Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with smitfraud-c.gp svchost.exe trojan


  • This topic is locked This topic is locked
24 replies to this topic

#1 flatrate1

flatrate1

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:11 AM

Posted 21 March 2012 - 05:02 PM

I have a Win 7 64bit laptop.

I recently was browing a website and a link I clicked on actually caused my computer to reboot. When it came back on it went to some sort of a system fix screen for maybe 10 minutes before booting to windows. Now I have a google redirect virus and Malware Bytes is detecting that my SVChost.exe is trying to send info to an IP address based out of Romania. Awesome! On one other occation while browing a help forum my computer turned OFF, instantly like someone had pulled the cord on a desktop.

I havn't had to ask for help in solving a virus probem in 5 or so years, but I surrender this one has bested me. So far I've tried the following unsuccessfully:
-Fully Updated SpyBot finds it but does not fix it, even in safemode
-Malware Bytes finds it but does not fix it
-System Restore to 2 weeks prior did not remove it
-I am not a HijackThis expert but my HJT log didn't show many red flags from what I could see.
-I have also just installed McAfee since it was long overdue. (Was uninstalled after virus infestation)

Thank you for any help you can give. It is much appreciated!

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by Tad at 18:33:55 on 2012-03-21
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3957.1276 [GMT -4:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
-netsvcs
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\PostgreSQL\8.3\bin\pg_ctl.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\PostgreSQL\8.3\bin\postgres.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files (x86)\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files (x86)\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files (x86)\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files (x86)\PostgreSQL\8.3\bin\postgres.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRAY.EXE
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Users\Tad\AppData\Local\Apps\2.0\JEMZTC86.WRD\YVWAJRRT.0XG\curs..tion_eee711038731a406_0004.0000_2bd39706d04e72c8\CurseClient.exe
C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\Roxio\Roxio Burn\Roxio Burn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11e_ActiveX.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://xkcd.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe,
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
BHO: DeLorme Send To GPS: {fbaad182-3c7a-4bc4-a5e9-207b8e0f02fd} - C:\Program Files (x86)\DeLorme\SendToGPS\PNPluginForIE.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [Google Update] "C:\Users\Tad\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Aim] "C:\Program Files (x86)\AIM\aim.exe" /d locale=en-US
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11e_ActiveX.exe -update activex
mRun: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
mRun: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
mRunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
StartupFolder: C:\Users\Tad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip
StartupFolder: C:\Users\Tad\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\DELLDO~1.LNK - C:\Program Files (x86)\Dell\DellDock\DellDock.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\HPDIGI~1.LNK - C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files (x86)\PokerStars.NET\PokerStarsUpdate.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 4.2.2.5 209.18.47.61
TCP: Interfaces\{96815812-2295-458E-A2D8-2E07D80ACB77} : DhcpNameServer = 4.2.2.5 209.18.47.61
TCP: Interfaces\{96815812-2295-458E-A2D8-2E07D80ACB77}\262756E64616 : DhcpNameServer = 209.18.47.61 209.18.47.62 192.168.2.1
TCP: Interfaces\{96815812-2295-458E-A2D8-2E07D80ACB77}\5533034403 : DhcpNameServer = 192.168.1.1 71.242.0.12
TCP: Interfaces\{96815812-2295-458E-A2D8-2E07D80ACB77}\8686F6E6F62737 : DhcpNameServer = 207.181.101.4 207.181.101.5
TCP: Interfaces\{96815812-2295-458E-A2D8-2E07D80ACB77}\C696E6B6379737 : DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{B8E83BB9-4733-4E76-92E1-6FC0BC574343} : DhcpNameServer = 8.8.8.8 4.2.2.2 4.2.2.1
Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
BHO-X64: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO-X64: HP Print Enhancer - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO-X64: McAfee Phishing Filter - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
BHO-X64: DeLorme Send To GPS: {FBAAD182-3C7A-4BC4-A5E9-207B8E0F02FD} - C:\Program Files (x86)\DeLorme\SendToGPS\PNPluginForIE.dll
BHO-X64: PNBHO - No File
BHO-X64: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
BHO-X64: HP Smart BHO Class - No File
TB-X64: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
mRun-x64: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
mRun-x64: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
mRun-x64: [DellSupportCenter] "C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
mRunOnce-x64: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
IE-X64: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe
IE-X64: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files (x86)\PokerStars.NET\PokerStarsUpdate.exe
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Tad\AppData\Roaming\Mozilla\Firefox\Profiles\jax7j5wg.default\
FF - prefs.js: browser.startup.homepage - hxxp://xkcd.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~2\mcafee\msc\npMcSnFFPl.dll
FF - plugin: C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Tad\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AERTFilters;Andrea RT Filters Service;C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe [2010-5-11 98208]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 cvhsvc;Client Virtualization Handler;C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE [2012-1-4 822624]
R2 DockLoginService;Dock Login Service;C:\Program Files\Dell\DellDock\DockLogin.exe [2009-6-9 155648]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-3-21 366152]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;C:\Program Files (x86)\PostgreSQL\8.3\bin\pg_ctl.exe [2009-12-10 65536]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-7-14 1153368]
R2 sftlist;Application Virtualization Client;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-1 508776]
R2 TurboB;Turbo Boost UI Monitor driver;C:\Windows\system32\DRIVERS\TurboB.sys --> C:\Windows\system32\DRIVERS\TurboB.sys [?]
R2 UNS;Intel® Management & Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-7-9 2320920]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atipmdag.sys --> C:\Windows\system32\DRIVERS\atipmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\system32\DRIVERS\CtClsFlt.sys --> C:\Windows\system32\DRIVERS\CtClsFlt.sys [?]
R3 HECIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 Impcd;Impcd;C:\Windows\system32\DRIVERS\Impcd.sys --> C:\Windows\system32\DRIVERS\Impcd.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R3 Sftfs;Sftfs;C:\Windows\system32\DRIVERS\Sftfslh.sys --> C:\Windows\system32\DRIVERS\Sftfslh.sys [?]
R3 Sftplay;Sftplay;C:\Windows\system32\DRIVERS\Sftplaylh.sys --> C:\Windows\system32\DRIVERS\Sftplaylh.sys [?]
R3 Sftredir;Sftredir;C:\Windows\system32\DRIVERS\Sftredirlh.sys --> C:\Windows\system32\DRIVERS\Sftredirlh.sys [?]
R3 Sftvol;Sftvol;C:\Windows\system32\DRIVERS\Sftvollh.sys --> C:\Windows\system32\DRIVERS\Sftvollh.sys [?]
R3 sftvsa;Application Virtualization Service Agent;C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-1 219496]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RtsUStor.sys --> C:\Windows\system32\Drivers\RtsUStor.sys [?]
S3 TurboBoost;TurboBoost;C:\Program Files\Intel\TurboBoost\TurboBoost.exe [2009-11-2 126352]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-03-21 21:54:23 20480 ----a-w- C:\Windows\svchost.exe
2012-03-21 20:36:50 -------- d-----w- C:\ComboFix
2012-03-21 19:03:28 -------- d-----w- C:\Users\Tad\AppData\Roaming\SUPERAntiSpyware.com
2012-03-21 19:02:55 -------- d-----w- C:\ProgramData\SUPERAntiSpyware.com
2012-03-21 19:02:55 -------- d-----w- C:\Program Files\SUPERAntiSpyware
2012-03-21 09:00:22 -------- d-----w- C:\Users\Tad\AppData\Roaming\QuickScan
2012-03-21 06:08:21 5120 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\8125.tmp
2012-03-21 06:08:21 5120 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\80D6.tmp
.
==================== Find3M ====================
.
2012-01-14 04:02:25 3143168 ----a-w- C:\Windows\System32\win32k.sys
2012-01-11 06:50:26 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-04 09:58:13 509952 ----a-w- C:\Windows\System32\ntshrui.dll
2012-01-04 09:03:07 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
2012-01-03 06:24:52 515584 ----a-w- C:\Windows\System32\timedate.cpl
2012-01-03 05:44:24 478208 ----a-w- C:\Windows\SysWow64\timedate.cpl
2011-12-28 03:59:11 499200 ----a-w- C:\Windows\System32\drivers\afd.sys
.
============= FINISH: 18:36:34.49 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:11 AM

Posted 22 March 2012 - 02:46 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

1.Do not run any other tool untill instructed to do so!
doing so will only at best cause you unneeded worry as it finds our backups and may even list our tools
and at worst can cause conficts with our tools and lead to unforseen things to happen2.Please Do not Attach logs or put in code boxes.
besides the time it takes me to open the reports it makes it harder to find something if I need to go back to do more research and putting them in code boxes just makes them so hard to read3. After each step give me a little feedback
It does not need to be long but just something so I know how things are going it can be something like
I am still getting redirected
The computer is running as it should
Don't put things like - it is the same as before or still the same this just makes me go back and look for you last feedback as to how things are4. read every post completely before doing anything
Pay special attention to the Notes** I have put in
These are things I have found that happen allot and can be taken care of easily just by reading the Notes**

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


Backup any files that cannot be replaced

If you have not done it yet spend a few minutes to backup any files that cannot be replaced. Removing malware can be unpredictable and this may save you and me allot of grief later.

You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

you may want to backup the whole harddrive there is some good info in the Preparation Guide on how to make full backups and how to restore it back if something goes wrong. Read the tutorial and print it out so you will know what to do in case the unforeseen happens.

When you have the files backed up you may do the following.


Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 flatrate1

flatrate1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:11 AM

Posted 23 March 2012 - 12:21 AM

Thank you for the speedy reply. However I cannot run Combofix. When I run Combofix under normal windows conditions it initiates, and begins its normal 'boot' process about half way then causes a blue screen of death (this is before the command window opens). This has happened all three times I tried running it. So I booted to Safe Mode and tried running it there. It boots and goes through all the steps. It got through step 50, THEN it blue screened. I did close spybot and malwarebytes before running combofix and I don't think I have any other spyware/antivirus running

In addition to this my computer has randomly turned off or rebooted three times in the last 24 hours. Once it was in sleep mode and when I pressed the power button like normal to turn it on it instantly turned off. When I turned it back on it went to System Restore and spent 30 minutes in system restore before booting to windows.

Internet explorer seems to have upgraded to a new version without my doing so during one of these reboots.

Just now after the blue screen in safe mode during combofix I have rebooted to normal mode and am getting a series of Spybot registry change notifications coming up. If I Deny changes they cycle immediately right back through the list requesting me to change them again. They are:
Winlogon - Value Changed - UserInit- UserInit.exe
Winlogon - Value deleted - Shell - explorer.exe
Winlogon - Value deleted - TaskMan
Winlogon - Value deleted - System
Winlogon - Value deleted - DefaultUserName
Disable command - Value added - DisableCMD

No idea if these are related to the BlueScreen during combofix or not.

I also get a popup on startup that Catalyst Control center has crashed, a registry request to update flashplayerinstaller, and a request to update Java. Regardless of the choice I make yes/no on these popups nothing seems to change and they come back on startup next time.

Thanks for any help you can give!

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:11 AM

Posted 23 March 2012 - 12:28 AM

Greetings

as we are trying to change things on the computer why would you deny the changes?

