windows\system32\DRIVERS\vfilter.sys [?]
S2 AMD FUEL Service;AMD FUEL Service;D:\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe /launchService --> D:\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-10-24 136176]
S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-10-24 136176]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 vnet;Shrew Soft Virtual Adapter;C:\Windows\system32\DRIVERS\virtualnet.sys --> C:\Windows\system32\DRIVERS\virtualnet.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 MyWebSearchService;My Web Search Service;C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwssvc.exe --> C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwssvc.exe [?]
.
=============== Created Last 30 ================
.
2012-03-19 03:25:18 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-19 00:48:40 -------- d-----w- C:\Program Files (x86)\ESET
2012-03-18 02:07:48 -------- d-----w- C:\Windows\Battle Academy Demo
2012-03-15 18:37:55 -------- d-----w- C:\Users\Dad\AppData\Local\{C3B3F80D-0361-4650-B6C2-59F4898CE09C}
2012-03-15 18:37:45 -------- d-----w- C:\Users\Dad\AppData\Local\{8503C652-60DF-474D-8EC9-3740F1C79235}
2012-03-14 07:02:59 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-03-14 07:02:58 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-03-14 07:02:58 3913584 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-03-14 04:02:07 3145728 ----a-w- C:\Windows\System32\win32k.sys
2012-03-14 04:02:05 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2012-03-14 04:02:05 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-03-14 04:01:38 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-03-14 04:01:38 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-03-14 04:01:38 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-03-14 04:01:26 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-03-14 04:01:26 1112064 ----a-w- C:\Windows\System32\rdpcorets.dll
2012-03-14 04:01:26 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-03-14 04:01:25 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-03-14 04:01:25 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-03-11 21:27:16 -------- d-----w- C:\Users\Dad\AppData\Local\WinZip
2012-03-10 16:06:59 172104 ----a-w- C:\Windows\System32\drivers\sscdmdm.sys
2012-03-10 16:06:59 15944 ----a-w- C:\Windows\System32\drivers\sscdwhnt.sys
2012-03-10 16:06:59 15944 ----a-w- C:\Windows\System32\drivers\sscdwh.sys
2012-03-10 16:06:59 141384 ----a-w- C:\Windows\System32\drivers\sscdserd.sys
2012-03-10 16:06:58 19016 ----a-w- C:\Windows\System32\drivers\sscdmdfl.sys
2012-03-10 16:06:58 15432 ----a-w- C:\Windows\System32\drivers\sscdcmnt.sys
2012-03-10 16:06:58 15432 ----a-w- C:\Windows\System32\drivers\sscdcm.sys
2012-03-10 16:06:58 136264 ----a-w- C:\Windows\System32\drivers\sscdbus.sys
2012-03-10 16:06:58 -------- d-----w- C:\Program Files\SAMSUNG
2012-03-10 16:06:53 -------- d-----w- C:\ProgramData\Samsung
2012-03-10 16:06:48 53248 ----a-r- C:\Users\Dad\AppData\Roaming\Microsoft\Installer\{F42F3704-4CA7-4D28-9F5B-FDBF2E589EB2}\ARPPRODUCTICON.exe
2012-03-10 16:06:47 -------- d-----w- C:\Users\Dad\AppData\Roaming\Verizon
2012-02-23 04:49:51 -------- d-----w- C:\Users\Dad\AppData\Local\{6C88A61A-935B-4386-8CB8-4B1E95FBDF45}
2012-02-23 04:49:38 -------- d-----w- C:\Users\Dad\AppData\Local\{F2B5DF35-F1D3-4CB6-9E4B-A79F2FFEB7C3}
.
==================== Find3M ====================
.
2012-03-14 22:41:57 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-18 17:18:00 111928 ----a-w- C:\Windows\SysWow64\PnkBstrB.exe
2012-02-18 17:17:44 794408 ----a-w- C:\Windows\SysWow64\pbsvc.exe
2012-01-04 10:44:20 509952 ----a-w- C:\Windows\System32\ntshrui.dll
2012-01-04 08:58:41 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
2012-01-01 20:45:31 62976 ----a-w- C:\Windows\SysWow64\PxSecure.dll
2012-01-01 20:45:27 65736 ----a-w- C:\Windows\System32\drivers\pxrts.sys
2012-01-01 20:45:27 36384 ----a-w- C:\Windows\System32\drivers\pxscan.sys
2012-01-01 20:45:25 24024 ----a-w- C:\Windows\System32\drivers\pxkbf.sys
2011-12-30 06:26:08 515584 ----a-w- C:\Windows\System32\timedate.cpl
2011-12-30 05:27:56 478720 ----a-w- C:\Windows\SysWow64\timedate.cpl
2011-12-28 03:59:24 498688 ----a-w- C:\Windows\System32\drivers\afd.sys
.
============= FINISH: 18:26:25.00 ===============
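The "SubSystems: Windows =" line in the DDS log above is the indicator behind this thread's title: on a stock Windows 7 install the console server entry is winsrv:ConServerDllInitialization,2 (there is no consrv.dll), and the consrv entry is what FRST later flags as ZeroAccess. The checker below is an added example, not part of the thread or of the DDS/FRST tools; it pulls the ServerDll entries from either the abbreviated DDS line or the full registry value and reports anything outside a Windows 7 baseline that the example assumes.

```python
import re
from typing import List, Tuple

# Baseline assumed by this example: the ServerDll entries of the "Windows"
# subsystem on a stock Windows Vista/7 install
# (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Windows).
# Stored lower-case because the comparison is case-insensitive.
WIN7_SERVERDLLS = {
    "basesrv,1",
    "winsrv:userserverdllinitialization,3",
    "winsrv:conserverdllinitialization,2",
    "sxssrv,4",
}

# Line quoted from the DDS log in this thread (Pseudo HJT Report section).
INFECTED_DDS_LINE = (
    "SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 "
    "consrv:ConServerDllInitialization,2 sxssrv,4"
)

# Constructed sample of the full registry value on a clean Windows 7 machine.
CLEAN_REGISTRY_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16"
)


def extract_serverdlls(text: str) -> List[str]:
    """Return the ServerDll entries from a DDS 'SubSystems: Windows = ...' line
    or from the full registry value (its ServerDll=... tokens)."""
    m = re.search(r"SubSystems:\s*Windows\s*=\s*(.*)", text)
    body = m.group(1).strip() if m else text.strip()
    if "ServerDll=" in body:
        return re.findall(r"ServerDll=(\S+)", body)
    # DDS prints only the bare entries, separated by spaces.
    return body.split()


def check_subsystems(text: str) -> Tuple[bool, List[str]]:
    """Compare the ServerDll entries against the baseline.

    Returns (clean, suspicious); suspicious lists every entry, in its original
    spelling, that is not in WIN7_SERVERDLLS.
    """
    suspicious = [e for e in extract_serverdlls(text)
                  if e.lower() not in WIN7_SERVERDLLS]
    return (not suspicious, suspicious)


if __name__ == "__main__":
    for label, sample in (("DDS line from thread", INFECTED_DDS_LINE),
                          ("clean registry value", CLEAN_REGISTRY_VALUE)):
        clean, suspicious = check_subsystems(sample)
        verdict = "clean" if clean else "SUSPICIOUS: " + ", ".join(suspicious)
        print(f"{label}: {verdict}")
```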

#2 gringo_pr (Malware Response Team)

Posted 19 March 2012 - 11:23 PM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

1. Do not run any other tool until instructed to do so!
   Doing so will at best cause you unneeded worry as it finds our backups and may even list our tools, and at worst can cause conflicts with our tools and lead to unforeseen things happening.
2. Please do not attach logs or put them in code boxes.
   Besides the time it takes me to open the reports, it makes it harder to find something if I need to go back to do more research, and putting them in code boxes just makes them so hard to read.
3. After each step give me a little feedback.
   It does not need to be long, but just something so I know how things are going. It can be something like:
   I am still getting redirected
   The computer is running as it should
   Don't put things like "it is the same as before" or "still the same"; this just makes me go back and look for your last feedback as to how things are.
4. Read every post completely before doing anything.
   Pay special attention to the Notes** I have put in. These are things I have found that happen a lot and can be taken care of easily just by reading the Notes**.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Backup The Computer!!

If you have not done it yet, spend a few minutes to back up the computer. Removing malware can be unpredictable and this may save you and me a lot of grief later.

There is some good info in the Preparation Guide on how to make full backups and how to restore it back if something goes wrong. Read the tutorial and print it out so you will know what to do in case the unforeseen happens.

When you have the computer backed up you may do the following.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer" and find your flash drive letter, then close the notepad.
  • In the command window type e:\frst.exe (for the x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 MPJ (Topic Starter)

Posted 20 March 2012 - 12:43 PM

Hi Gringo - Thanks for helping me out. I followed the instructions and downloaded frst64.exe and saved it to my desktop. I found a flash drive and copied it there. I went into System Recovery Options and to the command prompt. I found the flash drive letter with Notepad. When I tried to run the executable from the command prompt it hung for a few minutes and told me the app wasn't recognized as something that could be executed. After that message I couldn't see the flash drive letter from the command prompt anymore, although I could see it in Notepad. Notepad could see the drive but not the app.

I tried this again just to see what would happen, same effect.

I tried again, downloading frst64.exe directly to the flashdrive after wiping it. Behaved the same way. I tried a couple more times doing things like using a different usb port for the stick, etc. Same thing.

???

#4 MPJ (Topic Starter)

Posted 22 March 2012 - 07:18 AM

Hi Gringo - Bumping this as per your initial instructions.

#5 gringo_pr (Malware Response Team)

Posted 22 March 2012 - 02:48 PM

How are you getting into the System Recovery Options: by pressing F8 or by your recovery disk?

After you find the flash drive, do you see the app? Try right-clicking it and selecting Run.



gringo

#6 MPJ (Topic Starter)

Posted 23 March 2012 - 02:51 PM

Gringo - Here's the log file from Farbar, I had a bad flash drive on my first try with it:

Scan result of Farbar Recovery Scan Tool Version: 15-03-2012
Ran by SYSTEM at 23-03-2012 15:17:41
Running from G:\
Windows 7 Ultimate (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe [1702400 2009-10-26] (Motorola Inc.)
HKLM-x32\...\Run: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe [77824 2008-07-22] (AMD)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-01-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [47904 2010-10-08] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "D:\Program Files (x86)\iTunes\iTunesHelper.exe" [x]
HKLM-x32\...\Run: [BYR_AGENT] C:\ProgramData\LGMOBILEAX\BYR_Client\VZWNotiAgent.exe [x]
HKLM-x32\...\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~2\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w /h [x]
HKLM-x32\...\Run: [MyWebSearch Email Plugin] C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwsoemon.exe [x]
HKLM-x32\...\Run: [StartCCC] "D:\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [x]
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKU\Dad\...\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [1242448 2011-08-02] (Valve Corporation)
HKU\Dad\...\Run: [Google Update] "C:\Users\Dad\AppData\Local\Google\Update\GoogleUpdate.exe" /c [135664 2010-03-02] (Google Inc.)
HKU\Dad\...\Run: [MyWebSearch Email Plugin] C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwsoemon.exe [x]
HKU\Dad\...\Policies\system: [LogonHoursAction] 2
HKU\Dad\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\Mom\...\Run: [Steam] "C:\Program Files (x86)\Steam\Steam.exe" -silent [1242448 2011-08-02] (Valve Corporation)
HKU\Mom\...\Run: [Google Update] "C:\Users\Dad\AppData\Local\Google\Update\GoogleUpdate.exe" /c [135664 2010-03-02] (Google Inc.)
HKU\Mom\...\Run: [EA Core] C:\Program Files (x86)\Electronic Arts\EADM\Core.exe -silent [x]
HKU\Mom\...\Policies\system: [LogonHoursAction] 2
HKU\Mom\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
Tcpip\Parameters: [DhcpNameServer] 209.18.47.61 209.18.47.62
SubSystems: [Windows] ==> ZeroAccess

==================== Services (Whitelisted) ======

2 CSIScanner; "C:\Program Files\Prevx\prevx.exe" /service [6746280 2012-01-01] (Prevx)
2 CVPND; "C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe" [1528616 2010-03-23] (Cisco Systems, Inc.)
3 IDriverT; "C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" [69632 2005-04-03] (Macrovision Corporation)
2 IntuitUpdateService; "C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe" [13088 2009-09-29] (Intuit Inc.)
2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [66872 2011-11-24] ()
2 AMD FUEL Service; C:\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe /launchService [x]
3 aspnet_state; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [x]
4 MyWebSearchService; C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwssvc.exe [x]

========================== Drivers (Whitelisted) =============

3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA64.sys [14992 2010-02-08] (Cisco Systems, Inc.)
3 CVPNDRVA; C:\Windows\System32\Drivers\CVPNDRVA.sys [304784 2010-03-23] ()
3 DNE; C:\Windows\System32\DRIVERS\dne64x.sys [157968 2008-11-16] (Deterministic Networks, Inc.)
3 grmnusb; C:\Windows\System32\Drivers\grmnusb.sys [20520 2009-05-08] (GARMIN Corp.)
3 MODEMCSA; C:\Windows\System32\Drivers\MODEMCSA.sys [24064 2009-07-13] (Microsoft Corporation)
3 pxkbf; C:\Windows\System32\Drivers\pxkbf.sys [24024 2012-01-01] (Prevx)
1 pxrts; C:\Windows\System32\Drivers\pxrts.sys [65736 2012-01-01] (Prevx)
0 pxscan; C:\Windows\System32\Drivers\pxscan.sys [36384 2012-01-01] (Prevx)
3 Razerlow; C:\Windows\System32\Drivers\Razerlow.sys [21120 2005-11-07] (Razer (Asia-Pacific) Pte Ltd)
3 smserial; C:\Windows\System32\Drivers\smserial.sys [1202688 2009-10-26] (Motorola Inc.)
3 sscdbus; C:\Windows\System32\Drivers\sscdbus.sys [136264 2010-04-26] (MCCI Corporation)
3 sscdmdfl; C:\Windows\System32\Drivers\sscdmdfl.sys [19016 2010-04-26] (MCCI Corporation)
3 sscdmdm; C:\Windows\System32\Drivers\sscdmdm.sys [172104 2010-04-26] (MCCI Corporation)
3 sscdserd; C:\Windows\System32\Drivers\sscdserd.sys [141384 2010-04-26] (MCCI Corporation)
1 vflt; C:\Windows\System32\DRIVERS\vfilter.sys [20992 2009-11-18] (Shrew Soft Inc)
3 vnet; C:\Windows\System32\DRIVERS\virtualnet.sys [12800 2009-11-18] (Shrew Soft Inc)
3 yukonw7; C:\Windows\System32\DRIVERS\yk62x64.sys [395264 2009-09-28] ()
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-03-23 15:17 - 2012-03-23 15:18 - 0000000 ____D C:\FRST
2012-03-20 09:14 - 2012-03-20 09:14 - 0001908 ____A C:\Windows\diagwrn.xml
2012-03-20 09:14 - 2012-03-20 09:14 - 0001908 ____A C:\Windows\diagerr.xml
2012-03-20 04:17 - 2012-03-20 04:17 - 1385843 ____A C:\Users\Dad\Desktop\FRST64.exe
2012-03-20 04:16 - 2012-03-20 04:16 - 1385843 ____A C:\Users\Dad\Downloads\FRST64.exe
2012-03-19 16:47 - 2012-03-19 17:25 - 0020217 ____A C:\Users\Dad\Documents\Triathlon Training.ods
2012-03-19 14:27 - 2012-03-19 14:27 - 0007667 ____A C:\Users\Dad\Desktop\Attach.txt
2012-03-19 14:26 - 2012-03-19 14:26 - 0017297 ____A C:\Users\Dad\Desktop\DDS.txt
2012-03-19 14:25 - 2012-03-19 14:25 - 0607260 ____R (Swearware) C:\Users\Dad\Desktop\dds.scr
2012-03-19 13:47 - 2012-03-19 13:48 - 4731392 ____A (AVAST Software) C:\Users\Dad\Desktop\aswMBR.exe
2012-03-19 13:45 - 2012-03-19 13:45 - 4731392 ____A (AVAST Software) C:\Users\Dad\Downloads\aswMBR.exe
2012-03-18 19:25 - 2012-03-19 12:10 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-18 16:48 - 2012-03-18 16:48 - 0000000 ____D C:\Program Files (x86)\ESET
2012-03-17 18:09 - 2012-03-17 18:09 - 0000863 ____A C:\Users\Dad\Desktop\Battle Academy Demo.lnk
2012-03-17 18:07 - 2012-03-17 18:09 - 0813160 ____A C:\Windows\Battle Academy Demo Setup Log.txt
2012-03-17 18:07 - 2012-03-17 18:07 - 0000000 ____D C:\Windows\Battle Academy Demo
2012-03-17 18:03 - 2012-03-17 18:06 - 243334312 ____A C:\Users\Dad\Downloads\battleacademy-demo-160.zip
2012-03-15 10:37 - 2012-03-15 10:38 - 0000000 ____D C:\Users\Dad\AppData\Local\{C3B3F80D-0361-4650-B6C2-59F4898CE09C}
2012-03-15 10:37 - 2012-03-15 10:37 - 0000000 ____D C:\Users\Dad\AppData\Local\{8503C652-60DF-474D-8EC9-3740F1C79235}
2012-03-13 23:02 - 2011-11-19 07:20 - 5559152 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-03-13 23:02 - 2011-11-19 06:50 - 3968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-03-13 23:02 - 2011-11-19 06:50 - 3913584 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-03-13 20:02 - 2012-02-09 22:36 - 1544192 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-03-13 20:02 - 2012-02-09 21:38 - 1077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2012-03-13 20:02 - 2012-02-02 20:34 - 3145728 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-03-13 20:01 - 2012-02-16 22:38 - 1112064 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll
2012-03-13 20:01 - 2012-02-16 22:38 - 1031680 ____A (Microsoft Corporation) C:\Windows\System32\rdpcore.dll
2012-03-13 20:01 - 2012-02-16 21:34 - 0826880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\rdpcore.dll
2012-03-13 20:01 - 2012-02-16 20:58 - 0210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-03-13 20:01 - 2012-02-16 20:57 - 0023552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdtcp.sys
2012-03-13 20:01 - 2012-01-24 22:38 - 0149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-03-13 20:01 - 2012-01-24 22:38 - 0077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-03-13 20:01 - 2012-01-24 22:33 - 0009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-03-13 17:43 - 2012-03-13 17:43 - 0014848 ____A C:\Users\Dad\Documents\20wk Olympic Distance 2
2012-03-12 12:15 - 2012-03-12 12:15 - 0014848 ____A C:\Users\Dad\Documents\20wk Olympic Distance
2012-03-11 13:28 - 2012-03-11 13:28 - 0000000 ____D C:\Users\Dad\Downloads\oracle-pdfimport
2012-03-11 13:27 - 2012-03-11 13:27 - 0002209 ____A C:\Users\Public\Desktop\WinZip.lnk
2012-03-11 13:27 - 2012-03-11 13:27 - 0000000 ____D C:\Users\Dad\AppData\Local\WinZip
2012-03-11 13:26 - 2012-03-11 13:26 - 0000000 ____D C:\Program Files\WinZip
2012-03-11 13:17 - 2012-03-11 13:17 - 2661226 ____A C:\Users\Dad\Downloads\oracle-pdfimport.zip
2012-03-10 08:06 - 2012-03-10 08:06 - 0000000 ____D C:\Users\Dad\AppData\Roaming\Verizon
2012-03-10 08:06 - 2012-03-10 08:06 - 0000000 ____D C:\Users\All Users\Samsung
2012-03-10 08:06 - 2012-03-10 08:06 - 0000000 ____D C:\ProgramData\Samsung
2012-03-10 08:06 - 2012-03-10 08:06 - 0000000 ____D C:\Program Files\SAMSUNG
2012-03-10 08:06 - 2010-04-26 18:25 - 0172104 ____A (MCCI Corporation) C:\Windows\System32\Drivers\sscdmdm.sys
2012-03-10 08:06 - 2010-04-26 18:25 - 0141384 ____A (MCCI Corporation) C:\Windows\System32\Drivers\sscdserd.sys
2012-03-10 08:06 - 2010-04-26 18:25 - 0136264 ____A (MCCI Corporation) C:\Windows\System32\Drivers\sscdbus.sys
2012-03-10 08:06 - 2010-04-26 18:25 - 0019016 ____A (MCCI Corporation) C:\Windows\System32\Drivers\sscdmdfl.sys
2012-03-10 08:06 - 2010-04-26 18:25 - 0015944 ____A (MCCI Corporation) C:\Windows\System32\Drivers\sscdwhnt.sys
2012-03-10 08:06 - 2010-04-26 18:25 - 0015944 ____A (MCCI Corporation) C:\Windows\System32\Drivers\sscdwh.sys
2012-03-10 08:06 - 2010-04-26 18:25 - 0015432 ____A (MCCI Corporation) C:\Windows\System32\Drivers\sscdcmnt.sys
2012-03-10 08:06 - 2010-04-26 18:25 - 0015432 ____A (MCCI Corporation) C:\Windows\System32\Drivers\sscdcm.sys
2012-03-04 18:59 - 2012-03-04 18:59 - 0017917 ____A C:\Users\Dad\Documents\Lol kenzies new story
2012-03-01 07:49 - 2012-03-01 07:49 - 1006229 ____A C:\Users\Dad\Documents\HPmarathon
2012-02-26 16:35 - 2012-02-26 16:35 - 0066929 ____A C:\Users\Dad\AppData\Roaming\icarus-dxdiag.xml
2012-02-23 14:10 - 2012-02-23 14:10 - 0015685 ____A C:\Users\Dad\Documents\kel haircut
2012-02-22 20:49 - 2012-02-22 20:49 - 0000000 ____D C:\Users\Dad\AppData\Local\{F2B5DF35-F1D3-4CB6-9E4B-A79F2FFEB7C3}
2012-02-22 20:49 - 2012-02-22 20:49 - 0000000 ____D C:\Users\Dad\AppData\Local\{6C88A61A-935B-4386-8CB8-4B1E95FBDF45}

============ 3 Months Modified Files and Folders =============

2012-03-23 15:18 - 2012-03-23 15:17 - 0000000 ____D C:\FRST
2012-03-23 11:11 - 2010-02-05 08:15 - 1610260480 __ASH C:\hiberfil.sys
2012-03-23 11:11 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-03-23 11:11 - 2009-07-13 20:51 - 0001115 ____A C:\Windows\setupact.log
2012-03-23 11:08 - 2010-02-05 08:18 - 1418420 ____A C:\Windows\WindowsUpdate.log
2012-03-23 11:07 - 2009-07-13 21:13 - 0746420 ____A C:\Windows\System32\PerfStringBackup.INI
2012-03-23 10:28 - 2010-10-24 17:48 - 0000892 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-03-23 10:08 - 2010-03-02 21:09 - 0000900 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2391858864-2636421006-2498368418-1000UA.job
2012-03-23 09:28 - 2010-10-24 17:48 - 0000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-03-23 04:24 - 2011-12-31 17:38 - 0000000 ____D C:\Users\All Users\PrevxCSI
2012-03-23 04:24 - 2011-12-31 17:38 - 0000000 ____D C:\ProgramData\PrevxCSI
2012-03-23 04:00 - 2009-07-13 20:45 - 0013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-03-23 04:00 - 2009-07-13 20:45 - 0013440 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-03-23 03:53 - 2010-02-05 14:57 - 0000000 ____D C:\Program Files (x86)\Steam
2012-03-22 19:08 - 2010-03-02 21:09 - 0000848 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2391858864-2636421006-2498368418-1000Core.job
2012-03-20 09:14 - 2012-03-20 09:14 - 0001908 ____A C:\Windows\diagwrn.xml
2012-03-20 09:14 - 2012-03-20 09:14 - 0001908 ____A C:\Windows\diagerr.xml
2012-03-20 09:14 - 2009-07-13 20:51 - 0000000 ____A C:\Windows\setuperr.log
2012-03-20 04:17 - 2012-03-20 04:17 - 1385843 ____A C:\Users\Dad\Desktop\FRST64.exe
2012-03-20 04:16 - 2012-03-20 04:16 - 1385843 ____A C:\Users\Dad\Downloads\FRST64.exe
2012-03-20 04:12 - 2009-07-13 21:08 - 0032562 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-03-19 17:25 - 2012-03-19 16:47 - 0020217 ____A C:\Users\Dad\Documents\Triathlon Training.ods
2012-03-19 14:27 - 2012-03-19 14:27 - 0007667 ____A C:\Users\Dad\Desktop\Attach.txt
2012-03-19 14:26 - 2012-03-19 14:26 - 0017297 ____A C:\Users\Dad\Desktop\DDS.txt
2012-03-19 14:25 - 2012-03-19 14:25 - 0607260 ____R (Swearware) C:\Users\Dad\Desktop\dds.scr
2012-03-19 13:48 - 2012-03-19 13:47 - 4731392 ____A (AVAST Software) C:\Users\Dad\Desktop\aswMBR.exe
2012-03-19 13:45 - 2012-03-19 13:45 - 4731392 ____A (AVAST Software) C:\Users\Dad\Downloads\aswMBR.exe
2012-03-19 12:11 - 2010-02-08 04:52 - 0000000 ____D C:\users\Mom
2012-03-19 12:10 - 2012-03-18 19:25 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-19 12:10 - 2012-01-01 12:45 - 0000000 ____D C:\Program Files\Prevx
2012-03-19 12:10 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\registration
2012-03-19 08:29 - 2009-07-13 21:32 - 0000000 ____D C:\Windows\Downloaded Program Files
2012-03-19 08:21 - 2010-02-05 05:56 - 0000000 ____D C:\users\Dad
2012-03-19 08:13 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\config\TxR
2012-03-18 16:48 - 2012-03-18 16:48 - 0000000 ____D C:\Program Files (x86)\ESET
2012-03-18 16:12 - 2010-02-09 15:16 - 0000000 ____D C:\Users\Dad\AppData\Local\ElevatedDiagnostics
2012-03-18 14:49 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\system
2012-03-17 18:10 - 2011-09-08 16:43 - 0000000 ___HD C:\Windows\msdownld.tmp
2012-03-17 18:10 - 2011-09-08 16:43 - 0000000 ____D C:\Windows\SysWOW64\directx
2012-03-17 18:10 - 2007-03-13 15:55 - 0000000 ____D C:\Users\Dad\Documents\My Games
2012-03-17 18:09 - 2012-03-17 18:09 - 0000863 ____A C:\Users\Dad\Desktop\Battle Academy Demo.lnk
2012-03-17 18:09 - 2012-03-17 18:07 - 0813160 ____A C:\Windows\Battle Academy Demo Setup Log.txt
2012-03-17 18:07 - 2012-03-17 18:07 - 0000000 ____D C:\Windows\Battle Academy Demo
2012-03-17 18:06 - 2012-03-17 18:03 - 243334312 ____A C:\Users\Dad\Downloads\battleacademy-demo-160.zip
2012-03-17 15:46 - 2010-02-08 18:54 - 0024650 ____A C:\Users\Public\Documents\FamilyURLs.xls
2012-03-15 12:04 - 2007-02-26 17:04 - 0002024 ___AH C:\Users\Dad\Documents\Default.rdp
2012-03-15 10:38 - 2012-03-15 10:37 - 0000000 ____D C:\Users\Dad\AppData\Local\{C3B3F80D-0361-4650-B6C2-59F4898CE09C}
2012-03-15 10:37 - 2012-03-15 10:37 - 0000000 ____D C:\Users\Dad\AppData\Local\{8503C652-60DF-474D-8EC9-3740F1C79235}
2012-03-14 14:41 - 2011-06-22 03:33 - 0414368 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-03-13 23:20 - 2009-07-13 20:45 - 0295624 ____A C:\Windows\System32\FNTCACHE.DAT
2012-03-13 23:01 - 2010-02-05 06:01 - 56297240 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-03-13 17:43 - 2012-03-13 17:43 - 0014848 ____A C:\Users\Dad\Documents\20wk Olympic Distance 2
2012-03-12 12:15 - 2012-03-12 12:15 - 0014848 ____A C:\Users\Dad\Documents\20wk Olympic Distance
2012-03-11 13:28 - 2012-03-11 13:28 - 0000000 ____D C:\Users\Dad\Downloads\oracle-pdfimport
2012-03-11 13:27 - 2012-03-11 13:27 - 0002209 ____A C:\Users\Public\Desktop\WinZip.lnk
2012-03-11 13:27 - 2012-03-11 13:27 - 0000000 ____D C:\Users\Dad\AppData\Local\WinZip
2012-03-11 13:27 - 2010-02-14 09:30 - 0000000 ____D C:\Users\All Users\WinZip
2012-03-11 13:27 - 2010-02-14 09:30 - 0000000 ____D C:\ProgramData\WinZip
2012-03-11 13:26 - 2012-03-11 13:26 - 0000000 ____D C:\Program Files\WinZip
2012-03-11 13:17 - 2012-03-11 13:17 - 2661226 ____A C:\Users\Dad\Downloads\oracle-pdfimport.zip
2012-03-10 08:06 - 2012-03-10 08:06 - 0000000 ____D C:\Users\Dad\AppData\Roaming\Verizon
2012-03-10 08:06 - 2012-03-10 08:06 - 0000000 ____D C:\Users\All Users\Samsung
2012-03-10 08:06 - 2012-03-10 08:06 - 0000000 ____D C:\ProgramData\Samsung
2012-03-10 08:06 - 2012-03-10 08:06 - 0000000 ____D C:\Program Files\SAMSUNG
2012-03-04 18:59 - 2012-03-04 18:59 - 0017917 ____A C:\Users\Dad\Documents\Lol kenzies new story
2012-03-01 07:49 - 2012-03-01 07:49 - 1006229 ____A C:\Users\Dad\Documents\HPmarathon
2012-02-26 16:35 - 2012-02-26 16:35 - 0066929 ____A C:\Users\Dad\AppData\Roaming\icarus-dxdiag.xml
2012-02-23 14:10 - 2012-02-23 14:10 - 0015685 ____A C:\Users\Dad\Documents\kel haircut
2012-02-22 20:49 - 2012-02-22 20:49 - 0000000 ____D C:\Users\Dad\AppData\Local\{F2B5DF35-F1D3-4CB6-9E4B-A79F2FFEB7C3}
2012-02-22 20:49 - 2012-02-22 20:49 - 0000000 ____D C:\Users\Dad\AppData\Local\{6C88A61A-935B-4386-8CB8-4B1E95FBDF45}
2012-02-18 09:18 - 2012-02-18 09:18 - 0000000 ____D C:\Users\Dad\AppData\Local\id Software
2012-02-18 09:18 - 2011-11-24 15:49 - 0111928 ____A C:\Windows\SysWOW64\PnkBstrB.exe
2012-02-18 09:17 - 2011-11-24 15:49 - 0794408 ____A C:\Windows\SysWOW64\pbsvc.exe
2012-02-18 09:17 - 2010-02-06 11:54 - 0333543 ____A C:\Windows\DirectX.log
2012-02-18 07:36 - 2012-02-18 07:36 - 0024652 ____A C:\Users\Dad\Documents\FamilyURLs.ods
2012-02-16 22:38 - 2012-03-13 20:01 - 1112064 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll
2012-02-16 22:38 - 2012-03-13 20:01 - 1031680 ____A (Microsoft Corporation) C:\Windows\System32\rdpcore.dll
2012-02-16 21:34 - 2012-03-13 20:01 - 0826880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\rdpcore.dll
2012-02-16 20:58 - 2012-03-13 20:01 - 0210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-02-16 20:57 - 2012-03-13 20:01 - 0023552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdtcp.sys
2012-02-15 03:55 - 2010-02-05 05:56 - 0000174 ___SH C:\Users\Dad\Start Menu\Programs\Startup\desktop.ini
2012-02-15 03:55 - 2010-02-05 05:56 - 0000174 ___SH C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2012-02-15 00:28 - 2010-02-06 11:56 - 0000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-02-13 13:07 - 2012-02-13 13:07 - 0028070 ____A C:\Users\Dad\Documents\mos v day card
2012-02-13 12:56 - 2012-02-13 12:56 - 0319677 ____A C:\Users\Dad\Documents\mias v day card
2012-02-09 22:36 - 2012-03-13 20:02 - 1544192 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-02-09 21:38 - 2012-03-13 20:02 - 1077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2012-02-02 20:34 - 2012-03-13 20:02 - 3145728 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-02-02 12:46 - 2012-02-02 12:46 - 0012808 ____A C:\Users\Dad\Documents\mij
2012-01-29 09:26 - 2011-02-17 04:26 - 0000000 ____D C:\Users\Dad\Documents\HRBlock
2012-01-29 09:23 - 2011-02-17 04:27 - 0000000 ____D C:\Users\Dad\AppData\Roaming\TaxCut
2012-01-29 09:22 - 2012-01-29 09:22 - 0000000 ____D C:\Program Files (x86)\HRBlock2011
2012-01-29 09:19 - 2011-02-17 04:25 - 0000000 ____D C:\Users\All Users\TaxCut
2012-01-29 09:19 - 2011-02-17 04:25 - 0000000 ____D C:\ProgramData\TaxCut
2012-01-27 08:08 - 2011-02-02 08:28 - 0000000 ____D C:\Users\Dad\Documents\Kyrsten Writing
2012-01-26 13:32 - 2012-01-26 13:32 - 0023898 ____A C:\Users\Dad\Documents\meowmeow.odt
2012-01-26 13:06 - 2012-01-26 13:05 - 0000000 ____D C:\Users\Dad\AppData\Local\{5FC4E25C-4A01-497A-920F-B6C59C1C9EAB}
2012-01-26 13:05 - 2012-01-26 13:05 - 0000000 ____D C:\Users\Dad\AppData\Local\{54E3026C-94A3-4F63-B110-36E3EA252E1F}
2012-01-24 22:38 - 2012-03-13 20:01 - 0149504 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorekmts.dll
2012-01-24 22:38 - 2012-03-13 20:01 - 0077312 ____A (Microsoft Corporation) C:\Windows\System32\rdpwsx.dll
2012-01-24 22:33 - 2012-03-13 20:01 - 0009216 ____A (Microsoft Corporation) C:\Windows\System32\rdrmemptylst.exe
2012-01-15 14:23 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\AppCompat
2012-01-15 12:52 - 2009-07-13 19:20 - 0000000 ____D C:\PerfLogs
2012-01-15 12:05 - 2012-01-15 12:05 - 0002018 ____A C:\Users\Public\Desktop\Adobe Reader 9.lnk
2012-01-15 12:05 - 2010-02-06 16:34 - 0000000 ____D C:\Users\Dad\AppData\Local\Adobe
2012-01-15 12:05 - 2010-02-05 16:41 - 0000000 ____D C:\Users\All Users\Adobe
2012-01-15 12:05 - 2010-02-05 16:41 - 0000000 ____D C:\ProgramData\Adobe
2012-01-15 12:04 - 2012-01-15 12:04 - 0004171 ____A C:\Windows\SysWOW64\jupdate-1.6.0_30-b12.log
2012-01-15 12:04 - 2010-02-05 17:11 - 0000000 ____D C:\Program Files (x86)\Java
2012-01-14 17:11 - 2012-01-14 17:07 - 0000000 ____D C:\Users\All Users\BitDefender
2012-01-14 17:11 - 2012-01-14 17:07 - 0000000 ____D C:\ProgramData\BitDefender
2012-01-14 17:07 - 2012-01-14 17:07 - 0000000 ____D C:\Users\Dad\AppData\Roaming\BitDefender
2012-01-14 17:07 - 2012-01-14 17:07 - 0000000 ____D C:\Program Files\Common Files\BitDefender
2012-01-09 18:31 - 2012-01-09 18:31 - 0013613 ____A C:\Users\Dad\Documents\fndf.odt
2012-01-05 16:35 - 2010-12-12 16:48 - 0124436 ___AH C:\Windows\SysWOW64\mlfcache.dat
2012-01-04 18:32 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\LiveKernelReports
2012-01-04 02:44 - 2012-02-14 11:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-01-04 02:44 - 2012-02-14 11:52 - 0509952 ____A (Microsoft Corporation) C:\Windows\System32\ntshrui.dll
2012-01-04 00:59 - 2012-02-14 11:52 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-01-04 00:58 - 2012-02-14 11:52 - 0442880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntshrui.dll
2012-01-03 16:26 - 2012-01-03 16:26 - 0013312 ____A C:\Users\Dad\Documents\Scoring Procedure-Mohawk Tourney2012.doc
2012-01-03 16:22 - 2012-01-03 16:22 - 0025498 ____A C:\Users\Dad\Documents\siennatourney2012schedule.odt
2012-01-01 15:05 - 2010-02-05 14:45 - 0095450 ____A C:\Windows\PFRO.log
2012-01-01 14:33 - 2011-11-27 18:08 - 0000000 ____D C:\Program Files (x86)\AMD APP
2012-01-01 14:32 - 2011-01-27 05:01 - 0001945 ____A C:\Windows\epplauncher.mif
2012-01-01 14:31 - 2006-11-02 03:18 - 0000000 ___HD C:\Windows\System32\GroupPolicy
2012-01-01 12:45 - 2012-01-01 12:45 - 0065736 ____A (Prevx) C:\Windows\System32\Drivers\pxrts.sys
2012-01-01 12:45 - 2012-01-01 12:45 - 0062976 ____A (Prevx) C:\Windows\SysWOW64\PxSecure.dll
2012-01-01 12:45 - 2012-01-01 12:45 - 0036384 ____A (Prevx) C:\Windows\System32\Drivers\pxscan.sys
2012-01-01 12:45 - 2012-01-01 12:45 - 0024024 ____A (Prevx) C:\Windows\System32\Drivers\pxkbf.sys
2012-01-01 12:44 - 2012-01-01 12:44 - 0945272 ____A (Prevx) C:\Users\Dad\Downloads\prevxcsifree.exe
2012-01-01 12:44 - 2012-01-01 12:44 - 0000048 ____A C:\Windows\wininit.ini
2011-12-31 22:32 - 2011-12-31 18:16 - 0000000 ____D C:\Program Files\ATI Technologies
2011-12-31 22:32 - 2009-07-13 23:45 - 0000000 ___RD C:\Users\Public\Recorded TV
2011-12-31 18:33 - 2011-12-31 18:33 - 0000000 ____D C:\Users\Dad\AppData\Local\{6928026F-52D7-4F23-B7C6-DD23E7052BF3}
2011-12-31 18:33 - 2011-12-31 18:33 - 0000000 ____D C:\Users\Dad\AppData\Local\{441B5EA0-48EC-4A9F-9F66-8034C87714FC}
2011-12-31 18:27 - 2011-12-31 18:27 - 0000000 ____D C:\Users\All Users\ATI
2011-12-31 18:27 - 2011-12-31 18:27 - 0000000 ____D C:\ProgramData\ATI
2011-12-31 18:20 - 2011-08-20 15:33 - 0000000 ____D C:\Users\All Users\AMD
2011-12-31 18:20 - 2011-08-20 15:33 - 0000000 ____D C:\ProgramData\AMD
2011-12-31 16:06 - 2011-12-31 16:06 - 0000000 ____D C:\Users\Dad\AppData\Roaming\Malwarebytes
2011-12-31 16:05 - 2011-12-31 16:05 - 0000000 ____D C:\Users\All Users\Malwarebytes
2011-12-31 16:05 - 2011-12-31 16:05 - 0000000 ____D C:\ProgramData\Malwarebytes
2011-12-31 15:39 - 2011-05-07 04:27 - 0002427 ____A C:\Windows\SysWOW64\lgAxconfig.ini
2011-12-31 15:38 - 2011-12-21 19:23 - 0011570 __ASH C:\Users\Dad\AppData\Local\eaobxq8b3hgh6kfp1iyw6q758a4y
2011-12-31 15:38 - 2011-12-21 19:23 - 0011570 __ASH C:\Users\All Users\eaobxq8b3hgh6kfp1iyw6q758a4y
2011-12-31 15:38 - 2011-12-21 19:23 - 0011570 __ASH C:\ProgramData\eaobxq8b3hgh6kfp1iyw6q758a4y
2011-12-29 22:26 - 2012-02-14 11:52 - 0515584 ____A (Microsoft Corporation) C:\Windows\System32\timedate.cpl
2011-12-29 21:27 - 2012-02-14 11:52 - 0478720 ____A (Microsoft Corporation) C:\Windows\SysWOW64\timedate.cpl
2011-12-27 19:59 - 2012-02-14 11:52 - 0498688 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\afd.sys

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 25%
Total physical RAM: 2047.55 MB
Available physical RAM: 1534.63 MB
Total Pagefile: 2047.55 MB
Available Pagefile: 1519.56 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (ACER) (Fixed) (Total:145.8 GB) (Free:31.53 GB) NTFS ==>[Drive with boot components (obtanied from BCD)]
2 Drive d: (DATA) (Fixed) (Total:72.78 GB) (Free:21.76 GB) NTFS
3 Drive e: (PQSERVICE) (Fixed) (Total:6.83 GB) (Free:1.86 GB) NTFS
4 Drive f: (GRMCULXFRER_EN_DVD) (CDROM) (Total:3 GB) (Free:0 GB) UDF
5 Drive g: (DAD'S IPOD) (Removable) (Total:7.34 GB) (Free:6.93 GB) FAT32
10 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 7168 KB
Disk 1 Online 7523 MB 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 6997 MB 31 KB
Partition 2 Primary 145 GB 6997 MB
Partition 3 Primary 72 GB 152 GB
Partition 0 Extended 72 GB 225 GB
Partition 5 Logical 4000 MB 225 GB
Partition 4 Logical 68 GB 229 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E PQSERVICE NTFS Partition 6997 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C ACER NTFS Partition 145 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D DATA NTFS Partition 72 GB Healthy

======================================================================================================

Disk: 0
Partition 5
Type : 82
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Disk: 0
Partition 4
Type : 83
Hidden: Yes
Active: No

There is no volume associated with this partition.

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7523 MB 256 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G DAD'S IPOD FAT32 Removable 7523 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-03-20 12:39

======================= End Of Log ==========================

#7 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:40 AM

Posted 23 March 2012 - 03:50 PM

Hello


Open notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt.

SubSystems: [Windows] ==> ZeroAccess
2011-12-31 15:38 - 2011-12-21 19:23 - 0011570 __ASH C:\Users\Dad\AppData\Local\eaobxq8b3hgh6kfp1iyw6q758a4y
2011-12-31 15:38 - 2011-12-21 19:23 - 0011570 __ASH C:\Users\All Users\eaobxq8b3hgh6kfp1iyw6q758a4y
2011-12-31 15:38 - 2011-12-21 19:23 - 0011570 __ASH C:\ProgramData\eaobxq8b3hgh6kfp1iyw6q758a4y

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.


Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

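The fixlist above does two things FRST later confirms in the Fixlog: it restores the Session Manager\SubSystems\Windows value (the registry hook this ZeroAccess/Sirefef variant uses to get its consrv.dll loaded by csrss.exe, hence the thread title) and it moves three hidden, system-attribute files with random 28-character names out of %LOCALAPPDATA% and %ProgramData%. The script below is an added example written for this page; it is not code from the thread, from FRST or from ComboFix. It reproduces both checks offline: it parses a SubSystems\Windows value and flags any ServerDll= module that is not one of the three a stock Windows 7 csrss.exe loads (basesrv, winsrv, sxssrv; that allow-list is my assumption), it scans FRST-style listing lines for the dropper pattern, and it assembles a fixlist.txt in the form gringo_pr used. CLEAN_VALUE and INFECTED_VALUE are constructed (the infected one swaps the winsrv console-server entry for consrv, which is how I understand the hijack; the victim's actual value is not on the page), and the sample FRST lines are copied from the log above plus one benign line.

```python
"""Added example, not code from the thread, from FRST or from ComboFix.

Two offline checks for the ZeroAccess/Sirefef "consrv.dll" variant that FRST
reported above as "SubSystems: [Windows] ==> ZeroAccess", plus a helper that
assembles a fixlist.txt in the form gringo_pr used.

Assumptions (mine, not stated on the page):
  * a stock Windows 7 csrss.exe loads only basesrv, winsrv and sxssrv;
  * the hijack replaces the winsrv console-server entry with consrv
    (CLEAN_VALUE / INFECTED_VALUE below are constructed on that basis);
  * FRST listing lines have the shape "<created> - <modified> - <size> <attrs> <path>".
"""
import re

KNOWN_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}  # assumption: stock Win7

# Constructed Session Manager\SubSystems\Windows values.
CLEAN_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16"
)
INFECTED_VALUE = CLEAN_VALUE.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=consrv:ConServerDllInitialization,2",
)

# Sample FRST lines: four copied from the log above, one benign desktop.ini line.
SAMPLE_FRST_LINES = [
    r"2012-03-23 11:11 - 2010-02-05 08:15 - 1610260480 __ASH C:\hiberfil.sys",
    r"2011-12-31 15:38 - 2011-12-21 19:23 - 0011570 __ASH C:\Users\Dad\AppData\Local\eaobxq8b3hgh6kfp1iyw6q758a4y",
    r"2011-12-31 15:38 - 2011-12-21 19:23 - 0011570 __ASH C:\Users\All Users\eaobxq8b3hgh6kfp1iyw6q758a4y",
    r"2011-12-31 15:38 - 2011-12-21 19:23 - 0011570 __ASH C:\ProgramData\eaobxq8b3hgh6kfp1iyw6q758a4y",
    r"2012-02-15 03:55 - 2010-02-05 05:56 - 0000174 ___SH C:\Users\Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
]

# ServerDll=<module>[:<init routine>],<id>
_SERVERDLL_RE = re.compile(r"ServerDll=([^:,\s]+)(?::[^,\s]+)?,(\d+)")


def rogue_server_dlls(subsystems_windows_value):
    """Module names from every ServerDll= entry that are not in
    KNOWN_SERVER_DLLS.  An empty list means the value looks stock."""
    names = [m.group(1).lower() for m in _SERVERDLL_RE.finditer(subsystems_windows_value)]
    return [n for n in names if n not in KNOWN_SERVER_DLLS]


_FRST_LINE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"(\d+) (\S{5}) (.+)$"
)
_RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{20,}$")  # long, lowercase, no extension
_DROP_DIRS = ("\\appdata\\local\\", "\\programdata\\", "\\users\\all users\\")


def suspicious_frst_entries(frst_lines):
    """Return the FRST listing lines whose file is hidden+system, has a long
    random basename and lives in one of the dropper directories seen above."""
    hits = []
    for raw in frst_lines:
        line = raw.strip()
        m = _FRST_LINE_RE.match(line)
        if not m:
            continue
        attrs, path = m.group(2), m.group(3)
        if "S" not in attrs or "H" not in attrs:
            continue
        basename = path.rsplit("\\", 1)[-1]
        if _RANDOM_NAME_RE.match(basename) and any(d in path.lower() for d in _DROP_DIRS):
            hits.append(line)
    return hits


def build_fixlist(rogue_dlls, entry_lines):
    """Assemble fixlist.txt as in the post above: the SubSystems directive
    (FRST restores the value) followed by each full listing line (FRST moves
    the file).  Returns the text to save on the flash drive."""
    lines = []
    if rogue_dlls:
        lines.append("SubSystems: [Windows] ==> ZeroAccess")
    lines.extend(entry_lines)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("clean value, rogue DLLs:   ", rogue_server_dlls(CLEAN_VALUE))
    print("infected value, rogue DLLs:", rogue_server_dlls(INFECTED_VALUE))
    hits = suspicious_frst_entries(SAMPLE_FRST_LINES)
    print(build_fixlist(rogue_server_dlls(INFECTED_VALUE), hits))
```

To run the first check against a real machine rather than the constructed value, export the live string from an elevated prompt with `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems" /v Windows` and pass it to rogue_server_dlls; an infected box that still boots will show consrv (or another unexpected module) where winsrv should be, which is exactly what FRST's one-line "SubSystems: [Windows] ==> ZeroAccess" verdict summarises. The file heuristic is deliberately narrow (system+hidden, random basename, known drop directories) so it does not flag ordinary __ASH files such as hiberfil.sys.
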
#8 MPJ (Topic Starter)

  • Members
  • 11 posts
  • Local time:10:40 AM

Posted 23 March 2012 - 06:52 PM

Gringo -

Here's the fixlist.txt file:

Fix result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 15-03-2012
Ran by SYSTEM at 2012-03-23 18:49:14 R:1
Running from G:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.
C:\Users\Dad\AppData\Local\eaobxq8b3hgh6kfp1iyw6q758a4y moved successfully.
C:\Users\All Users\eaobxq8b3hgh6kfp1iyw6q758a4y moved successfully.
C:\ProgramData\eaobxq8b3hgh6kfp1iyw6q758a4y not found.

==== End of Fixlog ====




Here's the ComboFix log:

ComboFix 12-03-22.01 - Dad 03/23/2012 19:09:32.1.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2048.1242 [GMT -4:00]
Running from: c:\users\Dad\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\vpngui.exe.lnk
c:\users\Dad\AppData\Roaming\mm
c:\users\Dad\AppData\Roaming\mm\cache\.cache
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\04F22FD5A435BC54EA1F1C07BF3B242A
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\08B06D62EC0553EFDF9B4E91A3E21509
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\0931C01EF2E25B644F53B17D6599627B
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\0D51E9900D2C17AA30F9D5B537BA8FCE
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\18472687D12CD06FF270E4D7D6A661EC
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\18BF81A178CC7AB54763930FC567BEFF
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\1A3FF969616AED3337912F9B48A1F312
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\1A60AAEFA2E5F2624EE2B03E9701FBF8
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\1E22F2CBD5882A4B8D137798EAE69B7E
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\231EED46982DAF475ED4EA4352328C38
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\24B86D44D5D6EF25A6B09497BF5CC3D1
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\280C695730499CBDD3480F9A5351242F
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\294724C940D38A21A98E26A2512C2234
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\3A5E84D9E7016F2F36BF67356008A130
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\3AB2301C46A4B1529317A1EEEFA56C8C
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\3C537468670FEF5CDA2E97FDA3E15875
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\41217986E1CC6556F7AE09C1D040B00A
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\46265902ABB04E073805EB03A1D341D4
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\4E3F559E293CC2E9F6D4636400134E54
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\50C29A0817DA15706DF4BEF40A633D15
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\53ED4A37E2A28251D0FD1C8C277BD84C
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\6FAE5055599BD2400DEE6B579E037CF4
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\8DF11D6C73F71693FF9EBDC2F0D96E80
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\9473ED8D08CD0A7A6AF41487BCF705E8
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\98D93EF44A493F64C63A18A33B2E790F
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\A1BEF7307139960047BA512889CE0D25
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\B0527DFD4B3DCC4212EB8BF51E37D7A6
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\B12F48B9073487D3847A2187C557EEE1
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\B7C5BE489E59FBA9D7F0F5ADF057A6FB
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\BA99F46403ED985D25A0AADA41E4719F
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\CA95B9C8B4BE07EF84E0AEAB381419EA
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\D2B0DF18FEFCDAF0AE7AEAD2DD894AFC
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\D605C59D4EC909FAE7D843169F98B086
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\D7AEE82CF80EB0894BFBB90BAA75522C
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\DCBEF9310A0B4B74BF4BD8C1813D7EAC
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\E1BFB414A4019AE18DEAC1AFD8340322
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\E1EAFAFCA02B242445CB15E1989ED676
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\E244E1540674526FDC33FCFEFE68AE6F
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\EA748FACA764E2E733FE9ED2254A905A
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\EFDEDAE8D1FA87DEB21BE3FC6FED85EB
c:\users\Dad\AppData\Roaming\mm\cache\ImageLoader\F722CF962F4FCDC6D9D98B6BDE3E35D8
c:\users\Mom\Documents\DPE.DUS
c:\users\Mom\Documents\Readiris.DUS
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\SysWow64\f3PSSavr.scr
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_MyWebSearchService
.
.
((((((((((((((((((((((((( Files Created from 2012-02-23 to 2012-03-23 )))))))))))))))))))))))))))))))
.
.
2012-03-23 23:19 . 2012-03-23 23:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-23 23:19 . 2012-03-23 23:19 -------- d-----w- c:\users\Mom\AppData\Local\temp
2012-03-23 23:17 . 2012-03-23 23:18 -------- d-----w- C:\FRST
2012-03-23 22:56 . 2012-03-23 22:56 16712 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2012-03-19 03:25 . 2012-03-19 20:10 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-03-19 00:48 . 2012-03-19 00:48 -------- d-----w- c:\program files (x86)\ESET
2012-03-18 02:07 . 2012-03-18 02:07 -------- d-----w- c:\windows\Battle Academy Demo
2012-03-14 07:02 . 2011-11-19 15:20 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-14 07:02 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-03-14 07:02 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-03-14 04:02 . 2012-02-03 04:34 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-03-14 04:02 . 2012-02-10 06:36 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-03-14 04:02 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-03-14 04:01 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-03-14 04:01 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-03-14 04:01 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-03-14 04:01 . 2012-02-17 06:38 1112064 ----a-w- c:\windows\system32\rdpcorets.dll
2012-03-14 04:01 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-03-14 04:01 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-03-14 04:01 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-14 04:01 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-03-11 21:27 . 2012-03-11 21:27 -------- d-----w- c:\users\Dad\AppData\Local\WinZip
2012-03-10 16:06 . 2010-04-27 02:25 172104 ----a-w- c:\windows\system32\drivers\sscdmdm.sys
2012-03-10 16:06 . 2010-04-27 02:25 15944 ----a-w- c:\windows\system32\drivers\sscdwhnt.sys
2012-03-10 16:06 . 2010-04-27 02:25 15944 ----a-w- c:\windows\system32\drivers\sscdwh.sys
2012-03-10 16:06 . 2010-04-27 02:25 141384 ----a-w- c:\windows\system32\drivers\sscdserd.sys
2012-03-10 16:06 . 2012-03-10 16:06 -------- d-----w- c:\program files\SAMSUNG
2012-03-10 16:06 . 2010-04-27 02:25 19016 ----a-w- c:\windows\system32\drivers\sscdmdfl.sys
2012-03-10 16:06 . 2010-04-27 02:25 15432 ----a-w- c:\windows\system32\drivers\sscdcmnt.sys
2012-03-10 16:06 . 2010-04-27 02:25 15432 ----a-w- c:\windows\system32\drivers\sscdcm.sys
2012-03-10 16:06 . 2010-04-27 02:25 136264 ----a-w- c:\windows\system32\drivers\sscdbus.sys
2012-03-10 16:06 . 2012-03-10 16:06 -------- d-----w- c:\programdata\Samsung
2012-03-10 16:06 . 2012-03-10 16:06 53248 ----a-r- c:\users\Dad\AppData\Roaming\Microsoft\Installer\{F42F3704-4CA7-4D28-9F5B-FDBF2E589EB2}\ARPPRODUCTICON.exe
2012-03-10 16:06 . 2012-03-10 16:06 -------- d-----w- c:\users\Dad\AppData\Roaming\Verizon
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-14 22:41 . 2011-06-22 11:33 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-18 17:18 . 2011-11-24 23:49 111928 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-02-18 17:17 . 2011-11-24 23:49 794408 ----a-w- c:\windows\SysWow64\pbsvc.exe
2012-01-04 10:44 . 2012-02-14 19:52 509952 ----a-w- c:\windows\system32\ntshrui.dll
2012-01-04 08:58 . 2012-02-14 19:52 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
2012-01-01 20:45 . 2012-01-01 20:45 62976 ----a-w- c:\windows\SysWow64\PxSecure.dll
2012-01-01 20:45 . 2012-01-01 20:45 65736 ----a-w- c:\windows\system32\drivers\pxrts.sys
2012-01-01 20:45 . 2012-01-01 20:45 36384 ----a-w- c:\windows\system32\drivers\pxscan.sys
2012-01-01 20:45 . 2012-01-01 20:45 24024 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2011-12-30 06:26 . 2012-02-14 19:52 515584 ----a-w- c:\windows\system32\timedate.cpl
2011-12-30 05:27 . 2012-02-14 19:52 478720 ----a-w- c:\windows\SysWow64\timedate.cpl
2011-12-28 03:59 . 2012-02-14 19:52 498688 ----a-w- c:\windows\system32\drivers\afd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2011-08-02 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="c:\program files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
"iTunesHelper"="d:\program files (x86)\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\users\Mom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R1 vflt;Shrew Soft Lightweight Filter;c:\windows\system32\DRIVERS\vfilter.sys [x]
R2 AMD FUEL Service;AMD FUEL Service;d:\ati technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-25 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-25 136176]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 vnet;Shrew Soft Virtual Adapter;c:\windows\system32\DRIVERS\virtualnet.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [x]
S1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2012-01-01 6746280]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [x]
S3 Razerlow;Razer Pro|Solutions;c:\windows\system32\drivers\Razerlow.sys [x]
S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-25 01:48]
.
2012-03-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-25 01:48]
.
2012-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2391858864-2636421006-2498368418-1000Core.job
- c:\users\Dad\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-03 05:09]
.
2012-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2391858864-2636421006-2498368418-1000UA.job
- c:\users\Dad\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-03 05:09]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-10-26 1702400]
"combofix"="c:\combofix\CF938.3XE" [2010-11-20 345088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Download with GetRight - d:\getright\GRdownload.htm
IE: Open With GetRight Browser - d:\getright\GRbrowse.htm
Trusted Zone: intuit.com\ttlc
Trusted Zone: org.com\www.cusa-hfs
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-BYR_AGENT - c:\programdata\LGMOBILEAX\BYR_Client\VZWNotiAgent.exe
Wow6432Node-HKLM-Run-StartCCC - d:\ati technologies\ATI.ACE\Core-Static\CLIStart.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-PunkBusterSvc - c:\windows\system32\pbsvc.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2391858864-2636421006-2498368418-1000\Software\SecuROM\License information*]
"datasecu"=hex:e0,84,22,10,7a,0a,c1,ba,4b,8b,bd,61,a9,04,2b,57,7f,24,70,c1,2e,
0b,fb,ef,ec,e8,70,9e,26,86,bf,e3,64,a6,5f,38,d1,11,e0,99,27,9d,34,e7,23,59,\
"rkeysecu"=hex:37,61,9f,a5,84,80,76,c6,6d,21,ba,c1,64,c3,81,a4
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Nico Mak Computing\WinZip]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
.
**************************************************************************
.
Completion time: 2012-03-23 19:36:22 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-23 23:36
.
Pre-Run: 33,872,244,736 bytes free
Post-Run: 33,897,304,064 bytes free
.
- - End Of File - - CDDAFEBDB76497E37EFBBDCA29A52D08


The Windows firewall service has reappeared. I'm going to poke around and see what else I can find and report back.

#9 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 23 March 2012 - 08:17 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • It will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#10 MPJ
  • Topic Starter
  • Members
  • 11 posts

Posted 23 March 2012 - 08:20 PM

I can see my printer now from my secondary workstation again; this hadn't been possible for some time.

I ran the Eset online scanner in find, not fix, mode and it says I have these still to deal with:

C:\Qoobox\Quarantine\C\Windows\SysWOW64\f3PSSavr.scr.vir Win32/Toolbar.MyWebSearch application
C:\Users\Dad\AppData\LocalLow\FunWebProducts\Installr\Cache\0AEFCAF5.exe a variant of Win32/Toolbar.MyWebSearch.O application
C:\Windows\system64\consrv.dll Win64/Sirefef.G trojan

I'll wait for further instructions/advice. Thanks.

#11 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 23 March 2012 - 08:51 PM

see post 9 please


gringo

#12 MPJ
  • Topic Starter
  • Members
  • 11 posts

Posted 24 March 2012 - 07:50 AM

Good morning -

Here's the log from TDSSKiller. It said it found no infections:

08:24:25.0881 4020 TDSS rootkit removing tool 2.7.22.0 Mar 21 2012 17:40:00
08:24:26.0271 4020 ============================================================
08:24:26.0271 4020 Current date / time: 2012/03/24 08:24:26.0271
08:24:26.0271 4020 SystemInfo:
08:24:26.0271 4020
08:24:26.0271 4020 OS Version: 6.1.7601 ServicePack: 1.0
08:24:26.0271 4020 Product type: Workstation
08:24:26.0271 4020 ComputerName: AMD4200
08:24:26.0271 4020 UserName: Dad
08:24:26.0271 4020 Windows directory: C:\Windows
08:24:26.0271 4020 System windows directory: C:\Windows
08:24:26.0271 4020 Running under WOW64
08:24:26.0271 4020 Processor architecture: Intel x64
08:24:26.0271 4020 Number of processors: 2
08:24:26.0271 4020 Page size: 0x1000
08:24:26.0271 4020 Boot type: Normal boot
08:24:26.0271 4020 ============================================================
08:24:27.0893 4020 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
08:24:27.0909 4020 Drive \Device\Harddisk1\DR1 - Size: 0x1D63C0000 (7.35 Gb), SectorSize: 0x1000, Cylinders: 0x77, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
08:24:27.0909 4020 \Device\Harddisk0\DR0:
08:24:27.0909 4020 MBR used
08:24:27.0909 4020 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x6, StartLBA 0xDAA87C, BlocksNum 0x12399B19
08:24:27.0909 4020 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x13144395, BlocksNum 0x9190328
08:24:27.0940 4020 \Device\Harddisk1\DR1:
08:24:27.0940 4020 MBR used
08:24:27.0940 4020 \Device\Harddisk1\DR1\Partition0: MBR, Type 0xB, StartLBA 0x40, BlocksNum 0x1D637F
08:24:28.0002 4020 Initialize success
08:24:28.0002 4020 ============================================================
08:24:46.0270 2132 ============================================================
08:24:46.0270 2132 Scan started
08:24:46.0270 2132 Mode: Manual;
08:24:46.0270 2132 ============================================================
08:24:47.0175 2132 1394ohci (a87d604aea360176311474c87a63bb88) C:\Windows\system32\drivers\1394ohci.sys
08:24:47.0175 2132 1394ohci - ok
08:24:47.0237 2132 ACPI (d81d9e70b8a6dd14d42d7b4efa65d5f2) C:\Windows\system32\drivers\ACPI.sys
08:24:47.0237 2132 ACPI - ok
08:24:47.0331 2132 AcpiPmi (99f8e788246d495ce3794d7e7821d2ca) C:\Windows\system32\drivers\acpipmi.sys
08:24:47.0331 2132 AcpiPmi - ok
08:24:47.0409 2132 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
08:24:47.0409 2132 adp94xx - ok
08:24:47.0502 2132 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
08:24:47.0502 2132 adpahci - ok
08:24:47.0565 2132 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
08:24:47.0565 2132 adpu320 - ok
08:24:47.0596 2132 AeLookupSvc (4b78b431f225fd8624c5655cb1de7b61) C:\Windows\System32\aelupsvc.dll
08:24:47.0596 2132 AeLookupSvc - ok
08:24:47.0705 2132 AFD (1c7857b62de5994a75b054a9fd4c3825) C:\Windows\system32\drivers\afd.sys
08:24:47.0705 2132 AFD - ok
08:24:47.0752 2132 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\drivers\agp440.sys
08:24:47.0752 2132 agp440 - ok
08:24:47.0846 2132 ALG (3290d6946b5e30e70414990574883ddb) C:\Windows\System32\alg.exe
08:24:47.0846 2132 ALG - ok
08:24:47.0908 2132 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\drivers\aliide.sys
08:24:47.0908 2132 aliide - ok
08:24:47.0970 2132 AMD External Events Utility (812349d328eb406815183a5d17b49e7c) C:\Windows\system32\atiesrxx.exe
08:24:47.0970 2132 AMD External Events Utility - ok
08:24:48.0033 2132 AMD FUEL Service - ok
08:24:48.0142 2132 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\drivers\amdide.sys
08:24:48.0142 2132 amdide - ok
08:24:48.0189 2132 amdiox64 (6a2eeb0c4133b20773bb3dd0b7b377b4) C:\Windows\system32\DRIVERS\amdiox64.sys
08:24:48.0189 2132 amdiox64 - ok
08:24:48.0236 2132 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys
08:24:48.0236 2132 AmdK8 - ok
08:24:48.0548 2132 amdkmdag (0415ffe1b6a6ea141feafca57567f57f) C:\Windows\system32\DRIVERS\atikmdag.sys
08:24:48.0782 2132 amdkmdag - ok
08:24:48.0891 2132 amdkmdap (dc24d6f38f17c0d643d9aa8a6852f8d0) C:\Windows\system32\DRIVERS\atikmpag.sys
08:24:48.0906 2132 amdkmdap - ok
08:24:48.0938 2132 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
08:24:48.0938 2132 AmdPPM - ok
08:24:48.0984 2132 amdsata (d4121ae6d0c0e7e13aa221aa57ef2d49) C:\Windows\system32\drivers\amdsata.sys
08:24:48.0984 2132 amdsata - ok
08:24:49.0062 2132 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys
08:24:49.0078 2132 amdsbs - ok
08:24:49.0109 2132 amdxata (540daf1cea6094886d72126fd7c33048) C:\Windows\system32\drivers\amdxata.sys
08:24:49.0109 2132 amdxata - ok
08:24:49.0156 2132 AppID (89a69c3f2f319b43379399547526d952) C:\Windows\system32\drivers\appid.sys
08:24:49.0156 2132 AppID - ok
08:24:49.0250 2132 AppIDSvc (0bc381a15355a3982216f7172f545de1) C:\Windows\System32\appidsvc.dll
08:24:49.0250 2132 AppIDSvc - ok
08:24:49.0281 2132 Appinfo (3977d4a871ca0d4f2ed1e7db46829731) C:\Windows\System32\appinfo.dll
08:24:49.0281 2132 Appinfo - ok
08:24:49.0374 2132 Apple Mobile Device (018857ead9a077a56aedfc0e5ef7a24a) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
08:24:49.0374 2132 Apple Mobile Device - ok
08:24:49.0468 2132 AppMgmt (4aba3e75a76195a3e38ed2766c962899) C:\Windows\System32\appmgmts.dll
08:24:49.0468 2132 AppMgmt - ok
08:24:49.0515 2132 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys
08:24:49.0530 2132 arc - ok
08:24:49.0546 2132 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys
08:24:49.0546 2132 arcsas - ok
08:24:49.0608 2132 aspnet_state - ok
08:24:49.0686 2132 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
08:24:49.0686 2132 AsyncMac - ok
08:24:49.0749 2132 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\drivers\atapi.sys
08:24:49.0749 2132 atapi - ok
08:24:49.0858 2132 AtiHDAudioService (dbb487d09f56c674430ac454fd8bcab9) C:\Windows\system32\drivers\AtihdW76.sys
08:24:49.0858 2132 AtiHDAudioService - ok
08:24:49.0920 2132 AtiHdmiService (2d648572ba9a610952fcafba1e119c2d) C:\Windows\system32\drivers\AtiHdmi.sys
08:24:49.0920 2132 AtiHdmiService - ok
08:24:49.0998 2132 AudioEndpointBuilder (f23fef6d569fce88671949894a8becf1) C:\Windows\System32\Audiosrv.dll
08:24:49.0998 2132 AudioEndpointBuilder - ok
08:24:50.0030 2132 AudioSrv (f23fef6d569fce88671949894a8becf1) C:\Windows\System32\Audiosrv.dll
08:24:50.0030 2132 AudioSrv - ok
08:24:50.0108 2132 AxInstSV (a6bf31a71b409dfa8cac83159e1e2aff) C:\Windows\System32\AxInstSV.dll
08:24:50.0108 2132 AxInstSV - ok
08:24:50.0186 2132 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys
08:24:50.0201 2132 b06bdrv - ok
08:24:50.0248 2132 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
08:24:50.0264 2132 b57nd60a - ok
08:24:50.0295 2132 BDESVC (fde360167101b4e45a96f939f388aeb0) C:\Windows\System32\bdesvc.dll
08:24:50.0310 2132 BDESVC - ok
08:24:50.0373 2132 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
08:24:50.0373 2132 Beep - ok
08:24:50.0466 2132 BFE (82974d6a2fd19445cc5171fc378668a4) C:\Windows\System32\bfe.dll
08:24:50.0466 2132 BFE - ok
08:24:50.0529 2132 BITS (1ea7969e3271cbc59e1730697dc74682) C:\Windows\system32\qmgr.dll
08:24:50.0544 2132 BITS - ok
08:24:50.0622 2132 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
08:24:50.0622 2132 blbdrive - ok
08:24:50.0716 2132 Bonjour Service (f832f1505ad8b83474bd9a5b1b985e01) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
08:24:50.0716 2132 Bonjour Service - ok
08:24:50.0810 2132 bowser (6c02a83164f5cc0a262f4199f0871cf5) C:\Windows\system32\DRIVERS\bowser.sys
08:24:50.0825 2132 bowser - ok
08:24:50.0872 2132 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys
08:24:50.0872 2132 BrFiltLo - ok
08:24:50.0888 2132 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys
08:24:50.0888 2132 BrFiltUp - ok
08:24:50.0997 2132 BridgeMP (5c2f352a4e961d72518261257aae204b) C:\Windows\system32\DRIVERS\bridge.sys
08:24:50.0997 2132 BridgeMP - ok
08:24:51.0044 2132 Browser (8ef0d5c41ec907751b8429162b1239ed) C:\Windows\System32\browser.dll
08:24:51.0059 2132 Browser - ok
08:24:51.0090 2132 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
08:24:51.0090 2132 Brserid - ok
08:24:51.0168 2132 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
08:24:51.0168 2132 BrSerWdm - ok
08:24:51.0200 2132 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
08:24:51.0215 2132 BrUsbMdm - ok
08:24:51.0231 2132 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
08:24:51.0231 2132 BrUsbSer - ok
08:24:51.0262 2132 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys
08:24:51.0262 2132 BTHMODEM - ok
08:24:51.0340 2132 bthserv (95f9c2976059462cbbf227f7aab10de9) C:\Windows\system32\bthserv.dll
08:24:51.0356 2132 bthserv - ok
08:24:51.0371 2132 catchme - ok
08:24:51.0402 2132 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
08:24:51.0418 2132 cdfs - ok
08:24:51.0512 2132 cdrom (f036ce71586e93d94dab220d7bdf4416) C:\Windows\system32\DRIVERS\cdrom.sys
08:24:51.0512 2132 cdrom - ok
08:24:51.0558 2132 CertPropSvc (f17d1d393bbc69c5322fbfafaca28c7f) C:\Windows\System32\certprop.dll
08:24:51.0574 2132 CertPropSvc - ok
08:24:51.0652 2132 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys
08:24:51.0652 2132 circlass - ok
08:24:51.0699 2132 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
08:24:51.0699 2132 CLFS - ok
08:24:51.0761 2132 clr_optimization_v2.0.50727_32 (d88040f816fda31c3b466f0fa0918f29) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
08:24:51.0761 2132 clr_optimization_v2.0.50727_32 - ok
08:24:51.0824 2132 clr_optimization_v2.0.50727_64 (d1ceea2b47cb998321c579651ce3e4f8) C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
08:24:51.0839 2132 clr_optimization_v2.0.50727_64 - ok
08:24:51.0933 2132 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
08:24:51.0933 2132 clr_optimization_v4.0.30319_32 - ok
08:24:51.0980 2132 clr_optimization_v4.0.30319_64 (c6f9af94dcd58122a4d7e89db6bed29d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
08:24:51.0980 2132 clr_optimization_v4.0.30319_64 - ok
08:24:52.0042 2132 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
08:24:52.0042 2132 CmBatt - ok
08:24:52.0089 2132 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\drivers\cmdide.sys
08:24:52.0089 2132 cmdide - ok
08:24:52.0151 2132 CNG (c4943b6c962e4b82197542447ad599f4) C:\Windows\system32\Drivers\cng.sys
08:24:52.0151 2132 CNG - ok
08:24:52.0229 2132 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
08:24:52.0229 2132 Compbatt - ok
08:24:52.0307 2132 CompositeBus (03edb043586cceba243d689bdda370a8) C:\Windows\system32\drivers\CompositeBus.sys
08:24:52.0307 2132 CompositeBus - ok
08:24:52.0354 2132 COMSysApp - ok
08:24:52.0401 2132 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys
08:24:52.0401 2132 crcdisk - ok
08:25:10.0824 2132 TrkWks - ok
08:25:10.0887 2132 TrustedInstaller (773212b2aaa24c1e31f10246b15b276c) C:\Windows\servicing\TrustedInstaller.exe
08:25:10.0887 2132 TrustedInstaller - ok
08:25:10.0965 2132 tssecsrv (ce18b2cdfc837c99e5fae9ca6cba5d30) C:\Windows\system32\DRIVERS\tssecsrv.sys
08:25:10.0965 2132 tssecsrv - ok
08:25:10.0996 2132 TsUsbFlt (d11c783e3ef9a3c52c0ebe83cc5000e9) C:\Windows\system32\drivers\tsusbflt.sys
08:25:10.0996 2132 TsUsbFlt - ok
08:25:11.0027 2132 tsusbhub - ok
08:25:11.0121 2132 tunnel (3566a8daafa27af944f5d705eaa64894) C:\Windows\system32\DRIVERS\tunnel.sys
08:25:11.0121 2132 tunnel - ok
08:25:11.0152 2132 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\DRIVERS\uagp35.sys
08:25:11.0152 2132 uagp35 - ok
08:25:11.0214 2132 udfs (ff4232a1a64012baa1fd97c7b67df593) C:\Windows\system32\DRIVERS\udfs.sys
08:25:11.0214 2132 udfs - ok
08:25:11.0292 2132 UI0Detect (3cbdec8d06b9968aba702eba076364a1) C:\Windows\system32\UI0Detect.exe
08:25:11.0292 2132 UI0Detect - ok
08:25:11.0339 2132 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\drivers\uliagpkx.sys
08:25:11.0339 2132 uliagpkx - ok
08:25:11.0386 2132 umbus (dc54a574663a895c8763af0fa1ff7561) C:\Windows\system32\drivers\umbus.sys
08:25:11.0386 2132 umbus - ok
08:25:11.0464 2132 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\DRIVERS\umpass.sys
08:25:11.0464 2132 UmPass - ok
08:25:11.0511 2132 UmRdpService (a293dcd756d04d8492a750d03b9a297c) C:\Windows\System32\umrdp.dll
08:25:11.0511 2132 UmRdpService - ok
08:25:11.0558 2132 upnphost (d47ec6a8e81633dd18d2436b19baf6de) C:\Windows\System32\upnphost.dll
08:25:11.0573 2132 upnphost - ok
08:25:11.0651 2132 USBAAPL64 (f724b03c3dfaacf08d17d38bf3333583) C:\Windows\system32\Drivers\usbaapl64.sys
08:25:11.0651 2132 USBAAPL64 - ok
08:25:11.0714 2132 usbbus (c85b8247fadd432fa54fe11667c8d97d) C:\Windows\system32\DRIVERS\lgx64bus.sys
08:25:11.0714 2132 usbbus - ok
08:25:11.0760 2132 usbccgp (6f1a3157a1c89435352ceb543cdb359c) C:\Windows\system32\DRIVERS\usbccgp.sys
08:25:11.0760 2132 usbccgp - ok
08:25:11.0854 2132 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\drivers\usbcir.sys
08:25:11.0854 2132 usbcir - ok
08:25:11.0901 2132 UsbDiag (d8cdc12f5429878f23ddb3785a0fdf95) C:\Windows\system32\DRIVERS\lgx64diag.sys
08:25:11.0901 2132 UsbDiag - ok
08:25:11.0932 2132 usbehci (c025055fe7b87701eb042095df1a2d7b) C:\Windows\system32\DRIVERS\usbehci.sys
08:25:11.0932 2132 usbehci - ok
08:25:12.0026 2132 usbhub (287c6c9410b111b68b52ca298f7b8c24) C:\Windows\system32\DRIVERS\usbhub.sys
08:25:12.0026 2132 usbhub - ok
08:25:12.0072 2132 USBModem (79fa7a22b0f6f0082f640cbc82a00fce) C:\Windows\system32\DRIVERS\lgx64modem.sys
08:25:12.0072 2132 USBModem - ok
08:25:12.0119 2132 usbohci (9840fc418b4cbd632d3d0a667a725c31) C:\Windows\system32\DRIVERS\usbohci.sys
08:25:12.0119 2132 usbohci - ok
08:25:12.0213 2132 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys
08:25:12.0213 2132 usbprint - ok
08:25:12.0228 2132 USBSTOR (fed648b01349a3c8395a5169db5fb7d6) C:\Windows\system32\DRIVERS\USBSTOR.SYS
08:25:12.0228 2132 USBSTOR - ok
08:25:12.0260 2132 usbuhci (62069a34518bcf9c1fd9e74b3f6db7cd) C:\Windows\system32\drivers\usbuhci.sys
08:25:12.0260 2132 usbuhci - ok
08:25:12.0291 2132 UxSms (edbb23cbcf2cdf727d64ff9b51a6070e) C:\Windows\System32\uxsms.dll
08:25:12.0291 2132 UxSms - ok
08:25:12.0369 2132 VaultSvc (c118a82cd78818c29ab228366ebf81c3) C:\Windows\system32\lsass.exe
08:25:12.0369 2132 VaultSvc - ok
08:25:12.0447 2132 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\drivers\vdrvroot.sys
08:25:12.0447 2132 vdrvroot - ok
08:25:12.0478 2132 vds (8d6b481601d01a456e75c3210f1830be) C:\Windows\System32\vds.exe
08:25:12.0494 2132 vds - ok
08:25:12.0603 2132 vflt (70eb327d68d7cec357b734b0be5b4a21) C:\Windows\system32\DRIVERS\vfilter.sys
08:25:12.0603 2132 vflt - ok
08:25:12.0665 2132 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
08:25:12.0665 2132 vga - ok
08:25:12.0743 2132 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
08:25:12.0743 2132 VgaSave - ok
08:25:12.0743 2132 VGPU - ok
08:25:12.0790 2132 vhdmp (2ce2df28c83aeaf30084e1b1eb253cbb) C:\Windows\system32\drivers\vhdmp.sys
08:25:12.0790 2132 vhdmp - ok
08:25:12.0821 2132 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\drivers\viaide.sys
08:25:12.0821 2132 viaide - ok
08:25:12.0868 2132 vmbus (86ea3e79ae350fea5331a1303054005f) C:\Windows\system32\drivers\vmbus.sys
08:25:12.0868 2132 vmbus - ok
08:25:12.0946 2132 VMBusHID (7de90b48f210d29649380545db45a187) C:\Windows\system32\drivers\VMBusHID.sys
08:25:12.0946 2132 VMBusHID - ok
08:25:12.0977 2132 vnet (71bf90872b6a7b34a26f4794dda7aec3) C:\Windows\system32\DRIVERS\virtualnet.sys
08:25:12.0977 2132 vnet - ok
08:25:13.0024 2132 volmgr (d2aafd421940f640b407aefaaebd91b0) C:\Windows\system32\drivers\volmgr.sys
08:25:13.0024 2132 volmgr - ok
08:25:13.0071 2132 volmgrx (a255814907c89be58b79ef2f189b843b) C:\Windows\system32\drivers\volmgrx.sys
08:25:13.0071 2132 volmgrx - ok
08:25:13.0133 2132 volsnap (0d08d2f3b3ff84e433346669b5e0f639) C:\Windows\system32\drivers\volsnap.sys
08:25:13.0149 2132 volsnap - ok
08:25:13.0180 2132 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\DRIVERS\vsmraid.sys
08:25:13.0180 2132 vsmraid - ok
08:25:13.0274 2132 VSS (b60ba0bc31b0cb414593e169f6f21cc2) C:\Windows\system32\vssvc.exe
08:25:13.0289 2132 VSS - ok
08:25:13.0367 2132 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\System32\drivers\vwifibus.sys
08:25:13.0367 2132 vwifibus - ok
08:25:13.0430 2132 W32Time (1c9d80cc3849b3788048078c26486e1a) C:\Windows\system32\w32time.dll
08:25:13.0445 2132 W32Time - ok
08:25:13.0461 2132 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\DRIVERS\wacompen.sys
08:25:13.0461 2132 WacomPen - ok
08:25:13.0554 2132 WANARP (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
08:25:13.0554 2132 WANARP - ok
08:25:13.0554 2132 Wanarpv6 (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
08:25:13.0554 2132 Wanarpv6 - ok
08:25:13.0648 2132 WatAdminSvc (3cec96de223e49eaae3651fcf8faea6c) C:\Windows\system32\Wat\WatAdminSvc.exe
08:25:13.0664 2132 WatAdminSvc - ok
08:25:13.0757 2132 wbengine (78f4e7f5c56cb9716238eb57da4b6a75) C:\Windows\system32\wbengine.exe
08:25:13.0773 2132 wbengine - ok
08:25:13.0851 2132 WbioSrvc (3aa101e8edab2db4131333f4325c76a3) C:\Windows\System32\wbiosrvc.dll
08:25:13.0851 2132 WbioSrvc - ok
08:25:13.0913 2132 wcncsvc (7368a2afd46e5a4481d1de9d14848edd) C:\Windows\System32\wcncsvc.dll
08:25:13.0929 2132 wcncsvc - ok
08:25:13.0929 2132 WcsPlugInService (20f7441334b18cee52027661df4a6129) C:\Windows\System32\WcsPlugInService.dll
08:25:13.0944 2132 WcsPlugInService - ok
08:25:13.0991 2132 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\DRIVERS\wd.sys
08:25:13.0991 2132 Wd - ok
08:25:14.0054 2132 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
08:25:14.0069 2132 Wdf01000 - ok
08:25:14.0100 2132 WdiServiceHost (bf1fc3f79b863c914687a737c2f3d681) C:\Windows\system32\wdi.dll
08:25:14.0116 2132 WdiServiceHost - ok
08:25:14.0116 2132 WdiSystemHost (bf1fc3f79b863c914687a737c2f3d681) C:\Windows\system32\wdi.dll
08:25:14.0116 2132 WdiSystemHost - ok
08:25:14.0163 2132 WebClient (3db6d04e1c64272f8b14eb8bc4616280) C:\Windows\System32\webclnt.dll
08:25:14.0178 2132 WebClient - ok
08:25:14.0241 2132 Wecsvc (c749025a679c5103e575e3b48e092c43) C:\Windows\system32\wecsvc.dll
08:25:14.0241 2132 Wecsvc - ok
08:25:14.0272 2132 wercplsupport (7e591867422dc788b9e5bd337a669a08) C:\Windows\System32\wercplsupport.dll
08:25:14.0272 2132 wercplsupport - ok
08:25:14.0319 2132 WerSvc (6d137963730144698cbd10f202e9f251) C:\Windows\System32\WerSvc.dll
08:25:14.0319 2132 WerSvc - ok
08:25:14.0412 2132 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
08:25:14.0412 2132 WfpLwf - ok
08:25:14.0428 2132 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
08:25:14.0428 2132 WIMMount - ok
08:25:14.0475 2132 WinDefend - ok
08:25:14.0490 2132 WinHttpAutoProxySvc - ok
08:25:14.0553 2132 Winmgmt (19b07e7e8915d701225da41cb3877306) C:\Windows\system32\wbem\WMIsvc.dll
08:25:14.0553 2132 Winmgmt - ok
08:25:14.0678 2132 WinRM (bcb1310604aa415c4508708975b3931e) C:\Windows\system32\WsmSvc.dll
08:25:14.0709 2132 WinRM - ok
08:25:14.0818 2132 WinUsb (fe88b288356e7b47b74b13372add906d) C:\Windows\system32\DRIVERS\WinUsb.sys
08:25:14.0834 2132 WinUsb - ok
08:25:14.0880 2132 Wlansvc (4fada86e62f18a1b2f42ba18ae24e6aa) C:\Windows\System32\wlansvc.dll
08:25:14.0896 2132 Wlansvc - ok
08:25:15.0021 2132 wlidsvc (7e47c328fc4768cb8beafbcfafa70362) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
08:25:15.0052 2132 wlidsvc - ok
08:25:15.0130 2132 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\drivers\wmiacpi.sys
08:25:15.0130 2132 WmiAcpi - ok
08:25:15.0192 2132 wmiApSrv (38b84c94c5a8af291adfea478ae54f93) C:\Windows\system32\wbem\WmiApSrv.exe
08:25:15.0208 2132 wmiApSrv - ok
08:25:15.0239 2132 WMPNetworkSvc - ok
08:25:15.0317 2132 WPCSvc (96c6e7100d724c69fcf9e7bf590d1dca) C:\Windows\System32\wpcsvc.dll
08:25:15.0333 2132 WPCSvc - ok
08:25:15.0348 2132 WPDBusEnum (93221146d4ebbf314c29b23cd6cc391d) C:\Windows\system32\wpdbusenum.dll
08:25:15.0364 2132 WPDBusEnum - ok
08:25:15.0411 2132 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
08:25:15.0411 2132 ws2ifsl - ok
08:25:15.0504 2132 wscsvc (e8b1fe6669397d1772d8196df0e57a9e) C:\Windows\system32\wscsvc.dll
08:25:15.0504 2132 wscsvc - ok
08:25:15.0520 2132 WSearch - ok
08:25:15.0614 2132 wuauserv (9df12edbc698b0bc353b3ef84861e430) C:\Windows\system32\wuaueng.dll
08:25:15.0645 2132 wuauserv - ok
08:25:15.0723 2132 WudfPf (d3381dc54c34d79b22cee0d65ba91b7c) C:\Windows\system32\drivers\WudfPf.sys
08:25:15.0738 2132 WudfPf - ok
08:25:15.0770 2132 WUDFRd (cf8d590be3373029d57af80914190682) C:\Windows\system32\DRIVERS\WUDFRd.sys
08:25:15.0770 2132 WUDFRd - ok
08:25:15.0816 2132 wudfsvc (7a95c95b6c4cf292d689106bcae49543) C:\Windows\System32\WUDFSvc.dll
08:25:15.0816 2132 wudfsvc - ok
08:25:15.0863 2132 WwanSvc (9a3452b3c2a46c073166c5cf49fad1ae) C:\Windows\System32\wwansvc.dll
08:25:15.0863 2132 WwanSvc - ok
08:25:15.0988 2132 yukonw7 (64f88af327aa74e03658ae32b48ccb8b) C:\Windows\system32\DRIVERS\yk62x64.sys
08:25:16.0004 2132 yukonw7 - ok
08:25:16.0035 2132 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
08:25:16.0082 2132 \Device\Harddisk0\DR0 - ok
08:25:16.0097 2132 MBR (0x1B8) (25a853d87f74184ae65b48f3c5d1c82b) \Device\Harddisk1\DR1
08:25:23.0850 2132 \Device\Harddisk1\DR1 - ok
08:25:23.0850 2132 Boot (0x1200) (d103b7455d85f456119b26e216bc33a7) \Device\Harddisk0\DR0\Partition0
08:25:23.0850 2132 \Device\Harddisk0\DR0\Partition0 - ok
08:25:23.0866 2132 Boot (0x1200) (d3942d36dbd8b23855bcc12c3e7a270e) \Device\Harddisk0\DR0\Partition1
08:25:23.0866 2132 \Device\Harddisk0\DR0\Partition1 - ok
08:25:23.0882 2132 Boot (0x1200) (7b88fe8388746d9eceafc59a4587b72a) \Device\Harddisk1\DR1\Partition0
08:25:23.0882 2132 \Device\Harddisk1\DR1\Partition0 - ok
08:25:23.0882 2132 ============================================================
08:25:23.0882 2132 Scan finished
08:25:23.0882 2132 ============================================================
08:25:23.0897 0748 Detected object count: 0
08:25:23.0897 0748 Actual detected object count: 0

And the log from aswMBR:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-24 08:28:41
-----------------------------
08:28:41.199 OS Version: Windows x64 6.1.7601 Service Pack 1
08:28:41.199 Number of processors: 2 586 0x4B02
08:28:41.199 ComputerName: AMD4200 UserName: Dad
08:28:41.839 Initialize success
08:29:28.470 AVAST engine defs: 12032400
08:29:44.148 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000060
08:29:44.148 Disk 0 Vendor: Hitachi_ V54O Size: 305245MB BusType: 3
08:29:44.164 Disk 0 MBR read successfully
08:29:44.164 Disk 0 MBR scan
08:29:44.179 Disk 0 Windows 7 default MBR code
08:29:44.179 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 6997 MB offset 63
08:29:44.195 Disk 0 Partition 2 80 (A) 06 FAT16 NTFS 149299 MB offset 14329980
08:29:44.211 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 74528 MB offset 320095125
08:29:44.211 Disk 0 Partition - 00 0F Extended LBA 74410 MB offset 472744755
08:29:44.242 Disk 0 Partition 4 00 83 Linux 70402 MB offset 480953970
08:29:44.242 Disk 0 Partition - 00 05 Extended 4000 MB offset 472744756
08:29:44.257 Disk 0 Partition 5 00 82 Linux swap 4000 MB offset 472744881
08:29:44.289 Disk 0 scanning C:\Windows\system32\drivers
08:29:57.798 Service scanning
08:30:41.993 Modules scanning
08:30:41.993 Disk 0 trace - called modules:
08:30:42.009 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor.sys
08:30:42.024 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800266c060]
08:30:42.024 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> [0xfffffa80023bcd30]
08:30:42.040 5 ACPI.sys[fffff88000f4e7a1] -> nt!IofCallDriver -> \Device\00000060[0xfffffa800229d060]
08:30:42.695 AVAST engine scan C:\Windows
08:30:47.999 AVAST engine scan C:\Windows\system32
08:31:03.131 File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
08:34:32.233 AVAST engine scan C:\Windows\system32\drivers
08:34:52.935 AVAST engine scan C:\Users\Dad
08:45:32.425 AVAST engine scan C:\ProgramData
08:46:28.757 Scan finished successfully
08:49:19.749 Disk 0 MBR has been saved successfully to "C:\Users\Dad\Desktop\MBR.dat"
08:49:19.764 The log file has been saved successfully to "C:\Users\Dad\Desktop\aswMBR.txt"

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 24 March 2012 - 10:13 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::
KillAll::

File::
C:\Windows\system32\consrv.dll

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




#14 MPJ

MPJ
  • Topic Starter

  • Members
  • 11 posts

Posted 24 March 2012 - 01:43 PM

Hi Gringo - Here's the latest from the ComboFix run. It ran without a problem:

ComboFix 12-03-22.01 - Dad 03/24/2012 12:00:36.2.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2048.1070 [GMT -4:00]
Running from: c:\users\Dad\Desktop\ComboFix.exe
Command switches used :: c:\users\Dad\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\consrv.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\consrv.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-02-24 to 2012-03-24 )))))))))))))))))))))))))))))))
.
.
2012-03-24 16:10 . 2012-03-24 16:10 -------- d-----w- c:\users\Mom\AppData\Local\temp
2012-03-24 16:10 . 2012-03-24 16:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-24 12:21 . 2012-03-20 07:51 8669240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{F60265E7-C97E-4649-A69D-53BC8D5DDBB1}\mpengine.dll
2012-03-24 01:22 . 2011-12-10 19:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-23 23:17 . 2012-03-23 23:18 -------- d-----w- C:\FRST
2012-03-19 03:25 . 2012-03-19 20:10 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-03-19 00:48 . 2012-03-19 00:48 -------- d-----w- c:\program files (x86)\ESET
2012-03-18 02:07 . 2012-03-18 02:07 -------- d-----w- c:\windows\Battle Academy Demo
2012-03-14 07:02 . 2011-11-19 15:20 5559152 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-03-14 07:02 . 2011-11-19 14:50 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-03-14 07:02 . 2011-11-19 14:50 3913584 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-03-14 04:02 . 2012-02-03 04:34 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-03-14 04:02 . 2012-02-10 06:36 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-03-14 04:02 . 2012-02-10 05:38 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-03-14 04:01 . 2012-01-25 06:38 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-03-14 04:01 . 2012-01-25 06:38 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-03-14 04:01 . 2012-01-25 06:33 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-03-14 04:01 . 2012-02-17 06:38 1112064 ----a-w- c:\windows\system32\rdpcorets.dll
2012-03-14 04:01 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-03-14 04:01 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-03-14 04:01 . 2012-02-17 04:58 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-14 04:01 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-03-11 21:27 . 2012-03-11 21:27 -------- d-----w- c:\users\Dad\AppData\Local\WinZip
2012-03-10 16:06 . 2010-04-27 02:25 172104 ----a-w- c:\windows\system32\drivers\sscdmdm.sys
2012-03-10 16:06 . 2010-04-27 02:25 15944 ----a-w- c:\windows\system32\drivers\sscdwhnt.sys
2012-03-10 16:06 . 2010-04-27 02:25 15944 ----a-w- c:\windows\system32\drivers\sscdwh.sys
2012-03-10 16:06 . 2010-04-27 02:25 141384 ----a-w- c:\windows\system32\drivers\sscdserd.sys
2012-03-10 16:06 . 2012-03-10 16:06 -------- d-----w- c:\program files\SAMSUNG
2012-03-10 16:06 . 2010-04-27 02:25 19016 ----a-w- c:\windows\system32\drivers\sscdmdfl.sys
2012-03-10 16:06 . 2010-04-27 02:25 15432 ----a-w- c:\windows\system32\drivers\sscdcmnt.sys
2012-03-10 16:06 . 2010-04-27 02:25 15432 ----a-w- c:\windows\system32\drivers\sscdcm.sys
2012-03-10 16:06 . 2010-04-27 02:25 136264 ----a-w- c:\windows\system32\drivers\sscdbus.sys
2012-03-10 16:06 . 2012-03-10 16:06 -------- d-----w- c:\programdata\Samsung
2012-03-10 16:06 . 2012-03-10 16:06 53248 ----a-r- c:\users\Dad\AppData\Roaming\Microsoft\Installer\{F42F3704-4CA7-4D28-9F5B-FDBF2E589EB2}\ARPPRODUCTICON.exe
2012-03-10 16:06 . 2012-03-10 16:06 -------- d-----w- c:\users\Dad\AppData\Roaming\Verizon
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-14 22:41 . 2011-06-22 11:33 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-23 13:18 . 2010-02-05 13:34 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-02-18 17:18 . 2011-11-24 23:49 111928 ----a-w- c:\windows\SysWow64\PnkBstrB.exe
2012-02-18 17:17 . 2011-11-24 23:49 794408 ----a-w- c:\windows\SysWow64\pbsvc.exe
2012-01-04 10:44 . 2012-02-14 19:52 509952 ----a-w- c:\windows\system32\ntshrui.dll
2012-01-04 08:58 . 2012-02-14 19:52 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
2012-01-01 20:45 . 2012-01-01 20:45 62976 ----a-w- c:\windows\SysWow64\PxSecure.dll
2012-01-01 20:45 . 2012-01-01 20:45 65736 ----a-w- c:\windows\system32\drivers\pxrts.sys
2012-01-01 20:45 . 2012-01-01 20:45 36384 ----a-w- c:\windows\system32\drivers\pxscan.sys
2012-01-01 20:45 . 2012-01-01 20:45 24024 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2011-12-30 06:26 . 2012-02-14 19:52 515584 ----a-w- c:\windows\system32\timedate.cpl
2011-12-30 05:27 . 2012-02-14 19:52 478720 ----a-w- c:\windows\SysWow64\timedate.cpl
2011-12-28 03:59 . 2012-02-14 19:52 498688 ----a-w- c:\windows\system32\drivers\afd.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-23_23.31.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-05 22:48 . 2012-03-24 16:15 45664 c:\windows\system64\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-24 16:15 45750 c:\windows\system64\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-02-05 22:48 . 2012-03-24 16:15 19680 c:\windows\system64\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2391858864-2636421006-2498368418-1000_UserData.bin
+ 2012-03-24 01:22 . 2011-12-10 19:24 23152 c:\windows\system64\drivers\mbam.sys
+ 2010-02-05 22:48 . 2012-03-24 16:15 45664 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-24 16:15 45750 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-02-05 22:48 . 2012-03-24 16:15 19680 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2391858864-2636421006-2498368418-1000_UserData.bin
- 2012-03-23 23:23 . 2012-03-23 23:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-03-24 16:12 . 2012-03-24 16:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-03-23 23:23 . 2012-03-23 23:23 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-03-24 16:12 . 2012-03-24 16:12 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2012-03-23 23:27 637218 c:\windows\system64\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-24 15:55 637218 c:\windows\system64\perfh009.dat
- 2009-07-14 02:36 . 2012-03-23 23:27 112654 c:\windows\system64\perfc009.dat
+ 2009-07-14 02:36 . 2012-03-24 15:55 112654 c:\windows\system64\perfc009.dat
+ 2010-02-05 13:34 . 2012-02-23 13:18 279656 c:\windows\system64\MpSigStub.exe
- 2009-07-14 02:36 . 2012-03-23 23:27 637218 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-24 15:55 637218 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-24 15:55 112654 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-03-23 23:27 112654 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-03-23 23:21 281904 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-03-24 16:11 281904 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2010-05-02 16:17 . 2012-03-23 23:21 38127395 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2391858864-2636421006-2498368418-1000-12288.dat
+ 2010-05-02 16:17 . 2012-03-24 16:11 38127395 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2391858864-2636421006-2498368418-1000-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\Steam.exe" [2011-08-02 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="c:\program files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
"iTunesHelper"="d:\program files (x86)\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\users\Mom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R1 vflt;Shrew Soft Lightweight Filter;c:\windows\system32\DRIVERS\vfilter.sys [x]
R2 AMD FUEL Service;AMD FUEL Service;d:\ati technologies\ATI.ACE\Fuel\Fuel.Service.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-25 136176]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-25 136176]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 vnet;Shrew Soft Virtual Adapter;c:\windows\system32\DRIVERS\virtualnet.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 pxscan;pxscan;c:\windows\System32\drivers\pxscan.sys [x]
S1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [2012-01-01 6746280]
S3 amdiox64;AMD IO Driver;c:\windows\system32\DRIVERS\amdiox64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [x]
S3 Razerlow;Razer Pro|Solutions;c:\windows\system32\drivers\Razerlow.sys [x]
S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-25 01:48]
.
2012-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-10-25 01:48]
.
2012-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2391858864-2636421006-2498368418-1000Core.job
- c:\users\Dad\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-03 05:09]
.
2012-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2391858864-2636421006-2498368418-1000UA.job
- c:\users\Dad\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-03 05:09]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-10-26 1702400]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Download with GetRight - d:\getright\GRdownload.htm
IE: Open With GetRight Browser - d:\getright\GRbrowse.htm
Trusted Zone: intuit.com\ttlc
Trusted Zone: org.com\www.cusa-hfs
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2391858864-2636421006-2498368418-1000\Software\SecuROM\License information*]
"datasecu"=hex:e0,84,22,10,7a,0a,c1,ba,4b,8b,bd,61,a9,04,2b,57,7f,24,70,c1,2e,
0b,fb,ef,ec,e8,70,9e,26,86,bf,e3,64,a6,5f,38,d1,11,e0,99,27,9d,34,e7,23,59,\
"rkeysecu"=hex:37,61,9f,a5,84,80,76,c6,6d,21,ba,c1,64,c3,81,a4
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11g_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11g.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Nico Mak Computing\WinZip]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Cisco Systems\VPN Client\cvpnd.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
.
**************************************************************************
.
Completion time: 2012-03-24 12:20:42 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-24 16:20
ComboFix2.txt 2012-03-23 23:36
.
Pre-Run: 33,653,972,992 bytes free
Post-Run: 33,596,272,640 bytes free
.
- - End Of File - - F51B2AC1AA0722814DE95A92C0BD7AA1

Workstation seems okay. ESET scan shows this:

C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir Win64/Sirefef.G trojan
C:\Qoobox\Quarantine\C\Windows\SysWOW64\f3PSSavr.scr.vir Win32/Toolbar.MyWebSearch application
C:\Users\Dad\AppData\LocalLow\FunWebProducts\Installr\Cache\0AEFCAF5.exe a variant of Win32/Toolbar.MyWebSearch.O application
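An added example (not code from the poster or from ESET/ComboFix) for triaging scanner output like the three lines above: it separates hits that sit under ComboFix's quarantine folder from hits on files still in place. The log above shows the quarantine layout, C:\Qoobox\Quarantine\<drive>\<original path>.vir, so the original location can be read back off the path; the parser assumes the ESET report shape visible here, "<path> <detection> <class>" separated by whitespace, and the sample input is the poster's three lines, constructed inline so the script runs offline.

```python
"""Triage ESET on-demand scan lines: quarantined (already moved by ComboFix) vs. live.

Added example for this thread; not the poster's or any vendor's code.
Assumptions: ESET lines read "<path> <detection> <class>", and ComboFix
keeps quarantined files under C:\\Qoobox\\Quarantine\\<drive>\\<original path>.vir
(both visible in the logs posted above).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the three lines from the poster's ESET report.
SAMPLE_REPORT = r"""
C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir Win64/Sirefef.G trojan
C:\Qoobox\Quarantine\C\Windows\SysWOW64\f3PSSavr.scr.vir Win32/Toolbar.MyWebSearch application
C:\Users\Dad\AppData\LocalLow\FunWebProducts\Installr\Cache\0AEFCAF5.exe a variant of Win32/Toolbar.MyWebSearch.O application
"""

# A file ComboFix has already moved: <drive>:\Qoobox\Quarantine\<drive letter>\<rest>.vir
QUARANTINE_RE = re.compile(
    r"^[A-Za-z]:\\Qoobox\\Quarantine\\(?P<drive>[A-Za-z])\\(?P<rest>.+)\.vir$",
    re.IGNORECASE,
)

# "<path> <detection> <class>"; the path is matched lazily so it may contain
# spaces, the detection always contains a "Family/Name" slash, and the class
# (trojan, application, ...) is the final token.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<detection>(?:a variant of\s+)?[A-Za-z0-9]+/\S+)\s+"
    r"(?P<kind>\S+)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Hit:
    path: str                    # path exactly as the scanner reported it
    detection: str               # e.g. "Win64/Sirefef.G"
    kind: str                    # scanner's class word, lower-cased
    quarantined: bool            # True if the path is inside ComboFix's quarantine
    original_path: Optional[str] # where the file lived before ComboFix moved it


def parse_hit(line: str) -> Optional[Hit]:
    """Parse one report line; return None for lines that are not hits."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, detection, kind = m["path"], m["detection"], m["kind"].lower()
    q = QUARANTINE_RE.match(path)
    if q:
        # Rebuild the pre-quarantine location from the mirrored folder tree.
        original = f"{q['drive'].upper()}:\\{q['rest']}"
        return Hit(path, detection, kind, True, original)
    return Hit(path, detection, kind, False, None)


def parse_report(text: str) -> List[Hit]:
    """Parse a whole report, skipping blank and unrecognised lines."""
    hits = []
    for line in text.splitlines():
        hit = parse_hit(line)
        if hit is not None:
            hits.append(hit)
    return hits


def live_hits(hits: List[Hit]) -> List[Hit]:
    """Hits on files that are still in place, i.e. the ones that need action."""
    return [h for h in hits if not h.quarantined]


def summarize(hits: List[Hit]) -> Dict[str, int]:
    return {
        "total": len(hits),
        "quarantined": sum(1 for h in hits if h.quarantined),
        "live": len(live_hits(hits)),
    }


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for h in report:
        where = f"quarantined copy of {h.original_path}" if h.quarantined else "STILL IN PLACE"
        print(f"{h.detection:45} {h.kind:12} {where}")
    print(summarize(report))
```

Run over the sample, the two Qoobox hits resolve to C:\Windows\System32\consrv.dll and C:\Windows\SysWOW64\f3PSSavr.scr, which ComboFix had already moved out (the log above lists ComboFix-quarantined-files.txt); only the MyWebSearch installer cache file is reported at its live location.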

#15 gringo_pr (Bleepin Gringo) - Malware Response Team, 136,772 posts, Location: Puerto Rico

Posted 24 March 2012 - 01:47 PM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (it does a lot better of a job).

Programs to remove

Adobe Reader 9.5.0
Java™ 6 Update 30


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.


: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...).

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select Run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University