
Sirefef.DN Infection


This topic is locked
24 replies to this topic

#1 Skipper240 (Members, 14 posts)

Posted 23 March 2012 - 08:08 AM

Hi, ESET says I have a Sirefef.DN problem and I was hoping to get some help. I've been getting a lot of redirects when I click on Google links.

Thanks in advance!

DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Lap at 6:06:06 on 2012-03-23
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8170.6850 [GMT -7:00]
.
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bigfoot Networks\Killer Network Manager\BFNService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskhost.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Razer\DeathAdder\razertra.exe
C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe
C:\Program Files (x86)\Razer\DeathAdder\vdDaemon.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [DeathAdder] C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
mRun: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
dRun: [DAEMON Tools Lite] C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe -autorun
dRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\RAINME~1.LNK - C:\Program Files\Rainmeter\Rainmeter.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1A6B290D-02CD-48B0-AB55-87C8C868E491} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1A6B290D-02CD-48B0-AB55-87C8C868E491}\3595349405 : DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [DeathAdder] C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe
mRun-x64: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Lap\AppData\Roaming\Mozilla\Firefox\Profiles\y5gaxbo1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R1 BfLwf;Bigfoot Networks Bandwidth Control;C:\Windows\system32\DRIVERS\bflwfx64.sys --> C:\Windows\system32\DRIVERS\bflwfx64.sys [?]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 Bigfoot Networks Killer Service;Bigfoot Networks Killer Service;C:\Program Files\Bigfoot Networks\Killer Network Manager\BFNService.exe [2011-11-7 467456]
R2 cpuz135;cpuz135;\??\C:\Windows\system32\drivers\cpuz135_x64.sys --> C:\Windows\system32\drivers\cpuz135_x64.sys [?]
R3 Ak27x64;Killer Wireless-N 1102 device driver;C:\Windows\system32\DRIVERS\Ak27x64.sys --> C:\Windows\system32\DRIVERS\Ak27x64.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 danewFltr;NewDeathAdder Mouse;C:\Windows\system32\drivers\danew.sys --> C:\Windows\system32\drivers\danew.sys [?]
R3 JMCR;JMCR;C:\Windows\system32\DRIVERS\jmcr.sys --> C:\Windows\system32\DRIVERS\jmcr.sys [?]
R3 JME;JMicron Ethernet Adapter NDIS6.20 Driver (Amd64 Bits);C:\Windows\system32\DRIVERS\JME.sys --> C:\Windows\system32\DRIVERS\JME.sys [?]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\system32\DRIVERS\nusb3hub.sys --> C:\Windows\system32\DRIVERS\nusb3hub.sys [?]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\DRIVERS\nusb3xhc.sys --> C:\Windows\system32\DRIVERS\nusb3xhc.sys [?]
R3 VKbms;Virtual HID Minidriver;C:\Windows\system32\DRIVERS\VKbms.sys --> C:\Windows\system32\DRIVERS\VKbms.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-3-22 652360]
S3 dmvsc;dmvsc;C:\Windows\system32\drivers\dmvsc.sys --> C:\Windows\system32\drivers\dmvsc.sys [?]
S3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 Synth3dVsc;Synth3dVsc;C:\Windows\system32\drivers\synth3dvsc.sys --> C:\Windows\system32\drivers\synth3dvsc.sys [?]
S3 terminpt;Microsoft Remote Desktop Input Driver;C:\Windows\system32\drivers\terminpt.sys --> C:\Windows\system32\drivers\terminpt.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 tsusbhub;tsusbhub;C:\Windows\system32\drivers\tsusbhub.sys --> C:\Windows\system32\drivers\tsusbhub.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
.
=============== Created Last 30 ================
.
2012-03-23 13:43:50 -------- d-----w- C:\FRST
2012-03-23 08:51:10 -------- d-s---w- C:\ComboFix
2012-03-23 08:49:21 -------- d-----w- C:\$RECYCLE.BIN
2012-03-23 08:26:31 -------- d-----w- C:\Program Files (x86)\VS Revo Group
2012-03-23 02:53:52 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-22 10:33:00 0 --sha-w- C:\Windows\System32\dds_trash_log.cmd
2012-03-18 00:38:54 592824 ----a-w- C:\Program Files (x86)\Mozilla Firefox\gkmedias.dll
2012-03-18 00:38:54 44472 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozglue.dll
2012-02-24 06:34:45 -------- d-----w- C:\Users\Lap\AppData\Roaming\mIRC
2012-02-24 06:34:45 -------- d-----w- C:\Program Files (x86)\mIRC
.
==================== Find3M ====================
.
2012-03-23 08:30:50 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-02-16 10:06:48 178800 ----a-w- C:\Windows\SysWow64\CmdLineExt_x64.dll
2012-01-17 00:45:27 709968 ----a-w- C:\Windows\is-9F0CI.exe
2012-01-07 10:08:38 279616 ----a-w- C:\Windows\System32\drivers\dtsoftbus01.sys
.
============= FINISH: 6:06:18.14 ===============

Edited by Skipper240, 23 March 2012 - 08:15 AM.



#2 gringo_pr (Bleepin Gringo; Malware Response Team; 136,772 posts; Gender: Male; Location: Puerto Rico)

Posted 24 March 2012 - 12:05 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

1. Do not run any other tool until instructed to do so!
Doing so will only at best cause you unneeded worry as it finds our backups and may even list our tools, and at worst can cause conflicts with our tools and lead to unforeseen things happening.
2. Please do not attach logs or put them in code boxes.
Besides the time it takes me to open the reports, it makes it harder to find something if I need to go back to do more research, and putting them in code boxes just makes them so hard to read.
3. After each step give me a little feedback.
It does not need to be long, but just something so I know how things are going. It can be something like:
I am still getting redirected
The computer is running as it should
Don't put things like "it is the same as before" or "still the same"; this just makes me go back and look for your last feedback as to how things are.
4. Read every post completely before doing anything.
Pay special attention to the Notes** I have put in. These are things I have found that happen a lot and can be taken care of easily just by reading the Notes**.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


Backup any files that cannot be replaced

If you have not done it yet, spend a few minutes to back up any files that cannot be replaced. Removing malware can be unpredictable and this may save you and me a lot of grief later.

You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

You may want to back up the whole hard drive; there is some good info in the Preparation Guide on how to make full backups and how to restore them if something goes wrong. Read the tutorial and print it out so you will know what to do in case the unforeseen happens.

When you have the files backed up you may do the following.


Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Skipper240, Topic Starter (Members, 14 posts)

Posted 24 March 2012 - 07:07 AM

I haven't had any more redirects in the few minutes since I ran the test. That's good!

ComboFix 12-03-22.01 - Lap 03/24/2012 4:59.4.8 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8170.6325 [GMT -7:00]
Running from: c:\users\Lap\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
c:\windows\system32\consrv.dll
c:\windows\system32\dds_trash_log.cmd
.
.
((((((((((((((((((((((((( Files Created from 2012-02-24 to 2012-03-24 )))))))))))))))))))))))))))))))
.
.
2012-03-24 12:01 . 2012-03-24 12:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-23 13:43 . 2012-03-23 13:45 -------- d-----w- C:\FRST
2012-03-23 08:30 . 2012-03-23 08:30 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-03-23 08:30 . 2012-03-23 08:30 -------- d-----w- c:\program files (x86)\Java
2012-03-23 08:26 . 2012-03-23 08:26 -------- d-----w- c:\program files (x86)\VS Revo Group
2012-03-23 02:53 . 2012-03-24 03:07 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-18 00:38 . 2012-03-18 00:38 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-03-18 00:38 . 2012-03-18 00:38 44472 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
2012-02-24 06:34 . 2012-03-23 08:12 -------- d-----w- c:\users\Lap\AppData\Roaming\mIRC
2012-02-24 06:34 . 2012-03-23 06:26 -------- d-----w- c:\program files (x86)\mIRC
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-23 08:30 . 2011-11-29 05:02 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-02-16 10:06 . 2012-02-16 10:06 178800 ----a-w- c:\windows\SysWow64\CmdLineExt_x64.dll
2012-01-17 00:45 . 2012-01-17 00:45 709968 ----a-w- c:\windows\is-9F0CI.exe
2012-01-07 10:08 . 2012-01-07 10:08 279616 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-10-26 343168]
"DeathAdder"="c:\program files (x86)\Razer\DeathAdder\razerhid.exe" [2011-03-21 248320]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-18 113288]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2010-04-20 26192680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2011-9-18 102912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
R3 ALSysIO;ALSysIO;c:\users\Lap\AppData\Local\Temp\ALSysIO64.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 RTCore64;RTCore64;c:\users\Lap\Desktop\rmclock_235_bin\RTCore64.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S1 BfLwf;Bigfoot Networks Bandwidth Control;c:\windows\system32\DRIVERS\bflwfx64.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 Bigfoot Networks Killer Service;Bigfoot Networks Killer Service;c:\program files\Bigfoot Networks\Killer Network Manager\BFNService.exe [2011-11-08 467456]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [x]
S3 Ak27x64;Killer Wireless-N 1102 device driver;c:\windows\system32\DRIVERS\Ak27x64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 danewFltr;NewDeathAdder Mouse;c:\windows\system32\drivers\danew.sys [x]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]
S3 JME;JMicron Ethernet Adapter NDIS6.20 Driver (Amd64 Bits);c:\windows\system32\DRIVERS\JME.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 VKbms;Virtual HID Minidriver;c:\windows\system32\DRIVERS\VKbms.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-10-17 13307496]
"combofix"="c:\combofix\CF23453.3XE" [2010-11-21 345088]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
houdiniserver
mindretrieve
bc_filter
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
LSP: mswsock.dll
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Lap\AppData\Roaming\Mozilla\Firefox\Profiles\y5gaxbo1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-41634663.sys
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{32099AAC-C132-4136-9E9A-4E364A424E17}"=hex:51,66,7a,6c,4c,1d,38,12,c2,99,1a,
36,00,8f,58,04,e1,8c,0d,76,4f,1c,0a,03
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe
c:\program files (x86)\Razer\DeathAdder\razertra.exe
c:\program files (x86)\Razer\DeathAdder\razerofa.exe
c:\program files (x86)\Razer\DeathAdder\vdDaemon.exe
.
**************************************************************************
.
Completion time: 2012-03-24 05:03:32 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-24 12:03
ComboFix2.txt 2012-03-23 08:50
.
Pre-Run: 110,743,236,608 bytes free
Post-Run: 110,586,294,272 bytes free
.
- - End Of File - - 4C2A1B703F799D526D128DD0D1CC122C
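An added example, not from this thread or from DDS/ComboFix themselves: a small Python scanner that runs over constructed log lines modelled on the DDS and ComboFix output posted above and flags the Sirefef/ZeroAccess persistence indicators they contain (the consrv.dll entry in the csrss SubSystems value, the dropped files under \windows\assembly that ComboFix deleted, and the UAC policies set to 0). The NetSvcs names are reported for review only; nothing here claims they are malicious.

```python
"""Scan DDS/ComboFix-style log text for Sirefef/ZeroAccess indicators.

Added example: the checks and sample lines below are constructed for this
thread; this is not DDS, ComboFix, or any vendor tool's own logic.
"""
import re
from typing import Dict, List

# The 64-bit ZeroAccess variant rewrites the csrss "Windows" SubSystems value so
# ConServerDllInitialization is served by its own consrv.dll instead of winsrv.
LEGIT_CONSERVER = "winsrv:ConServerDllInitialization"

# Files the infection drops (all listed under "Other Deletions" in the ComboFix log).
ZA_PATHS = (
    r"\windows\system32\consrv.dll",
    r"\windows\assembly\gac_32\desktop.ini",
    r"\windows\assembly\gac_64\desktop.ini",
    r"\windows\assembly\temp\@",
    r"\windows\assembly\temp\cfg.ini",
)

# UAC policy values that, when 0, leave the machine without elevation prompts.
UAC_WEAK = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0", "PromptOnSecureDesktop": "0"}


def check_subsystems(line: str) -> List[str]:
    """Flag a 'SubSystems: Windows = ...' line whose ConServerDllInitialization
    entry is provided by anything other than winsrv."""
    m = re.search(r"SubSystems:\s*Windows\s*=\s*(.*)", line)
    if not m:
        return []
    findings = []
    for entry in m.group(1).split():
        if "ConServerDllInitialization" in entry and not entry.startswith("winsrv:"):
            module = entry.split(",")[0]
            findings.append(f"SubSystems ConServerDll served by '{module}' (expected {LEGIT_CONSERVER})")
    return findings


def check_paths(line: str) -> List[str]:
    """Flag any known ZeroAccess drop path appearing on the line (case-insensitive)."""
    low = line.lower().replace("/", "\\")
    return [f"ZeroAccess artifact: {line.strip()}" for p in ZA_PATHS if p in low]


def check_uac(line: str) -> List[str]:
    """Flag DDS 'mPolicies-system: X = N (0xN)' or ComboFix '"X"= N (0xN)' lines
    where a UAC policy is switched off."""
    m = re.search(r'"?(\w+)"?\s*=\s*(\d+)\s*\(0x', line)
    if not m:
        return []
    name, value = m.group(1), m.group(2)
    return [f"UAC weakened: {name} = {value}"] if UAC_WEAK.get(name) == value else []


def scan(log: str) -> Dict[str, List[str]]:
    """Run every check over a whole log; findings are grouped by check name.
    Entries under the 'Svchost - NetSvcs' header are reported for review only:
    ComboFix lists the non-default ones, it does not say they are malicious."""
    results: Dict[str, List[str]] = {"subsystems": [], "artifacts": [], "uac": [], "netsvcs": []}
    in_netsvcs = False
    for line in log.splitlines():
        results["subsystems"] += check_subsystems(line)
        results["artifacts"] += check_paths(line)
        results["uac"] += check_uac(line)
        stripped = line.strip()
        if stripped.endswith("Svchost - NetSvcs"):
            in_netsvcs = True
            continue
        if in_netsvcs:
            if stripped in ("", "."):
                in_netsvcs = False
            else:
                results["netsvcs"].append(f"non-default NetSvcs entry to review: {stripped}")
    return results


# Constructed sample modelled on the DDS and ComboFix lines posted in this thread.
SAMPLE_LOG = """\
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2 sxssrv,4
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
c:\\windows\\assembly\\GAC_32\\Desktop.ini
c:\\windows\\assembly\\temp\\@
c:\\windows\\system32\\consrv.dll
c:\\windows\\system32\\dds_trash_log.cmd
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost - NetSvcs
houdiniserver
mindretrieve
.
"""

if __name__ == "__main__":
    for check, hits in scan(SAMPLE_LOG).items():
        for hit in hits:
            print(f"[{check}] {hit}")
```

The same checks can be pointed at a saved DDS or ComboFix log file by reading it and passing its text to scan().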

#4 gringo_pr (Bleepin Gringo; Malware Response Team; 136,772 posts; Gender: Male; Location: Puerto Rico)

Posted 24 March 2012 - 10:04 AM

Greetings

There are other things that need to be taken care of but first I want to check for any rootkits.

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
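The TDSSKiller log that these steps produce is a plain-text list of services and drivers: one line per object carrying its name, MD5 and path, followed by one or more verdict lines (`- ok`, `( Threat ) - infected`, `- detected Threat (n)`). When reading a pasted log, the helper only cares about the objects that did not come back `- ok`. The Python below is an added example, not code from this thread, from BleepingComputer or from TDSSKiller itself, that pulls those objects out of a log and pairs each with its hash and path. The sample log is constructed in the format of the log posted in the next reply (the `mindretrieve`, `MegaSR` and `MMCSS` lines are copied from it); the `exampledrv` line and the `warning`/`suspicious` verdict words are assumptions, not taken from this thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in TDSSKiller's log format. The "mindretrieve" lines are
# copied from the log posted in this thread; "MegaSR"/"MMCSS" are ordinary
# clean entries from the same log; the "exampledrv" warning line is made up
# here to exercise the case where an object is flagged without a hash line.
SAMPLE_LOG = "\n".join([
    r"14:08:32.0698 3004 Scan started",
    r"14:08:32.0698 3004 Mode: Manual;",
    r"14:08:36.0193 3004 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\drivers\MegaSR.sys",
    r"14:08:36.0193 3004 MegaSR - ok",
    r"14:08:36.0208 3004 mindretrieve (5f22132c9153639762708909f156b33d) C:\Windows\system32\db2das00.dll",
    r"14:08:36.0208 3004 mindretrieve ( Backdoor.Multi.ZAccess.gen ) - infected",
    r"14:08:36.0208 3004 mindretrieve - detected Backdoor.Multi.ZAccess.gen (0)",
    r"14:08:36.0208 3004 MMCSS (e40e80d0304a73e8d269f7141d77250b) C:\Windows\system32\mmcss.dll",
    r"14:08:36.0224 3004 MMCSS - ok",
    r"14:08:36.0400 3004 exampledrv ( UnsignedFile.Multi.Generic ) - warning",
])

# Entry line: "<time> <pid> <service name> (<md5>) <path>". Service names may
# contain spaces, so the name is matched lazily up to the 32-hex-digit hash.
ENTRY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<pid>\d+) (?P<name>.+?) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$"
)
# Verdict line: "<time> <pid> <service name> [( <threat> )] - <verdict>".
# The verdict vocabulary is restricted so that unrelated lines containing
# " - " (e.g. the "Drive ... - Size:" header) are not mistaken for verdicts.
# "warning"/"suspicious" are assumed verdict words, not seen in this thread.
VERDICT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<pid>\d+) (?P<name>.+?)(?: \( (?P<threat>.+?) \))? - "
    r"(?P<verdict>ok|infected|suspicious|warning|detected .+)$"
)
# "detected <Threat> (<n>)" carries the threat name inside the verdict itself.
DETECTED_RE = re.compile(r"^detected (?P<threat>\S+)(?: \(\d+\))?$")


@dataclass
class Finding:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    threat: Optional[str] = None
    verdicts: List[str] = field(default_factory=list)


def parse_tdsskiller_log(text: str) -> Dict[str, Finding]:
    """Return every object that did not come back '- ok', keyed by its name."""
    entries: Dict[str, Finding] = {}   # every object seen, with hash and path
    findings: Dict[str, Finding] = {}  # only the non-ok ones, in log order
    for raw in text.splitlines():
        line = raw.rstrip()
        m = ENTRY_RE.match(line)
        if m:
            entries[m["name"]] = Finding(m["name"], m["md5"], m["path"])
            continue
        m = VERDICT_RE.match(line)
        if not m or m["verdict"] == "ok":
            continue
        name = m["name"]
        # Reuse the hash/path record if the object had an entry line; otherwise
        # record the name alone (TDSSKiller does not always print a hash line).
        f = findings.setdefault(name, entries.get(name, Finding(name)))
        f.verdicts.append(m["verdict"])
        threat = m["threat"]
        d = DETECTED_RE.match(m["verdict"])
        if d:
            threat = d["threat"]
        if threat and not f.threat:
            f.threat = threat
    return findings


def format_findings(findings: Dict[str, Finding]) -> List[str]:
    """One human-readable line per flagged object, ready to paste into a reply."""
    out = []
    for f in findings.values():
        out.append(
            f"{f.name}: {f.threat or 'unknown threat'} [{', '.join(f.verdicts)}] "
            f"md5={f.md5 or '?'} path={f.path or '?'}"
        )
    return out


if __name__ == "__main__":
    for line in format_findings(parse_tdsskiller_log(SAMPLE_LOG)):
        print(line)
```

Keeping the hash and path next to the verdict matters for the follow-up: the MD5 is what you look up against a known-file database, and the path tells you which service entry the cleaner will need to remove. Because the entry line and its verdict lines are separate records, the parser keeps a table of everything it has seen and only promotes an object to a finding when a non-ok verdict arrives.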

#5 Skipper240

  • Topic Starter
  • Members
  • 14 posts

Posted 24 March 2012 - 04:11 PM

14:08:17.0676 3656 TDSS rootkit removing tool 2.7.22.0 Mar 21 2012 17:40:00
14:08:18.0034 3656 ============================================================
14:08:18.0034 3656 Current date / time: 2012/03/24 14:08:18.0034
14:08:18.0034 3656 SystemInfo:
14:08:18.0034 3656
14:08:18.0034 3656 OS Version: 6.1.7601 ServicePack: 1.0
14:08:18.0034 3656 Product type: Workstation
14:08:18.0034 3656 ComputerName: LAPTOP
14:08:18.0034 3656 UserName: Lap
14:08:18.0034 3656 Windows directory: C:\Windows
14:08:18.0034 3656 System windows directory: C:\Windows
14:08:18.0034 3656 Running under WOW64
14:08:18.0034 3656 Processor architecture: Intel x64
14:08:18.0034 3656 Number of processors: 8
14:08:18.0034 3656 Page size: 0x1000
14:08:18.0034 3656 Boot type: Normal boot
14:08:18.0034 3656 ============================================================
14:08:18.0362 3656 Drive \Device\Harddisk0\DR0 - Size: 0x3B9E656000 (238.47 Gb), SectorSize: 0x200, Cylinders: 0x799A, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
14:08:18.0362 3656 \Device\Harddisk0\DR0:
14:08:18.0362 3656 MBR used
14:08:18.0362 3656 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
14:08:18.0362 3656 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x1DCC0000
14:08:18.0362 3656 Initialize success
14:08:18.0362 3656 ============================================================
14:08:32.0698 3004 ============================================================
14:08:32.0698 3004 Scan started
14:08:32.0698 3004 Mode: Manual;
14:08:32.0698 3004 ============================================================
14:08:32.0808 3004 1394ohci (a87d604aea360176311474c87a63bb88) C:\Windows\system32\DRIVERS\1394ohci.sys
14:08:32.0808 3004 1394ohci - ok
14:08:32.0839 3004 ACPI (d81d9e70b8a6dd14d42d7b4efa65d5f2) C:\Windows\system32\drivers\ACPI.sys
14:08:32.0839 3004 ACPI - ok
14:08:32.0854 3004 AcpiPmi (99f8e788246d495ce3794d7e7821d2ca) C:\Windows\system32\drivers\acpipmi.sys
14:08:32.0854 3004 AcpiPmi - ok
14:08:32.0854 3004 AdobeARMservice (62b7936f9036dd6ed36e6a7efa805dc0) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
14:08:32.0854 3004 AdobeARMservice - ok
14:08:32.0886 3004 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\drivers\adp94xx.sys
14:08:32.0886 3004 adp94xx - ok
14:08:32.0901 3004 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\drivers\adpahci.sys
14:08:32.0917 3004 adpahci - ok
14:08:32.0932 3004 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\drivers\adpu320.sys
14:08:32.0932 3004 adpu320 - ok
14:08:32.0948 3004 AeLookupSvc (4b78b431f225fd8624c5655cb1de7b61) C:\Windows\System32\aelupsvc.dll
14:08:32.0948 3004 AeLookupSvc - ok
14:08:32.0964 3004 AFD (d5b031c308a409a0a576bff4cf083d30) C:\Windows\system32\drivers\afd.sys
14:08:32.0964 3004 AFD - ok
14:08:32.0979 3004 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\drivers\agp440.sys
14:08:32.0995 3004 agp440 - ok
14:08:33.0026 3004 Ak27x64 (3a6471dc6859ae05aa8bf63c10a95ec1) C:\Windows\system32\DRIVERS\Ak27x64.sys
14:08:33.0042 3004 Ak27x64 - ok
14:08:33.0057 3004 ALG (3290d6946b5e30e70414990574883ddb) C:\Windows\System32\alg.exe
14:08:33.0057 3004 ALG - ok
14:08:33.0073 3004 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\drivers\aliide.sys
14:08:33.0073 3004 aliide - ok
14:08:33.0088 3004 ALSysIO - ok
14:08:33.0104 3004 AMD External Events Utility (812349d328eb406815183a5d17b49e7c) C:\Windows\system32\atiesrxx.exe
14:08:33.0104 3004 AMD External Events Utility - ok
14:08:33.0120 3004 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\drivers\amdide.sys
14:08:33.0120 3004 amdide - ok
14:08:33.0135 3004 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\drivers\amdk8.sys
14:08:33.0135 3004 AmdK8 - ok
14:08:33.0244 3004 amdkmdag (0415ffe1b6a6ea141feafca57567f57f) C:\Windows\system32\DRIVERS\atikmdag.sys
14:08:33.0307 3004 amdkmdag - ok
14:08:33.0322 3004 amdkmdap (dc24d6f38f17c0d643d9aa8a6852f8d0) C:\Windows\system32\DRIVERS\atikmpag.sys
14:08:33.0322 3004 amdkmdap - ok
14:08:33.0338 3004 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\drivers\amdppm.sys
14:08:33.0338 3004 AmdPPM - ok
14:08:33.0354 3004 amdsata (6ec6d772eae38dc17c14aed9b178d24b) C:\Windows\system32\drivers\amdsata.sys
14:08:33.0354 3004 amdsata - ok
14:08:33.0369 3004 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\drivers\amdsbs.sys
14:08:33.0369 3004 amdsbs - ok
14:08:33.0385 3004 amdxata (1142a21db581a84ea5597b03a26ebaa0) C:\Windows\system32\drivers\amdxata.sys
14:08:33.0385 3004 amdxata - ok
14:08:33.0400 3004 AppID (89a69c3f2f319b43379399547526d952) C:\Windows\system32\drivers\appid.sys
14:08:33.0400 3004 AppID - ok
14:08:33.0416 3004 AppIDSvc (0bc381a15355a3982216f7172f545de1) C:\Windows\System32\appidsvc.dll
14:08:33.0416 3004 AppIDSvc - ok
14:08:33.0432 3004 Appinfo (3977d4a871ca0d4f2ed1e7db46829731) C:\Windows\System32\appinfo.dll
14:08:33.0432 3004 Appinfo - ok
14:08:33.0447 3004 Apple Mobile Device (3debbecf665dcdde3a95d9b902010817) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
14:08:33.0447 3004 Apple Mobile Device - ok
14:08:33.0463 3004 AppMgmt (4aba3e75a76195a3e38ed2766c962899) C:\Windows\System32\appmgmts.dll
14:08:33.0463 3004 AppMgmt - ok
14:08:33.0478 3004 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\drivers\arc.sys
14:08:33.0478 3004 arc - ok
14:08:33.0494 3004 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\drivers\arcsas.sys
14:08:33.0494 3004 arcsas - ok
14:08:33.0510 3004 aspnet_state (9217d874131ae6ff8f642f124f00a555) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
14:08:33.0525 3004 aspnet_state - ok
14:08:33.0541 3004 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
14:08:33.0541 3004 AsyncMac - ok
14:08:33.0556 3004 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\drivers\atapi.sys
14:08:33.0556 3004 atapi - ok
14:08:33.0572 3004 AudioEndpointBuilder (f23fef6d569fce88671949894a8becf1) C:\Windows\System32\Audiosrv.dll
14:08:33.0588 3004 AudioEndpointBuilder - ok
14:08:33.0588 3004 AudioSrv (f23fef6d569fce88671949894a8becf1) C:\Windows\System32\Audiosrv.dll
14:08:33.0588 3004 AudioSrv - ok
14:08:33.0603 3004 AxInstSV (a6bf31a71b409dfa8cac83159e1e2aff) C:\Windows\System32\AxInstSV.dll
14:08:33.0603 3004 AxInstSV - ok
14:08:33.0634 3004 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\drivers\bxvbda.sys
14:08:33.0634 3004 b06bdrv - ok
14:08:33.0650 3004 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
14:08:33.0650 3004 b57nd60a - ok
14:08:33.0666 3004 BDESVC (fde360167101b4e45a96f939f388aeb0) C:\Windows\System32\bdesvc.dll
14:08:33.0666 3004 BDESVC - ok
14:08:33.0681 3004 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
14:08:33.0681 3004 Beep - ok
14:08:33.0712 3004 BFE (82974d6a2fd19445cc5171fc378668a4) C:\Windows\System32\bfe.dll
14:08:33.0712 3004 BFE - ok
14:08:33.0728 3004 BfLwf (be24e62bed109ca1a53b8d8d380df02a) C:\Windows\system32\DRIVERS\bflwfx64.sys
14:08:33.0728 3004 BfLwf - ok
14:08:33.0744 3004 Bigfoot Networks Killer Service (6278d97184d4aa83e29f8f8ce14e7650) C:\Program Files\Bigfoot Networks\Killer Network Manager\BFNService.exe
14:08:33.0744 3004 Bigfoot Networks Killer Service - ok
14:08:33.0759 3004 BITS (1ea7969e3271cbc59e1730697dc74682) C:\Windows\system32\qmgr.dll
14:08:33.0775 3004 BITS - ok
14:08:33.0790 3004 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
14:08:33.0790 3004 blbdrive - ok
14:08:33.0790 3004 Bonjour Service (ebbcd5dfbb1de70e8f4af8fa59e401fd) C:\Program Files\Bonjour\mDNSResponder.exe
14:08:33.0790 3004 Bonjour Service - ok
14:08:33.0806 3004 bowser (6c02a83164f5cc0a262f4199f0871cf5) C:\Windows\system32\DRIVERS\bowser.sys
14:08:33.0822 3004 bowser - ok
14:08:33.0837 3004 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\drivers\BrFiltLo.sys
14:08:33.0837 3004 BrFiltLo - ok
14:08:33.0853 3004 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\drivers\BrFiltUp.sys
14:08:33.0853 3004 BrFiltUp - ok
14:08:33.0868 3004 BridgeMP (5c2f352a4e961d72518261257aae204b) C:\Windows\system32\DRIVERS\bridge.sys
14:08:33.0868 3004 BridgeMP - ok
14:08:33.0884 3004 Browser (8ef0d5c41ec907751b8429162b1239ed) C:\Windows\System32\browser.dll
14:08:33.0884 3004 Browser - ok
14:08:33.0900 3004 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
14:08:33.0900 3004 Brserid - ok
14:08:33.0931 3004 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
14:08:33.0931 3004 BrSerWdm - ok
14:08:33.0946 3004 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
14:08:33.0946 3004 BrUsbMdm - ok
14:08:33.0962 3004 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
14:08:33.0962 3004 BrUsbSer - ok
14:08:33.0978 3004 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\drivers\bthmodem.sys
14:08:33.0978 3004 BTHMODEM - ok
14:08:33.0993 3004 bthserv (95f9c2976059462cbbf227f7aab10de9) C:\Windows\system32\bthserv.dll
14:08:33.0993 3004 bthserv - ok
14:08:33.0993 3004 catchme - ok
14:08:34.0024 3004 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
14:08:34.0024 3004 cdfs - ok
14:08:34.0040 3004 cdrom (f036ce71586e93d94dab220d7bdf4416) C:\Windows\system32\DRIVERS\cdrom.sys
14:08:34.0040 3004 cdrom - ok
14:08:34.0056 3004 CertPropSvc (f17d1d393bbc69c5322fbfafaca28c7f) C:\Windows\System32\certprop.dll
14:08:34.0056 3004 CertPropSvc - ok
14:08:34.0071 3004 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\drivers\circlass.sys
14:08:34.0071 3004 circlass - ok
14:08:34.0087 3004 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
14:08:34.0087 3004 CLFS - ok
14:08:34.0102 3004 clr_optimization_v2.0.50727_32 (d88040f816fda31c3b466f0fa0918f29) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
14:08:34.0102 3004 clr_optimization_v2.0.50727_32 - ok
14:08:34.0118 3004 clr_optimization_v2.0.50727_64 (d1ceea2b47cb998321c579651ce3e4f8) C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
14:08:34.0118 3004 clr_optimization_v2.0.50727_64 - ok
14:08:34.0134 3004 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
14:08:34.0134 3004 clr_optimization_v4.0.30319_32 - ok
14:08:34.0149 3004 clr_optimization_v4.0.30319_64 (c6f9af94dcd58122a4d7e89db6bed29d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
14:08:34.0149 3004 clr_optimization_v4.0.30319_64 - ok
14:08:34.0165 3004 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
14:08:34.0165 3004 CmBatt - ok
14:08:34.0180 3004 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\drivers\cmdide.sys
14:08:34.0180 3004 cmdide - ok
14:08:34.0196 3004 CNG (d5fea92400f12412b3922087c09da6a5) C:\Windows\system32\Drivers\cng.sys
14:08:34.0212 3004 CNG - ok
14:08:34.0227 3004 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
14:08:34.0227 3004 Compbatt - ok
14:08:34.0243 3004 CompositeBus (03edb043586cceba243d689bdda370a8) C:\Windows\system32\DRIVERS\CompositeBus.sys
14:08:34.0243 3004 CompositeBus - ok
14:08:34.0258 3004 COMSysApp - ok
14:08:34.0274 3004 cpuz135 (262969a3fab32b9e17e63e2d17a57744) C:\Windows\system32\drivers\cpuz135_x64.sys
14:08:34.0274 3004 cpuz135 - ok
14:08:34.0290 3004 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\drivers\crcdisk.sys
14:08:34.0290 3004 crcdisk - ok
14:08:34.0305 3004 CryptSvc (15597883fbe9b056f276ada3ad87d9af) C:\Windows\system32\cryptsvc.dll
14:08:34.0305 3004 CryptSvc - ok
14:08:34.0336 3004 CSC (54da3dfd29ed9f1619b6f53f3ce55e49) C:\Windows\system32\drivers\csc.sys
14:08:34.0336 3004 CSC - ok
14:08:34.0352 3004 CscService (3ab183ab4d2c79dcf459cd2c1266b043) C:\Windows\System32\cscsvc.dll
14:08:34.0352 3004 CscService - ok
14:08:34.0383 3004 danewFltr (003626f7ca17c204f16cd5047af0703a) C:\Windows\system32\drivers\danew.sys
14:08:34.0383 3004 danewFltr - ok
14:08:34.0399 3004 DcomLaunch (5c627d1b1138676c0a7ab2c2c190d123) C:\Windows\system32\rpcss.dll
14:08:34.0399 3004 DcomLaunch - ok
14:08:34.0414 3004 defragsvc (3cec7631a84943677aa8fa8ee5b6b43d) C:\Windows\System32\defragsvc.dll
14:08:34.0414 3004 defragsvc - ok
14:08:34.0430 3004 DfsC (9bb2ef44eaa163b29c4a4587887a0fe4) C:\Windows\system32\Drivers\dfsc.sys
14:08:34.0430 3004 DfsC - ok
14:08:34.0461 3004 Dhcp (43d808f5d9e1a18e5eeb5ebc83969e4e) C:\Windows\system32\dhcpcore.dll
14:08:34.0461 3004 Dhcp - ok
14:08:34.0477 3004 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
14:08:34.0477 3004 discache - ok
14:08:34.0492 3004 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\drivers\disk.sys
14:08:34.0492 3004 Disk - ok
14:08:34.0508 3004 dmvsc (5db085a8a6600be6401f2b24eecb5415) C:\Windows\system32\drivers\dmvsc.sys
14:08:34.0508 3004 dmvsc - ok
14:08:34.0524 3004 Dnscache (16835866aaa693c7d7fceba8fff706e4) C:\Windows\System32\dnsrslvr.dll
14:08:34.0524 3004 Dnscache - ok
14:08:34.0539 3004 dot3svc (b1fb3ddca0fdf408750d5843591afbc6) C:\Windows\System32\dot3svc.dll
14:08:34.0539 3004 dot3svc - ok
14:08:34.0555 3004 DPS (b26f4f737e8f9df4f31af6cf31d05820) C:\Windows\system32\dps.dll
14:08:34.0555 3004 DPS - ok
14:08:34.0570 3004 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
14:08:34.0570 3004 drmkaud - ok
14:08:34.0602 3004 dtsoftbus01 (400582b09e0bb557d0ec28a945150eeb) C:\Windows\system32\DRIVERS\dtsoftbus01.sys
14:08:34.0602 3004 dtsoftbus01 - ok
14:08:34.0617 3004 DXGKrnl (f5bee30450e18e6b83a5012c100616fd) C:\Windows\System32\drivers\dxgkrnl.sys
14:08:34.0633 3004 DXGKrnl - ok
14:08:34.0633 3004 EapHost (e2dda8726da9cb5b2c4000c9018a9633) C:\Windows\System32\eapsvc.dll
14:08:34.0633 3004 EapHost - ok
14:08:34.0680 3004 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\drivers\evbda.sys
14:08:34.0695 3004 ebdrv - ok
14:08:34.0711 3004 EFS (0793f40b9b8a1bdd266296409dbd91ea) C:\Windows\System32\lsass.exe
14:08:34.0711 3004 EFS - ok
14:08:34.0726 3004 ehRecvr (c4002b6b41975f057d98c439030cea07) C:\Windows\ehome\ehRecvr.exe
14:08:34.0742 3004 ehRecvr - ok
14:08:34.0742 3004 ehSched (4705e8ef9934482c5bb488ce28afc681) C:\Windows\ehome\ehsched.exe
14:08:34.0742 3004 ehSched - ok
14:08:34.0758 3004 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\drivers\elxstor.sys
14:08:34.0758 3004 elxstor - ok
14:08:34.0773 3004 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\drivers\errdev.sys
14:08:34.0773 3004 ErrDev - ok
14:08:34.0804 3004 EventSystem (4166f82be4d24938977dd1746be9b8a0) C:\Windows\system32\es.dll
14:08:34.0804 3004 EventSystem - ok
14:08:34.0820 3004 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
14:08:34.0820 3004 exfat - ok
14:08:34.0836 3004 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
14:08:34.0836 3004 fastfat - ok
14:08:34.0867 3004 Fax (dbefd454f8318a0ef691fdd2eaab44eb) C:\Windows\system32\fxssvc.exe
14:08:34.0867 3004 Fax - ok
14:08:34.0882 3004 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\drivers\fdc.sys
14:08:34.0882 3004 fdc - ok
14:08:34.0898 3004 fdPHost (0438cab2e03f4fb61455a7956026fe86) C:\Windows\system32\fdPHost.dll
14:08:34.0898 3004 fdPHost - ok
14:08:34.0914 3004 FDResPub (802496cb59a30349f9a6dd22d6947644) C:\Windows\system32\fdrespub.dll
14:08:34.0914 3004 FDResPub - ok
14:08:34.0929 3004 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
14:08:34.0929 3004 FileInfo - ok
14:08:34.0945 3004 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
14:08:34.0945 3004 Filetrace - ok
14:08:34.0960 3004 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\drivers\flpydisk.sys
14:08:34.0960 3004 flpydisk - ok
14:08:34.0976 3004 FltMgr (da6b67270fd9db3697b20fce94950741) C:\Windows\system32\drivers\fltmgr.sys
14:08:34.0976 3004 FltMgr - ok
14:08:35.0007 3004 FontCache (5c4cb4086fb83115b153e47add961a0c) C:\Windows\system32\FntCache.dll
14:08:35.0007 3004 FontCache - ok
14:08:35.0023 3004 FontCache3.0.0.0 (a8b7f3818ab65695e3a0bb3279f6dce6) C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
14:08:35.0023 3004 FontCache3.0.0.0 - ok
14:08:35.0038 3004 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
14:08:35.0038 3004 FsDepends - ok
14:08:35.0054 3004 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys
14:08:35.0054 3004 Fs_Rec - ok
14:08:35.0070 3004 fvevol (1f7b25b858fa27015169fe95e54108ed) C:\Windows\system32\DRIVERS\fvevol.sys
14:08:35.0070 3004 fvevol - ok
14:08:35.0085 3004 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\drivers\gagp30kx.sys
14:08:35.0085 3004 gagp30kx - ok
14:08:35.0116 3004 GEARAspiWDM (e403aacf8c7bb11375122d2464560311) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
14:08:35.0116 3004 GEARAspiWDM - ok
14:08:35.0132 3004 gpsvc (277bbc7e1aa1ee957f573a10eca7ef3a) C:\Windows\System32\gpsvc.dll
14:08:35.0132 3004 gpsvc - ok
14:08:35.0163 3004 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
14:08:35.0163 3004 hcw85cir - ok
14:08:35.0179 3004 HdAudAddService (975761c778e33cd22498059b91e7373a) C:\Windows\system32\drivers\HdAudio.sys
14:08:35.0179 3004 HdAudAddService - ok
14:08:35.0194 3004 HDAudBus (97bfed39b6b79eb12cddbfeed51f56bb) C:\Windows\system32\DRIVERS\HDAudBus.sys
14:08:35.0194 3004 HDAudBus - ok
14:08:35.0210 3004 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\drivers\HidBatt.sys
14:08:35.0210 3004 HidBatt - ok
14:08:35.0226 3004 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\drivers\hidbth.sys
14:08:35.0226 3004 HidBth - ok
14:08:35.0257 3004 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\drivers\hidir.sys
14:08:35.0257 3004 HidIr - ok
14:08:35.0257 3004 hidserv (bd9eb3958f213f96b97b1d897dee006d) C:\Windows\System32\hidserv.dll
14:08:35.0257 3004 hidserv - ok
14:08:35.0272 3004 HidUsb (9592090a7e2b61cd582b612b6df70536) C:\Windows\system32\DRIVERS\hidusb.sys
14:08:35.0288 3004 HidUsb - ok
14:08:35.0288 3004 hkmsvc (387e72e739e15e3d37907a86d9ff98e2) C:\Windows\system32\kmsvc.dll
14:08:35.0288 3004 hkmsvc - ok
14:08:35.0304 3004 HomeGroupListener (efdfb3dd38a4376f93e7985173813abd) C:\Windows\system32\ListSvc.dll
14:08:35.0319 3004 HomeGroupListener - ok
14:08:35.0335 3004 HomeGroupProvider (908acb1f594274965a53926b10c81e89) C:\Windows\system32\provsvc.dll
14:08:35.0335 3004 HomeGroupProvider - ok
14:08:35.0350 3004 HpSAMD (39d2abcd392f3d8a6dce7b60ae7b8efc) C:\Windows\system32\drivers\HpSAMD.sys
14:08:35.0350 3004 HpSAMD - ok
14:08:35.0382 3004 HTTP (0ea7de1acb728dd5a369fd742d6eee28) C:\Windows\system32\drivers\HTTP.sys
14:08:35.0382 3004 HTTP - ok
14:08:35.0397 3004 hwpolicy (a5462bd6884960c9dc85ed49d34ff392) C:\Windows\system32\drivers\hwpolicy.sys
14:08:35.0397 3004 hwpolicy - ok
14:08:35.0413 3004 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\DRIVERS\i8042prt.sys
14:08:35.0428 3004 i8042prt - ok
14:08:35.0444 3004 iaStorV (3df4395a7cf8b7a72a5f4606366b8c2d) C:\Windows\system32\drivers\iaStorV.sys
14:08:35.0444 3004 iaStorV - ok
14:08:35.0460 3004 idsvc (5988fc40f8db5b0739cd1e3a5d0d78bd) C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
14:08:35.0460 3004 idsvc - ok
14:08:35.0491 3004 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\drivers\iirsp.sys
14:08:35.0491 3004 iirsp - ok
14:08:35.0506 3004 IKEEXT (fcd84c381e0140af901e58d48882d26b) C:\Windows\System32\ikeext.dll
14:08:35.0506 3004 IKEEXT - ok
14:08:35.0553 3004 IntcAzAudAddService (f2744fd54be1580be05916d1c755c92a) C:\Windows\system32\drivers\RTKVHD64.sys
14:08:35.0569 3004 IntcAzAudAddService - ok
14:08:35.0584 3004 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\drivers\intelide.sys
14:08:35.0584 3004 intelide - ok
14:08:35.0600 3004 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys
14:08:35.0600 3004 intelppm - ok
14:08:35.0616 3004 IPBusEnum (098a91c54546a3b878dad6a7e90a455b) C:\Windows\system32\ipbusenum.dll
14:08:35.0616 3004 IPBusEnum - ok
14:08:35.0631 3004 IpFilterDriver (c9f0e1bd74365a8771590e9008d22ab6) C:\Windows\system32\DRIVERS\ipfltdrv.sys
14:08:35.0631 3004 IpFilterDriver - ok
14:08:35.0662 3004 iphlpsvc (a34a587fffd45fa649fba6d03784d257) C:\Windows\System32\iphlpsvc.dll
14:08:35.0662 3004 iphlpsvc - ok
14:08:35.0678 3004 IPMIDRV (0fc1aea580957aa8817b8f305d18ca3a) C:\Windows\system32\drivers\IPMIDrv.sys
14:08:35.0678 3004 IPMIDRV - ok
14:08:35.0694 3004 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
14:08:35.0694 3004 IPNAT - ok
14:08:35.0709 3004 iPod Service (46d249f9db7844cc01050a9345f0f61b) C:\Program Files\iPod\bin\iPodService.exe
14:08:35.0709 3004 iPod Service - ok
14:08:35.0725 3004 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
14:08:35.0740 3004 IRENUM - ok
14:08:35.0756 3004 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\drivers\isapnp.sys
14:08:35.0756 3004 isapnp - ok
14:08:35.0772 3004 iScsiPrt (d931d7309deb2317035b07c9f9e6b0bd) C:\Windows\system32\drivers\msiscsi.sys
14:08:35.0772 3004 iScsiPrt - ok
14:08:35.0787 3004 JMCR (e5f9a5ac854529efbe37e475149615c1) C:\Windows\system32\DRIVERS\jmcr.sys
14:08:35.0787 3004 JMCR - ok
14:08:35.0803 3004 JME (a4f45625ccd360de35da5051fda0b47f) C:\Windows\system32\DRIVERS\JME.sys
14:08:35.0803 3004 JME - ok
14:08:35.0818 3004 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\DRIVERS\kbdclass.sys
14:08:35.0818 3004 kbdclass - ok
14:08:35.0834 3004 kbdhid (0705eff5b42a9db58548eec3b26bb484) C:\Windows\system32\DRIVERS\kbdhid.sys
14:08:35.0850 3004 kbdhid - ok
14:08:35.0850 3004 KeyIso (0793f40b9b8a1bdd266296409dbd91ea) C:\Windows\system32\lsass.exe
14:08:35.0850 3004 KeyIso - ok
14:08:35.0865 3004 KSecDD (ccd53b5bd33ce0c889e830d839c8b66e) C:\Windows\system32\Drivers\ksecdd.sys
14:08:35.0865 3004 KSecDD - ok
14:08:35.0881 3004 KSecPkg (9ff918a261752c12639e8ad4208d2c2f) C:\Windows\system32\Drivers\ksecpkg.sys
14:08:35.0896 3004 KSecPkg - ok
14:08:35.0912 3004 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
14:08:35.0912 3004 ksthunk - ok
14:08:35.0928 3004 KtmRm (6ab66e16aa859232f64deb66887a8c9c) C:\Windows\system32\msdtckrm.dll
14:08:35.0928 3004 KtmRm - ok
14:08:35.0943 3004 LanmanServer (d9f42719019740baa6d1c6d536cbdaa6) C:\Windows\System32\srvsvc.dll
14:08:35.0943 3004 LanmanServer - ok
14:08:35.0959 3004 LanmanWorkstation (851a1382eed3e3a7476db004f4ee3e1a) C:\Windows\System32\wkssvc.dll
14:08:35.0959 3004 LanmanWorkstation - ok
14:08:35.0974 3004 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
14:08:35.0974 3004 lltdio - ok
14:08:35.0990 3004 lltdsvc (c1185803384ab3feed115f79f109427f) C:\Windows\System32\lltdsvc.dll
14:08:36.0006 3004 lltdsvc - ok
14:08:36.0021 3004 lmhosts (f993a32249b66c9d622ea5592a8b76b8) C:\Windows\System32\lmhsvc.dll
14:08:36.0021 3004 lmhosts - ok
14:08:36.0037 3004 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\drivers\lsi_fc.sys
14:08:36.0037 3004 LSI_FC - ok
14:08:36.0052 3004 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\drivers\lsi_sas.sys
14:08:36.0052 3004 LSI_SAS - ok
14:08:36.0068 3004 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\drivers\lsi_sas2.sys
14:08:36.0068 3004 LSI_SAS2 - ok
14:08:36.0084 3004 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\drivers\lsi_scsi.sys
14:08:36.0084 3004 LSI_SCSI - ok
14:08:36.0099 3004 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
14:08:36.0099 3004 luafv - ok
14:08:36.0115 3004 MBAMProtector (79da94b35371b9e7104460c7693dcb2c) C:\Windows\system32\drivers\mbam.sys
14:08:36.0115 3004 MBAMProtector - ok
14:08:36.0130 3004 MBAMService (056b19651bd7b7ce5f89a3ac46dbdc08) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
14:08:36.0130 3004 MBAMService - ok
14:08:36.0146 3004 Mcx2Svc (0be09cd858abf9df6ed259d57a1a1663) C:\Windows\system32\Mcx2Svc.dll
14:08:36.0146 3004 Mcx2Svc - ok
14:08:36.0162 3004 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\drivers\megasas.sys
14:08:36.0162 3004 megasas - ok
14:08:36.0193 3004 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\drivers\MegaSR.sys
14:08:36.0193 3004 MegaSR - ok
14:08:36.0208 3004 mindretrieve (5f22132c9153639762708909f156b33d) C:\Windows\system32\db2das00.dll
14:08:36.0208 3004 mindretrieve ( Backdoor.Multi.ZAccess.gen ) - infected
14:08:36.0208 3004 mindretrieve - detected Backdoor.Multi.ZAccess.gen (0)
14:08:36.0208 3004 MMCSS (e40e80d0304a73e8d269f7141d77250b) C:\Windows\system32\mmcss.dll
14:08:36.0224 3004 MMCSS - ok
14:08:36.0240 3004 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
14:08:36.0240 3004 Modem - ok
14:08:36.0255 3004 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
14:08:36.0255 3004 monitor - ok
14:08:36.0271 3004 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys
14:08:36.0271 3004 mouclass - ok
14:08:36.0286 3004 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
14:08:36.0286 3004 mouhid - ok
14:08:36.0302 3004 mountmgr (32e7a3d591d671a6df2db515a5cbe0fa) C:\Windows\system32\drivers\mountmgr.sys
14:08:36.0302 3004 mountmgr - ok
14:08:36.0318 3004 mpio (a44b420d30bd56e145d6a2bc8768ec58) C:\Windows\system32\drivers\mpio.sys
14:08:36.0318 3004 mpio - ok
14:08:36.0333 3004 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
14:08:36.0333 3004 mpsdrv - ok
14:08:36.0349 3004 MpsSvc (54ffc9c8898113ace189d4aa7199d2c1) C:\Windows\system32\mpssvc.dll
14:08:36.0364 3004 MpsSvc - ok
14:08:36.0380 3004 MRxDAV (dc722758b8261e1abafd31a3c0a66380) C:\Windows\system32\drivers\mrxdav.sys
14:08:36.0380 3004 MRxDAV - ok
14:08:36.0396 3004 mrxsmb (a5d9106a73dc88564c825d317cac68ac) C:\Windows\system32\DRIVERS\mrxsmb.sys
14:08:36.0396 3004 mrxsmb - ok
14:08:36.0411 3004 mrxsmb10 (d711b3c1d5f42c0c2415687be09fc163) C:\Windows\system32\DRIVERS\mrxsmb10.sys
14:08:36.0427 3004 mrxsmb10 - ok
14:08:36.0442 3004 mrxsmb20 (9423e9d355c8d303e76b8cfbd8a5c30c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
14:08:36.0442 3004 mrxsmb20 - ok
14:08:36.0458 3004 msahci (c25f0bafa182cbca2dd3c851c2e75796) C:\Windows\system32\drivers\msahci.sys
14:08:36.0458 3004 msahci - ok
14:08:36.0474 3004 msdsm (db801a638d011b9633829eb6f663c900) C:\Windows\system32\drivers\msdsm.sys
14:08:36.0474 3004 msdsm - ok
14:08:36.0489 3004 MSDTC (de0ece52236cfa3ed2dbfc03f28253a8) C:\Windows\System32\msdtc.exe
14:08:36.0489 3004 MSDTC - ok
14:08:36.0505 3004 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
14:08:36.0505 3004 Msfs - ok
14:08:36.0536 3004 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
14:08:36.0536 3004 mshidkmdf - ok
14:08:36.0552 3004 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\drivers\msisadrv.sys
14:08:36.0552 3004 msisadrv - ok
14:08:36.0567 3004 MSiSCSI (808e98ff49b155c522e6400953177b08) C:\Windows\system32\iscsiexe.dll
14:08:36.0567 3004 MSiSCSI - ok
14:08:36.0583 3004 msiserver - ok
14:08:36.0598 3004 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
14:08:36.0598 3004 MSKSSRV - ok
14:08:36.0614 3004 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
14:08:36.0614 3004 MSPCLOCK - ok
14:08:36.0630 3004 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
14:08:36.0645 3004 MSPQM - ok
14:08:36.0661 3004 MsRPC (759a9eeb0fa9ed79da1fb7d4ef78866d) C:\Windows\system32\drivers\MsRPC.sys
14:08:36.0661 3004 MsRPC - ok
14:08:36.0676 3004 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\DRIVERS\mssmbios.sys
14:08:36.0676 3004 mssmbios - ok
14:08:36.0692 3004 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
14:08:36.0692 3004 MSTEE - ok
14:08:36.0708 3004 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\drivers\MTConfig.sys
14:08:36.0708 3004 MTConfig - ok
14:08:36.0723 3004 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
14:08:36.0723 3004 Mup - ok
14:08:36.0754 3004 napagent (582ac6d9873e31dfa28a4547270862dd) C:\Windows\system32\qagentRT.dll
14:08:36.0754 3004 napagent - ok
14:08:36.0770 3004 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
14:08:36.0770 3004 NativeWifiP - ok
14:08:36.0801 3004 NDIS (79b47fd40d9a817e932f9d26fac0a81c) C:\Windows\system32\drivers\ndis.sys
14:08:36.0801 3004 NDIS - ok
14:08:36.0817 3004 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
14:08:36.0817 3004 NdisCap - ok
14:08:36.0832 3004 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
14:08:36.0832 3004 NdisTapi - ok
14:08:36.0864 3004 Ndisuio (136185f9fb2cc61e573e676aa5402356) C:\Windows\system32\DRIVERS\ndisuio.sys
14:08:36.0864 3004 Ndisuio - ok
14:08:36.0879 3004 NdisWan (53f7305169863f0a2bddc49e116c2e11) C:\Windows\system32\DRIVERS\ndiswan.sys
14:08:36.0879 3004 NdisWan - ok
14:08:36.0895 3004 NDProxy (015c0d8e0e0421b4cfd48cffe2825879) C:\Windows\system32\drivers\NDProxy.sys
14:08:36.0895 3004 NDProxy - ok
14:08:36.0910 3004 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
14:08:36.0910 3004 NetBIOS - ok
14:08:36.0926 3004 NetBT (09594d1089c523423b32a4229263f068) C:\Windows\system32\DRIVERS\netbt.sys
14:08:36.0942 3004 NetBT - ok
14:08:36.0942 3004 Netlogon (0793f40b9b8a1bdd266296409dbd91ea) C:\Windows\system32\lsass.exe
14:08:36.0942 3004 Netlogon - ok
14:08:36.0973 3004 Netman (847d3ae376c0817161a14a82c8922a9e) C:\Windows\System32\netman.dll
14:08:36.0973 3004 Netman - ok
14:08:36.0973 3004 NetMsmqActivator (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
14:08:36.0988 3004 NetMsmqActivator - ok
14:08:36.0988 3004 NetPipeActivator (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
14:08:36.0988 3004 NetPipeActivator - ok
14:08:37.0004 3004 netprofm (5f28111c648f1e24f7dbc87cdeb091b8) C:\Windows\System32\netprofm.dll
14:08:37.0004 3004 netprofm - ok
14:08:37.0020 3004 NetTcpActivator (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
14:08:37.0020 3004 NetTcpActivator - ok
14:08:37.0020 3004 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
14:08:37.0020 3004 NetTcpPortSharing - ok
14:08:37.0035 3004 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\drivers\nfrd960.sys
14:08:37.0035 3004 nfrd960 - ok
14:08:37.0051 3004 NlaSvc (1ee99a89cc788ada662441d1e9830529) C:\Windows\System32\nlasvc.dll
14:08:37.0066 3004 NlaSvc - ok
14:08:37.0082 3004 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
14:08:37.0082 3004 Npfs - ok
14:08:37.0082 3004 nsi (d54bfdf3e0c953f823b3d0bfe4732528) C:\Windows\system32\nsisvc.dll
14:08:37.0082 3004 nsi - ok
14:08:37.0098 3004 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
14:08:37.0113 3004 nsiproxy - ok
14:08:37.0129 3004 Ntfs (05d78aa5cb5f3f5c31160bdb955d0b7c) C:\Windows\system32\drivers\Ntfs.sys
14:08:37.0144 3004 Ntfs - ok
14:08:37.0160 3004 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
14:08:37.0160 3004 Null - ok
14:08:37.0176 3004 nusb3hub (a7127e86f9ffe2a53e271b56b2c4cedf) C:\Windows\system32\DRIVERS\nusb3hub.sys
14:08:37.0176 3004 nusb3hub - ok
14:08:37.0191 3004 nusb3xhc (49bbec6f48d5f9284b03abf3a959b19b) C:\Windows\system32\DRIVERS\nusb3xhc.sys
14:08:37.0207 3004 nusb3xhc - ok
14:08:37.0222 3004 nvraid (5d9fd91f3d38dc9da01e3cb5fa89cd48) C:\Windows\system32\drivers\nvraid.sys
14:08:37.0222 3004 nvraid - ok
14:08:37.0238 3004 nvstor (f7cd50fe7139f07e77da8ac8033d1832) C:\Windows\system32\drivers\nvstor.sys
14:08:37.0238 3004 nvstor - ok
14:08:37.0254 3004 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\drivers\nv_agp.sys
14:08:37.0254 3004 nv_agp - ok
14:08:37.0269 3004 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\drivers\ohci1394.sys
14:08:37.0269 3004 ohci1394 - ok
14:08:37.0285 3004 p2pimsvc (3eac4455472cc2c97107b5291e0dcafe) C:\Windows\system32\pnrpsvc.dll
14:08:37.0285 3004 p2pimsvc - ok
14:08:37.0316 3004 p2psvc (927463ecb02179f88e4b9a17568c63c3) C:\Windows\system32\p2psvc.dll
14:08:37.0316 3004 p2psvc - ok
14:08:37.0332 3004 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\drivers\parport.sys
14:08:37.0332 3004 Parport - ok
14:08:37.0347 3004 partmgr (871eadac56b0a4c6512bbe32753ccf79) C:\Windows\system32\drivers\partmgr.sys
14:08:37.0347 3004 partmgr - ok
14:08:37.0363 3004 PcaSvc (3aeaa8b561e63452c655dc0584922257) C:\Windows\System32\pcasvc.dll
14:08:37.0363 3004 PcaSvc - ok
14:08:37.0378 3004 pci (94575c0571d1462a0f70bde6bd6ee6b3) C:\Windows\system32\drivers\pci.sys
14:08:37.0378 3004 pci - ok
14:08:37.0394 3004 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\drivers\pciide.sys
14:08:37.0394 3004 pciide - ok
14:08:37.0425 3004 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\drivers\pcmcia.sys
14:08:37.0425 3004 pcmcia - ok
14:08:37.0441 3004 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
14:08:37.0441 3004 pcw - ok
14:08:37.0456 3004 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
14:08:37.0472 3004 PEAUTH - ok
14:08:37.0488 3004 PeerDistSvc (b9b0a4299dd2d76a4243f75fd54dc680) C:\Windows\system32\peerdistsvc.dll
14:08:37.0503 3004 PeerDistSvc - ok
14:08:37.0519 3004 PerfHost (e495e408c93141e8fc72dc0c6046ddfa) C:\Windows\SysWow64\perfhost.exe
14:08:37.0519 3004 PerfHost - ok
14:08:37.0550 3004 pla (c7cf6a6e137463219e1259e3f0f0dd6c) C:\Windows\system32\pla.dll
14:08:37.0550 3004 pla - ok
14:08:37.0566 3004 PlugPlay (25fbdef06c4d92815b353f6e792c8129) C:\Windows\system32\umpnpmgr.dll
14:08:37.0581 3004 PlugPlay - ok
14:08:37.0597 3004 PNRPAutoReg (7195581cec9bb7d12abe54036acc2e38) C:\Windows\system32\pnrpauto.dll
14:08:37.0597 3004 PNRPAutoReg - ok
14:08:37.0612 3004 PNRPsvc (3eac4455472cc2c97107b5291e0dcafe) C:\Windows\system32\pnrpsvc.dll
14:08:37.0612 3004 PNRPsvc - ok
14:08:37.0628 3004 PolicyAgent (4f15d75adf6156bf56eced6d4a55c389) C:\Windows\System32\ipsecsvc.dll
14:08:37.0628 3004 PolicyAgent - ok
14:08:37.0644 3004 Power (6ba9d927dded70bd1a9caded45f8b184) C:\Windows\system32\umpo.dll
14:08:37.0644 3004 Power - ok
14:08:37.0659 3004 PptpMiniport (f92a2c41117a11a00be01ca01a7fcde9) C:\Windows\system32\DRIVERS\raspptp.sys
14:08:37.0659 3004 PptpMiniport - ok
14:08:37.0675 3004 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\drivers\processr.sys
14:08:37.0675 3004 Processor - ok
14:08:37.0690 3004 ProfSvc (5c78838b4d166d1a27db3a8a820c799a) C:\Windows\system32\profsvc.dll
14:08:37.0690 3004 ProfSvc - ok
14:08:37.0706 3004 ProtectedStorage (0793f40b9b8a1bdd266296409dbd91ea) C:\Windows\system32\lsass.exe
14:08:37.0722 3004 ProtectedStorage - ok
14:08:37.0737 3004 Psched (0557cf5a2556bd58e26384169d72438d) C:\Windows\system32\DRIVERS\pacer.sys
14:08:37.0737 3004 Psched - ok
14:08:37.0753 3004 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\drivers\ql2300.sys
14:08:37.0768 3004 ql2300 - ok
14:08:37.0784 3004 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\drivers\ql40xx.sys
14:08:37.0784 3004 ql40xx - ok
14:08:37.0800 3004 QWAVE (906191634e99aea92c4816150bda3732) C:\Windows\system32\qwave.dll
14:08:37.0800 3004 QWAVE - ok
14:08:37.0831 3004 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
14:08:37.0831 3004 QWAVEdrv - ok
14:08:37.0846 3004 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
14:08:37.0846 3004 RasAcd - ok
14:08:37.0862 3004 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
14:08:37.0862 3004 RasAgileVpn - ok
14:08:37.0878 3004 RasAuto (8f26510c5383b8dbe976de1cd00fc8c7) C:\Windows\System32\rasauto.dll
14:08:37.0878 3004 RasAuto - ok
14:08:37.0893 3004 Rasl2tp (471815800ae33e6f1c32fb1b97c490ca) C:\Windows\system32\DRIVERS\rasl2tp.sys
14:08:37.0909 3004 Rasl2tp - ok
14:08:37.0924 3004 RasMan (ee867a0870fc9e4972ba9eaad35651e2) C:\Windows\System32\rasmans.dll
14:08:37.0924 3004 RasMan - ok
14:08:37.0940 3004 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
14:08:37.0940 3004 RasPppoe - ok
14:08:37.0956 3004 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
14:08:37.0956 3004 RasSstp - ok
14:08:37.0971 3004 rdbss (77f665941019a1594d887a74f301fa2f) C:\Windows\system32\DRIVERS\rdbss.sys
14:08:37.0971 3004 rdbss - ok
14:08:37.0987 3004 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys
14:08:37.0987 3004 rdpbus - ok
14:08:38.0002 3004 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
14:08:38.0002 3004 RDPCDD - ok
14:08:38.0018 3004 RDPDR (1b6163c503398b23ff8b939c67747683) C:\Windows\system32\drivers\rdpdr.sys
14:08:38.0034 3004 RDPDR - ok
14:08:38.0049 3004 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
14:08:38.0049 3004 RDPENCDD - ok
14:08:38.0065 3004 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
14:08:38.0065 3004 RDPREFMP - ok
14:08:38.0080 3004 RdpVideoMiniport (70cba1a0c98600a2aa1863479b35cb90) C:\Windows\system32\drivers\rdpvideominiport.sys
14:08:38.0080 3004 RdpVideoMiniport - ok
14:08:38.0096 3004 RDPWD (15b66c206b5cb095bab980553f38ed23) C:\Windows\system32\drivers\RDPWD.sys
14:08:38.0096 3004 RDPWD - ok
14:08:38.0112 3004 rdyboost (34ed295fa0121c241bfef24764fc4520) C:\Windows\system32\drivers\rdyboost.sys
14:08:38.0112 3004 rdyboost - ok
14:08:38.0127 3004 RemoteAccess (254fb7a22d74e5511c73a3f6d802f192) C:\Windows\System32\mprdim.dll
14:08:38.0127 3004 RemoteAccess - ok
14:08:38.0143 3004 RemoteRegistry (e4d94f24081440b5fc5aa556c7c62702) C:\Windows\system32\regsvc.dll
14:08:38.0143 3004 RemoteRegistry - ok
14:08:38.0158 3004 RpcEptMapper (e4dc58cf7b3ea515ae917ff0d402a7bb) C:\Windows\System32\RpcEpMap.dll
14:08:38.0158 3004 RpcEptMapper - ok
14:08:38.0174 3004 RpcLocator (d5ba242d4cf8e384db90e6a8ed850b8c) C:\Windows\system32\locator.exe
14:08:38.0174 3004 RpcLocator - ok
14:08:38.0190 3004 RpcSs (5c627d1b1138676c0a7ab2c2c190d123) C:\Windows\system32\rpcss.dll
14:08:38.0205 3004 RpcSs - ok
14:08:38.0221 3004 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
14:08:38.0221 3004 rspndr - ok
14:08:38.0221 3004 RTCore64 - ok
14:08:38.0236 3004 s3cap (e60c0a09f997826c7627b244195ab581) C:\Windows\system32\drivers\vms3cap.sys
14:08:38.0236 3004 s3cap - ok
14:08:38.0252 3004 SamSs (0793f40b9b8a1bdd266296409dbd91ea) C:\Windows\system32\lsass.exe
14:08:38.0252 3004 SamSs - ok
14:08:38.0268 3004 sbp2port (ac03af3329579fffb455aa2daabbe22b) C:\Windows\system32\drivers\sbp2port.sys
14:08:38.0268 3004 sbp2port - ok
14:08:38.0283 3004 SCardSvr (9b7395789e3791a3b6d000fe6f8b131e) C:\Windows\System32\SCardSvr.dll
14:08:38.0283 3004 SCardSvr - ok
14:08:38.0299 3004 scfilter (253f38d0d7074c02ff8deb9836c97d2b) C:\Windows\system32\DRIVERS\scfilter.sys
14:08:38.0299 3004 scfilter - ok
14:08:38.0330 3004 Schedule (262f6592c3299c005fd6bec90fc4463a) C:\Windows\system32\schedsvc.dll
14:08:38.0330 3004 Schedule - ok
14:08:38.0346 3004 SCPolicySvc (f17d1d393bbc69c5322fbfafaca28c7f) C:\Windows\System32\certprop.dll
14:08:38.0346 3004 SCPolicySvc - ok
14:08:38.0361 3004 sdbus (111e0ebc0ad79cb0fa014b907b231cf0) C:\Windows\system32\DRIVERS\sdbus.sys
14:08:38.0361 3004 sdbus - ok
14:08:38.0377 3004 SDRSVC (6ea4234dc55346e0709560fe7c2c1972) C:\Windows\System32\SDRSVC.dll
14:08:38.0377 3004 SDRSVC - ok
14:08:38.0392 3004 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
14:08:38.0392 3004 secdrv - ok
14:08:38.0408 3004 seclogon (bc617a4e1b4fa8df523a061739a0bd87) C:\Windows\system32\seclogon.dll
14:08:38.0408 3004 seclogon - ok
14:08:38.0424 3004 SENS (c32ab8fa018ef34c0f113bd501436d21) C:\Windows\system32\sens.dll
14:08:38.0424 3004 SENS - ok
14:08:38.0439 3004 SensrSvc (0336cffafaab87a11541f1cf1594b2b2) C:\Windows\system32\sensrsvc.dll
14:08:38.0439 3004 SensrSvc - ok
14:08:38.0455 3004 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\drivers\serenum.sys
14:08:38.0455 3004 Serenum - ok
14:08:38.0486 3004 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\drivers\serial.sys
14:08:38.0486 3004 Serial - ok
14:08:38.0502 3004 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\drivers\sermouse.sys
14:08:38.0502 3004 sermouse - ok
14:08:38.0517 3004 SessionEnv (0b6231bf38174a1628c4ac812cc75804) C:\Windows\system32\sessenv.dll
14:08:38.0517 3004 SessionEnv - ok
14:08:38.0533 3004 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\drivers\sffdisk.sys
14:08:38.0533 3004 sffdisk - ok
14:08:38.0548 3004 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\drivers\sffp_mmc.sys
14:08:38.0548 3004 sffp_mmc - ok
14:08:38.0564 3004 sffp_sd (dd85b78243a19b59f0637dcf284da63c) C:\Windows\system32\drivers\sffp_sd.sys
14:08:38.0564 3004 sffp_sd - ok
14:08:38.0580 3004 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\drivers\sfloppy.sys
14:08:38.0580 3004 sfloppy - ok
14:08:38.0595 3004 SharedAccess (b95f6501a2f8b2e78c697fec401970ce) C:\Windows\System32\ipnathlp.dll
14:08:38.0595 3004 SharedAccess - ok
14:08:38.0611 3004 ShellHWDetection (aaf932b4011d14052955d4b212a4da8d) C:\Windows\System32\shsvcs.dll
14:08:38.0626 3004 ShellHWDetection - ok
14:08:38.0642 3004 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\drivers\SiSRaid2.sys
14:08:38.0642 3004 SiSRaid2 - ok
14:08:38.0658 3004 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\drivers\sisraid4.sys
14:08:38.0658 3004 SiSRaid4 - ok
14:08:38.0673 3004 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
14:08:38.0673 3004 Smb - ok
14:08:38.0689 3004 SNMPTRAP (6313f223e817cc09aa41811daa7f541d) C:\Windows\System32\snmptrap.exe
14:08:38.0689 3004 SNMPTRAP - ok
14:08:38.0704 3004 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
14:08:38.0704 3004 spldr - ok
14:08:38.0720 3004 Spooler (b96c17b5dc1424d56eea3a99e97428cd) C:\Windows\System32\spoolsv.exe
14:08:38.0720 3004 Spooler - ok
14:08:38.0767 3004 sppsvc (e17e0188bb90fae42d83e98707efa59c) C:\Windows\system32\sppsvc.exe
14:08:38.0798 3004 sppsvc - ok
14:08:38.0798 3004 sppuinotify (93d7d61317f3d4bc4f4e9f8a96a7de45) C:\Windows\system32\sppuinotify.dll
14:08:38.0814 3004 sppuinotify - ok
14:08:38.0829 3004 srv (441fba48bff01fdb9d5969ebc1838f0b) C:\Windows\system32\DRIVERS\srv.sys
14:08:38.0829 3004 srv - ok
14:08:38.0845 3004 srv2 (b4adebbf5e3677cce9651e0f01f7cc28) C:\Windows\system32\DRIVERS\srv2.sys
14:08:38.0845 3004 srv2 - ok
14:08:38.0860 3004 srvnet (27e461f0be5bff5fc737328f749538c3) C:\Windows\system32\DRIVERS\srvnet.sys
14:08:38.0876 3004 srvnet - ok
14:08:38.0892 3004 SSDPSRV (51b52fbd583cde8aa9ba62b8b4298f33) C:\Windows\System32\ssdpsrv.dll
14:08:38.0892 3004 SSDPSRV - ok
14:08:38.0907 3004 SstpSvc (ab7aebf58dad8daab7a6c45e6a8885cb) C:\Windows\system32\sstpsvc.dll
14:08:38.0907 3004 SstpSvc - ok
14:08:38.0907 3004 Steam Client Service - ok
14:08:38.0923 3004 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\drivers\stexstor.sys
14:08:38.0923 3004 stexstor - ok
14:08:38.0938 3004 stisvc (8dd52e8e6128f4b2da92ce27402871c1) C:\Windows\System32\wiaservc.dll
14:08:38.0954 3004 stisvc - ok
14:08:38.0970 3004 storflt (7785dc213270d2fc066538daf94087e7) C:\Windows\system32\drivers\vmstorfl.sys
14:08:38.0970 3004 storflt - ok
14:08:38.0985 3004 storvsc (d34e4943d5ac096c8edeebfd80d76e23) C:\Windows\system32\drivers\storvsc.sys
14:08:38.0985 3004 storvsc - ok
14:08:39.0001 3004 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\DRIVERS\swenum.sys
14:08:39.0001 3004 swenum - ok
14:08:39.0016 3004 swprv (e08e46fdd841b7184194011ca1955a0b) C:\Windows\System32\swprv.dll
14:08:39.0032 3004 swprv - ok
14:08:39.0048 3004 Synth3dVsc (c3a39c4079305480972d29c44b868c78) C:\Windows\system32\drivers\synth3dvsc.sys
14:08:39.0048 3004 Synth3dVsc - ok
14:08:39.0079 3004 SynTP (f4db1d9e6a42d491f0f8e21854301c0b) C:\Windows\system32\DRIVERS\SynTP.sys
14:08:39.0079 3004 SynTP - ok
14:08:39.0110 3004 SysMain (bf9ccc0bf39b418c8d0ae8b05cf95b7d) C:\Windows\system32\sysmain.dll
14:08:39.0126 3004 SysMain - ok
14:08:39.0141 3004 TabletInputService (e3c61fd7b7c2557e1f1b0b4cec713585) C:\Windows\System32\TabSvc.dll
14:08:39.0141 3004 TabletInputService - ok
14:08:39.0157 3004 TapiSrv (40f0849f65d13ee87b9a9ae3c1dd6823) C:\Windows\System32\tapisrv.dll
14:08:39.0157 3004 TapiSrv - ok
14:08:39.0172 3004 TBS (1be03ac720f4d302ea01d40f588162f6) C:\Windows\System32\tbssvc.dll
14:08:39.0172 3004 TBS - ok
14:08:39.0204 3004 Tcpip (fc62769e7bff2896035aeed399108162) C:\Windows\system32\drivers\tcpip.sys
14:08:39.0219 3004 Tcpip - ok
14:08:39.0250 3004 TCPIP6 (fc62769e7bff2896035aeed399108162) C:\Windows\system32\DRIVERS\tcpip.sys
14:08:39.0250 3004 TCPIP6 - ok
14:08:39.0266 3004 tcpipreg (df687e3d8836bfb04fcc0615bf15a519) C:\Windows\system32\drivers\tcpipreg.sys
14:08:39.0282 3004 tcpipreg - ok
14:08:39.0297 3004 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
14:08:39.0297 3004 TDPIPE - ok
14:08:39.0313 3004 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
14:08:39.0313 3004 TDTCP - ok
14:08:39.0328 3004 tdx (ddad5a7ab24d8b65f8d724f5c20fd806) C:\Windows\system32\DRIVERS\tdx.sys
14:08:39.0328 3004 tdx - ok
14:08:39.0344 3004 TermDD (561e7e1f06895d78de991e01dd0fb6e5) C:\Windows\system32\DRIVERS\termdd.sys
14:08:39.0344 3004 TermDD - ok
14:08:39.0360 3004 terminpt (2b5bdff688ec9871d7ec5837833374e9) C:\Windows\system32\drivers\terminpt.sys
14:08:39.0360 3004 terminpt - ok
14:08:39.0375 3004 TermService (2e648163254233755035b46dd7b89123) C:\Windows\System32\termsrv.dll
14:08:39.0375 3004 TermService - ok
14:08:39.0391 3004 Themes (f0344071948d1a1fa732231785a0664c) C:\Windows\system32\themeservice.dll
14:08:39.0391 3004 Themes - ok
14:08:39.0406 3004 THREADORDER (e40e80d0304a73e8d269f7141d77250b) C:\Windows\system32\mmcss.dll
14:08:39.0406 3004 THREADORDER - ok
14:08:39.0422 3004 TrkWks (7e7afd841694f6ac397e99d75cead49d) C:\Windows\System32\trkwks.dll
14:08:39.0422 3004 TrkWks - ok
14:08:39.0438 3004 TrustedInstaller (773212b2aaa24c1e31f10246b15b276c) C:\Windows\servicing\TrustedInstaller.exe
14:08:39.0438 3004 TrustedInstaller - ok
14:08:39.0453 3004 tssecsrv (ce18b2cdfc837c99e5fae9ca6cba5d30) C:\Windows\system32\DRIVERS\tssecsrv.sys
14:08:39.0453 3004 tssecsrv - ok
14:08:39.0469 3004 TsUsbFlt (d11c783e3ef9a3c52c0ebe83cc5000e9) C:\Windows\system32\drivers\tsusbflt.sys
14:08:39.0469 3004 TsUsbFlt - ok
14:08:39.0484 3004 TsUsbGD (9cc2ccae8a84820eaecb886d477cbcb8) C:\Windows\system32\drivers\TsUsbGD.sys
14:08:39.0484 3004 TsUsbGD - ok
14:08:39.0516 3004 tsusbhub (e1748d04ae40118b62bc18ac86032192) C:\Windows\system32\drivers\tsusbhub.sys
14:08:39.0516 3004 tsusbhub - ok
14:08:39.0531 3004 tunnel (3566a8daafa27af944f5d705eaa64894) C:\Windows\system32\DRIVERS\tunnel.sys
14:08:39.0531 3004 tunnel - ok
14:08:39.0547 3004 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\drivers\uagp35.sys
14:08:39.0547 3004 uagp35 - ok
14:08:39.0562 3004 udfs (ff4232a1a64012baa1fd97c7b67df593) C:\Windows\system32\DRIVERS\udfs.sys
14:08:39.0562 3004 udfs - ok
14:08:39.0578 3004 UI0Detect (3cbdec8d06b9968aba702eba076364a1) C:\Windows\system32\UI0Detect.exe
14:08:39.0578 3004 UI0Detect - ok
14:08:39.0594 3004 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\drivers\uliagpkx.sys
14:08:39.0609 3004 uliagpkx - ok
14:08:39.0625 3004 umbus (dc54a574663a895c8763af0fa1ff7561) C:\Windows\system32\DRIVERS\umbus.sys
14:08:39.0625 3004 umbus - ok
14:08:39.0640 3004 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\drivers\umpass.sys
14:08:39.0640 3004 UmPass - ok
14:08:39.0656 3004 UmRdpService (a293dcd756d04d8492a750d03b9a297c) C:\Windows\System32\umrdp.dll
14:08:39.0656 3004 UmRdpService - ok
14:08:39.0672 3004 upnphost (d47ec6a8e81633dd18d2436b19baf6de) C:\Windows\System32\upnphost.dll
14:08:39.0672 3004 upnphost - ok
14:08:39.0703 3004 USBAAPL64 (aa33fc47ed58c34e6e9261e4f850b7eb) C:\Windows\system32\Drivers\usbaapl64.sys
14:08:39.0703 3004 USBAAPL64 - ok
14:08:39.0718 3004 usbccgp (481dff26b4dca8f4cbac1f7dce1d6829) C:\Windows\system32\DRIVERS\usbccgp.sys
14:08:39.0718 3004 usbccgp - ok
14:08:39.0734 3004 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\drivers\usbcir.sys
14:08:39.0734 3004 usbcir - ok
14:08:39.0750 3004 usbehci (74ee782b1d9c241efe425565854c661c) C:\Windows\system32\DRIVERS\usbehci.sys
14:08:39.0750 3004 usbehci - ok
14:08:39.0765 3004 usbhub (dc96bd9ccb8403251bcf25047573558e) C:\Windows\system32\DRIVERS\usbhub.sys
14:08:39.0765 3004 usbhub - ok
14:08:39.0781 3004 usbohci (58e546bbaf87664fc57e0f6081e4f609) C:\Windows\system32\drivers\usbohci.sys
14:08:39.0781 3004 usbohci - ok
14:08:39.0796 3004 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\drivers\usbprint.sys
14:08:39.0812 3004 usbprint - ok
14:08:39.0828 3004 USBSTOR (d76510cfa0fc09023077f22c2f979d86) C:\Windows\system32\DRIVERS\USBSTOR.SYS
14:08:39.0828 3004 USBSTOR - ok
14:08:39.0843 3004 usbuhci (81fb2216d3a60d1284455d511797db3d) C:\Windows\system32\drivers\usbuhci.sys
14:08:39.0843 3004 usbuhci - ok
14:08:39.0859 3004 usbvideo (454800c2bc7f3927ce030141ee4f4c50) C:\Windows\system32\Drivers\usbvideo.sys
14:08:39.0859 3004 usbvideo - ok
14:08:39.0874 3004 UxSms (edbb23cbcf2cdf727d64ff9b51a6070e) C:\Windows\System32\uxsms.dll
14:08:39.0874 3004 UxSms - ok
14:08:39.0890 3004 VaultSvc (0793f40b9b8a1bdd266296409dbd91ea) C:\Windows\system32\lsass.exe
14:08:39.0890 3004 VaultSvc - ok
14:08:39.0906 3004 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\drivers\vdrvroot.sys
14:08:39.0906 3004 vdrvroot - ok
14:08:39.0921 3004 vds (8d6b481601d01a456e75c3210f1830be) C:\Windows\System32\vds.exe
14:08:39.0921 3004 vds - ok
14:08:39.0952 3004 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
14:08:39.0952 3004 vga - ok
14:08:39.0968 3004 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
14:08:39.0968 3004 VgaSave - ok
14:08:39.0984 3004 VGPU - ok
14:08:39.0999 3004 vhdmp (2ce2df28c83aeaf30084e1b1eb253cbb) C:\Windows\system32\drivers\vhdmp.sys
14:08:39.0999 3004 vhdmp - ok
14:08:40.0015 3004 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\drivers\viaide.sys
14:08:40.0015 3004 viaide - ok
14:08:40.0030 3004 VKbms (3b59bb6d10cf969dbe4db93d9ead7fb4) C:\Windows\system32\DRIVERS\VKbms.sys
14:08:40.0030 3004 VKbms - ok
14:08:40.0046 3004 vmbus (86ea3e79ae350fea5331a1303054005f) C:\Windows\system32\drivers\vmbus.sys
14:08:40.0062 3004 vmbus - ok
14:08:40.0077 3004 VMBusHID (7de90b48f210d29649380545db45a187) C:\Windows\system32\drivers\VMBusHID.sys
14:08:40.0077 3004 VMBusHID - ok
14:08:40.0093 3004 volmgr (d2aafd421940f640b407aefaaebd91b0) C:\Windows\system32\drivers\volmgr.sys
14:08:40.0093 3004 volmgr - ok
14:08:40.0108 3004 volmgrx (a255814907c89be58b79ef2f189b843b) C:\Windows\system32\drivers\volmgrx.sys
14:08:40.0108 3004 volmgrx - ok
14:08:40.0124 3004 volsnap (0d08d2f3b3ff84e433346669b5e0f639) C:\Windows\system32\drivers\volsnap.sys
14:08:40.0124 3004 volsnap - ok
14:08:40.0140 3004 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\drivers\vsmraid.sys
14:08:40.0155 3004 vsmraid - ok
14:08:40.0171 3004 VSS (b60ba0bc31b0cb414593e169f6f21cc2) C:\Windows\system32\vssvc.exe
14:08:40.0186 3004 VSS - ok
14:08:40.0202 3004 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\system32\DRIVERS\vwifibus.sys
14:08:40.0202 3004 vwifibus - ok
14:08:40.0218 3004 vwififlt (6a3d66263414ff0d6fa754c646612f3f) C:\Windows\system32\DRIVERS\vwififlt.sys
14:08:40.0218 3004 vwififlt - ok
14:08:40.0233 3004 W32Time (1c9d80cc3849b3788048078c26486e1a) C:\Windows\system32\w32time.dll
14:08:40.0233 3004 W32Time - ok
14:08:40.0249 3004 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\drivers\wacompen.sys
14:08:40.0249 3004 WacomPen - ok
14:08:40.0264 3004 WANARP (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
14:08:40.0264 3004 WANARP - ok
14:08:40.0280 3004 Wanarpv6 (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
14:08:40.0280 3004 Wanarpv6 - ok
14:08:40.0296 3004 wbengine (78f4e7f5c56cb9716238eb57da4b6a75) C:\Windows\system32\wbengine.exe
14:08:40.0311 3004 wbengine - ok
14:08:40.0327 3004 WbioSrvc (3aa101e8edab2db4131333f4325c76a3) C:\Windows\System32\wbiosrvc.dll
14:08:40.0327 3004 WbioSrvc - ok
14:08:40.0342 3004 wcncsvc (7368a2afd46e5a4481d1de9d14848edd) C:\Windows\System32\wcncsvc.dll
14:08:40.0342 3004 wcncsvc - ok
14:08:40.0358 3004 WcsPlugInService (20f7441334b18cee52027661df4a6129) C:\Windows\System32\WcsPlugInService.dll
14:08:40.0358 3004 WcsPlugInService - ok
14:08:40.0374 3004 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\drivers\wd.sys
14:08:40.0389 3004 Wd - ok
14:08:40.0405 3004 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
14:08:40.0405 3004 Wdf01000 - ok
14:08:40.0420 3004 WdiServiceHost (bf1fc3f79b863c914687a737c2f3d681) C:\Windows\system32\wdi.dll
14:08:40.0420 3004 WdiServiceHost - ok
14:08:40.0436 3004 WdiSystemHost (bf1fc3f79b863c914687a737c2f3d681) C:\Windows\system32\wdi.dll
14:08:40.0436 3004 WdiSystemHost - ok
14:08:40.0436 3004 WebClient (3db6d04e1c64272f8b14eb8bc4616280) C:\Windows\System32\webclnt.dll
14:08:40.0452 3004 WebClient - ok
14:08:40.0467 3004 Wecsvc (c749025a679c5103e575e3b48e092c43) C:\Windows\system32\wecsvc.dll
14:08:40.0467 3004 Wecsvc - ok
14:08:40.0483 3004 wercplsupport (7e591867422dc788b9e5bd337a669a08) C:\Windows\System32\wercplsupport.dll
14:08:40.0483 3004 wercplsupport - ok
14:08:40.0498 3004 WerSvc (6d137963730144698cbd10f202e9f251) C:\Windows\System32\WerSvc.dll
14:08:40.0498 3004 WerSvc - ok
14:08:40.0514 3004 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
14:08:40.0514 3004 WfpLwf - ok
14:08:40.0530 3004 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
14:08:40.0545 3004 WIMMount - ok
14:08:40.0545 3004 WinDefend - ok
14:08:40.0545 3004 WinHttpAutoProxySvc - ok
14:08:40.0561 3004 Winmgmt (19b07e7e8915d701225da41cb3877306) C:\Windows\system32\wbem\WMIsvc.dll
14:08:40.0561 3004 Winmgmt - ok
14:08:40.0592 3004 WinRM (bcb1310604aa415c4508708975b3931e) C:\Windows\system32\WsmSvc.dll
14:08:40.0608 3004 WinRM - ok
14:08:40.0639 3004 WinUsb (fe88b288356e7b47b74b13372add906d) C:\Windows\system32\DRIVERS\WinUSB.sys
14:08:40.0639 3004 WinUsb - ok
14:08:40.0654 3004 Wlansvc (4fada86e62f18a1b2f42ba18ae24e6aa) C:\Windows\System32\wlansvc.dll
14:08:40.0654 3004 Wlansvc - ok
14:08:40.0670 3004 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\DRIVERS\wmiacpi.sys
14:08:40.0670 3004 WmiAcpi - ok
14:08:40.0686 3004 wmiApSrv (38b84c94c5a8af291adfea478ae54f93) C:\Windows\system32\wbem\WmiApSrv.exe
14:08:40.0701 3004 wmiApSrv - ok
14:08:40.0701 3004 WMPNetworkSvc - ok
14:08:40.0717 3004 WPCSvc (96c6e7100d724c69fcf9e7bf590d1dca) C:\Windows\System32\wpcsvc.dll
14:08:40.0717 3004 WPCSvc - ok
14:08:40.0732 3004 WPDBusEnum (93221146d4ebbf314c29b23cd6cc391d) C:\Windows\system32\wpdbusenum.dll
14:08:40.0732 3004 WPDBusEnum - ok
14:08:40.0748 3004 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
14:08:40.0748 3004 ws2ifsl - ok
14:08:40.0764 3004 wscsvc (e8b1fe6669397d1772d8196df0e57a9e) C:\Windows\system32\wscsvc.dll
14:08:40.0764 3004 wscsvc - ok
14:08:40.0779 3004 WSearch - ok
14:08:40.0810 3004 wuauserv (9df12edbc698b0bc353b3ef84861e430) C:\Windows\system32\wuaueng.dll
14:08:40.0826 3004 wuauserv - ok
14:08:40.0842 3004 WudfPf (d3381dc54c34d79b22cee0d65ba91b7c) C:\Windows\system32\drivers\WudfPf.sys
14:08:40.0842 3004 WudfPf - ok
14:08:40.0857 3004 WUDFRd (cf8d590be3373029d57af80914190682) C:\Windows\system32\DRIVERS\WUDFRd.sys
14:08:40.0857 3004 WUDFRd - ok
14:08:40.0873 3004 wudfsvc (7a95c95b6c4cf292d689106bcae49543) C:\Windows\System32\WUDFSvc.dll
14:08:40.0873 3004 wudfsvc - ok
14:08:40.0888 3004 WwanSvc (9a3452b3c2a46c073166c5cf49fad1ae) C:\Windows\System32\wwansvc.dll
14:08:40.0888 3004 WwanSvc - ok
14:08:40.0904 3004 xnacc (4a5ce13408945e525503b5f73d29b9c5) C:\Windows\system32\DRIVERS\xnacc.sys
14:08:40.0920 3004 xnacc - ok
14:08:40.0920 3004 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
14:08:40.0920 3004 \Device\Harddisk0\DR0 - ok
14:08:40.0920 3004 Boot (0x1200) (fb7d8a863c7b84a62a822a36ae564213) \Device\Harddisk0\DR0\Partition0
14:08:40.0920 3004 \Device\Harddisk0\DR0\Partition0 - ok
14:08:40.0920 3004 Boot (0x1200) (0924e8022ba6c3c739ce05644206d522) \Device\Harddisk0\DR0\Partition1
14:08:40.0935 3004 \Device\Harddisk0\DR0\Partition1 - ok
14:08:40.0935 3004 ============================================================
14:08:40.0935 3004 Scan finished
14:08:40.0935 3004 ============================================================
14:08:40.0935 2372 Detected object count: 1
14:08:40.0935 2372 Actual detected object count: 1
14:08:52.0604 2372 C:\Windows\system32\db2das00.dll - copied to quarantine
14:08:52.0604 2372 HKLM\SYSTEM\ControlSet001\services\mindretrieve - will be deleted on reboot
14:08:52.0604 2372 HKLM\SYSTEM\ControlSet002\services\mindretrieve - will be deleted on reboot
14:08:52.0620 2372 C:\Windows\system32\db2das00.dll - will be deleted on reboot
14:08:52.0620 2372 mindretrieve ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
14:08:56.0145 3420 Deinitialize success

#6 Skipper240

Skipper240
  • Topic Starter

  • Members
  • 14 posts

Posted 24 March 2012 - 04:15 PM

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-24 14:11:17
-----------------------------
14:11:17.534 OS Version: Windows x64 6.1.7601 Service Pack 1
14:11:17.534 Number of processors: 8 586 0x2A07
14:11:17.534 ComputerName: LAPTOP UserName: Lap
14:11:17.768 Initialize success
14:12:07.360 AVAST engine defs: 12032401
14:12:24.598 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
14:12:24.598 Disk 0 Vendor: C400-MTFDDAC256MAM 0002 Size: 244198MB BusType: 11
14:12:24.598 Disk 0 MBR read successfully
14:12:24.598 Disk 0 MBR scan
14:12:24.614 Disk 0 Windows 7 default MBR code
14:12:24.614 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
14:12:24.614 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 244096 MB offset 206848
14:12:24.614 Disk 0 scanning C:\Windows\system32\drivers
14:12:26.985 Service scanning
14:12:32.195 Modules scanning
14:12:32.195 Disk 0 trace - called modules:
14:12:32.195 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
14:12:32.195 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007268790]
14:12:32.195 3 CLASSPNP.SYS[fffff8800165143f] -> nt!IofCallDriver -> [0xfffffa8007053520]
14:12:32.211 5 ACPI.sys[fffff88000f967a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8006cf7680]
14:12:32.429 AVAST engine scan C:\Windows
14:12:33.631 AVAST engine scan C:\Windows\system32
14:12:36.579 File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
14:13:03.208 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-FQ [Drp]
14:13:03.583 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-HO [Rtk]
14:13:21.663 File: C:\Windows\assembly\temp\U\80000004.@ **INFECTED** Win64:ZAccess-A [Trj]
14:13:21.694 File: C:\Windows\assembly\temp\U\80000032.@ **INFECTED** Win32:DNSChanger-VJ [Trj]
14:13:21.944 AVAST engine scan C:\Windows\system32\drivers
14:13:24.627 AVAST engine scan C:\Users\Lap
14:13:49.494 AVAST engine scan C:\ProgramData
14:13:59.041 Scan finished successfully
14:14:32.830 Disk 0 MBR has been saved successfully to "C:\Users\Lap\Desktop\MBR.dat"
14:14:32.830 The log file has been saved successfully to "C:\Users\Lap\Desktop\aswMBR.txt"
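As an added example (not a tool posted by anyone in this thread), the Python script below reads TDSSKiller and aswMBR logs like the two above and pulls out only the lines that carry a verdict: the detected-object count, the quarantine and delete-on-reboot actions, the **INFECTED** hits and the MBR check, so a helper does not have to scroll through hundreds of "- ok" driver entries. The sample input is excerpted from the logs in this thread; the `needs_followup` flag (a rootkit-tagged hit or a pending reboot deletion) is a convention of this example, not something either tool reports.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Sample input: excerpted from the TDSSKiller and aswMBR logs posted in this thread.
TDSS_SAMPLE = r"""
14:08:36.0692 3004 MSTEE - ok
14:08:36.0708 3004 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\drivers\MTConfig.sys
14:08:36.0708 3004 MTConfig - ok
14:08:40.0920 3004 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
14:08:40.0920 3004 \Device\Harddisk0\DR0 - ok
14:08:40.0935 3004 Scan finished
14:08:40.0935 2372 Detected object count: 1
14:08:40.0935 2372 Actual detected object count: 1
14:08:52.0604 2372 C:\Windows\system32\db2das00.dll - copied to quarantine
14:08:52.0604 2372 HKLM\SYSTEM\ControlSet001\services\mindretrieve - will be deleted on reboot
14:08:52.0604 2372 HKLM\SYSTEM\ControlSet002\services\mindretrieve - will be deleted on reboot
14:08:52.0620 2372 C:\Windows\system32\db2das00.dll - will be deleted on reboot
14:08:52.0620 2372 mindretrieve ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
"""

ASWMBR_SAMPLE = r"""
14:12:24.614 Disk 0 Windows 7 default MBR code
14:12:36.579 File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
14:13:03.208 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-FQ [Drp]
14:13:03.583 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-HO [Rtk]
14:13:21.663 File: C:\Windows\assembly\temp\U\80000004.@ **INFECTED** Win64:ZAccess-A [Trj]
14:13:21.694 File: C:\Windows\assembly\temp\U\80000032.@ **INFECTED** Win32:DNSChanger-VJ [Trj]
14:13:59.041 Scan finished successfully
"""

# TDSSKiller line layout: "HH:MM:SS.mmmm <thread-id> <message>"
TDSS_LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)\s+(.*)$")
# TDSSKiller verdict line for a detected object
TDSS_VERDICT = re.compile(r"^(\S+) \( (.+?) \) - User select action: (\w+)$")
# aswMBR detection line: "HH:MM:SS.mmm File: <path> **INFECTED** <name> [<tag>]"
ASWMBR_INFECTED = re.compile(
    r"^(\d{2}:\d{2}:\d{2}\.\d+)\s+File:\s+(.+?)\s+\*\*INFECTED\*\*\s+(\S+)\s+\[(\w+)\]$"
)


@dataclass
class TdssReport:
    clean: int = 0                                  # entries TDSSKiller marked "- ok"
    detected_count: int | None = None               # value of "Detected object count"
    quarantined: list[str] = field(default_factory=list)
    pending_delete: list[str] = field(default_factory=list)
    verdicts: list[tuple[str, str, str]] = field(default_factory=list)  # (object, verdict, action)


def parse_tdsskiller(text: str) -> TdssReport:
    """Keep only the TDSSKiller lines that say something happened."""
    rep = TdssReport()
    for raw in text.splitlines():
        m = TDSS_LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(3)
        if msg.endswith(" - ok"):
            rep.clean += 1
        elif msg.startswith("Detected object count:"):
            rep.detected_count = int(msg.rsplit(":", 1)[1])
        elif msg.endswith(" - copied to quarantine"):
            rep.quarantined.append(msg[: -len(" - copied to quarantine")])
        elif msg.endswith(" - will be deleted on reboot"):
            rep.pending_delete.append(msg[: -len(" - will be deleted on reboot")])
        else:
            v = TDSS_VERDICT.match(msg)
            if v:
                rep.verdicts.append((v.group(1), v.group(2), v.group(3)))
    return rep


def parse_aswmbr(text: str) -> dict:
    """Collect the MBR verdict and every **INFECTED** hit from an aswMBR log."""
    result = {"default_mbr": False, "infected": []}
    for raw in text.splitlines():
        line = raw.strip()
        if "default MBR code" in line:          # aswMBR's statement that the MBR is stock
            result["default_mbr"] = True
            continue
        m = ASWMBR_INFECTED.match(line)
        if m:
            result["infected"].append(
                {"time": m.group(1), "path": m.group(2), "name": m.group(3), "tag": m.group(4)}
            )
    return result


def families(asw: dict) -> list[str]:
    """Collapse 'Win32:Sirefef-HO' style names to their family ('Sirefef')."""
    fams = set()
    for hit in asw["infected"]:
        name = hit["name"].split(":", 1)[-1]    # drop the platform prefix
        fams.add(name.rsplit("-", 1)[0])         # drop the variant suffix
    return sorted(fams)


def summarize(tdss: TdssReport, asw: dict) -> dict:
    """One dict a helper can read instead of the full logs."""
    return {
        "tdss_clean_entries": tdss.clean,
        "tdss_detected": tdss.detected_count,
        "tdss_verdicts": tdss.verdicts,
        "tdss_pending_delete": tdss.pending_delete,
        "mbr_default": asw["default_mbr"],
        "asw_infected_paths": [h["path"] for h in asw["infected"]],
        "families": families(asw),
        # Convention of this example: a rootkit-tagged hit or a pending reboot
        # deletion means the machine is not clean yet and another scan is due.
        "needs_followup": bool(tdss.pending_delete)
        or any(h["tag"] == "Rtk" for h in asw["infected"]),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_tdsskiller(TDSS_SAMPLE), parse_aswmbr(ASWMBR_SAMPLE)), indent=2))
```

Run it as-is to see the summary for the two logs above, or point `parse_tdsskiller` / `parse_aswmbr` at the text of a saved TDSSKiller or aswMBR.txt file. The two parsers are kept separate because the formats differ (TDSSKiller has a thread id column, aswMBR does not), and both match only on the exact marker strings the tools emit, so an unfamiliar line is ignored rather than misread.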

#7 Skipper240

Skipper240
  • Topic Starter

  • Members
  • 14 posts

Posted 24 March 2012 - 04:20 PM

When I tried to turn on my computer this morning, the first time I did this after running Combofix, I got a BSOD that said, "STOP: C0000135 The program can't start because %hs is missing. Try reinstalling the program."

I looked around on my other computer and I was able to fix it by using recovery console to run a program called FRST64.exe. The good part is I can use my computer again - the bad part is now I'm getting redirected again!

Thanks again.

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 24 March 2012 - 10:53 PM

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 Skipper240 (Topic Starter, Members, 14 posts)

Posted 26 March 2012 - 04:56 PM

Hi, sorry about the delay. I'm still getting a fair bit of redirects from google links.

Scan result of Farbar Recovery Scan Tool Version: 15-03-2012
Ran by SYSTEM at 26-03-2012 14:49:14
Running from F:\
Windows 7 Ultimate (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [13307496 2011-10-17] (Realtek Semiconductor)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2328360 2010-09-17] (Synaptics Incorporated)
HKLM-x32\...\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun [343168 2011-10-25] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [DeathAdder] C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe [248320 2011-03-21] ()
HKLM-x32\...\Run: [NUSB3MON] "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [113288 2010-11-18] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [460872 2012-01-13] (Malwarebytes Corporation)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
SubSystems: [Windows] ==> ZeroAccess

==================== Services (Whitelisted) ======

2 Bigfoot Networks Killer Service; "C:\Program Files\Bigfoot Networks\Killer Network Manager\BFNService.exe" [467456 2011-11-07] ()
4 Bonjour Service; "C:\Program Files\Bonjour\mDNSResponder.exe" [462184 2011-08-30] (Apple Inc.)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [652360 2012-01-13] (Malwarebytes Corporation)
2 SQLWriter; C:\Windows\System32\cwafeventrouter.dll [6656 2009-07-13] (Oak Technology Inc.)

========================== Drivers (Whitelisted) =============

3 Ak27x64; C:\Windows\System32\Drivers\Ak27x64.sys [2740328 2011-11-07] (Bigfoot Networks, Inc.)
1 BfLwf; C:\Windows\System32\DRIVERS\bflwfx64.sys [69224 2011-11-07] (Bigfoot Networks, Inc.)
3 BridgeMP; C:\Windows\System32\DRIVERS\bridge.sys [95232 2009-07-13] (Microsoft Corporation)
2 cpuz135; \??\C:\Windows\system32\drivers\cpuz135_x64.sys [21992 2010-11-09] (CPUID)
3 dmvsc; C:\Windows\System32\Drivers\dmvsc.sys [71168 2010-11-20] (Microsoft Corporation)
1 dtsoftbus01; C:\Windows\System32\Drivers\dtsoftbus01.sys [279616 2012-01-07] (DT Soft Ltd)
3 JME; C:\Windows\System32\Drivers\JME.sys [132624 2011-01-15] (JMicron Technology Corp.)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [23152 2011-12-10] (Malwarebytes Corporation)
3 Synth3dVsc; C:\Windows\System32\Drivers\Synth3dVsc.sys [88960 2010-11-20] (Microsoft Corporation)
3 terminpt; C:\Windows\System32\Drivers\terminpt.sys [34816 2010-11-20] (Microsoft Corporation)
3 TsUsbGD; C:\Windows\System32\Drivers\TsUsbGD.sys [31232 2010-11-20] (Microsoft Corporation)
3 tsusbhub; C:\Windows\System32\Drivers\tsusbhub.sys [117248 2010-11-20] (Microsoft Corporation)
3 VKbms; C:\Windows\System32\Drivers\VKbms.sys [13312 2010-10-01] (Windows ® Win 7 DDK provider)
3 ALSysIO; \??\C:\Users\Lap\AppData\Local\Temp\ALSysIO64.sys [x]
3 catchme; \??\C:\ComboFix\catchme.sys [x]
3 RTCore64; \??\C:\Users\Lap\Desktop\rmclock_235_bin\RTCore64.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

========================== NetSvcs (Whitelisted) ===========
NETSVC: houdiniserver
NETSVC: mindretrieve
NETSVC: SQLWriter
NETSVC: bc_filter

============ One Month Created Files and Folders ==============

2012-03-25 14:16 - 2012-03-25 14:16 - 0000468 ____A C:\Users\Lap\Desktop\defogger_disable.log
2012-03-24 22:02 - 2012-03-24 22:02 - 1385843 ____A C:\Users\Lap\Desktop\FRST64.exe
2012-03-24 13:16 - 2012-03-24 13:16 - 4443082 ____A (Swearware) C:\Users\Lap\Desktop\ComboFix.exe
2012-03-24 13:14 - 2012-03-24 13:14 - 0002415 ____A C:\Users\Lap\Desktop\aswMBR.txt
2012-03-24 13:14 - 2012-03-24 13:14 - 0000512 ____A C:\Users\Lap\Desktop\MBR.dat
2012-03-24 13:08 - 2012-03-24 13:08 - 4731392 ____A (AVAST Software) C:\Users\Lap\Desktop\aswMBR.exe
2012-03-24 13:08 - 2012-03-24 13:08 - 0125290 ____A C:\TDSSKiller.2.7.22.0_24.03.2012_14.08.17_log.txt
2012-03-24 13:07 - 2012-03-26 13:46 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-03-24 04:03 - 2012-03-24 04:03 - 0014754 ____A C:\ComboFix.txt
2012-03-24 04:02 - 2012-03-24 04:02 - 0000000 ____D C:\$RECYCLE.BIN
2012-03-24 03:59 - 2012-03-24 04:03 - 0000000 ____D C:\Qoobox
2012-03-24 03:59 - 2011-06-25 22:45 - 0256000 ____A C:\Windows\PEV.exe
2012-03-24 03:59 - 2010-11-07 09:20 - 0208896 ____A C:\Windows\MBR.exe
2012-03-24 03:59 - 2000-08-30 16:00 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-03-24 03:59 - 2000-08-30 16:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-03-24 03:59 - 2000-08-30 16:00 - 0098816 ____A C:\Windows\sed.exe
2012-03-24 03:59 - 2000-08-30 16:00 - 0080412 ____A C:\Windows\grep.exe
2012-03-24 03:59 - 2000-08-30 16:00 - 0068096 ____A C:\Windows\zip.exe
2012-03-23 19:14 - 2012-03-23 19:15 - 0164756 ____A C:\TDSSKiller.2.7.22.0_23.03.2012_20.14.56_log.txt
2012-03-23 19:07 - 2012-03-23 19:07 - 0125166 ____A C:\TDSSKiller.2.7.22.0_23.03.2012_20.07.07_log.txt
2012-03-23 19:06 - 2012-03-21 16:42 - 2066480 ____A (Kaspersky Lab ZAO) C:\Users\Lap\Desktop\TDSSKiller.exe
2012-03-23 05:43 - 2012-03-26 14:49 - 0000000 ____D C:\FRST
2012-03-23 04:58 - 2012-03-23 04:58 - 0050477 ____A C:\Users\Lap\Desktop\Defogger.exe
2012-03-23 04:58 - 2012-03-23 04:58 - 0000168 ____A C:\Users\Lap\defogger_reenable
2012-03-23 00:46 - 2009-04-19 20:56 - 0060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-03-23 00:30 - 2012-03-23 00:30 - 0157472 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-03-23 00:30 - 2012-03-23 00:30 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-03-23 00:30 - 2012-03-23 00:30 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-03-23 00:30 - 2012-03-23 00:30 - 0000000 ____D C:\Users\All Users\Sun
2012-03-23 00:30 - 2012-03-23 00:30 - 0000000 ____D C:\ProgramData\Sun
2012-03-23 00:30 - 2012-03-23 00:30 - 0000000 ____D C:\Program Files (x86)\Java
2012-03-23 00:26 - 2012-03-23 00:26 - 0000000 ____D C:\Program Files (x86)\VS Revo Group
2012-03-22 22:12 - 2012-03-22 22:12 - 0124126 ____A C:\TDSSKiller.2.7.22.0_22.03.2012_23.12.27_log.txt
2012-03-22 22:08 - 2012-03-22 22:08 - 0125766 ____A C:\TDSSKiller.2.7.22.0_22.03.2012_23.08.35_log.txt
2012-03-22 18:53 - 2012-03-24 13:08 - 0000000 ____D C:\TDSSKiller_Quarantine
2012-03-22 18:53 - 2012-03-22 18:53 - 0125542 ____A C:\TDSSKiller.2.7.22.0_22.03.2012_19.53.32_log.txt
2012-03-22 16:59 - 2012-03-23 04:14 - 6534144 ____A C:\Windows\ntbtlog.txt
2012-03-22 16:20 - 2012-03-22 16:20 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG2
2012-03-22 16:20 - 2012-03-22 16:20 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG1
2012-03-22 16:20 - 2012-03-22 16:20 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG2
2012-03-22 16:20 - 2012-03-22 16:20 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG1
2012-03-22 16:20 - 2012-03-22 16:20 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG2
2012-03-22 16:20 - 2012-03-22 16:20 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG1
2012-03-22 16:20 - 2012-03-22 16:20 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG2
2012-03-22 16:20 - 2012-03-22 16:20 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG1
2012-03-22 16:20 - 2012-03-22 16:20 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG2
2012-03-22 16:20 - 2012-03-22 16:20 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG1
2012-03-22 16:17 - 2012-03-24 04:01 - 0000000 ____D C:\Windows\ERDNT
2012-03-21 21:43 - 2012-03-21 21:47 - 0000000 ____D C:\Users\Lap\Downloads\SoAL Undub by Netqork
2012-03-04 04:08 - 2012-03-04 04:08 - 0012007 ____A C:\Users\Lap\Desktop\YourHandInMine.txt
2012-03-01 18:05 - 2012-03-06 22:29 - 0007414 ____A C:\Users\Lap\Desktop\Kaiser.txt
2012-02-27 12:25 - 2012-02-27 12:56 - 0000000 ____D C:\Users\Lap\Downloads\[110422][??????] ?????????????+????+Install Patch
2012-02-26 01:39 - 2012-02-26 01:39 - 0000131 ____A C:\Windows\SysWOW64\skypeptt.ini

============ 3 Months Modified Files and Folders =============

2012-03-26 14:49 - 2012-03-23 05:43 - 0000000 ____D C:\FRST
2012-03-26 13:46 - 2012-03-24 13:07 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-03-26 13:46 - 2012-01-17 12:48 - 0006664 ____A C:\Windows\setupact.log
2012-03-26 13:46 - 2011-11-28 20:56 - 2129866752 __ASH C:\hiberfil.sys
2012-03-26 13:46 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-03-26 03:48 - 2011-12-04 16:54 - 0000000 ____D C:\Users\Lap\AppData\Roaming\Skype
2012-03-26 03:48 - 2011-11-28 20:59 - 1367356 ____A C:\Windows\WindowsUpdate.log
2012-03-26 03:47 - 2011-11-28 23:02 - 0000000 ____D C:\Users\Lap\AppData\Roaming\uTorrent
2012-03-26 02:24 - 2009-07-13 21:13 - 0779266 ____A C:\Windows\System32\PerfStringBackup.INI
2012-03-26 00:51 - 2011-11-28 22:18 - 0000000 ____D C:\Users\Lap\AppData\Roaming\Mumble
2012-03-26 00:36 - 2011-12-04 08:05 - 0000000 ____D C:\Program Files (x86)\World of Warcraft
2012-03-25 23:09 - 2011-12-27 22:19 - 0000000 ____D C:\Users\Lap\AppData\Roaming\skypePM
2012-03-25 23:05 - 2012-02-23 22:34 - 0000000 ____D C:\Users\Lap\AppData\Roaming\mIRC
2012-03-25 23:05 - 2012-02-23 22:34 - 0000000 ____D C:\Program Files (x86)\mIRC
2012-03-25 17:19 - 2011-12-01 15:02 - 0000000 ____D C:\Users\Lap\AppData\Roaming\Audacity
2012-03-25 14:16 - 2012-03-25 14:16 - 0000468 ____A C:\Users\Lap\Desktop\defogger_disable.log
2012-03-25 03:02 - 2010-11-20 19:24 - 1008640 ____A (Microsoft Corporation) C:\Windows\System32\user32.dll
2012-03-25 03:02 - 2010-11-20 19:24 - 0833024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\user32.dll
2012-03-25 03:02 - 2010-11-20 19:24 - 0419840 ____A (Microsoft Corporation) C:\Windows\System32\systemcpl.dll
2012-03-25 03:02 - 2010-11-20 19:24 - 0014848 ____A (Microsoft Corporation) C:\Windows\System32\slwga.dll
2012-03-25 03:02 - 2010-11-20 19:23 - 0013824 ____A (Microsoft Corporation) C:\Windows\SysWOW64\slwga.dll
2012-03-25 03:02 - 2009-07-13 20:45 - 0021472 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-03-25 03:02 - 2009-07-13 20:45 - 0021472 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-03-24 22:02 - 2012-03-24 22:02 - 1385843 ____A C:\Users\Lap\Desktop\FRST64.exe
2012-03-24 17:32 - 2011-11-28 22:05 - 0000000 ____D C:\Users\Lap\AppData\Local\PMB Files
2012-03-24 17:32 - 2011-11-28 22:05 - 0000000 ____D C:\Users\All Users\PMB Files
2012-03-24 17:32 - 2011-11-28 22:05 - 0000000 ____D C:\ProgramData\PMB Files
2012-03-24 13:16 - 2012-03-24 13:16 - 4443082 ____A (Swearware) C:\Users\Lap\Desktop\ComboFix.exe
2012-03-24 13:14 - 2012-03-24 13:14 - 0002415 ____A C:\Users\Lap\Desktop\aswMBR.txt
2012-03-24 13:14 - 2012-03-24 13:14 - 0000512 ____A C:\Users\Lap\Desktop\MBR.dat
2012-03-24 13:08 - 2012-03-24 13:08 - 4731392 ____A (AVAST Software) C:\Users\Lap\Desktop\aswMBR.exe
2012-03-24 13:08 - 2012-03-24 13:08 - 0125290 ____A C:\TDSSKiller.2.7.22.0_24.03.2012_14.08.17_log.txt
2012-03-24 13:08 - 2012-03-22 18:53 - 0000000 ____D C:\TDSSKiller_Quarantine
2012-03-24 04:03 - 2012-03-24 04:03 - 0014754 ____A C:\ComboFix.txt
2012-03-24 04:03 - 2012-03-24 03:59 - 0000000 ____D C:\Qoobox
2012-03-24 04:02 - 2012-03-24 04:02 - 0000000 ____D C:\$RECYCLE.BIN
2012-03-24 04:02 - 2012-02-15 13:02 - 0003462 ____A C:\Windows\PFRO.log
2012-03-24 04:02 - 2009-07-13 18:34 - 0000215 ____A C:\Windows\system.ini
2012-03-24 04:01 - 2012-03-22 16:17 - 0000000 ____D C:\Windows\ERDNT
2012-03-24 04:01 - 2009-07-13 18:34 - 50335744 ____A C:\Windows\System32\config\software.bak
2012-03-24 04:01 - 2009-07-13 18:34 - 15990784 ____A C:\Windows\System32\config\system.bak
2012-03-24 04:01 - 2009-07-13 18:34 - 0479232 ____A C:\Windows\System32\config\default.bak
2012-03-24 04:01 - 2009-07-13 18:34 - 0024576 ____A C:\Windows\System32\config\security.bak
2012-03-24 04:01 - 2009-07-13 18:34 - 0024576 ____A C:\Windows\System32\config\sam.bak
2012-03-24 01:42 - 2011-11-28 23:29 - 0000000 ____D C:\Users\Lap\riotsGamesLogs
2012-03-23 19:15 - 2012-03-23 19:14 - 0164756 ____A C:\TDSSKiller.2.7.22.0_23.03.2012_20.14.56_log.txt
2012-03-23 19:07 - 2012-03-23 19:07 - 0125166 ____A C:\TDSSKiller.2.7.22.0_23.03.2012_20.07.07_log.txt
2012-03-23 05:05 - 2011-11-28 21:50 - 0058336 ____A C:\Users\Lap\AppData\Local\GDIPFONTCACHEV1.DAT
2012-03-23 05:04 - 2009-07-13 20:45 - 0276744 ____A C:\Windows\System32\FNTCACHE.DAT
2012-03-23 04:58 - 2012-03-23 04:58 - 0050477 ____A C:\Users\Lap\Desktop\Defogger.exe
2012-03-23 04:58 - 2012-03-23 04:58 - 0000168 ____A C:\Users\Lap\defogger_reenable
2012-03-23 04:58 - 2011-11-28 21:21 - 0000000 ____D C:\users\Lap
2012-03-23 04:40 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\registration
2012-03-23 04:14 - 2012-03-22 16:59 - 6534144 ____A C:\Windows\ntbtlog.txt
2012-03-23 03:41 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\config\TxR
2012-03-23 00:30 - 2012-03-23 00:30 - 0157472 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaws.exe
2012-03-23 00:30 - 2012-03-23 00:30 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\javaw.exe
2012-03-23 00:30 - 2012-03-23 00:30 - 0149280 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\java.exe
2012-03-23 00:30 - 2012-03-23 00:30 - 0000000 ____D C:\Users\All Users\Sun
2012-03-23 00:30 - 2012-03-23 00:30 - 0000000 ____D C:\ProgramData\Sun
2012-03-23 00:30 - 2012-03-23 00:30 - 0000000 ____D C:\Program Files (x86)\Java
2012-03-23 00:30 - 2011-11-28 21:02 - 0472808 ____A (Sun Microsystems, Inc.) C:\Windows\SysWOW64\deployJava1.dll
2012-03-23 00:26 - 2012-03-23 00:26 - 0000000 ____D C:\Program Files (x86)\VS Revo Group
2012-03-23 00:11 - 2012-02-16 01:58 - 0000000 ____D C:\Program Files (x86)\The Guild 2
2012-03-23 00:11 - 2012-02-16 01:40 - 0000000 ____D C:\Program Files\The Guild 2
2012-03-23 00:11 - 2011-11-28 21:09 - 0000000 ____D C:\Users\All Users\Binarysense
2012-03-23 00:11 - 2011-11-28 21:09 - 0000000 ____D C:\ProgramData\Binarysense
2012-03-22 22:12 - 2012-03-22 22:12 - 0124126 ____A C:\TDSSKiller.2.7.22.0_22.03.2012_23.12.27_log.txt
2012-03-22 22:08 - 2012-03-22 22:08 - 0125766 ____A C:\TDSSKiller.2.7.22.0_22.03.2012_23.08.35_log.txt
2012-03-22 18:53 - 2012-03-22 18:53 - 0125542 ____A C:\TDSSKiller.2.7.22.0_22.03.2012_19.53.32_log.txt
2012-03-22 17:09 - 2012-01-16 17:30 - 0130909 ____A C:\Users\Lap\AppData\Local\census.cache
2012-03-22 17:09 - 2012-01-16 17:30 - 0092276 ____A C:\Users\Lap\AppData\Local\ars.cache
2012-03-22 17:02 - 2011-12-04 22:11 - 0000000 ____D C:\Users\Lap\AppData\Local\Apps\2.0
2012-03-22 16:54 - 2011-12-27 02:45 - 0000000 ____D C:\Program Files (x86)\Smoothping Elite
2012-03-22 16:54 - 2009-07-13 19:20 - 0000000 ___RD C:\users\Public
2012-03-22 16:46 - 2009-07-13 19:20 - 0000000 __RHD C:\users\Default
2012-03-22 16:20 - 2012-03-22 16:20 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG2
2012-03-22 16:20 - 2012-03-22 16:20 - 0000000 __ASH C:\Windows\System32\config\SYSTEM.tmp.LOG1
2012-03-22 16:20 - 2012-03-22 16:20 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG2
2012-03-22 16:20 - 2012-03-22 16:20 - 0000000 __ASH C:\Windows\System32\config\SOFTWARE.tmp.LOG1
2012-03-22 16:20 - 2012-03-22 16:20 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG2
2012-03-22 16:20 - 2012-03-22 16:20 - 0000000 __ASH C:\Windows\System32\config\SECURITY.tmp.LOG1
2012-03-22 16:20 - 2012-03-22 16:20 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG2
2012-03-22 16:20 - 2012-03-22 16:20 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG1
2012-03-22 16:20 - 2012-03-22 16:20 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG2
2012-03-22 16:20 - 2012-03-22 16:20 - 0000000 __ASH C:\Windows\System32\config\DEFAULT.tmp.LOG1
2012-03-22 15:39 - 2011-12-06 12:17 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-21 21:47 - 2012-03-21 21:43 - 0000000 ____D C:\Users\Lap\Downloads\SoAL Undub by Netqork
2012-03-21 16:42 - 2012-03-23 19:06 - 2066480 ____A (Kaspersky Lab ZAO) C:\Users\Lap\Desktop\TDSSKiller.exe
2012-03-20 18:42 - 2012-03-20 02:20 - 0000000 ___AD C:\Users\Lap\Desktop\dolphin-3.0-win64
2012-03-20 02:31 - 2011-12-27 22:19 - 0000000 ____D C:\Users\Lap\Desktop\Skype PTT 1.01 Beta
2012-03-17 16:38 - 2011-11-28 21:12 - 0000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-03-17 14:41 - 2011-11-28 22:26 - 0000000 ____D C:\Program Files (x86)\Steam
2012-03-14 16:31 - 2011-12-04 22:11 - 0000000 ____D C:\Users\Lap\AppData\Local\Deployment
2012-03-06 22:29 - 2012-03-01 18:05 - 0007414 ____A C:\Users\Lap\Desktop\Kaiser.txt
2012-03-04 04:08 - 2012-03-04 04:08 - 0012007 ____A C:\Users\Lap\Desktop\YourHandInMine.txt
2012-03-03 02:13 - 2012-01-22 04:57 - 0177670 ____A C:\Windows\DirectX.log
2012-02-27 12:56 - 2012-02-27 12:25 - 0000000 ____D C:\Users\Lap\Downloads\[110422][??????] ?????????????+????+Install Patch
2012-02-26 01:39 - 2012-02-26 01:39 - 0000131 ____A C:\Windows\SysWOW64\skypeptt.ini
2012-02-24 17:02 - 2011-11-28 21:12 - 0000000 ____D C:\Program Files (x86)\uTorrent
2012-02-18 00:14 - 2012-02-18 00:14 - 0000000 ____D C:\Users\Lap\AppData\Local\David_Rudie
2012-02-17 18:11 - 2012-02-17 18:11 - 0000000 ____D C:\Program Files\Black_Box
2012-02-17 01:39 - 2011-12-27 22:18 - 0000000 ___RD C:\Program Files (x86)\Skype
2012-02-17 01:37 - 2012-02-17 01:37 - 0000000 ____D C:\Users\Lap\AppData\Local\BigHugeEngine
2012-02-17 00:56 - 2012-02-17 00:56 - 0000000 ____D C:\Program Files (x86)\EA Games
2012-02-16 02:06 - 2012-02-16 02:06 - 0178800 ____A (Sony DADC Austria AG.) C:\Windows\SysWOW64\CmdLineExt_x64.dll
2012-02-16 01:40 - 2012-01-07 02:02 - 0000000 ____D C:\Users\Lap\AppData\Roaming\DAEMON Tools Lite
2012-02-15 01:14 - 2011-12-12 16:10 - 0000000 ____D C:\Users\Lap\Downloads\SSDlife.Pro.v2.2.39
2012-02-12 20:42 - 2009-07-13 21:08 - 0032614 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-02-11 15:20 - 2011-11-28 22:53 - 0000000 ____D C:\Riot Games
2012-02-08 05:24 - 2011-12-07 13:14 - 0000000 ____D C:\Users\Lap\Calibre Library
2012-02-03 18:32 - 2012-02-02 15:04 - 0000000 ____D C:\Program Files (x86)\Diablo III Beta
2012-02-02 07:50 - 2012-02-02 07:37 - 0000000 ____D C:\Users\All Users\Battle.net
2012-02-02 07:50 - 2012-02-02 07:37 - 0000000 ____D C:\ProgramData\Battle.net
2012-01-22 04:58 - 2012-01-22 04:58 - 0000000 ____D C:\Users\Lap\AppData\Roaming\BigHugeEngine
2012-01-22 04:58 - 2011-11-28 23:05 - 0000000 ____D C:\Users\Lap\Documents\My Games
2012-01-17 17:03 - 2012-01-16 10:21 - 0000000 ____D C:\Users\Lap\Downloads\Standup Comedy - Louis CK - Live In Houston (2001)
2012-01-17 13:01 - 2011-11-29 03:44 - 0000000 ____D C:\Users\Lap\AppData\Roaming\Media Player Classic
2012-01-17 12:48 - 2012-01-17 12:48 - 0000000 ____A C:\Windows\setuperr.log
2012-01-16 17:22 - 2012-01-16 17:22 - 0000036 ____A C:\Users\Lap\AppData\Local\housecall.guid.cache
2012-01-16 17:15 - 2012-01-16 17:15 - 0029372 ____A C:\Users\Lap\Documents\cc_20120116_171501.reg
2012-01-16 17:14 - 2011-12-01 17:50 - 0000000 ____D C:\Users\Lap\AppData\Roaming\Ventrilo
2012-01-16 17:14 - 2011-11-28 20:56 - 0000000 ____D C:\Windows\Panther
2012-01-16 17:09 - 2012-01-16 17:09 - 0000000 ____D C:\Program Files\CCleaner
2012-01-16 17:06 - 2012-01-16 16:43 - 0003706 ____A C:\Users\All Users\90b8ffcf
2012-01-16 17:06 - 2012-01-16 16:43 - 0003706 ____A C:\ProgramData\90b8ffcf
2012-01-16 17:06 - 2012-01-16 16:43 - 0003700 ____A C:\Users\Lap\AppData\Local\e1648326
2012-01-16 17:06 - 2012-01-16 16:43 - 0003655 ____A C:\Users\Lap\AppData\Roaming\17853f05
2012-01-16 16:45 - 2012-01-16 16:45 - 0709968 ____A C:\Windows\is-9F0CI.exe
2012-01-16 16:45 - 2012-01-16 16:45 - 0010498 ____A C:\Windows\is-9F0CI.msg
2012-01-16 16:45 - 2012-01-16 16:45 - 0000459 ____A C:\Windows\is-9F0CI.lst
2012-01-16 16:43 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\Resources
2012-01-16 10:52 - 2012-01-16 10:41 - 0000000 ____D C:\Users\Lap\Downloads\The Get Up Kids
2012-01-16 10:50 - 2012-01-16 10:44 - 0000000 ____D C:\Users\Lap\Downloads\Galileo Galilei - Aoi Shiori [2011.06.15]
2012-01-16 10:48 - 2012-01-16 10:48 - 0000000 ____D C:\Users\Lap\Downloads\Taking Back Sunday
2012-01-16 10:48 - 2012-01-16 10:45 - 0000000 ____D C:\Users\Lap\Downloads\[2011.01.19] Galileo Galilei - ?????
2012-01-16 10:47 - 2012-01-16 10:47 - 0000000 ____D C:\Users\Lap\Downloads\Sherwood
2012-01-16 10:44 - 2012-01-16 10:43 - 0000000 ____D C:\Users\Lap\Downloads\A Rocket To The Moon
2012-01-16 10:42 - 2012-01-16 10:42 - 0000000 ____D C:\Users\Lap\Downloads\Thrice
2012-01-16 10:32 - 2012-01-16 10:21 - 0000000 ____D C:\Users\Lap\Downloads\Chewed Up
2012-01-13 16:56 - 2012-01-13 16:56 - 2598053 ____A C:\Users\Lap\Documents\Mumble-2012-01-13-16-56-09-68.199.173.15-Mixdown.wav
2012-01-13 00:28 - 2012-01-13 00:28 - 0000000 ____D C:\Users\Lap\AppData\Local\My Games
2012-01-09 03:07 - 2012-01-09 03:05 - 0000000 ____D C:\Users\Lap\Downloads\Galaxy Angel
2012-01-09 03:04 - 2012-01-09 03:04 - 36855231 ____A C:\Users\Lap\Desktop\GAPatchv98.rar
2012-01-07 02:37 - 2011-12-16 16:16 - 0000000 ____D C:\Users\Lap\Downloads\Kingdom Under Fire GOLD
2012-01-07 02:11 - 2011-11-28 21:39 - 0000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-01-07 02:08 - 2012-01-07 02:08 - 0279616 ____A (DT Soft Ltd) C:\Windows\System32\Drivers\dtsoftbus01.sys
2012-01-06 22:15 - 2012-01-06 22:06 - 0000000 ____D C:\Users\Lap\AppData\Roaming\Apple Computer
2012-01-06 22:06 - 2012-01-06 22:06 - 0000000 ____D C:\Users\Lap\AppData\Local\Apple Computer
2012-01-06 22:06 - 2012-01-06 22:06 - 0000000 ____D C:\Users\Lap\AppData\Local\Apple
2012-01-06 22:06 - 2012-01-06 22:06 - 0000000 ____D C:\Users\All Users\Apple Computer
2012-01-06 22:06 - 2012-01-06 22:06 - 0000000 ____D C:\Users\All Users\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-01-06 22:06 - 2012-01-06 22:06 - 0000000 ____D C:\ProgramData\Apple Computer
2012-01-06 22:06 - 2012-01-06 22:06 - 0000000 ____D C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-01-06 22:06 - 2012-01-06 22:06 - 0000000 ____D C:\Program Files\iTunes
2012-01-06 22:06 - 2012-01-06 22:06 - 0000000 ____D C:\Program Files\iPod
2012-01-06 22:06 - 2012-01-06 22:06 - 0000000 ____D C:\Program Files\Common Files\Apple
2012-01-06 22:06 - 2012-01-06 22:06 - 0000000 ____D C:\Program Files (x86)\iTunes
2012-01-06 22:06 - 2012-01-06 22:06 - 0000000 ____D C:\Program Files (x86)\Apple Software Update
2012-01-06 22:06 - 2012-01-06 22:05 - 0000000 ____D C:\Users\All Users\Apple
2012-01-06 22:06 - 2012-01-06 22:05 - 0000000 ____D C:\ProgramData\Apple
2012-01-06 22:05 - 2012-01-06 22:05 - 0000000 ____D C:\Program Files\Bonjour
2012-01-06 22:05 - 2012-01-06 22:05 - 0000000 ____D C:\Program Files (x86)\Bonjour
2012-01-02 11:48 - 2011-11-28 22:18 - 0000000 ____D C:\Users\Lap\AppData\Local\ElevatedDiagnostics
2012-01-02 00:50 - 2012-01-02 00:50 - 0000000 ____D C:\Program Files (x86)\Microsoft XNA
2011-12-29 17:19 - 2011-12-29 16:50 - 0000579 ____A C:\Users\Lap\Desktop\CSU.txt
2011-12-28 17:37 - 2011-12-27 02:46 - 0000000 __SHD C:\Users\Lap\wc

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll
[2010-11-20 19:24] - [2012-03-25 03:02] - 1008640 ____A (Microsoft Corporation) 2C353B6CE0C8D03225CAA2AF33B68D79

C:\Windows\SysWOW64\User32.dll
[2010-11-20 19:24] - [2012-03-25 03:02] - 0833024 ____A (Microsoft Corporation) 861C4346F9281DC0380DE72C8D55D6BE

C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 9%
Total physical RAM: 8169.6 MB
Available physical RAM: 7385.79 MB
Total Pagefile: 8167.75 MB
Available Pagefile: 7367.52 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:238.37 GB) (Free:100.61 GB) NTFS
3 Drive f: () (Removable) (Total:29.93 GB) (Free:24.35 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
5 Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 238 GB 0 B
Disk 1 Online 29 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 238 GB 101 MB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y System Rese NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 238 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 29 GB 4096 KB

======================================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F NTFS Removable 29 GB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-03-21 08:21

======================= End Of Log ==========================

Edited by Skipper240, 26 March 2012 - 04:59 PM.


#10 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Gender: Male, Location: Puerto rico)

Posted 26 March 2012 - 07:41 PM

Hello

I would like you to run the fix below and when it is complete I need you to rerun combofix and send me the report.

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

SubSystems: [Windows] ==> ZeroAccess
2 SQLWriter; C:\Windows\System32\cwafeventrouter.dll [6656 2009-07-13] (Oak Technology Inc.)
C:\Windows\System32\cwafeventrouter.dll
NETSVC: SQLWriter
2012-03-26 13:46 - 2012-03-24 13:07 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.

Gringo
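A defender-side way to pick the same indicators out of an FRST scan log automatically, as an added example that is not part of this thread and not FRST's own code: it splits the log into its sections, applies the heuristics the fix above relied on (FRST's "==> ZeroAccess" verdict on the SubSystems value, a service whose image is a bare DLL in System32, the netsvcs entry backing that service, and a hidden+system file dropped directly into System32) and emits the lines that would go into fixlist.txt. Section names and line layouts are taken from the log quoted in this thread; the regexes and the "directly in System32" rule are assumptions about the format, and the sample log is a constructed excerpt.

```python
"""Flag ZeroAccess-style indicators in a Farbar Recovery Scan Tool (FRST) log.

Added example for this thread; not part of the thread and not FRST's own code.
The heuristics mirror what the helper picked for the fixlist in the post above.
"""
import re

# Constructed excerpt of an FRST scan log (headers and line layout as in the real log).
SAMPLE_LOG = r"""
========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [13307496 2011-10-17] (Realtek Semiconductor)
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
SubSystems: [Windows] ==> ZeroAccess

==================== Services (Whitelisted) ======

2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [652360 2012-01-13] (Malwarebytes Corporation)
2 SQLWriter; C:\Windows\System32\cwafeventrouter.dll [6656 2009-07-13] (Oak Technology Inc.)

========================== NetSvcs (Whitelisted) ===========
NETSVC: houdiniserver
NETSVC: SQLWriter

============ One Month Created Files and Folders ==============

2012-03-24 22:02 - 2012-03-24 22:02 - 1385843 ____A C:\Users\Lap\Desktop\FRST64.exe
2012-03-24 13:07 - 2012-03-26 13:46 - 0000000 __ASH C:\Windows\System32\dds_trash_log.cmd
2012-03-22 16:20 - 2012-03-22 16:20 - 0000000 __ASH C:\Windows\System32\config\SAM.tmp.LOG1
"""

# Assumed line shapes, derived from the log quoted in the thread.
HEADER_RE = re.compile(r"^=+\s*([^=]+?)\s*=+$")
SERVICE_RE = re.compile(r"^(\d) (\S+); (.+?) \[\d+ \d{4}-\d{2}-\d{2}\]")
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d+ (\S+) (.+)$"
)


def split_sections(log):
    """Group non-empty lines under the '=== name ===' header that precedes them."""
    sections, current = {}, "preamble"
    for raw in log.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line:
            sections.setdefault(current, []).append(line)
    return sections


def image_path(field):
    """Strip surrounding quotes and trailing arguments from a service image field."""
    if field.startswith('"'):
        return field[1:field.index('"', 1)]
    return field.split(" ")[0]


def find_indicators(log):
    """Return (reason, line) pairs in the order a fixlist would list them."""
    sections = split_sections(log)
    hits, dll_services = [], {}

    for line in sections.get("Registry (Whitelisted)", []):
        if "==> ZeroAccess" in line:  # FRST's own verdict marker on the value
            hits.append(("SubSystems value tampered (FRST verdict)", line))

    for line in sections.get("Services (Whitelisted)", []):
        m = SERVICE_RE.match(line)
        if not m:
            continue
        name, image = m.group(2), image_path(m.group(3))
        # Services normally run an .exe; a bare DLL in System32 as the image is
        # how the SQLWriter entry on this system was hijacked.
        if image.lower().endswith(".dll") and "\\system32\\" in image.lower():
            dll_services[name] = image
            hits.append(("service image is a DLL in System32", line))
            hits.append(("DLL backing the hijacked service", image))

    for line in sections.get("NetSvcs (Whitelisted)", []):
        name = line.split(":", 1)[1].strip()
        if name in dll_services:
            hits.append(("netsvcs entry for the hijacked service", line))

    for line in sections.get("One Month Created Files and Folders", []):
        m = FILE_RE.match(line)
        if not m:
            continue
        attrs, path = m.groups()
        parent = path.rsplit("\\", 1)[0].lower()
        # Hidden+system file (not a directory) created directly in System32;
        # the config\ subfolder's own hidden .LOG files are deliberately excluded.
        if "S" in attrs and "H" in attrs and "D" not in attrs and parent == "c:\\windows\\system32":
            hits.append(("hidden+system file created in System32", line))
    return hits


def build_fixlist(log):
    """Lines to paste into fixlist.txt, one per indicator, as in the post above."""
    return [line for _, line in find_indicators(log)]


if __name__ == "__main__":
    for reason, line in find_indicators(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

On the constructed sample the output is exactly the five lines of the fixlist posted above, and the System32\config hidden log is correctly left alone.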

#11 Skipper240 (Topic Starter, Members, 14 posts)

Posted 26 March 2012 - 08:08 PM

Fix result of Farbar Recovery Scan Tool (FRST written by farbar) Version: 15-03-2012
Ran by SYSTEM at 2012-03-26 18:06:17 R:3
Running from F:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows Value was restored.
SQLWriter service deleted successfully.
C:\Windows\System32\cwafeventrouter.dll moved successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs SQLWriter Deleted successfully.
C:\Windows\System32\dds_trash_log.cmd moved successfully.

==== End of Fixlog ====

#12 Skipper240 (Topic Starter, Members, 14 posts)

Posted 26 March 2012 - 08:12 PM

ComboFix 12-03-22.01 - Lap 03/26/2012 18:08:49.5.8 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8170.6790 [GMT -7:00]
Running from: c:\users\Lap\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
.
.
((((((((((((((((((((((((( Files Created from 2012-02-27 to 2012-03-27 )))))))))))))))))))))))))))))))
.
.
2012-03-27 01:10 . 2012-03-27 01:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-27 01:07 . 2012-03-27 01:07 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{95F03814-54B7-4563-AB33-4EFE0848F4A0}\offreg.dll
2012-03-25 11:02 . 2012-03-25 11:02 -------- d-----w- c:\windows\SysWow64\Wat
2012-03-25 11:02 . 2012-03-25 11:02 -------- d-----w- c:\windows\system32\Wat
2012-03-23 13:43 . 2012-03-26 22:49 -------- d-----w- C:\FRST
2012-03-23 08:30 . 2012-03-23 08:30 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-03-23 08:30 . 2012-03-23 08:30 -------- d-----w- c:\program files (x86)\Java
2012-03-23 08:26 . 2012-03-23 08:26 -------- d-----w- c:\program files (x86)\VS Revo Group
2012-03-23 02:53 . 2012-03-24 21:08 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-18 00:38 . 2012-03-18 00:38 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-03-18 00:38 . 2012-03-18 00:38 44472 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-25 11:02 . 2010-11-21 03:24 14848 ----a-w- c:\windows\system32\slwga.dll
2012-03-25 11:02 . 2010-11-21 03:24 833024 ----a-w- c:\windows\SysWow64\user32.dll
2012-03-25 11:02 . 2010-11-21 03:24 1008640 ----a-w- c:\windows\system32\user32.dll
2012-03-25 11:02 . 2010-11-21 03:24 419840 ----a-w- c:\windows\system32\systemcpl.dll
2012-03-25 11:02 . 2010-11-21 03:23 13824 ----a-w- c:\windows\SysWow64\slwga.dll
2012-03-23 08:30 . 2011-11-29 05:02 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-02-16 10:06 . 2012-02-16 10:06 178800 ----a-w- c:\windows\SysWow64\CmdLineExt_x64.dll
2012-01-17 00:45 . 2012-01-17 00:45 709968 ----a-w- c:\windows\is-9F0CI.exe
2012-01-07 10:08 . 2012-01-07 10:08 279616 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-11-21 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\ERDNT\cache64\user32.dll
[7] 2010-11-21 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll
[-] 2012-03-25 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7601.17514] .. c:\windows\system32\user32.dll
.
[-] 2012-03-25 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7601.17514] .. c:\windows\SysWOW64\user32.dll
[7] 2010-11-21 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\ERDNT\cache86\user32.dll
[7] 2010-11-21 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
.
((((((((((((((((((((((((((((( SnapShot@2012-03-24_12.02.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-24 07:27 . 2012-03-26 08:56 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
- 2012-03-24 07:27 . 2012-03-24 07:22 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
+ 2012-03-22 10:44 . 2012-03-27 00:52 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2010-11-21 03:09 . 2012-03-27 01:08 36602 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-27 01:08 31444 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2012-03-23 12:40 . 2012-03-24 21:03 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
- 2012-03-23 12:40 . 2012-03-23 10:36 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
+ 2011-11-29 05:02 . 2012-03-26 21:50 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-11-29 05:02 . 2012-03-24 03:12 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-03-23 12:50 . 2012-03-24 03:12 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-03-23 12:50 . 2012-03-26 21:50 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-26 21:50 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-24 03:12 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-11-29 05:23 . 2012-03-27 01:08 3302 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2596830423-1849512129-4121542367-1000_UserData.bin
- 2011-11-29 05:23 . 2012-03-24 03:14 3302 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2596830423-1849512129-4121542367-1000_UserData.bin
+ 2012-03-27 01:07 . 2012-03-27 01:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-03-24 12:02 . 2012-03-24 12:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-03-27 01:07 . 2012-03-27 01:07 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-03-25 11:02 . 2012-03-25 11:02 128424 c:\windows\SysWOW64\Wat\WatWeb.dll
+ 2012-03-25 11:02 . 2012-03-25 11:02 114600 c:\windows\SysWOW64\Wat\npWatWeb.dll
- 2012-03-22 10:45 . 2012-03-24 11:53 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2012-03-22 10:45 . 2012-03-27 01:01 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 04:54 . 2012-03-27 01:01 458752 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-03-25 11:02 . 2012-03-25 11:02 152888 c:\windows\system32\Wat\WatWeb.dll
+ 2012-03-25 11:02 . 2012-03-25 11:02 249656 c:\windows\system32\Wat\WatUX.exe
+ 2012-03-25 11:02 . 2012-03-25 11:02 138664 c:\windows\system32\Wat\npWatWeb.dll
+ 2009-07-14 02:36 . 2012-03-26 21:54 660530 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-03-24 03:17 660530 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-03-24 03:17 121426 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2012-03-26 21:54 121426 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-03-24 12:01 234264 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-03-27 01:04 234264 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 04:54 . 2012-03-27 01:01 3457024 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-03-25 11:02 . 2012-03-25 11:02 1255736 c:\windows\system32\Wat\WatAdminSvc.exe
+ 2011-11-29 06:00 . 2012-03-27 01:04 2063512 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2011-11-29 06:00 . 2012-03-24 12:01 2063512 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2009-07-14 04:54 . 2012-03-27 01:01 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-24 12:01 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-11-29 05:50 . 2012-03-27 01:04 53594772 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2596830423-1849512129-4121542367-1000-12288.dat
+ 2011-11-29 05:21 . 2012-03-27 01:04 17269424 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-18-16384.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-10-26 343168]
"DeathAdder"="c:\program files (x86)\Razer\DeathAdder\razerhid.exe" [2011-03-21 248320]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-18 113288]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2010-04-20 26192680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2011-9-18 102912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 ALSysIO;ALSysIO;c:\users\Lap\AppData\Local\Temp\ALSysIO64.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 RTCore64;RTCore64;c:\users\Lap\Desktop\rmclock_235_bin\RTCore64.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 BfLwf;Bigfoot Networks Bandwidth Control;c:\windows\system32\DRIVERS\bflwfx64.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 Bigfoot Networks Killer Service;Bigfoot Networks Killer Service;c:\program files\Bigfoot Networks\Killer Network Manager\BFNService.exe [2011-11-08 467456]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [x]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S3 Ak27x64;Killer Wireless-N 1102 device driver;c:\windows\system32\DRIVERS\Ak27x64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 danewFltr;NewDeathAdder Mouse;c:\windows\system32\drivers\danew.sys [x]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]
S3 JME;JMicron Ethernet Adapter NDIS6.20 Driver (Amd64 Bits);c:\windows\system32\DRIVERS\JME.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 VKbms;Virtual HID Minidriver;c:\windows\system32\DRIVERS\VKbms.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-10-17 13307496]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
houdiniserver
mindretrieve
bc_filter
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Lap\AppData\Roaming\Mozilla\Firefox\Profiles\y5gaxbo1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-57963886.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{32099AAC-C132-4136-9E9A-4E364A424E17}"=hex:51,66,7a,6c,4c,1d,38,12,c2,99,1a,
36,00,8f,58,04,e1,8c,0d,76,4f,1c,0a,03
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-03-26 18:11:45
ComboFix-quarantined-files.txt 2012-03-27 01:11
ComboFix2.txt 2012-03-24 12:03
ComboFix3.txt 2012-03-23 08:50
.
Pre-Run: 108,119,056,384 bytes free
Post-Run: 107,957,719,040 bytes free
.
- - End Of File - - F7B821209CC22EFE7786478C85B44C2C
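As an added example (my code, not from the thread and not ComboFix's own), a Python parser for the Sigcheck block in the log above. It groups each file's entries the way ComboFix prints them (one live copy plus its reference copies, files separated by a lone `.` line) and reports any live copy under system32 or SysWOW64 whose MD5 matches none of the WinSxS or ERDNT reference copies carrying the same version string. The sample input is the six Sigcheck lines from the post above. The log's own note applies: a mismatch is a lead, not a verdict. Here both user32.dll copies were rewritten at 2012-03-25 11:02, the same minute the Find3M report shows slwga.dll and the Wat folders changing, and the log does not say what wrote them.

```python
"""Parse the Sigcheck section of a ComboFix log and flag live system files whose
MD5 does not match any WinSxS / ERDNT reference copy reporting the same version."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One Sigcheck entry: "[7] 2010-11-21 . <md5> . <size> . . [<version>] .. <path>"
_ENTRY = re.compile(
    r"^\[(?P<tag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})"
    r"\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\.\s+(?P<path>.+?)\s*$"
)


@dataclass(frozen=True)
class Entry:
    tag: str       # ComboFix marker as printed, e.g. "7" or "-"
    date: str
    md5: str
    size: int
    version: str
    path: str

    @property
    def is_reference(self) -> bool:
        # The WinSxS component store and ComboFix's ERDNT backup hold pristine copies.
        p = self.path.lower()
        return "\\winsxs\\" in p or "\\erdnt\\" in p


def parse_sigcheck(log: str) -> list[list[Entry]]:
    """Return the Sigcheck section as blocks of entries. ComboFix prints one file's
    live copy together with its reference copies and separates files with a lone '.'."""
    blocks: list[list[Entry]] = []
    current: list[Entry] = []
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("------- Sigcheck -------"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("(((("):  # header of the next ComboFix section
            break
        if line == ".":
            if current:
                blocks.append(current)
                current = []
            continue
        m = _ENTRY.match(line)
        if m:  # the "Note: Unsigned files ..." line and anything else is skipped
            current.append(Entry(m["tag"], m["date"], m["md5"].upper(),
                                 int(m["size"]), m["version"], m["path"]))
    if current:
        blocks.append(current)
    return blocks


def find_mismatches(blocks: list[list[Entry]]) -> list[tuple[Entry, list[str]]]:
    """Return (live entry, reference MD5s) for each live file whose hash differs from
    every reference copy in its block that reports the same version string."""
    out: list[tuple[Entry, list[str]]] = []
    for block in blocks:
        for live in block:
            if live.is_reference:
                continue
            refs = sorted({r.md5 for r in block
                           if r.is_reference and r.version == live.version})
            if refs and live.md5 not in refs:
                out.append((live, refs))
    return out


# Constructed sample: the six Sigcheck lines from the ComboFix log above.
SAMPLE_LOG = r"""
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-11-21 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\ERDNT\cache64\user32.dll
[7] 2010-11-21 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll
[-] 2012-03-25 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7601.17514] .. c:\windows\system32\user32.dll
.
[-] 2012-03-25 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7601.17514] .. c:\windows\SysWOW64\user32.dll
[7] 2010-11-21 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\ERDNT\cache86\user32.dll
[7] 2010-11-21 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
.
((((((((((((((((((((((((((((( SnapShot@2012-03-24_12.02.38 )))))))))))))))))))))))))))))))))))))))))
"""

if __name__ == "__main__":
    for live, refs in find_mismatches(parse_sigcheck(SAMPLE_LOG)):
        print(f"{live.path}: {live.md5} (size {live.size}) vs reference {refs}")
```

To run it on a full log, pass the file contents instead of the sample: `find_mismatches(parse_sigcheck(Path("ComboFix.txt").read_text(errors="replace")))`. Matching on the version string, not just the file name, is what keeps a legitimately updated DLL (new version, new hash) from being reported alongside a same-version file whose bytes changed.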

#13 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Location: Puerto Rico)

Posted 26 March 2012 - 08:36 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::
KillAll::
Folder::
C:\Windows\assembly\temp\U

File::
C:\Windows\system32\consrv.dll
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



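As an added example (my code, not the helper's and not ComboFix's): the CFScript above targets a fixed set of ZeroAccess/Sirefef artifacts, and this Python script checks a Windows directory for the same ones (the GAC_32/GAC_64 Desktop.ini payloads, the assembly\temp\U store of *.@ files, system32\consrv.dll) and inspects the Session Manager SubSystems\Windows value for a csrss server DLL other than the stock basesrv, winsrv and sxssrv. Rewriting that value to load consrv.dll is how the 64-bit ZeroAccess variants of this period got into csrss.exe, which fits the FRST fix earlier in the thread restoring it. The clean value string is reproduced from memory of a Windows 7 x64 install and is an assumption; the demo builds a throwaway directory that mimics the infected layout, so it runs anywhere without touching a real registry.

```python
"""Check a Windows directory for the ZeroAccess/Sirefef artifacts removed in the logs
above, and check the SubSystems\Windows value for a non-stock csrss server DLL."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Server DLLs a clean Windows 7 SubSystems\Windows value loads into csrss.exe.
STOCK_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# Assumption: clean Windows 7 x64 value reproduced from memory for the demo.
CLEAN_SUBSYSTEMS_WINDOWS = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16"
)

# File artifacts the CFScript and the earlier ComboFix run removed, relative to %SystemRoot%.
ARTIFACT_FILES = (
    "assembly/GAC_32/Desktop.ini",
    "assembly/GAC_64/Desktop.ini",
    "system32/consrv.dll",
)


def check_subsystems_value(value: str) -> list[str]:
    """Return every ServerDll= name in the value that is not a stock csrss server DLL."""
    names = {m.group(1) for m in re.finditer(r"ServerDll=([^,:\s]+)", value, re.I)}
    return sorted(n for n in names if n.lower() not in STOCK_SERVER_DLLS)


def scan_windows_dir(windows: Path) -> list[str]:
    """Return the ZeroAccess file-system artifacts present under a Windows directory."""
    hits: list[str] = []
    for rel in ARTIFACT_FILES:
        if (windows / rel).is_file():
            hits.append(rel.replace("/", "\\"))
    store = windows / "assembly" / "temp" / "U"
    if store.is_dir():
        # The hidden store holds the rootkit's modules as 8-hex-digit files ending in ".@".
        payloads = sorted(p.name for p in store.iterdir() if p.name.endswith(".@"))
        hits.append(f"assembly\\temp\\U ({len(payloads)} *.@ files)")
    return hits


def demo() -> tuple[list[str], list[str]]:
    """Build a constructed directory mirroring the infected layout and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        w = Path(tmp) / "Windows"
        for rel in ARTIFACT_FILES + ("assembly/temp/U/00000001.@",
                                     "assembly/temp/U/80000000.@"):
            p = w / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"\x00")  # constructed placeholder content
        fs_hits = scan_windows_dir(w)
    # Constructed infected value: the console server entry swapped to consrv.
    infected = CLEAN_SUBSYSTEMS_WINDOWS.replace(
        "winsrv:ConServerDllInitialization", "consrv:ConServerDllInitialization")
    return fs_hits, check_subsystems_value(infected)


if __name__ == "__main__":
    files, dlls = demo()
    print("file artifacts:", files)
    print("non-stock csrss server DLLs:", dlls)
```

On a live host, pass `Path(r"C:\Windows")` to `scan_windows_dir` and read the registry value with `winreg.QueryValueEx` on the key `SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems` under `HKEY_LOCAL_MACHINE`, value name `Windows`, before handing it to `check_subsystems_value`. A hit from either check is a reason to run the removal tools the thread uses, not a substitute for them, since the rootkit also hides its store from the running system.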

#14 Skipper240 (Topic Starter, Members, 14 posts)

Posted 26 March 2012 - 10:17 PM

I clicked a few Google links after running ComboFix and haven't been redirected yet!

ComboFix 12-03-22.01 - Lap 03/26/2012 20:11:45.6.8 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8170.6563 [GMT -7:00]
Running from: c:\users\Lap\Desktop\ComboFix.exe
Command switches used :: c:\users\Lap\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\assembly\GAC_32\Desktop.ini"
"c:\windows\assembly\GAC_64\Desktop.ini"
"c:\windows\system32\consrv.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\temp\U
c:\windows\assembly\temp\U\00000001.@
c:\windows\assembly\temp\U\00000002.@
c:\windows\assembly\temp\U\00000004.@
c:\windows\assembly\temp\U\000000c0.@
c:\windows\assembly\temp\U\000000cb.@
c:\windows\assembly\temp\U\000000cf.@
c:\windows\assembly\temp\U\80000000.@
c:\windows\assembly\temp\U\80000004.@
c:\windows\assembly\temp\U\80000032.@
c:\windows\assembly\temp\U\80000064.@
c:\windows\assembly\temp\U\800000c0.@
c:\windows\assembly\temp\U\800000cb.@
c:\windows\assembly\temp\U\800000cf.@
c:\windows\system32\consrv.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-02-27 to 2012-03-27 )))))))))))))))))))))))))))))))
.
.
2012-03-27 03:13 . 2012-03-27 03:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-25 11:02 . 2012-03-25 11:02 -------- d-----w- c:\windows\SysWow64\Wat
2012-03-25 11:02 . 2012-03-25 11:02 -------- d-----w- c:\windows\system32\Wat
2012-03-23 13:43 . 2012-03-26 22:49 -------- d-----w- C:\FRST
2012-03-23 08:30 . 2012-03-23 08:30 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-03-23 08:30 . 2012-03-23 08:30 -------- d-----w- c:\program files (x86)\Java
2012-03-23 08:26 . 2012-03-23 08:26 -------- d-----w- c:\program files (x86)\VS Revo Group
2012-03-23 02:53 . 2012-03-24 21:08 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-18 00:38 . 2012-03-18 00:38 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-03-18 00:38 . 2012-03-18 00:38 44472 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-25 11:02 . 2010-11-21 03:24 14848 ----a-w- c:\windows\system32\slwga.dll
2012-03-25 11:02 . 2010-11-21 03:24 833024 ----a-w- c:\windows\SysWow64\user32.dll
2012-03-25 11:02 . 2010-11-21 03:24 1008640 ----a-w- c:\windows\system32\user32.dll
2012-03-25 11:02 . 2010-11-21 03:24 419840 ----a-w- c:\windows\system32\systemcpl.dll
2012-03-25 11:02 . 2010-11-21 03:23 13824 ----a-w- c:\windows\SysWow64\slwga.dll
2012-03-23 08:30 . 2011-11-29 05:02 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-02-16 10:06 . 2012-02-16 10:06 178800 ----a-w- c:\windows\SysWow64\CmdLineExt_x64.dll
2012-01-17 00:45 . 2012-01-17 00:45 709968 ----a-w- c:\windows\is-9F0CI.exe
2012-01-07 10:08 . 2012-01-07 10:08 279616 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2010-11-21 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\ERDNT\cache64\user32.dll
[7] 2010-11-21 . FE70103391A64039A921DBFFF9C7AB1B . 1008128 . . [6.1.7601.17514] .. c:\windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll
[-] 2012-03-25 . 2C353B6CE0C8D03225CAA2AF33B68D79 . 1008640 . . [6.1.7601.17514] .. c:\windows\system32\user32.dll
.
[-] 2012-03-25 . 861C4346F9281DC0380DE72C8D55D6BE . 833024 . . [6.1.7601.17514] .. c:\windows\SysWOW64\user32.dll
[7] 2010-11-21 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\ERDNT\cache86\user32.dll
[7] 2010-11-21 . 5E0DB2D8B2750543CD2EBB9EA8E6CDD3 . 833024 . . [6.1.7601.17514] .. c:\windows\winsxs\wow64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_35b31c02b85ccb6e\user32.dll
.
((((((((((((((((((((((((((((( SnapShot@2012-03-24_12.02.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-24 07:27 . 2012-03-26 08:56 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
- 2012-03-24 07:27 . 2012-03-24 07:22 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
+ 2012-03-22 10:44 . 2012-03-27 00:52 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2010-11-21 03:09 . 2012-03-27 01:23 36618 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-27 01:23 31444 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2012-03-23 12:40 . 2012-03-23 10:36 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
+ 2012-03-23 12:40 . 2012-03-24 21:03 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
- 2011-11-29 05:02 . 2012-03-24 03:12 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-11-29 05:02 . 2012-03-26 21:50 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-03-23 12:50 . 2012-03-26 21:50 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2012-03-23 12:50 . 2012-03-24 03:12 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-03-24 03:12 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-26 21:50 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-11-29 05:23 . 2012-03-27 01:23 3302 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2596830423-1849512129-4121542367-1000_UserData.bin
- 2011-11-29 05:23 . 2012-03-24 03:14 3302 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2596830423-1849512129-4121542367-1000_UserData.bin
- 2012-03-24 12:02 . 2012-03-24 12:02 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-03-27 03:14 . 2012-03-27 03:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-03-25 11:02 . 2012-03-25 11:02 128424 c:\windows\SysWOW64\Wat\WatWeb.dll
+ 2012-03-25 11:02 . 2012-03-25 11:02 114600 c:\windows\SysWOW64\Wat\npWatWeb.dll
- 2012-03-22 10:45 . 2012-03-24 11:53 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2012-03-22 10:45 . 2012-03-27 01:01 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 04:54 . 2012-03-27 01:01 458752 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-03-25 11:02 . 2012-03-25 11:02 152888 c:\windows\system32\Wat\WatWeb.dll
+ 2012-03-25 11:02 . 2012-03-25 11:02 249656 c:\windows\system32\Wat\WatUX.exe
+ 2012-03-25 11:02 . 2012-03-25 11:02 138664 c:\windows\system32\Wat\npWatWeb.dll
- 2009-07-14 02:36 . 2012-03-24 03:17 660530 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-27 01:25 660530 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-27 01:25 121426 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-03-24 03:17 121426 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-03-24 12:01 234264 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-03-27 03:13 234264 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 04:54 . 2012-03-27 01:01 3457024 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-03-25 11:02 . 2012-03-25 11:02 1255736 c:\windows\system32\Wat\WatAdminSvc.exe
- 2011-11-29 06:00 . 2012-03-24 12:01 2063512 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-11-29 06:00 . 2012-03-27 03:13 2063512 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2009-07-14 04:54 . 2012-03-24 12:01 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-03-27 01:01 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-11-29 05:50 . 2012-03-27 03:13 53594772 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2596830423-1849512129-4121542367-1000-12288.dat
+ 2011-11-29 05:21 . 2012-03-27 01:04 17269424 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-18-16384.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-10-26 343168]
"DeathAdder"="c:\program files (x86)\Razer\DeathAdder\razerhid.exe" [2011-03-21 248320]
"NUSB3MON"="c:\program files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe" [2010-11-18 113288]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2010-04-20 26192680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2011-9-18 102912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
R3 ALSysIO;ALSysIO;c:\users\Lap\AppData\Local\Temp\ALSysIO64.sys [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 RTCore64;RTCore64;c:\users\Lap\Desktop\rmclock_235_bin\RTCore64.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 BfLwf;Bigfoot Networks Bandwidth Control;c:\windows\system32\DRIVERS\bflwfx64.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 Bigfoot Networks Killer Service;Bigfoot Networks Killer Service;c:\program files\Bigfoot Networks\Killer Network Manager\BFNService.exe [2011-11-08 467456]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [x]
S3 Ak27x64;Killer Wireless-N 1102 device driver;c:\windows\system32\DRIVERS\Ak27x64.sys [x]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 danewFltr;NewDeathAdder Mouse;c:\windows\system32\drivers\danew.sys [x]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [x]
S3 JME;JMicron Ethernet Adapter NDIS6.20 Driver (Amd64 Bits);c:\windows\system32\DRIVERS\JME.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [x]
S3 VKbms;Virtual HID Minidriver;c:\windows\system32\DRIVERS\VKbms.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-10-17 13307496]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
houdiniserver
mindretrieve
bc_filter
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Lap\AppData\Roaming\Mozilla\Firefox\Profiles\y5gaxbo1.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{32099AAC-C132-4136-9E9A-4E364A424E17}"=hex:51,66,7a,6c,4c,1d,38,12,c2,99,1a,
36,00,8f,58,04,e1,8c,0d,76,4f,1c,0a,03
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11c_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11c.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG14.00.00.01PROFESSIONAL"="F450EB73684ED6B9D73418EB79D41F3DF33908EF744345B0AEE9ED754E414BA8851AF1A52B7507C523227703FD283A7C07ECFBD2B7B5B1ADBCD780E2865AF70E9E56021623BE9760B17788482D6073FE0AADBCFC21C51DAE3D6D13E1CB82D34EEE960A1B638C7FCAE43372E89DDE46682D864812E5EF2EDCD3E21E2C15754F37AADD1A2543F6151621C67E2726B81732A77442490166F0B72765BD8C9C1FBEECFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C5D575E7D6A3B98085D575E7D6A3B9808A2D97226D213B555FEBC9E127BECC74C71873D0B970BB0A14BB8CA5DFCCFEC9CDF126B343933F021D2C53437895E9A07AED59C01A0307CA2E3B42424223D496E47AA0EF2322A5DFB2C192BA916CD4E418A01B4D95EA48D32B6E3B8A9A9979AA523EE92E7718E45933FF573ECE6558115D3C181C263D149C202ACFEB3E7068EDEC40E060FA9E3BE478AF7D24D307853455AC09F028556F61F08658B1BF3623686FDAD18F2D3E2C2CC15B1B32EECE9456DF41FD2EBDE0340E590DA1C4B28BA046128679E36AC76AE2966A9A48458933EF77D6F836D4EDC3788E4CB10C4A453D2049E47130E33BDC3B98AD9D5DCF48F88A650B73B05F41E4D4B556E6C1B4B215DDB40CE12422B0D28AE93B09DD308B1520ED0F32847B934594AB3E857F6444F43A5F0F3DA331F6A648A148E779C1AFBAF9664931FD9C64019F156581F9579BC8BF4181ED44F5812E6A527CA7FFCF628947E73F716F98997AA0417CCB0461CF99CB0A22B071D68F400AC6730F84F32225CD46B79A7F434451117D64922ED1DD04393FD6C9F36A3B4659D767AC702A08A467FBFE212AD3D853413F6462A8335B8B0AB2026EE47A22931CD795D7896D9B673B665733A1EDF4A5FB8DD312695DFE1F75DFE916911405F5F64187EB7243C2E6B8755DDA54F9839421777E69442DAAE92DD975BA86A9C15535C7F78D655692D18D20EC88062AA2B6F95B1BF1ABE2AB5DBB8E826E8BA9C3E5107DFD84C67C426C6CC904F97091BAD5F6DFD7FFDD29440964C76858B01E8838207EEA032AD78BB2C7E63815F893583EDAB54652DDB254EE34BC883954D6C3FF3D4E3C6C50D7147DCC48F61ED428721D7B32F9F36C82B13CDBDE91BB045D801183CFB366902E15454D0A2E57F2162AFC23A8D53CD203AF1C17CEABFA7A2200C44DCF74B2318BD25EFA7AD7B7128DC0EB6C8F096CB77A8880EB75ED5EC327C5931A91DD99C73BEACF220C700C6EF514D9C3E61F82CFA92A4E8F15DB49555E993FCEBB3A6A349611503680AC528A35EB146CB68760EED5747690182AB5981279AA83E876B2B6567B92B0391955F82E437E
5769506B72298290D916D7B16BEB8001A90EAD64724D62B59C080A9D95F0C09121A7B8E0E81BE34B3A0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe
c:\program files (x86)\Razer\DeathAdder\razertra.exe
c:\program files (x86)\Razer\DeathAdder\razerofa.exe
c:\program files (x86)\Razer\DeathAdder\vdDaemon.exe
.
**************************************************************************
.
Completion time: 2012-03-26 20:15:15 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-27 03:15
ComboFix2.txt 2012-03-27 01:11
ComboFix3.txt 2012-03-24 12:03
ComboFix4.txt 2012-03-23 08:50
.
Pre-Run: 108,979,564,544 bytes free
Post-Run: 108,881,973,248 bytes free
.
- - End Of File - - 078FF521DB48BAF49DE227679D86424F
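The service/driver lines and the Svchost NetSvcs block are the parts of a ComboFix log a responder reads first. The following Python is an added example, not ComboFix's code and not part of any post in this thread: it parses the `R2 name;display;path [date size]` line format, pulls out the names listed under the NetSvcs group, and flags kernel drivers (.sys) whose image path sits under a user profile. My reading of the leading letter (R running, S stopped) and the digit (SCM start type) is an assumption about ComboFix's convention, and the sample log embedded below is constructed from a few lines of the log above.

```python
"""Triage helper for ComboFix service/driver and Svchost NetSvcs output.

Added example (not ComboFix's code, not the poster's). Parses the
"R2 name;display;path [date size]" service lines and the NetSvcs
list, then flags kernel drivers loaded from under a user profile.
"""
import re
from dataclasses import dataclass

# Assumed reading of ComboFix's service lines: first letter R = running,
# S = stopped; the digit is the SCM start type (0 boot .. 4 disabled);
# the bracket holds "<date> <size>" or "x" when no file details are shown.
SERVICE_RE = re.compile(
    r"^([RS])([0-4])\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]\s*$"
)
NETSVCS_MARKER = "Svchost - NetSvcs"
# Kernel drivers normally live under %SystemRoot%; a .sys under a user
# profile (Temp, Desktop, ...) is loaded from a user-writable location.
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)

# Constructed sample, copied in shape from the log in this thread
# (abbreviated; real ComboFix output has many more lines).
SAMPLE_LOG = r"""
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
R3 ALSysIO;ALSysIO;c:\users\Lap\AppData\Local\Temp\ALSysIO64.sys [x]
R3 RTCore64;RTCore64;c:\users\Lap\Desktop\rmclock_235_bin\RTCore64.sys [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S3 JME;JMicron Ethernet Adapter NDIS6.20 Driver (Amd64 Bits);c:\windows\system32\DRIVERS\JME.sys [x]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
houdiniserver
mindretrieve
bc_filter
.
"""


@dataclass
class Service:
    name: str
    display_name: str
    path: str
    running: bool
    start_type: int
    file_info: str  # "<date> <size>" or "x"


def parse_services(log_text):
    """Return a Service record for every service/driver line in the log."""
    services = []
    for raw in log_text.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if m:
            state, start, name, display, path, info = m.groups()
            services.append(Service(name, display, path, state == "R", int(start), info))
    return services


def parse_netsvcs(log_text):
    """Return the names listed under the Svchost NetSvcs group (up to the next '.' line)."""
    names, collecting = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if NETSVCS_MARKER in line:
            collecting = True
            continue
        if collecting:
            if line in ("", "."):
                break
            names.append(line)
    return names


def user_profile_drivers(services):
    """Drivers (.sys) whose image path sits under a user profile."""
    return [s for s in services
            if s.path.lower().endswith(".sys") and USER_PROFILE_RE.match(s.path)]


def triage(log_text):
    """One-shot summary a responder can read, or diff against a later log."""
    services = parse_services(log_text)
    return {
        "service_count": len(services),
        "running": [s.name for s in services if s.running],
        "user_profile_drivers": [(s.name, s.path) for s in user_profile_drivers(services)],
        "netsvcs": parse_netsvcs(log_text),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

A flagged driver is a prompt for review, not a verdict: the parser only surfaces drivers loaded from user-writable paths and the NetSvcs names so they can be checked against the services actually registered under HKLM\SYSTEM\CurrentControlSet\Services, instead of being eyeballed in a multi-thousand-line paste.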

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:29 PM

Posted 26 March 2012 - 10:22 PM

Hello

I would like to see a report that combofix makes.

Extra ComboFix report

  • Push the "Windows key" + "R" (between the "Ctrl" button and the "Alt" button).
  • Please copy and paste the following into the box:
    C:\Qoobox\Add-Remove Programs.txt
  • Click OK.

Copy and paste the report into this topic for me to review.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University