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 flatrate1

flatrate1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:11 AM

Posted 23 March 2012 - 02:34 AM

Greetings

as we are trying to change things on the computer why would you deny the changes?please reply with the reports from TDSSKiller and aswMBR

Gringo


Hehe, when you put it that way I guess denying the changes can seem silly. I had just though that since Combofix had not completed that any registry changes were more likely from the virus than anything else. However I was still able to accept the changes so I allowed all the changes to go through. I then ran TDSkiller and awsMBR with no issues. Below are the logs:

02:08:24.0226 4492 TDSS rootkit removing tool 2.7.22.0 Mar 21 2012 17:40:00
02:08:24.0522 4492 ============================================================
02:08:24.0522 4492 Current date / time: 2012/03/23 02:08:24.0522
02:08:24.0522 4492 SystemInfo:
02:08:24.0522 4492
02:08:24.0522 4492 OS Version: 6.1.7600 ServicePack: 0.0
02:08:24.0522 4492 Product type: Workstation
02:08:24.0522 4492 ComputerName: TAD-PC
02:08:24.0522 4492 UserName: Tad
02:08:24.0522 4492 Windows directory: C:\Windows
02:08:24.0522 4492 System windows directory: C:\Windows
02:08:24.0522 4492 Running under WOW64
02:08:24.0522 4492 Processor architecture: Intel x64
02:08:24.0522 4492 Number of processors: 4
02:08:24.0522 4492 Page size: 0x1000
02:08:24.0522 4492 Boot type: Normal boot
02:08:24.0522 4492 ============================================================
02:08:25.0957 4492 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
02:08:25.0957 4492 \Device\Harddisk0\DR0:
02:08:25.0957 4492 MBR used
02:08:25.0957 4492 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x1D4C000
02:08:25.0957 4492 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1D7E800, BlocksNum 0x38607030
02:08:25.0989 4492 Initialize success
02:08:25.0989 4492 ============================================================
02:08:48.0468 3972 ============================================================
02:08:48.0468 3972 Scan started
02:08:48.0468 3972 Mode: Manual;
02:08:48.0468 3972 ============================================================
02:08:49.0420 3972 1394ohci (69aa89a20dee08bfa650aab6ce37bd10) C:\Windows\system32\DRIVERS\1394ohci.sys
02:08:49.0420 3972 1394ohci - ok
02:08:49.0529 3972 ACPI (6f11e88748cdefd2f76aa215f97ddfe5) C:\Windows\system32\DRIVERS\ACPI.sys
02:08:49.0545 3972 ACPI - ok
02:08:49.0638 3972 AcpiPmi (63b05a0420ce4bf0e4af6dcc7cada254) C:\Windows\system32\DRIVERS\acpipmi.sys
02:08:49.0638 3972 AcpiPmi - ok
02:08:49.0763 3972 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
02:08:49.0763 3972 adp94xx - ok
02:08:49.0903 3972 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
02:08:49.0903 3972 adpahci - ok
02:08:50.0013 3972 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
02:08:50.0013 3972 adpu320 - ok
02:08:50.0091 3972 AeLookupSvc (4b78b431f225fd8624c5655cb1de7b61) C:\Windows\System32\aelupsvc.dll
02:08:50.0091 3972 AeLookupSvc - ok
02:08:50.0153 3972 AERTFilters (d1e343bc00136ce03c4d403194d06a80) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
02:08:50.0169 3972 AERTFilters - ok
02:08:50.0309 3972 AFD (db9d6c6b2cd95a9ca414d045b627422e) C:\Windows\system32\drivers\afd.sys
02:08:50.0325 3972 AFD - ok
02:08:50.0434 3972 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\DRIVERS\agp440.sys
02:08:50.0434 3972 agp440 - ok
02:08:50.0543 3972 ALG (3290d6946b5e30e70414990574883ddb) C:\Windows\System32\alg.exe
02:08:50.0543 3972 ALG - ok
02:08:50.0652 3972 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\DRIVERS\aliide.sys
02:08:50.0652 3972 aliide - ok
02:08:50.0746 3972 AMD External Events Utility (3d90cf67db75823a8480e56bbcd2e028) C:\Windows\system32\atiesrxx.exe
02:08:50.0761 3972 AMD External Events Utility - ok
02:08:50.0808 3972 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\DRIVERS\amdide.sys
02:08:50.0808 3972 amdide - ok
02:08:50.0902 3972 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys
02:08:50.0902 3972 AmdK8 - ok
02:08:51.0183 3972 amdkmdag (52679612d742bf74ca1ba6ab86ddf431) C:\Windows\system32\DRIVERS\atipmdag.sys
02:08:51.0354 3972 amdkmdag - ok
02:08:51.0448 3972 amdkmdap (414e0788920a8c856032be2cbf29f984) C:\Windows\system32\DRIVERS\atikmpag.sys
02:08:51.0448 3972 amdkmdap - ok
02:08:51.0557 3972 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
02:08:51.0557 3972 AmdPPM - ok
02:08:51.0682 3972 amdsata (ec7ebab00a4d8448bab68d1e49b4beb9) C:\Windows\system32\drivers\amdsata.sys
02:08:51.0682 3972 amdsata - ok
02:08:51.0791 3972 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys
02:08:51.0791 3972 amdsbs - ok
02:08:51.0916 3972 amdxata (db27766102c7bf7e95140a2aa81d042e) C:\Windows\system32\drivers\amdxata.sys
02:08:51.0916 3972 amdxata - ok
02:08:52.0025 3972 ApfiltrService (7142aa0dbcd3a4960f01799309a737ff) C:\Windows\system32\DRIVERS\Apfiltr.sys
02:08:52.0025 3972 ApfiltrService - ok
02:08:52.0134 3972 AppID (42fd751b27fa0e9c69bb39f39e409594) C:\Windows\system32\drivers\appid.sys
02:08:52.0134 3972 AppID - ok
02:08:52.0259 3972 AppIDSvc (0bc381a15355a3982216f7172f545de1) C:\Windows\System32\appidsvc.dll
02:08:52.0259 3972 AppIDSvc - ok
02:08:52.0384 3972 Appinfo (d065be66822847b7f127d1f90158376e) C:\Windows\System32\appinfo.dll
02:08:52.0384 3972 Appinfo - ok
02:08:52.0571 3972 Apple Mobile Device (20f6f19fe9e753f2780dc2fa083ad597) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
02:08:52.0571 3972 Apple Mobile Device - ok
02:08:52.0711 3972 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys
02:08:52.0711 3972 arc - ok
02:08:52.0805 3972 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys
02:08:52.0821 3972 arcsas - ok
02:08:52.0914 3972 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
02:08:52.0914 3972 AsyncMac - ok
02:08:52.0992 3972 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\DRIVERS\atapi.sys
02:08:52.0992 3972 atapi - ok
02:08:53.0101 3972 AtiHdmiService (fb7602c5c508be281368aae0b61b51c6) C:\Windows\system32\drivers\AtiHdmi.sys
02:08:53.0101 3972 AtiHdmiService - ok
02:08:53.0226 3972 AudioEndpointBuilder (07721a77180edd4d39ccb865bf63c7fd) C:\Windows\System32\Audiosrv.dll
02:08:53.0226 3972 AudioEndpointBuilder - ok
02:08:53.0242 3972 AudioSrv (07721a77180edd4d39ccb865bf63c7fd) C:\Windows\System32\Audiosrv.dll
02:08:53.0257 3972 AudioSrv - ok
02:08:53.0351 3972 AxInstSV (b20b5fa5ca050e9926e4d1db81501b32) C:\Windows\System32\AxInstSV.dll
02:08:53.0351 3972 AxInstSV - ok
02:08:53.0491 3972 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys
02:08:53.0491 3972 b06bdrv - ok
02:08:53.0616 3972 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
02:08:53.0616 3972 b57nd60a - ok
02:08:53.0725 3972 BCM42RLY (e001dd475a7c27ebe5a0db45c11bad71) C:\Windows\system32\drivers\BCM42RLY.sys
02:08:53.0725 3972 BCM42RLY - ok
02:08:53.0913 3972 BCM43XX (37394d3553e220fb732c21e217e1bd8b) C:\Windows\system32\DRIVERS\bcmwl664.sys
02:08:53.0959 3972 BCM43XX - ok
02:08:54.0069 3972 BDESVC (fde360167101b4e45a96f939f388aeb0) C:\Windows\System32\bdesvc.dll
02:08:54.0084 3972 BDESVC - ok
02:08:54.0193 3972 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
02:08:54.0193 3972 Beep - ok
02:08:54.0334 3972 BFE (4992c609a6315671463e30f6512bc022) C:\Windows\System32\bfe.dll
02:08:54.0349 3972 BFE - ok
02:08:54.0443 3972 BITS (7f0c323fe3da28aa4aa1bda3f575707f) C:\Windows\System32\qmgr.dll
02:08:54.0459 3972 BITS - ok
02:08:54.0568 3972 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
02:08:54.0568 3972 blbdrive - ok
02:08:54.0661 3972 Bonjour Service (f832f1505ad8b83474bd9a5b1b985e01) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
02:08:54.0677 3972 Bonjour Service - ok
02:08:54.0786 3972 bowser (19d20159708e152267e53b66677a4995) C:\Windows\system32\DRIVERS\bowser.sys
02:08:54.0786 3972 bowser - ok
02:08:54.0895 3972 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys
02:08:54.0895 3972 BrFiltLo - ok
02:08:54.0973 3972 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys
02:08:54.0973 3972 BrFiltUp - ok
02:08:55.0098 3972 BridgeMP (5c2f352a4e961d72518261257aae204b) C:\Windows\system32\DRIVERS\bridge.sys
02:08:55.0098 3972 BridgeMP - ok
02:08:55.0223 3972 Browser (94fbc06f294d58d02361918418f996e3) C:\Windows\System32\browser.dll
02:08:55.0223 3972 Browser - ok
02:08:55.0348 3972 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
02:08:55.0348 3972 Brserid - ok
02:08:55.0473 3972 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
02:08:55.0488 3972 BrSerWdm - ok
02:08:55.0582 3972 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
02:08:55.0582 3972 BrUsbMdm - ok
02:08:55.0691 3972 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
02:08:55.0691 3972 BrUsbSer - ok
02:08:55.0800 3972 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys
02:08:55.0800 3972 BTHMODEM - ok
02:08:55.0847 3972 bthserv (95f9c2976059462cbbf227f7aab10de9) C:\Windows\system32\bthserv.dll
02:08:55.0847 3972 bthserv - ok
02:08:55.0956 3972 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
02:08:55.0956 3972 cdfs - ok
02:08:56.0081 3972 cdrom (83d2d75e1efb81b3450c18131443f7db) C:\Windows\system32\DRIVERS\cdrom.sys
02:08:56.0081 3972 cdrom - ok
02:08:56.0206 3972 CertPropSvc (312e2f82af11e79906898ac3e3d58a1f) C:\Windows\System32\certprop.dll
02:08:56.0206 3972 CertPropSvc - ok
02:08:56.0315 3972 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys
02:08:56.0315 3972 circlass - ok
02:08:56.0424 3972 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
02:08:56.0424 3972 CLFS - ok
02:08:56.0565 3972 clr_optimization_v2.0.50727_32 (d88040f816fda31c3b466f0fa0918f29) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
02:08:56.0565 3972 clr_optimization_v2.0.50727_32 - ok
02:08:56.0627 3972 clr_optimization_v2.0.50727_64 (d1ceea2b47cb998321c579651ce3e4f8) C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
02:08:56.0627 3972 clr_optimization_v2.0.50727_64 - ok
02:08:56.0814 3972 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
02:08:56.0861 3972 clr_optimization_v4.0.30319_32 - ok
02:08:57.0033 3972 clr_optimization_v4.0.30319_64 (c6f9af94dcd58122a4d7e89db6bed29d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
02:08:57.0033 3972 clr_optimization_v4.0.30319_64 - ok
02:08:57.0142 3972 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
02:08:57.0142 3972 CmBatt - ok
02:08:57.0329 3972 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\DRIVERS\cmdide.sys
02:08:57.0345 3972 cmdide - ok
02:08:57.0610 3972 CNG (937beb186a735aca91d717044a49d17e) C:\Windows\system32\Drivers\cng.sys
02:08:57.0610 3972 CNG - ok
02:08:57.0719 3972 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
02:08:57.0719 3972 Compbatt - ok
02:08:57.0813 3972 CompositeBus (f26b3a86f6fa87ca360b879581ab4123) C:\Windows\system32\DRIVERS\CompositeBus.sys
02:08:57.0813 3972 CompositeBus - ok
02:08:57.0906 3972 COMSysApp - ok
02:08:57.0953 3972 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys
02:08:57.0953 3972 crcdisk - ok
02:08:58.0047 3972 CryptSvc (8c57411b66282c01533cb776f98ad384) C:\Windows\system32\cryptsvc.dll
02:08:58.0047 3972 CryptSvc - ok
02:08:58.0171 3972 CtClsFlt (ed5cf92396a62f4c15110dcdb5e854d9) C:\Windows\system32\DRIVERS\CtClsFlt.sys
02:08:58.0171 3972 CtClsFlt - ok
02:08:58.0296 3972 cvhsvc (72794d112cbaff3bc0c29bf7350d4741) C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
02:08:58.0312 3972 cvhsvc - ok
02:08:58.0421 3972 DcomLaunch (7266972e86890e2b30c0c322e906b027) C:\Windows\system32\rpcss.dll
02:08:58.0437 3972 DcomLaunch - ok
02:08:58.0515 3972 defragsvc (3cec7631a84943677aa8fa8ee5b6b43d) C:\Windows\System32\defragsvc.dll
02:08:58.0530 3972 defragsvc - ok
02:08:58.0655 3972 DfsC (9c253ce7311ca60fc11c774692a13208) C:\Windows\system32\Drivers\dfsc.sys
02:08:58.0655 3972 DfsC - ok
02:08:58.0764 3972 Dhcp (ce3b9562d997f69b330d181a8875960f) C:\Windows\system32\dhcpcore.dll
02:08:58.0764 3972 Dhcp - ok
02:08:58.0842 3972 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
02:08:58.0858 3972 discache - ok
02:08:58.0983 3972 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\DRIVERS\disk.sys
02:08:58.0983 3972 Disk - ok
02:08:59.0076 3972 Dnscache (85cf424c74a1d5ec33533e1dbff9920a) C:\Windows\System32\dnsrslvr.dll
02:08:59.0076 3972 Dnscache - ok
02:08:59.0185 3972 DockLoginService (0840abbbdf438691ee65a20040635cbe) C:\Program Files\Dell\DellDock\DockLogin.exe
02:08:59.0185 3972 DockLoginService - ok
02:08:59.0248 3972 dot3svc (14452acdb09b70964c8c21bf80a13acb) C:\Windows\System32\dot3svc.dll
02:08:59.0263 3972 dot3svc - ok
02:08:59.0435 3972 Dot4 (b42ed0320c6e41102fde0005154849bb) C:\Windows\system32\DRIVERS\Dot4.sys
02:08:59.0435 3972 Dot4 - ok
02:08:59.0591 3972 Dot4Print (85135ad27e79b689335c08167d917cde) C:\Windows\system32\DRIVERS\Dot4Prt.sys
02:08:59.0607 3972 Dot4Print - ok
02:08:59.0716 3972 dot4usb (fd05a02b0370bc3000f402e543ca5814) C:\Windows\system32\DRIVERS\dot4usb.sys
02:08:59.0716 3972 dot4usb - ok
02:08:59.0794 3972 DPS (8c2ba6bea949ee6e68385f5692bafb94) C:\Windows\system32\dps.dll
02:08:59.0794 3972 DPS - ok
02:08:59.0887 3972 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
02:08:59.0887 3972 drmkaud - ok
02:08:59.0997 3972 DXGKrnl (1633b9abf52784a1331476397a48cbef) C:\Windows\System32\drivers\dxgkrnl.sys
02:09:00.0012 3972 DXGKrnl - ok
02:09:00.0121 3972 EapHost (e2dda8726da9cb5b2c4000c9018a9633) C:\Windows\System32\eapsvc.dll
02:09:00.0121 3972 EapHost - ok
02:09:00.0215 3972 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\DRIVERS\evbda.sys
02:09:00.0277 3972 ebdrv - ok
02:09:00.0387 3972 EFS (156f6159457d0aa7e59b62681b56eb90) C:\Windows\System32\lsass.exe
02:09:00.0387 3972 EFS - ok
02:09:00.0527 3972 ehRecvr (47c071994c3f649f23d9cd075ac9304a) C:\Windows\ehome\ehRecvr.exe
02:09:00.0527 3972 ehRecvr - ok
02:09:00.0558 3972 ehSched (4705e8ef9934482c5bb488ce28afc681) C:\Windows\ehome\ehsched.exe
02:09:00.0574 3972 ehSched - ok
02:09:00.0714 3972 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\DRIVERS\elxstor.sys
02:09:00.0714 3972 elxstor - ok
02:09:00.0792 3972 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\DRIVERS\errdev.sys
02:09:00.0792 3972 ErrDev - ok
02:09:00.0901 3972 EventSystem (4166f82be4d24938977dd1746be9b8a0) C:\Windows\system32\es.dll
02:09:00.0917 3972 EventSystem - ok
02:09:01.0026 3972 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
02:09:01.0026 3972 exfat - ok
02:09:01.0120 3972 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
02:09:01.0120 3972 fastfat - ok
02:09:01.0245 3972 Fax (d607b2f1bee3992aa6c2c92c0a2f0855) C:\Windows\system32\fxssvc.exe
02:09:01.0260 3972 Fax - ok
02:09:01.0338 3972 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\DRIVERS\fdc.sys
02:09:01.0338 3972 fdc - ok
02:09:01.0416 3972 fdPHost (0438cab2e03f4fb61455a7956026fe86) C:\Windows\system32\fdPHost.dll
02:09:01.0416 3972 fdPHost - ok
02:09:01.0432 3972 FDResPub (802496cb59a30349f9a6dd22d6947644) C:\Windows\system32\fdrespub.dll
02:09:01.0432 3972 FDResPub - ok
02:09:01.0541 3972 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
02:09:01.0541 3972 FileInfo - ok
02:09:01.0635 3972 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
02:09:01.0635 3972 Filetrace - ok
02:09:01.0713 3972 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\DRIVERS\flpydisk.sys
02:09:01.0713 3972 flpydisk - ok
02:09:01.0806 3972 FltMgr (f7866af72abbaf84b1fa5aa195378c59) C:\Windows\system32\drivers\fltmgr.sys
02:09:01.0822 3972 FltMgr - ok
02:09:01.0931 3972 FontCache (cb5e4b9c319e3c6bb363eb7e58a4a051) C:\Windows\system32\FntCache.dll
02:09:01.0947 3972 FontCache - ok
02:09:02.0056 3972 FontCache3.0.0.0 (8d89e3131c27fdd6932189cb785e1b7a) C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
02:09:02.0056 3972 FontCache3.0.0.0 - ok
02:09:02.0134 3972 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
02:09:02.0134 3972 FsDepends - ok
02:09:02.0259 3972 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys
02:09:02.0259 3972 Fs_Rec - ok
02:09:02.0383 3972 fvevol (ae87ba80d0ec3b57126ed2cdc15b24ed) C:\Windows\system32\DRIVERS\fvevol.sys
02:09:02.0383 3972 fvevol - ok
02:09:02.0493 3972 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\DRIVERS\gagp30kx.sys
02:09:02.0493 3972 gagp30kx - ok
02:09:02.0851 3972 GameConsoleService (1fda0df739234c4023851a282dd28704) C:\Program Files (x86)\WildTangent\Dell Games\Dell Game Console\GameConsoleService.exe
02:09:02.0867 3972 GameConsoleService - ok
02:09:03.0070 3972 GEARAspiWDM (e403aacf8c7bb11375122d2464560311) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
02:09:03.0085 3972 GEARAspiWDM - ok
02:09:03.0117 3972 GoToAssist (d3316f6e3c011435f36e3d6e49b3196c) C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe
02:09:03.0117 3972 GoToAssist - ok
02:09:03.0241 3972 gpsvc (fe5ab4525bc2ec68b9119a6e5d40128b) C:\Windows\System32\gpsvc.dll
02:09:03.0257 3972 gpsvc - ok
02:09:03.0366 3972 grmnusb (2ed7ff3e1ada4092632393781518b3a7) C:\Windows\system32\drivers\grmnusb.sys
02:09:03.0366 3972 grmnusb - ok
02:09:03.0460 3972 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
02:09:03.0460 3972 hcw85cir - ok
02:09:03.0585 3972 HDAudBus (0a49913402747a0b67de940fb42cbdbb) C:\Windows\system32\DRIVERS\HDAudBus.sys
02:09:03.0585 3972 HDAudBus - ok
02:09:03.0678 3972 HECIx64 (b6ac71aaa2b10848f57fc49d55a651af) C:\Windows\system32\DRIVERS\HECIx64.sys
02:09:03.0678 3972 HECIx64 - ok
02:09:03.0772 3972 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\DRIVERS\HidBatt.sys
02:09:03.0772 3972 HidBatt - ok
02:09:03.0865 3972 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\DRIVERS\hidbth.sys
02:09:03.0881 3972 HidBth - ok
02:09:03.0990 3972 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\DRIVERS\hidir.sys
02:09:03.0990 3972 HidIr - ok
02:09:04.0068 3972 hidserv (bd9eb3958f213f96b97b1d897dee006d) C:\Windows\System32\hidserv.dll
02:09:04.0068 3972 hidserv - ok
02:09:04.0177 3972 HidUsb (b3bf6b5b50006def50b66306d99fcf6f) C:\Windows\system32\DRIVERS\hidusb.sys
02:09:04.0177 3972 HidUsb - ok
02:09:04.0240 3972 hkmsvc (efa58ede58dd74388ffd04cb32681518) C:\Windows\system32\kmsvc.dll
02:09:04.0240 3972 hkmsvc - ok
02:09:04.0255 3972 HomeGroupListener (046b2673767ca626e2cfb7fdf735e9e8) C:\Windows\system32\ListSvc.dll
02:09:04.0271 3972 HomeGroupListener - ok
02:09:04.0333 3972 HomeGroupProvider (06a7422224d9865a5613710a089987df) C:\Windows\system32\provsvc.dll
02:09:04.0333 3972 HomeGroupProvider - ok
02:09:04.0521 3972 hpqcxs08 (1dae5c46d42b02a6d5862e1482efb390) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll
02:09:04.0521 3972 hpqcxs08 - ok
02:09:04.0677 3972 hpqddsvc (99e8eef42fe2f4af29b08c3355dd7685) C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll
02:09:04.0677 3972 hpqddsvc - ok
02:09:04.0817 3972 HpSAMD (0886d440058f203eba0e1825e4355914) C:\Windows\system32\DRIVERS\HpSAMD.sys
02:09:04.0817 3972 HpSAMD - ok
02:09:04.0942 3972 HTTP (cee049cac4efa7f4e1e4ad014414a5d4) C:\Windows\system32\drivers\HTTP.sys
02:09:04.0942 3972 HTTP - ok
02:09:05.0051 3972 hwpolicy (f17766a19145f111856378df337a5d79) C:\Windows\system32\drivers\hwpolicy.sys
02:09:05.0067 3972 hwpolicy - ok
02:09:05.0176 3972 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\DRIVERS\i8042prt.sys
02:09:05.0176 3972 i8042prt - ok
02:09:05.0285 3972 iaStorV (b75e45c564e944a2657167d197ab29da) C:\Windows\system32\drivers\iaStorV.sys
02:09:05.0301 3972 iaStorV - ok
02:09:05.0410 3972 idsvc (2f2be70d3e02b6fa877921ab9516d43c) C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
02:09:05.0425 3972 idsvc - ok
02:09:05.0535 3972 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\DRIVERS\iirsp.sys
02:09:05.0535 3972 iirsp - ok
02:09:05.0613 3972 IKEEXT (c5b4683680df085b57bc53e5ef34861f) C:\Windows\System32\ikeext.dll
02:09:05.0628 3972 IKEEXT - ok
02:09:05.0706 3972 Impcd (36fdf367a1dabff903e2214023d71368) C:\Windows\system32\DRIVERS\Impcd.sys
02:09:05.0706 3972 Impcd - ok
02:09:05.0847 3972 IntcAzAudAddService (697c927e0de2abaf1a5f455033f687cd) C:\Windows\system32\drivers\RTKVHD64.sys
02:09:05.0878 3972 IntcAzAudAddService - ok
02:09:05.0956 3972 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\DRIVERS\intelide.sys
02:09:05.0956 3972 intelide - ok
02:09:06.0049 3972 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys
02:09:06.0049 3972 intelppm - ok
02:09:06.0112 3972 IPBusEnum (098a91c54546a3b878dad6a7e90a455b) C:\Windows\system32\ipbusenum.dll
02:09:06.0127 3972 IPBusEnum - ok
02:09:06.0237 3972 IpFilterDriver (722dd294df62483cecaae6e094b4d695) C:\Windows\system32\DRIVERS\ipfltdrv.sys
02:09:06.0237 3972 IpFilterDriver - ok
02:09:06.0346 3972 iphlpsvc (f8e058d17363ec580e4b7232778b6cb5) C:\Windows\System32\iphlpsvc.dll
02:09:06.0346 3972 iphlpsvc - ok
02:09:06.0439 3972 IPMIDRV (e2b4a4494db7cb9b89b55ca268c337c5) C:\Windows\system32\DRIVERS\IPMIDrv.sys
02:09:06.0439 3972 IPMIDRV - ok
02:09:06.0533 3972 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
02:09:06.0533 3972 IPNAT - ok
02:09:06.0673 3972 iPod Service (81826a13598a7feaa9e391190e9b539a) C:\Program Files\iPod\bin\iPodService.exe
02:09:06.0673 3972 iPod Service - ok
02:09:06.0783 3972 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
02:09:06.0783 3972 IRENUM - ok
02:09:06.0907 3972 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\DRIVERS\isapnp.sys
02:09:06.0907 3972 isapnp - ok
02:09:07.0079 3972 iScsiPrt (fa4d2557de56d45b0a346f93564be6e1) C:\Windows\system32\DRIVERS\msiscsi.sys
02:09:07.0079 3972 iScsiPrt - ok
02:09:07.0204 3972 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\DRIVERS\kbdclass.sys
02:09:07.0204 3972 kbdclass - ok
02:09:07.0407 3972 kbdhid (6def98f8541e1b5dceb2c822a11f7323) C:\Windows\system32\DRIVERS\kbdhid.sys
02:09:07.0407 3972 kbdhid - ok
02:09:07.0532 3972 KeyIso (156f6159457d0aa7e59b62681b56eb90) C:\Windows\system32\lsass.exe
02:09:07.0532 3972 KeyIso - ok
02:09:07.0610 3972 KSecDD (16c1b906fc5ead84769f90b736b6bf0e) C:\Windows\system32\Drivers\ksecdd.sys
02:09:07.0625 3972 KSecDD - ok
02:09:07.0812 3972 KSecPkg (0b711550c56444879d71c7daabda6c83) C:\Windows\system32\Drivers\ksecpkg.sys
02:09:07.0828 3972 KSecPkg - ok
02:09:07.0968 3972 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
02:09:07.0968 3972 ksthunk - ok
02:09:08.0046 3972 KtmRm (6ab66e16aa859232f64deb66887a8c9c) C:\Windows\system32\msdtckrm.dll
02:09:08.0062 3972 KtmRm - ok
02:09:08.0171 3972 LanmanServer (81f1d04d4d0e433099365127375fd501) C:\Windows\System32\srvsvc.dll
02:09:08.0187 3972 LanmanServer - ok
02:09:08.0296 3972 LanmanWorkstation (27026eac8818e8a6c00a1cad2f11d29a) C:\Windows\System32\wkssvc.dll
02:09:08.0296 3972 LanmanWorkstation - ok
02:09:08.0499 3972 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
02:09:08.0499 3972 lltdio - ok
02:09:08.0577 3972 lltdsvc (c1185803384ab3feed115f79f109427f) C:\Windows\System32\lltdsvc.dll
02:09:08.0577 3972 lltdsvc - ok
02:09:08.0686 3972 lmhosts (f993a32249b66c9d622ea5592a8b76b8) C:\Windows\System32\lmhsvc.dll
02:09:08.0686 3972 lmhosts - ok
02:09:08.0873 3972 LMS (7485fbcef9136f530953575e2977859d) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
02:09:08.0873 3972 LMS - ok
02:09:08.0998 3972 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\DRIVERS\lsi_fc.sys
02:09:08.0998 3972 LSI_FC - ok
02:09:09.0107 3972 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\DRIVERS\lsi_sas.sys
02:09:09.0107 3972 LSI_SAS - ok
02:09:09.0326 3972 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\DRIVERS\lsi_sas2.sys
02:09:09.0326 3972 LSI_SAS2 - ok
02:09:09.0450 3972 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\DRIVERS\lsi_scsi.sys
02:09:09.0450 3972 LSI_SCSI - ok
02:09:09.0575 3972 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
02:09:09.0575 3972 luafv - ok
02:09:09.0778 3972 MBAMProtector (79da94b35371b9e7104460c7693dcb2c) C:\Windows\system32\drivers\mbam.sys
02:09:09.0778 3972 MBAMProtector - ok
02:09:09.0903 3972 MBAMService (94e920be59b9ab65d95e582dbaa136ac) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
02:09:09.0903 3972 MBAMService - ok
02:09:09.0981 3972 Mcx2Svc (f84c8f1000bc11e3b7b23cbd3baff111) C:\Windows\system32\Mcx2Svc.dll
02:09:09.0981 3972 Mcx2Svc - ok
02:09:10.0028 3972 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\DRIVERS\megasas.sys
02:09:10.0028 3972 megasas - ok
02:09:10.0137 3972 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\DRIVERS\MegaSR.sys
02:09:10.0152 3972 MegaSR - ok
02:09:10.0230 3972 MMCSS (e40e80d0304a73e8d269f7141d77250b) C:\Windows\system32\mmcss.dll
02:09:10.0230 3972 MMCSS - ok
02:09:10.0418 3972 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
02:09:10.0418 3972 Modem - ok
02:09:10.0527 3972 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
02:09:10.0527 3972 monitor - ok
02:09:10.0730 3972 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys
02:09:10.0730 3972 mouclass - ok
02:09:10.0854 3972 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
02:09:10.0854 3972 mouhid - ok
02:09:10.0979 3972 mountmgr (791af66c4d0e7c90a3646066386fb571) C:\Windows\system32\drivers\mountmgr.sys
02:09:10.0979 3972 mountmgr - ok
02:09:11.0073 3972 mpio (609d1d87649ecc19796f4d76d4c15cea) C:\Windows\system32\DRIVERS\mpio.sys
02:09:11.0073 3972 mpio - ok
02:09:11.0166 3972 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
02:09:11.0166 3972 mpsdrv - ok
02:09:11.0260 3972 MpsSvc (aecab449567d1846dad63ece49e893e3) C:\Windows\system32\mpssvc.dll
02:09:11.0276 3972 MpsSvc - ok
02:09:11.0354 3972 MRxDAV (30524261bb51d96d6fcbac20c810183c) C:\Windows\system32\drivers\mrxdav.sys
02:09:11.0354 3972 MRxDAV - ok
02:09:11.0447 3972 mrxsmb (040d62a9d8ad28922632137acdd984f2) C:\Windows\system32\DRIVERS\mrxsmb.sys
02:09:11.0447 3972 mrxsmb - ok
02:09:11.0666 3972 mrxsmb10 (f0067552f8f9b33d7c59403ab808a3cb) C:\Windows\system32\DRIVERS\mrxsmb10.sys
02:09:11.0666 3972 mrxsmb10 - ok
02:09:11.0759 3972 mrxsmb20 (3c142d31de9f2f193218a53fe2632051) C:\Windows\system32\DRIVERS\mrxsmb20.sys
02:09:11.0759 3972 mrxsmb20 - ok
02:09:11.0822 3972 msahci (bccf16d5fb1109162380e3e28dc9e4e5) C:\Windows\system32\DRIVERS\msahci.sys
02:09:11.0822 3972 msahci - ok
02:09:11.0915 3972 msdsm (8d27b597229aed79430fb9db3bcbfbd0) C:\Windows\system32\DRIVERS\msdsm.sys
02:09:11.0915 3972 msdsm - ok
02:09:12.0009 3972 MSDTC (de0ece52236cfa3ed2dbfc03f28253a8) C:\Windows\System32\msdtc.exe
02:09:12.0009 3972 MSDTC - ok
02:09:12.0118 3972 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
02:09:12.0118 3972 Msfs - ok
02:09:12.0321 3972 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
02:09:12.0321 3972 mshidkmdf - ok
02:09:12.0492 3972 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\DRIVERS\msisadrv.sys
02:09:12.0492 3972 msisadrv - ok
02:09:12.0586 3972 MSiSCSI (808e98ff49b155c522e6400953177b08) C:\Windows\system32\iscsiexe.dll
02:09:12.0586 3972 MSiSCSI - ok
02:09:12.0602 3972 msiserver - ok
02:09:13.0085 3972 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
02:09:13.0085 3972 MSKSSRV - ok
02:09:13.0210 3972 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
02:09:13.0210 3972 MSPCLOCK - ok
02:09:13.0226 3972 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
02:09:13.0226 3972 MSPQM - ok
02:09:13.0319 3972 MsRPC (89cb141aa8616d8c6a4610fa26c60964) C:\Windows\system32\drivers\MsRPC.sys
02:09:13.0335 3972 MsRPC - ok
02:09:13.0413 3972 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\DRIVERS\mssmbios.sys
02:09:13.0413 3972 mssmbios - ok
02:09:13.0522 3972 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
02:09:13.0522 3972 MSTEE - ok
02:09:13.0974 3972 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys
02:09:14.0021 3972 MTConfig - ok
02:09:14.0099 3972 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
02:09:14.0099 3972 Mup - ok
02:09:14.0177 3972 napagent (4987e079a4530fa737a128be54b63b12) C:\Windows\system32\qagentRT.dll
02:09:14.0177 3972 napagent - ok
02:09:14.0583 3972 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
02:09:14.0583 3972 NativeWifiP - ok
02:09:14.0723 3972 NDIS (cad515dbd07d082bb317d9928ce8962c) C:\Windows\system32\drivers\ndis.sys
02:09:14.0739 3972 NDIS - ok
02:09:14.0848 3972 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
02:09:14.0848 3972 NdisCap - ok
02:09:14.0957 3972 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
02:09:14.0957 3972 NdisTapi - ok
02:09:15.0269 3972 Ndisuio (f105ba1e22bf1f2ee8f005d4305e4bec) C:\Windows\system32\DRIVERS\ndisuio.sys
02:09:15.0269 3972 Ndisuio - ok
02:09:15.0363 3972 NdisWan (557dfab9ca1fcb036ac77564c010dad3) C:\Windows\system32\DRIVERS\ndiswan.sys
02:09:15.0363 3972 NdisWan - ok
02:09:15.0378 3972 NDProxy (659b74fb74b86228d6338d643cd3e3cf) C:\Windows\system32\drivers\NDProxy.sys
02:09:15.0394 3972 NDProxy - ok
02:09:15.0503 3972 Net Driver HPZ12 (d5ac41ae382738483faffbd7e373d49a) C:\Windows\system32\HPZinw12.dll
02:09:15.0503 3972 Net Driver HPZ12 - ok
02:09:15.0612 3972 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
02:09:15.0612 3972 NetBIOS - ok
02:09:15.0706 3972 NetBT (9162b273a44ab9dce5b44362731d062a) C:\Windows\system32\DRIVERS\netbt.sys
02:09:15.0706 3972 NetBT - ok
02:09:15.0815 3972 Netlogon (156f6159457d0aa7e59b62681b56eb90) C:\Windows\system32\lsass.exe
02:09:15.0815 3972 Netlogon - ok
02:09:15.0909 3972 Netman (847d3ae376c0817161a14a82c8922a9e) C:\Windows\System32\netman.dll
02:09:15.0909 3972 Netman - ok
02:09:15.0987 3972 netprofm (5f28111c648f1e24f7dbc87cdeb091b8) C:\Windows\System32\netprofm.dll
02:09:16.0002 3972 netprofm - ok
02:09:16.0080 3972 NetTcpPortSharing (3e5a36127e201ddf663176b66828fafe) C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
02:09:16.0080 3972 NetTcpPortSharing - ok
02:09:16.0190 3972 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys
02:09:16.0190 3972 nfrd960 - ok
02:09:16.0283 3972 NlaSvc (d9a0ce66046d6efa0c61baa885cba0a8) C:\Windows\System32\nlasvc.dll
02:09:16.0299 3972 NlaSvc - ok
02:09:16.0361 3972 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
02:09:16.0361 3972 Npfs - ok
02:09:16.0408 3972 nsi (d54bfdf3e0c953f823b3d0bfe4732528) C:\Windows\system32\nsisvc.dll
02:09:16.0424 3972 nsi - ok
02:09:16.0548 3972 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
02:09:16.0548 3972 nsiproxy - ok
02:09:16.0673 3972 Ntfs (378e0e0dfea67d98ae6ea53adbbd76bc) C:\Windows\system32\drivers\Ntfs.sys
02:09:16.0704 3972 Ntfs - ok
02:09:16.0782 3972 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
02:09:16.0782 3972 Null - ok
02:09:16.0907 3972 nvraid (a4d9c9a608a97f59307c2f2600edc6a4) C:\Windows\system32\drivers\nvraid.sys
02:09:16.0907 3972 nvraid - ok
02:09:17.0001 3972 nvstor (6c1d5f70e7a6a3fd1c90d840edc048b9) C:\Windows\system32\drivers\nvstor.sys
02:09:17.0001 3972 nvstor - ok
02:09:17.0110 3972 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\DRIVERS\nv_agp.sys
02:09:17.0126 3972 nv_agp - ok
02:09:17.0204 3972 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\DRIVERS\ohci1394.sys
02:09:17.0204 3972 ohci1394 - ok
02:09:17.0375 3972 ose (9d10f99a6712e28f8acd5641e3a7ea6b) C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
02:09:17.0375 3972 ose - ok
02:09:17.0594 3972 osppsvc (61bffb5f57ad12f83ab64b7181829b34) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
02:09:17.0734 3972 osppsvc - ok
02:09:17.0828 3972 p2pimsvc (3eac4455472cc2c97107b5291e0dcafe) C:\Windows\system32\pnrpsvc.dll
02:09:17.0828 3972 p2pimsvc - ok
02:09:17.0843 3972 p2psvc (927463ecb02179f88e4b9a17568c63c3) C:\Windows\system32\p2psvc.dll
02:09:17.0859 3972 p2psvc - ok
02:09:17.0937 3972 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\DRIVERS\parport.sys
02:09:17.0952 3972 Parport - ok
02:09:18.0030 3972 partmgr (7daa117143316c4a1537e074a5a9eaf0) C:\Windows\system32\drivers\partmgr.sys
02:09:18.0030 3972 partmgr - ok
02:09:18.0108 3972 PcaSvc (3aeaa8b561e63452c655dc0584922257) C:\Windows\System32\pcasvc.dll
02:09:18.0124 3972 PcaSvc - ok
02:09:18.0155 3972 pci (f36f6504009f2fb0dfd1b17a116ad74b) C:\Windows\system32\DRIVERS\pci.sys
02:09:18.0171 3972 pci - ok
02:09:18.0233 3972 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\DRIVERS\pciide.sys
02:09:18.0233 3972 pciide - ok
02:09:18.0280 3972 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\DRIVERS\pcmcia.sys
02:09:18.0280 3972 pcmcia - ok
02:09:18.0374 3972 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
02:09:18.0389 3972 pcw - ok
02:09:18.0483 3972 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
02:09:18.0483 3972 PEAUTH - ok
02:09:18.0592 3972 PerfHost (e495e408c93141e8fc72dc0c6046ddfa) C:\Windows\SysWow64\perfhost.exe
02:09:18.0608 3972 PerfHost - ok
02:09:18.0795 3972 pgsql-8.3 (acc93675d78d1c07dad09d7837f2397a) C:\Program Files (x86)\PostgreSQL\8.3\bin\pg_ctl.exe
02:09:18.0795 3972 pgsql-8.3 - ok
02:09:18.0904 3972 pla (557e9a86f65f0de18c9b6751dfe9d3f1) C:\Windows\system32\pla.dll
02:09:18.0920 3972 pla - ok
02:09:19.0013 3972 PlugPlay (98b1721b8718164293b9701b98c52d77) C:\Windows\system32\umpnpmgr.dll
02:09:19.0013 3972 PlugPlay - ok
02:09:19.0200 3972 Pml Driver HPZ12 (37f6046cdc630442d7dc087501ff6fc6) C:\Windows\system32\HPZipm12.dll
02:09:19.0200 3972 Pml Driver HPZ12 - ok
02:09:19.0278 3972 PNRPAutoReg (7195581cec9bb7d12abe54036acc2e38) C:\Windows\system32\pnrpauto.dll
02:09:19.0278 3972 PNRPAutoReg - ok
02:09:19.0294 3972 PNRPsvc (3eac4455472cc2c97107b5291e0dcafe) C:\Windows\system32\pnrpsvc.dll
02:09:19.0310 3972 PNRPsvc - ok
02:09:19.0388 3972 PolicyAgent (166eb40d1f5b47e615de3d0fffe5f243) C:\Windows\System32\ipsecsvc.dll
02:09:19.0403 3972 PolicyAgent - ok
02:09:19.0481 3972 Power (6ba9d927dded70bd1a9caded45f8b184) C:\Windows\system32\umpo.dll
02:09:19.0481 3972 Power - ok
02:09:19.0575 3972 PptpMiniport (27cc19e81ba5e3403c48302127bda717) C:\Windows\system32\DRIVERS\raspptp.sys
02:09:19.0590 3972 PptpMiniport - ok
02:09:19.0668 3972 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\DRIVERS\processr.sys
02:09:19.0668 3972 Processor - ok
02:09:19.0746 3972 ProfSvc (f381975e1f4346de875cb07339ce8d3a) C:\Windows\system32\profsvc.dll
02:09:19.0762 3972 ProfSvc - ok
02:09:19.0856 3972 ProtectedStorage (156f6159457d0aa7e59b62681b56eb90) C:\Windows\system32\lsass.exe
02:09:19.0856 3972 ProtectedStorage - ok
02:09:19.0949 3972 Psched (ee992183bd8eaefd9973f352e587a299) C:\Windows\system32\DRIVERS\pacer.sys
02:09:19.0965 3972 Psched - ok
02:09:20.0043 3972 PxHlpa64 (4712cc14e720ecccc0aa16949d18aaf1) C:\Windows\system32\Drivers\PxHlpa64.sys
02:09:20.0043 3972 PxHlpa64 - ok
02:09:20.0168 3972 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\DRIVERS\ql2300.sys
02:09:20.0183 3972 ql2300 - ok
02:09:20.0277 3972 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\DRIVERS\ql40xx.sys
02:09:20.0277 3972 ql40xx - ok
02:09:20.0355 3972 QWAVE (906191634e99aea92c4816150bda3732) C:\Windows\system32\qwave.dll
02:09:20.0355 3972 QWAVE - ok
02:09:20.0464 3972 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
02:09:20.0464 3972 QWAVEdrv - ok
02:09:20.0542 3972 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
02:09:20.0542 3972 RasAcd - ok
02:09:20.0948 3972 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
02:09:20.0948 3972 RasAgileVpn - ok
02:09:21.0260 3972 RasAuto (8f26510c5383b8dbe976de1cd00fc8c7) C:\Windows\System32\rasauto.dll
02:09:21.0260 3972 RasAuto - ok
02:09:22.0367 3972 Rasl2tp (87a6e852a22991580d6d39adc4790463) C:\Windows\system32\DRIVERS\rasl2tp.sys
02:09:22.0367 3972 Rasl2tp - ok
02:09:22.0757 3972 RasMan (47394ed3d16d053f5906efe5ab51cc83) C:\Windows\System32\rasmans.dll
02:09:22.0757 3972 RasMan - ok
02:09:23.0132 3972 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
02:09:23.0147 3972 RasPppoe - ok
02:09:23.0537 3972 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
02:09:23.0553 3972 RasSstp - ok
02:09:23.0927 3972 rdbss (3bac8142102c15d59a87757c1d41dce5) C:\Windows\system32\DRIVERS\rdbss.sys
02:09:23.0943 3972 rdbss - ok
02:09:24.0083 3972 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys
02:09:24.0083 3972 rdpbus - ok
02:09:24.0286 3972 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
02:09:24.0302 3972 RDPCDD - ok
02:09:24.0380 3972 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
02:09:24.0380 3972 RDPENCDD - ok
02:09:24.0504 3972 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
02:09:24.0504 3972 RDPREFMP - ok
02:09:24.0598 3972 RDPWD (8a3e6bea1c53ea6177fe2b6eba2c80d7) C:\Windows\system32\drivers\RDPWD.sys
02:09:24.0598 3972 RDPWD - ok
02:09:24.0707 3972 rdyboost (634b9a2181d98f15941236886164ec8b) C:\Windows\system32\drivers\rdyboost.sys
02:09:24.0707 3972 rdyboost - ok
02:09:26.0018 3972 RemoteAccess (254fb7a22d74e5511c73a3f6d802f192) C:\Windows\System32\mprdim.dll
02:09:26.0018 3972 RemoteAccess - ok
02:09:26.0345 3972 RemoteRegistry (e4d94f24081440b5fc5aa556c7c62702) C:\Windows\system32\regsvc.dll
02:09:26.0345 3972 RemoteRegistry - ok
02:09:26.0454 3972 RpcEptMapper (e4dc58cf7b3ea515ae917ff0d402a7bb) C:\Windows\System32\RpcEpMap.dll
02:09:26.0454 3972 RpcEptMapper - ok
02:09:26.0751 3972 RpcLocator (d5ba242d4cf8e384db90e6a8ed850b8c) C:\Windows\system32\locator.exe
02:09:26.0751 3972 RpcLocator - ok
02:09:26.0844 3972 RpcSs (7266972e86890e2b30c0c322e906b027) C:\Windows\system32\rpcss.dll
02:09:26.0844 3972 RpcSs - ok
02:09:27.0032 3972 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
02:09:27.0047 3972 rspndr - ok
02:09:27.0234 3972 RSUSBSTOR (502b316947ea887cddd325d4745eb7d0) C:\Windows\system32\Drivers\RtsUStor.sys
02:09:27.0234 3972 RSUSBSTOR - ok
02:09:27.0344 3972 RTL8167 (3b01789ee4eaee97f5eb46b711387d5e) C:\Windows\system32\DRIVERS\Rt64win7.sys
02:09:27.0344 3972 RTL8167 - ok
02:09:27.0531 3972 SamSs (156f6159457d0aa7e59b62681b56eb90) C:\Windows\system32\lsass.exe
02:09:27.0531 3972 SamSs - ok
02:09:27.0734 3972 sbp2port (e3bbb89983daf5622c1d50cf49f28227) C:\Windows\system32\DRIVERS\sbp2port.sys
02:09:27.0734 3972 sbp2port - ok
02:09:27.0874 3972 SBSDWSCService (794d4b48dfb6e999537c7c3947863463) C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
02:09:27.0890 3972 SBSDWSCService - ok
02:09:28.0061 3972 SCardSvr (9b7395789e3791a3b6d000fe6f8b131e) C:\Windows\System32\SCardSvr.dll
02:09:28.0077 3972 SCardSvr - ok
02:09:28.0295 3972 scfilter (c94da20c7e3ba1dca269bc8460d98387) C:\Windows\system32\DRIVERS\scfilter.sys
02:09:28.0295 3972 scfilter - ok
02:09:28.0529 3972 Schedule (624d0f5ff99428bb90a5b8a4123e918e) C:\Windows\system32\schedsvc.dll
02:09:28.0545 3972 Schedule - ok
02:09:28.0685 3972 SCPolicySvc (312e2f82af11e79906898ac3e3d58a1f) C:\Windows\System32\certprop.dll
02:09:28.0685 3972 SCPolicySvc - ok
02:09:28.0748 3972 SDRSVC (765a27c3279ce11d14cb9e4f5869fca5) C:\Windows\System32\SDRSVC.dll
02:09:28.0748 3972 SDRSVC - ok
02:09:28.0982 3972 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
02:09:28.0982 3972 secdrv - ok
02:09:29.0060 3972 seclogon (463b386ebc70f98da5dff85f7e654346) C:\Windows\system32\seclogon.dll
02:09:29.0060 3972 seclogon - ok
02:09:29.0122 3972 SENS (c32ab8fa018ef34c0f113bd501436d21) C:\Windows\System32\sens.dll
02:09:29.0122 3972 SENS - ok
02:09:29.0200 3972 SensrSvc (0336cffafaab87a11541f1cf1594b2b2) C:\Windows\system32\sensrsvc.dll
02:09:29.0216 3972 SensrSvc - ok
02:09:29.0434 3972 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys
02:09:29.0450 3972 Serenum - ok
02:09:29.0668 3972 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
02:09:29.0668 3972 Serial - ok
02:09:29.0793 3972 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\DRIVERS\sermouse.sys
02:09:29.0793 3972 sermouse - ok
02:09:29.0980 3972 SessionEnv (c3bc61ce47ff6f4e88ab8a3b429a36af) C:\Windows\system32\sessenv.dll
02:09:29.0980 3972 SessionEnv - ok
02:09:30.0651 3972 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\DRIVERS\sffdisk.sys
02:09:30.0651 3972 sffdisk - ok
02:09:30.0729 3972 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\DRIVERS\sffp_mmc.sys
02:09:30.0729 3972 sffp_mmc - ok
02:09:30.0885 3972 sffp_sd (5588b8c6193eb1522490c122eb94dffa) C:\Windows\system32\DRIVERS\sffp_sd.sys
02:09:30.0885 3972 sffp_sd - ok
02:09:31.0181 3972 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\DRIVERS\sfloppy.sys
02:09:31.0181 3972 sfloppy - ok
02:09:31.0368 3972 Sftfs (c6cc9297bd53e5229653303e556aa539) C:\Windows\system32\DRIVERS\Sftfslh.sys
02:09:31.0384 3972 Sftfs - ok
02:09:31.0493 3972 sftlist (13693b6354dd6e72dc5131da7d764b90) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
02:09:31.0493 3972 sftlist - ok
02:09:31.0587 3972 Sftplay (390aa7bc52cee43f6790cdea1e776703) C:\Windows\system32\DRIVERS\Sftplaylh.sys
02:09:31.0587 3972 Sftplay - ok
02:09:31.0852 3972 Sftredir (617e29a0b0a2807466560d4c4e338d3e) C:\Windows\system32\DRIVERS\Sftredirlh.sys
02:09:31.0852 3972 Sftredir - ok
02:09:31.0977 3972 Sftvol (8f571f016fa1976f445147e9e6c8ae9b) C:\Windows\system32\DRIVERS\Sftvollh.sys
02:09:31.0977 3972 Sftvol - ok
02:09:32.0070 3972 sftvsa (c3cddd18f43d44ab713cf8c4916f7696) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
02:09:32.0070 3972 sftvsa - ok
02:09:32.0133 3972 SharedAccess (b95f6501a2f8b2e78c697fec401970ce) C:\Windows\System32\ipnathlp.dll
02:09:32.0133 3972 SharedAccess - ok
02:09:32.0180 3972 ShellHWDetection (0298ac45d0efffb2db4baa7dd186e7bf) C:\Windows\System32\shsvcs.dll
02:09:32.0180 3972 ShellHWDetection - ok
02:09:32.0289 3972 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\DRIVERS\SiSRaid2.sys
02:09:32.0289 3972 SiSRaid2 - ok
02:09:32.0382 3972 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\DRIVERS\sisraid4.sys
02:09:32.0382 3972 SiSRaid4 - ok
02:09:32.0492 3972 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
02:09:32.0492 3972 Smb - ok
02:09:32.0616 3972 SNMPTRAP (6313f223e817cc09aa41811daa7f541d) C:\Windows\System32\snmptrap.exe
02:09:32.0616 3972 SNMPTRAP - ok
02:09:32.0726 3972 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
02:09:32.0726 3972 spldr - ok
02:09:32.0819 3972 Spooler (f8e1fa03cb70d54a9892ac88b91d1e7b) C:\Windows\System32\spoolsv.exe
02:09:32.0835 3972 Spooler - ok
02:09:33.0069 3972 sppsvc (913d843498553a1bc8f8dbad6358e49f) C:\Windows\system32\sppsvc.exe
02:09:33.0131 3972 sppsvc - ok
02:09:33.0225 3972 sppuinotify (93d7d61317f3d4bc4f4e9f8a96a7de45) C:\Windows\system32\sppuinotify.dll
02:09:33.0225 3972 sppuinotify - ok
02:09:33.0365 3972 srv (2408c0366d96bcdf63e8f1c78e4a29c5) C:\Windows\system32\DRIVERS\srv.sys
02:09:33.0365 3972 srv - ok
02:09:33.0459 3972 srv2 (76548f7b818881b47d8d1ae1be9c11f8) C:\Windows\system32\DRIVERS\srv2.sys
02:09:33.0474 3972 srv2 - ok
02:09:33.0552 3972 srvnet (0af6e19d39c70844c5caa8fb0183c36e) C:\Windows\system32\DRIVERS\srvnet.sys
02:09:33.0552 3972 srvnet - ok
02:09:33.0599 3972 SSDPSRV (51b52fbd583cde8aa9ba62b8b4298f33) C:\Windows\System32\ssdpsrv.dll
02:09:33.0599 3972 SSDPSRV - ok
02:09:33.0693 3972 SstpSvc (ab7aebf58dad8daab7a6c45e6a8885cb) C:\Windows\system32\sstpsvc.dll
02:09:33.0693 3972 SstpSvc - ok
02:09:33.0771 3972 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\DRIVERS\stexstor.sys
02:09:33.0771 3972 stexstor - ok
02:09:33.0864 3972 stisvc (52d0e33b681bd0f33fdc08812fee4f7d) C:\Windows\System32\wiaservc.dll
02:09:33.0864 3972 stisvc - ok
02:09:33.0958 3972 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\DRIVERS\swenum.sys
02:09:33.0958 3972 swenum - ok
02:09:34.0036 3972 swprv (e08e46fdd841b7184194011ca1955a0b) C:\Windows\System32\swprv.dll
02:09:34.0052 3972 swprv - ok
02:09:34.0161 3972 SysMain (3c1284516a62078fb68f768de4f1a7be) C:\Windows\system32\sysmain.dll
02:09:34.0192 3972 SysMain - ok
02:09:34.0270 3972 TabletInputService (238935c3cf2854886dc7cbb2a0e2cc66) C:\Windows\System32\TabSvc.dll
02:09:34.0286 3972 TabletInputService - ok
02:09:34.0379 3972 TapiSrv (884264ac597b690c5707c89723bb8e7b) C:\Windows\System32\tapisrv.dll
02:09:34.0379 3972 TapiSrv - ok
02:09:34.0457 3972 TBS (1be03ac720f4d302ea01d40f588162f6) C:\Windows\System32\tbssvc.dll
02:09:34.0457 3972 TBS - ok
02:09:34.0551 3972 Tcpip (f18f56efc0bfb9c87ba01c37b27f4da5) C:\Windows\system32\drivers\tcpip.sys
02:09:34.0566 3972 Tcpip - ok
02:09:34.0800 3972 TCPIP6 (f18f56efc0bfb9c87ba01c37b27f4da5) C:\Windows\system32\DRIVERS\tcpip.sys
02:09:34.0816 3972 TCPIP6 - ok
02:09:34.0972 3972 tcpipreg (76d078af6f587b162d50210f761eb9ed) C:\Windows\system32\drivers\tcpipreg.sys
02:09:34.0972 3972 tcpipreg - ok
02:09:35.0066 3972 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
02:09:35.0066 3972 TDPIPE - ok
02:09:35.0144 3972 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
02:09:35.0144 3972 TDTCP - ok
02:09:35.0237 3972 tdx (079125c4b17b01fcaeebce0bcb290c0f) C:\Windows\system32\DRIVERS\tdx.sys
02:09:35.0237 3972 tdx - ok
02:09:35.0346 3972 TermDD (c448651339196c0e869a355171875522) C:\Windows\system32\DRIVERS\termdd.sys
02:09:35.0346 3972 TermDD - ok
02:09:35.0456 3972 TermService (0f05ec2887bfe197ad82a13287d2f404) C:\Windows\System32\termsrv.dll
02:09:35.0456 3972 TermService - ok
02:09:35.0534 3972 Themes (f0344071948d1a1fa732231785a0664c) C:\Windows\system32\themeservice.dll
02:09:35.0534 3972 Themes - ok
02:09:35.0612 3972 THREADORDER (e40e80d0304a73e8d269f7141d77250b) C:\Windows\system32\mmcss.dll
02:09:35.0612 3972 THREADORDER - ok
02:09:35.0690 3972 TrkWks (7e7afd841694f6ac397e99d75cead49d) C:\Windows\System32\trkwks.dll
02:09:35.0690 3972 TrkWks - ok
02:09:35.0768 3972 TrustedInstaller (840f7fb849f5887a49ba18c13b2da920) C:\Windows\servicing\TrustedInstaller.exe
02:09:35.0768 3972 TrustedInstaller - ok
02:09:35.0846 3972 tssecsrv (61b96c26131e37b24e93327a0bd1fb95) C:\Windows\system32\DRIVERS\tssecsrv.sys
02:09:35.0846 3972 tssecsrv - ok
02:09:35.0970 3972 tunnel (3836171a2cdf3af8ef10856db9835a70) C:\Windows\system32\DRIVERS\tunnel.sys
02:09:35.0970 3972 tunnel - ok
02:09:36.0064 3972 TurboB (825e7a1f48fb8bcfba27c178aab4e275) C:\Windows\system32\DRIVERS\TurboB.sys
02:09:36.0064 3972 TurboB - ok
02:09:36.0126 3972 TurboBoost (b206be1174d5964d49a56bb6c4e0524a) C:\Program Files\Intel\TurboBoost\TurboBoost.exe
02:09:36.0126 3972 TurboBoost - ok
02:09:36.0220 3972 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\DRIVERS\uagp35.sys
02:09:36.0220 3972 uagp35 - ok
02:09:36.0314 3972 udfs (31ba4a33afab6a69ea092b18017f737f) C:\Windows\system32\DRIVERS\udfs.sys
02:09:36.0314 3972 udfs - ok
02:09:36.0407 3972 UI0Detect (3cbdec8d06b9968aba702eba076364a1) C:\Windows\system32\UI0Detect.exe
02:09:36.0407 3972 UI0Detect - ok
02:09:36.0516 3972 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\DRIVERS\uliagpkx.sys
02:09:36.0516 3972 uliagpkx - ok
02:09:36.0610 3972 umbus (eab6c35e62b1b0db0d1b48b671d3a117) C:\Windows\system32\DRIVERS\umbus.sys
02:09:36.0610 3972 umbus - ok
02:09:36.0735 3972 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\DRIVERS\umpass.sys
02:09:36.0735 3972 UmPass - ok
02:09:36.0891 3972 UNS (765f2dd351ba064f657751d8d75e58c0) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
02:09:36.0922 3972 UNS - ok
02:09:37.0000 3972 upnphost (d47ec6a8e81633dd18d2436b19baf6de) C:\Windows\System32\upnphost.dll
02:09:37.0016 3972 upnphost - ok
02:09:37.0234 3972 USBAAPL64 (54d4b48d443e7228bf64cf7cdc3118ac) C:\Windows\system32\Drivers\usbaapl64.sys
02:09:37.0234 3972 USBAAPL64 - ok
02:09:37.0343 3972 usbccgp (537a4e03d7103c12d42dfd8ffdb5bdc9) C:\Windows\system32\DRIVERS\usbccgp.sys
02:09:37.0343 3972 usbccgp - ok
02:09:37.0421 3972 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\DRIVERS\usbcir.sys
02:09:37.0437 3972 usbcir - ok
02:09:37.0546 3972 usbehci (fbb21ebe49f6d560db37ac25fbc68e66) C:\Windows\system32\drivers\usbehci.sys
02:09:37.0546 3972 usbehci - ok
02:09:37.0686 3972 usbhub (6b7a8a99c4a459e73c286a6763ea24cc) C:\Windows\system32\DRIVERS\usbhub.sys
02:09:37.0686 3972 usbhub - ok
02:09:37.0827 3972 usbohci (8c88aa7617b4cbc2e4bed61d26b33a27) C:\Windows\system32\drivers\usbohci.sys
02:09:37.0842 3972 usbohci - ok
02:09:37.0967 3972 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys
02:09:37.0967 3972 usbprint - ok
02:09:38.0076 3972 usbscan (aaa2513c8aed8b54b189fd0c6b1634c0) C:\Windows\system32\DRIVERS\usbscan.sys
02:09:38.0076 3972 usbscan - ok
02:09:38.0201 3972 USBSTOR (f39983647bc1f3e6100778ddfe9dce29) C:\Windows\system32\DRIVERS\USBSTOR.SYS
02:09:38.0201 3972 USBSTOR - ok
02:09:38.0357 3972 usbuhci (0b5b3b2df3fd1709618acfa50b8392b0) C:\Windows\system32\drivers\usbuhci.sys
02:09:38.0357 3972 usbuhci - ok
02:09:38.0466 3972 usbvideo (7cb8c573c6e4a2714402cc0a36eab4fe) C:\Windows\system32\Drivers\usbvideo.sys
02:09:38.0482 3972 usbvideo - ok
02:09:38.0560 3972 UxSms (edbb23cbcf2cdf727d64ff9b51a6070e) C:\Windows\System32\uxsms.dll
02:09:38.0560 3972 UxSms - ok
02:09:38.0607 3972 VaultSvc (156f6159457d0aa7e59b62681b56eb90) C:\Windows\system32\lsass.exe
02:09:38.0607 3972 VaultSvc - ok
02:09:38.0716 3972 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\DRIVERS\vdrvroot.sys
02:09:38.0716 3972 vdrvroot - ok
02:09:38.0810 3972 vds (44d73e0bbc1d3c8981304ba15135c2f2) C:\Windows\System32\vds.exe
02:09:38.0810 3972 vds - ok
02:09:38.0934 3972 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
02:09:38.0934 3972 vga - ok
02:09:39.0122 3972 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
02:09:39.0122 3972 VgaSave - ok
02:09:39.0215 3972 vhdmp (c82e748660f62a242b2dfac1442f22a4) C:\Windows\system32\DRIVERS\vhdmp.sys
02:09:39.0215 3972 vhdmp - ok
02:09:39.0293 3972 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\DRIVERS\viaide.sys
02:09:39.0309 3972 viaide - ok
02:09:39.0402 3972 volmgr (2b1a3dae2b4e70dbba822b7a03fbd4a3) C:\Windows\system32\DRIVERS\volmgr.sys
02:09:39.0402 3972 volmgr - ok
02:09:39.0496 3972 volmgrx (99b0cbb569ca79acaed8c91461d765fb) C:\Windows\system32\drivers\volmgrx.sys
02:09:39.0512 3972 volmgrx - ok
02:09:39.0543 3972 volsnap (58f82eed8ca24b461441f9c3e4f0bf5c) C:\Windows\system32\DRIVERS\volsnap.sys
02:09:39.0543 3972 volsnap - ok
02:09:39.0652 3972 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\DRIVERS\vsmraid.sys
02:09:39.0652 3972 vsmraid - ok
02:09:39.0761 3972 VSS (787898bf9fb6d7bd87a36e2d95c899ba) C:\Windows\system32\vssvc.exe
02:09:39.0777 3972 VSS - ok
02:09:39.0870 3972 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\system32\DRIVERS\vwifibus.sys
02:09:39.0870 3972 vwifibus - ok
02:09:39.0995 3972 vwififlt (6a3d66263414ff0d6fa754c646612f3f) C:\Windows\system32\DRIVERS\vwififlt.sys
02:09:39.0995 3972 vwififlt - ok
02:09:40.0198 3972 W32Time (1c9d80cc3849b3788048078c26486e1a) C:\Windows\system32\w32time.dll
02:09:40.0198 3972 W32Time - ok
02:09:40.0276 3972 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\DRIVERS\wacompen.sys
02:09:40.0276 3972 WacomPen - ok
02:09:40.0416 3972 WANARP (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
02:09:40.0416 3972 WANARP - ok
02:09:40.0432 3972 Wanarpv6 (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
02:09:40.0432 3972 Wanarpv6 - ok
02:09:40.0572 3972 WatAdminSvc (3cec96de223e49eaae3651fcf8faea6c) C:\Windows\system32\Wat\WatAdminSvc.exe
02:09:40.0588 3972 WatAdminSvc - ok
02:09:40.0697 3972 wbengine (5ab1bb85bd8b5089cc5d64200dedae68) C:\Windows\system32\wbengine.exe
02:09:40.0728 3972 wbengine - ok
02:09:40.0806 3972 WbioSrvc (3aa101e8edab2db4131333f4325c76a3) C:\Windows\System32\wbiosrvc.dll
02:09:40.0806 3972 WbioSrvc - ok
02:09:40.0853 3972 wcncsvc (dd1bae8ebfc653824d29ccf8c9054d68) C:\Windows\System32\wcncsvc.dll
02:09:40.0869 3972 wcncsvc - ok
02:09:40.0947 3972 WcsPlugInService (20f7441334b18cee52027661df4a6129) C:\Windows\System32\WcsPlugInService.dll
02:09:40.0947 3972 WcsPlugInService - ok
02:09:41.0040 3972 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\DRIVERS\wd.sys
02:09:41.0040 3972 Wd - ok
02:09:41.0134 3972 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
02:09:41.0150 3972 Wdf01000 - ok
02:09:41.0228 3972 WdiServiceHost (bf1fc3f79b863c914687a737c2f3d681) C:\Windows\system32\wdi.dll
02:09:41.0228 3972 WdiServiceHost - ok
02:09:41.0228 3972 WdiSystemHost (bf1fc3f79b863c914687a737c2f3d681) C:\Windows\system32\wdi.dll
02:09:41.0243 3972 WdiSystemHost - ok
02:09:41.0274 3972 WebClient (733006127f235be7c35354ebee7b9a7b) C:\Windows\System32\webclnt.dll
02:09:41.0274 3972 WebClient - ok
02:09:41.0352 3972 Wecsvc (c749025a679c5103e575e3b48e092c43) C:\Windows\system32\wecsvc.dll
02:09:41.0352 3972 Wecsvc - ok
02:09:41.0368 3972 wercplsupport (7e591867422dc788b9e5bd337a669a08) C:\Windows\System32\wercplsupport.dll
02:09:41.0368 3972 wercplsupport - ok
02:09:41.0477 3972 WerSvc (6d137963730144698cbd10f202e9f251) C:\Windows\System32\WerSvc.dll
02:09:41.0493 3972 WerSvc - ok
02:09:41.0586 3972 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
02:09:41.0602 3972 WfpLwf - ok
02:09:41.0711 3972 WimFltr (b14ef15bd757fa488f9c970eee9c0d35) C:\Windows\system32\DRIVERS\wimfltr.sys
02:09:41.0711 3972 WimFltr - ok
02:09:41.0789 3972 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
02:09:41.0789 3972 WIMMount - ok
02:09:41.0852 3972 WinDefend - ok
02:09:41.0852 3972 WinHttpAutoProxySvc - ok
02:09:41.0945 3972 Winmgmt (19b07e7e8915d701225da41cb3877306) C:\Windows\system32\wbem\WMIsvc.dll
02:09:41.0945 3972 Winmgmt - ok
02:09:42.0070 3972 WinRM (41fbb751936b387f9179e7f03a74fe29) C:\Windows\system32\WsmSvc.dll
02:09:42.0086 3972 WinRM - ok
02:09:42.0210 3972 WinUsb (4d52c872018af7e18d078978dcc3f6f2) C:\Windows\system32\DRIVERS\WinUsb.sys
02:09:42.0210 3972 WinUsb - ok
02:09:42.0366 3972 Wlansvc (4fada86e62f18a1b2f42ba18ae24e6aa) C:\Windows\System32\wlansvc.dll
02:09:42.0382 3972 Wlansvc - ok
02:09:42.0460 3972 wltrysvc (13b0a570e1ae451c92da550085d72cf3) C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
02:09:42.0460 3972 wltrysvc - ok
02:09:42.0632 3972 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\DRIVERS\wmiacpi.sys
02:09:42.0632 3972 WmiAcpi - ok
02:09:42.0725 3972 wmiApSrv (38b84c94c5a8af291adfea478ae54f93) C:\Windows\system32\wbem\WmiApSrv.exe
02:09:42.0725 3972 wmiApSrv - ok
02:09:42.0866 3972 WMPNetworkSvc - ok
02:09:42.0944 3972 WPCSvc (96c6e7100d724c69fcf9e7bf590d1dca) C:\Windows\System32\wpcsvc.dll
02:09:42.0959 3972 WPCSvc - ok
02:09:42.0990 3972 WPDBusEnum (2e57ddf2880a7e52e76f41c7e96d327b) C:\Windows\system32\wpdbusenum.dll
02:09:42.0990 3972 WPDBusEnum - ok
02:09:43.0084 3972 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
02:09:43.0084 3972 ws2ifsl - ok
02:09:43.0146 3972 wscsvc (8f9f3969933c02da96eb0f84576db43e) C:\Windows\system32\wscsvc.dll
02:09:43.0146 3972 wscsvc - ok
02:09:43.0162 3972 WSearch - ok
02:09:43.0240 3972 wuauserv (38340204a2d0228f1e87740fc5e554a7) C:\Windows\system32\wuaueng.dll
02:09:43.0318 3972 wuauserv - ok
02:09:43.0396 3972 WudfPf (c63907207b837a5c05cf6d1606aa0008) C:\Windows\system32\drivers\WudfPf.sys
02:09:43.0396 3972 WudfPf - ok
02:09:43.0474 3972 WUDFRd (d885a873d733020f8b9b9ff4b1666158) C:\Windows\system32\DRIVERS\WUDFRd.sys
02:09:43.0474 3972 WUDFRd - ok
02:09:43.0552 3972 wudfsvc (27b9bee5aac00139e3a3af5d6227a0dc) C:\Windows\System32\WUDFSvc.dll
02:09:43.0552 3972 wudfsvc - ok
02:09:43.0630 3972 WwanSvc (9a3452b3c2a46c073166c5cf49fad1ae) C:\Windows\System32\wwansvc.dll
02:09:43.0630 3972 WwanSvc - ok
02:09:43.0692 3972 MBR (0x1B8) (0f84f2562620c40d8a3e1908c8075675) \Device\Harddisk0\DR0
02:09:43.0708 3972 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
02:09:43.0708 3972 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
02:09:43.0739 3972 Boot (0x1200) (6a5a9b7f1fa5118063177c08c70bd72e) \Device\Harddisk0\DR0\Partition0
02:09:43.0739 3972 \Device\Harddisk0\DR0\Partition0 - ok
02:09:43.0755 3972 Boot (0x1200) (c1740bac022275dc192dbcbf79e59d7c) \Device\Harddisk0\DR0\Partition1
02:09:43.0755 3972 \Device\Harddisk0\DR0\Partition1 - ok
02:09:43.0770 3972 ============================================================
02:09:43.0770 3972 Scan finished
02:09:43.0770 3972 ============================================================
02:09:43.0770 5112 Detected object count: 1
02:09:43.0770 5112 Actual detected object count: 1
02:10:04.0628 5112 \Device\Harddisk0\DR0\# - copied to quarantine
02:10:04.0628 5112 \Device\Harddisk0\DR0 - copied to quarantine
02:10:05.0657 5112 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
02:10:05.0657 5112 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
02:10:05.0657 5112 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
02:10:05.0657 5112 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
02:10:05.0673 5112 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
02:10:05.0688 5112 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
02:10:05.0688 5112 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
02:10:05.0688 5112 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
02:10:05.0688 5112 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
02:10:05.0688 5112 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
02:10:05.0688 5112 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
02:10:05.0688 5112 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
02:10:05.0766 5112 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
02:10:05.0766 5112 \Device\Harddisk0\DR0 - ok
02:10:05.0782 5112 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
02:10:11.0008 3552 Deinitialize success






aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-23 02:13:17
-----------------------------
02:13:17.842 OS Version: Windows x64 6.1.7600
02:13:17.842 Number of processors: 4 586 0x2502
02:13:17.842 ComputerName: TAD-PC UserName: Tad
02:13:19.652 Initialize success
02:14:46.783 AVAST engine defs: 12032000
02:15:42.568 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
02:15:42.584 Disk 0 Vendor: TOSHIBA_MK5065GSX GJ002D Size: 476940MB BusType: 11
02:15:42.600 Disk 0 MBR read successfully
02:15:42.600 Disk 0 MBR scan
02:15:42.600 Disk 0 Windows 7 default MBR code
02:15:42.615 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 100 MB offset 2048
02:15:42.631 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 15000 MB offset 206848
02:15:42.646 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 461838 MB offset 30926848
02:15:42.678 Disk 0 scanning C:\Windows\system32\drivers
02:15:52.724 Service scanning
02:16:39.431 Modules scanning
02:16:39.431 Disk 0 trace - called modules:
02:16:39.493 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
02:16:39.493 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a18460]
02:16:39.509 3 CLASSPNP.SYS[fffff8800103b43f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80048f7060]
02:16:40.507 AVAST engine scan C:\Windows
02:16:43.409 AVAST engine scan C:\Windows\system32
02:20:36.910 AVAST engine scan C:\Windows\system32\drivers
02:20:55.334 AVAST engine scan C:\Users\Tad
02:49:25.862 AVAST engine scan C:\ProgramData
03:28:46.115 Scan finished successfully
03:29:30.497 Disk 0 MBR has been saved successfully to "C:\Users\Tad\Desktop\MBR.dat"
03:29:30.497 The log file has been saved successfully to "C:\Users\Tad\Desktop\aswMBR.txt"


Thanks again! Very much appreciate the free and willing help!

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:11 AM

Posted 23 March 2012 - 03:02 AM

Now lets try to run combofix again as the rootkit was removed


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 flatrate1

flatrate1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:11 AM

Posted 23 March 2012 - 03:23 AM

Here is the combofix log. No issues this time, restarted on its own and seemed to make good changes. Hard to say for sure but the computer appears to be running much smoother now than it was just a few minutes ago.


ComboFix 12-03-22.01 - Tad 03/23/2012 4:07.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3957.1886 [GMT -4:00]
Running from: c:\users\Tad\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Tad\Desktop\Privacy Protection.lnk
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\svchost.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-02-23 to 2012-03-23 )))))))))))))))))))))))))))))))
.
.
2012-03-23 08:13 . 2012-03-23 08:13 -------- d-----w- c:\users\postgres\AppData\Local\temp
2012-03-23 08:13 . 2012-03-23 08:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-23 06:10 . 2012-03-23 06:10 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-23 04:34 . 2012-03-23 04:34 -------- d-----w- C:\1291f23aad990d6bc01bbe
2012-03-21 22:39 . 2012-03-01 18:21 8643640 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{03AB2C92-D1B4-484C-B7EE-59365FC47098}\mpengine.dll
2012-03-21 22:39 . 2012-02-23 13:18 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-03-21 19:03 . 2012-03-21 19:03 -------- d-----w- c:\users\Tad\AppData\Roaming\SUPERAntiSpyware.com
2012-03-21 19:02 . 2012-03-21 21:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-21 19:02 . 2012-03-21 19:02 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-03-21 09:00 . 2012-03-21 09:00 -------- d-----w- c:\users\Tad\AppData\Roaming\QuickScan
2012-03-21 06:08 . 2012-03-21 06:08 5120 ----a-w- c:\programdata\Microsoft\Windows\DRM\8125.tmp
2012-03-21 06:08 . 2012-03-21 06:08 5120 ----a-w- c:\programdata\Microsoft\Windows\DRM\80D6.tmp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-14 04:02 . 2012-02-16 05:07 3143168 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 06:50 . 2011-06-16 05:01 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-04 09:58 . 2012-02-16 16:28 509952 ----a-w- c:\windows\system32\ntshrui.dll
2012-01-04 09:03 . 2012-02-16 16:28 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
2012-01-03 06:24 . 2012-02-16 05:07 515584 ----a-w- c:\windows\system32\timedate.cpl
2012-01-03 05:44 . 2012-02-16 05:07 478208 ----a-w- c:\windows\SysWow64\timedate.cpl
2011-12-28 03:59 . 2012-02-16 05:07 499200 ----a-w- c:\windows\system32\drivers\afd.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files (x86)\AIM\aim.exe" [2010-10-12 4258136]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-01-22 98304]
"PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-03-02 421160]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
.
c:\users\Tad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-9-28 0]
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe [2009-11-02 126352]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files (x86)\PostgreSQL\8.3\bin\pg_ctl.exe [2009-12-10 65536]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [x]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-09-30 2320920]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2937538760-1736647523-861001363-1000Core.job
- c:\users\Tad\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-11 17:35]
.
2012-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2937538760-1736647523-861001363-1000UA.job
- c:\users\Tad\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-11 17:35]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-01-25 369152]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-02-03 10038304]
"QuickSet"="c:\program files\Dell\QuickSet\QuickSet.exe" [2010-04-02 3217056]
"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4968960]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://xkcd.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 4.2.2.5 209.18.47.61
FF - ProfilePath - c:\users\Tad\AppData\Roaming\Mozilla\Firefox\Profiles\jax7j5wg.default\
FF - prefs.js: browser.startup.homepage - hxxp://xkcd.com/
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-DellSupportCenter - c:\program files (x86)\Dell Support Center\bin\sprtcmd.exe
Wow6432Node-HKLM-RunOnce-c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe - c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files (x86)\PostgreSQL\8.3\bin\postgres.exe
c:\program files (x86)\PostgreSQL\8.3\bin\postgres.exe
c:\program files (x86)\PostgreSQL\8.3\bin\postgres.exe
c:\program files (x86)\PostgreSQL\8.3\bin\postgres.exe
c:\program files (x86)\PostgreSQL\8.3\bin\postgres.exe
c:\program files (x86)\PostgreSQL\8.3\bin\postgres.exe
c:\program files (x86)\Roxio\Roxio Burn\Roxio Burn.exe
c:\program files (x86)\Common Files\Java\Java Update\jusched.exe
.
**************************************************************************
.
Completion time: 2012-03-23 04:21:38 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-23 08:21
.
Pre-Run: 362,298,335,232 bytes free
Post-Run: 362,502,742,016 bytes free
.
- - End Of File - - BC7AF630F0A801BF6540DE5EE564122C

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:11 AM

Posted 23 March 2012 - 03:30 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::
KillAll::
Folder::
c:\programdata\Microsoft\Windows\DRM

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 flatrate1

flatrate1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:11 AM

Posted 23 March 2012 - 06:00 PM

So far my computer has been running much smoother. I have not encountered any sign of the virus, though firefox and AOL instant messanger are still broken and will likely need to be reinstalled. The appearance of internet explorer changed when the virus attacked and it is now back to what it was looking like pre-virus. Here is the combofix log, it functioned fine.

ComboFix 12-03-22.01 - Tad 03/23/2012 17:20:13.3.4 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3957.2535 [GMT -4:00]
Running from: c:\users\Tad\Desktop\ComboFix.exe
Command switches used :: c:\users\Tad\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\DRM
c:\programdata\Microsoft\Windows\DRM\80D6.tmp
c:\programdata\Microsoft\Windows\DRM\8125.tmp
c:\programdata\Microsoft\Windows\DRM\blackbox.bin
c:\programdata\Microsoft\Windows\DRM\Cache\Indiv_SID_S-1-5-20\Indiv01_64.key
c:\programdata\Microsoft\Windows\DRM\Cache\Indiv_SID_S-1-5-21-2937538760-1736647523-861001363-1000\Indiv01.key
c:\programdata\Microsoft\Windows\DRM\Cache\Indiv01.bla
c:\programdata\Microsoft\Windows\DRM\Cache\Indiv01.key
c:\programdata\Microsoft\Windows\DRM\Cache\Indiv01.tmp
c:\programdata\Microsoft\Windows\DRM\Cache\Indiv01_64.key
c:\programdata\Microsoft\Windows\DRM\drmstore.hds
c:\programdata\Microsoft\Windows\DRM\DRMv1.bak
c:\programdata\Microsoft\Windows\DRM\DRMv1.key
c:\programdata\Microsoft\Windows\DRM\IndivBox.key
c:\programdata\Microsoft\Windows\DRM\IndivBox_64.key
c:\programdata\Microsoft\Windows\DRM\v2ksndv.bla
c:\programdata\Microsoft\Windows\DRM\v3ks.bla
c:\programdata\Microsoft\Windows\DRM\v3ks.sec
.
.
((((((((((((((((((((((((( Files Created from 2012-02-23 to 2012-03-23 )))))))))))))))))))))))))))))))
.
.
2012-03-23 21:29 . 2012-03-23 21:29 -------- d-----w- c:\users\postgres\AppData\Local\temp
2012-03-23 21:29 . 2012-03-23 21:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-23 06:10 . 2012-03-23 06:10 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-23 04:34 . 2012-03-23 04:34 -------- d-----w- C:\1291f23aad990d6bc01bbe
2012-03-21 22:39 . 2012-03-01 18:21 8643640 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{03AB2C92-D1B4-484C-B7EE-59365FC47098}\mpengine.dll
2012-03-21 22:39 . 2012-02-23 13:18 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-03-21 19:03 . 2012-03-21 19:03 -------- d-----w- c:\users\Tad\AppData\Roaming\SUPERAntiSpyware.com
2012-03-21 19:02 . 2012-03-21 21:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-21 19:02 . 2012-03-21 19:02 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-03-21 09:00 . 2012-03-21 09:00 -------- d-----w- c:\users\Tad\AppData\Roaming\QuickScan
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-14 04:02 . 2012-02-16 05:07 3143168 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 06:50 . 2011-06-16 05:01 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-04 09:58 . 2012-02-16 16:28 509952 ----a-w- c:\windows\system32\ntshrui.dll
2012-01-04 09:03 . 2012-02-16 16:28 442880 ----a-w- c:\windows\SysWow64\ntshrui.dll
2012-01-03 06:24 . 2012-02-16 05:07 515584 ----a-w- c:\windows\system32\timedate.cpl
2012-01-03 05:44 . 2012-02-16 05:07 478208 ----a-w- c:\windows\SysWow64\timedate.cpl
2011-12-28 03:59 . 2012-02-16 05:07 499200 ----a-w- c:\windows\system32\drivers\afd.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-23_08.15.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-23 21:29 . 2012-03-23 21:29 13585 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2012-03-23 08:13 . 2012-03-23 08:13 13585 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2010-07-09 23:33 . 2012-03-23 08:16 44616 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-23 08:16 31170 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-07-17 07:25 . 2012-03-23 08:16 13302 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2937538760-1736647523-861001363-1000_UserData.bin
- 2010-07-16 01:19 . 2012-03-23 07:01 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-07-16 01:19 . 2012-03-23 21:30 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-07-16 01:19 . 2012-03-23 21:30 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-07-16 01:19 . 2012-03-23 07:01 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-23 07:01 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-23 21:30 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:46 . 2012-03-23 08:19 78512 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2010-07-16 03:59 . 2012-03-23 08:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-07-16 03:59 . 2012-03-23 21:18 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-07-16 03:59 . 2012-03-23 21:18 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-07-16 03:59 . 2012-03-23 08:13 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-03-23 08:14 . 2012-03-23 08:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-03-23 21:30 . 2012-03-23 21:30 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-03-23 21:30 . 2012-03-23 21:30 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-03-23 08:14 . 2012-03-23 08:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 04:54 . 2012-03-23 08:14 147456 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-03-23 21:30 147456 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-03-23 08:14 245760 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-23 21:30 245760 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-07-16 04:56 . 2012-03-23 21:15 310502 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 02:36 . 2012-03-23 21:16 624864 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-03-22 03:36 624864 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-03-22 03:36 106950 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2012-03-23 21:16 106950 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-03-23 08:13 229236 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-03-23 21:29 229236 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 04:54 . 2012-03-23 21:30 3555328 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-23 08:14 3555328 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:45 . 2012-03-23 08:19 3802522 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 04:45 . 2012-03-23 04:29 3802522 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 02:34 . 2012-03-23 07:00 10747904 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:34 . 2012-03-23 08:25 10747904 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2012-03-23 08:06 . 2012-03-23 21:19 10502144 c:\windows\ERDNT\Hiv-backup\schema.dat
- 2012-03-23 08:06 . 2012-03-23 08:06 10502144 c:\windows\ERDNT\Hiv-backup\schema.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim"="c:\program files (x86)\AIM\aim.exe" [2010-10-12 4258136]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-01-22 98304]
"PDVDDXSrv"="c:\program files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe" [2009-10-15 498160]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-03-02 421160]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"hpqSRMon"="c:\program files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-22 150528]
.
c:\users\Tad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-9-28 0]
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-9-20 270336]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-12-15 1324384]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [x]
R3 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe [2009-11-02 126352]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-11-18 98208]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2009-06-09 155648]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files (x86)\PostgreSQL\8.3\bin\pg_ctl.exe [2009-12-10 65536]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [x]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-09-30 2320920]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [x]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [x]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [x]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [x]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2937538760-1736647523-861001363-1000Core.job
- c:\users\Tad\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-11 17:35]
.
2012-03-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2937538760-1736647523-861001363-1000UA.job
- c:\users\Tad\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-11 17:35]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-01-25 369152]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-02-03 10038304]
"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4968960]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://xkcd.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 4.2.2.5 209.18.47.61
FF - ProfilePath - c:\users\Tad\AppData\Roaming\Mozilla\Firefox\Profiles\jax7j5wg.default\
FF - prefs.js: browser.startup.homepage - hxxp://xkcd.com/
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-RunOnce-c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe - c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files (x86)\PostgreSQL\8.3\bin\postgres.exe
c:\program files (x86)\PostgreSQL\8.3\bin\postgres.exe
c:\program files (x86)\PostgreSQL\8.3\bin\postgres.exe
c:\program files (x86)\PostgreSQL\8.3\bin\postgres.exe
c:\program files (x86)\PostgreSQL\8.3\bin\postgres.exe
c:\program files (x86)\PostgreSQL\8.3\bin\postgres.exe
c:\program files (x86)\Common Files\Java\Java Update\jusched.exe
.
**************************************************************************
.
Completion time: 2012-03-23 17:42:46 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-23 21:42
ComboFix2.txt 2012-03-23 08:21
.
Pre-Run: 362,482,176,000 bytes free
Post-Run: 362,243,354,624 bytes free
.
- - End Of File - - BD107ABDC0D7C2F2E93B6AB093A6ADA5

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:11 AM

Posted 23 March 2012 - 06:34 PM

Hello

Now is a good time to reinstall firefox and AOL




These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does allot better of a job)

Programs to remove

Java™ 6 Update 20 [/list]


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.
.



Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 flatrate1

flatrate1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:11 AM

Posted 24 March 2012 - 11:22 PM

Thank you for the help once again! Very appreciated! So far things are going well except for a blue screen and a explorer access issue. I've been in and out all day so have been running the programs you listed in steps. While viewing an unrelated forum webpage I got a blue screen of death. After the computer rebooted without issue Windows popped up the window to send related info to Microsoft server for more info. This was the info from that popup if it is of any help:

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.1.7600.2.0.0.768.3
Locale ID: 1033

Additional information about the problem:
BCCode: 116
BCP1: FFFFFA800B4184E0
BCP2: FFFFF88002805C98
BCP3: 0000000000000000
BCP4: 0000000000000002
OS Version: 6_1_7600
Service Pack: 0_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\032412-44226-01.dmp
C:\Users\Tad\AppData\Local\Temp\WER-77579-0.sysdata.xml

Also, when looking around using windows explorer my folder trees have been moved around and renamed from what I can see and when I click on them it says I do not have access rights to the folder as if I am not the administrator (I am the only account on the computer and should have full admin).

I ran both a quick scan of Malware Bytes and a full scan since I had the time. Both found nothing, I posted the quick scan log below.

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.24.01

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Tad :: TAD-PC [administrator]

Protection: Enabled

3/25/2012 12:14:31 AM
mbam-log-2012-03-25 (00-14-31).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 215266
Time elapsed: 2 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:04:48 AM, on 3/25/2012
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16930)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Roxio\Roxio Burn\Roxio Burn.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xkcd.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O2 - BHO: PNBHO - {FBAAD182-3C7A-4BC4-A5E9-207B8E0F02FD} - C:\Program Files (x86)\DeLorme\SendToGPS\PNPluginForIE.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files (x86)\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files (x86)\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe"
O4 - HKLM\..\Run: [Dell Webcam Central] "C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" /mode2
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
O4 - HKCU\..\Run: [Aim] "C:\Program Files (x86)\AIM\aim.exe" /d locale=en-US
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: CurseClientStartup.ccip
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files (x86)\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files (x86)\PokerStars.NET\PokerStarsUpdate.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} - c:\Program Files (x86)\Cozi Express\CoziProtocolHandler.dll
O23 - Service: Andrea RT Filters Service (AERTFilters) - Andrea Electronics Corporation - C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\WildTangent\Dell Games\Dell Game Console\GameConsoleService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files (x86)\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: TurboBoost - Intel® Corporation - C:\Program Files\Intel\TurboBoost\TurboBoost.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel® Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 11436 bytes


Thanks for any further input you can give! You are awesome!

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:11 AM

Posted 24 March 2012 - 11:45 PM

Hello

Please do the following:

Step One
Please download Junction.zip and save it to your desktop.
Unzip it and extract junction.exe to your C:\ drive.

Step Two
Now copy (Ctrl +C) and paste (Ctrl +V) the text inside the code box below into Notepad.

@ECHO OFF
cd c:\
junction -s c:\>log.txt
start log.txt
del %0
Save it to your desktop as File name: junc.bat
Save as type: All Files

Step Three
Double click junc.bat to run it. A log will be presented. Copy and paste or attach the content of the log in your next reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 flatrate1

flatrate1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:11 AM

Posted 24 March 2012 - 11:59 PM

Did what you said, EXCEPT... when I go to unzip to C:\ I get:

! C:\Users\Tad\Desktop\Junction.zip: Cannot create junction.exe
! Access is denied.

That error message. I pulled up User Accounts under control panel. Just shows the one (mine) listed as Admin. I never had access issues before the virus. Any suggestions? Thanks!!!!

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:11 AM

Posted 25 March 2012 - 12:16 AM

Hello

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 flatrate1

flatrate1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:11 AM

Posted 25 March 2012 - 12:30 AM

Running from: C:\Users\Tad\Desktop\win32kdiag.exe

Log file at : C:\Users\Tad\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession7.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession7.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl



Finished!



Thanks again!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users