Infected with tr/sirefef.bv.2


  • This topic is locked
16 replies to this topic

#1 kowalos123 (Members, 8 posts)

Posted 29 March 2012 - 09:59 AM

My computer has been infected with tr/sirefef.bv.2. I did scans with OTL and aswMBR. These are the logs. What should I do?

OTL logfile created on: 2012-03-28 11:52:11 - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = D:\Moje dokumenty\Pobrane
Enterprise Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd

2,00 Gb Total Physical Memory | 1,19 Gb Available Physical Memory | 59,39% Memory free
4,00 Gb Paging File | 2,84 Gb Available in Paging File | 70,92% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 24,32 Gb Total Space | 6,14 Gb Free Space | 25,23% Space Free | Partition Type: NTFS
Drive D: | 34,18 Gb Total Space | 6,60 Gb Free Space | 19,31% Space Free | Partition Type: NTFS
Drive E: | 90,45 Gb Total Space | 9,26 Gb Free Space | 10,24% Space Free | Partition Type: NTFS

Computer Name: PIOTREK-PC | User Name: Piotrek | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012-03-28 11:51:46 | 000,593,920 | ---- | M] (OldTimer Tools) -- D:\Moje dokumenty\Pobrane\OTL.exe
PRC - [2012-02-24 10:18:02 | 010,441,728 | ---- | M] (Creative Team S.A.) -- D:\Programy\WapSter AQQ\AQQ.exe
PRC - [2012-01-31 08:57:32 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- D:\Programy\Avira\AntiVir Desktop\avshadow.exe
PRC - [2012-01-31 08:57:06 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- D:\Programy\Avira\AntiVir Desktop\sched.exe
PRC - [2012-01-31 08:56:50 | 000,258,512 | ---- | M] (Avira Operations GmbH & Co. KG) -- D:\Programy\Avira\AntiVir Desktop\avgnt.exe
PRC - [2012-01-31 08:56:50 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- D:\Programy\Avira\AntiVir Desktop\avguard.exe
PRC - [2012-01-31 08:56:49 | 000,306,128 | ---- | M] (Avira Operations GmbH & Co. KG) -- D:\Programy\Avira\AntiVir Desktop\avcenter.exe
PRC - [2012-01-03 15:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011-06-24 06:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2011-02-25 07:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010-11-20 14:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010-11-20 14:16:54 | 000,100,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\audiodg.exe


========== Modules (No Company Name) ==========

MOD - [2012-03-21 14:21:12 | 000,429,040 | ---- | M] () -- C:\Users\Piotrek\AppData\Local\Google\Chrome\Application\17.0.963.83\ppgooglenaclpluginchrome.dll
MOD - [2012-03-21 14:21:11 | 003,772,912 | ---- | M] () -- C:\Users\Piotrek\AppData\Local\Google\Chrome\Application\17.0.963.83\pdf.dll
MOD - [2012-03-21 14:19:37 | 000,122,880 | ---- | M] () -- C:\Users\Piotrek\AppData\Local\Google\Chrome\Application\17.0.963.83\avutil-51.dll
MOD - [2012-03-21 14:19:35 | 000,220,672 | ---- | M] () -- C:\Users\Piotrek\AppData\Local\Google\Chrome\Application\17.0.963.83\avformat-53.dll
MOD - [2012-03-21 14:19:34 | 001,747,456 | ---- | M] () -- C:\Users\Piotrek\AppData\Local\Google\Chrome\Application\17.0.963.83\avcodec-53.dll
MOD - [2012-03-21 09:44:18 | 008,593,056 | ---- | M] () -- C:\Users\Piotrek\AppData\Local\Google\Chrome\Application\17.0.963.83\gcswf32.dll
MOD - [2012-02-24 22:54:58 | 001,186,304 | ---- | M] () -- D:\Programy\WapSter AQQ\System\Shared\Plugins\GGNet.dll
MOD - [2012-02-16 22:14:14 | 000,972,288 | ---- | M] () -- D:\Programy\WapSter AQQ\System\Shared\Plugins\SMS.dll
MOD - [2011-03-17 01:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
MOD - [2010-11-20 14:19:56 | 000,232,448 | ---- | M] () -- \\.\globalroot\systemroot\system32\mswsock.dll
MOD - [2010-08-25 11:41:20 | 000,304,640 | ---- | M] () -- D:\Programy\WapSter AQQ\System\Shared\Plugins\Contact.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\adfs.dll -- (vulfnths)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\nocashio.dll -- (usbser)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\swenum.dll -- (upnp)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\adiusbaw.dll -- (uleadburninghelper)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\slip.dll -- (tosrfec)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\idsvc.dll -- (kpf4)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\pctfw1.dll -- (ELacpi)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\RDID1027.dll -- (DCFS2K)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\ntsyslog.dll -- (basic2)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\wudfpf.dll -- (backupexecdevicemediaservice)
SRV - [2012-01-31 08:57:06 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- D:\Programy\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012-01-31 08:56:50 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- D:\Programy\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2012-01-24 19:37:47 | 001,045,256 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2012-01-15 02:33:04 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2012-01-03 15:10:42 | 000,063,928 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2010-12-28 00:50:30 | 031,124,344 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- D:\Programy\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)
SRV - [2009-07-14 03:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009-07-14 03:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009-07-14 03:14:41 | 000,005,632 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\pfc.dll -- (USBDongle)
SRV - [2009-07-14 03:14:41 | 000,005,632 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\ntmssvc.dll -- (tapeware)
SRV - [2009-07-14 03:14:41 | 000,005,632 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\ACDaemon.dll -- (prodrv06)
SRV - [2009-07-14 03:14:41 | 000,005,632 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\vaiomediaplatform-integratedserver-http.dll -- (eSettingsService)
SRV - [2009-07-14 03:14:41 | 000,005,632 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\areschatserver.dll -- (bthidmgr)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- System32\drivers\rdvgkmd.sys -- (VGPU)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\drivers\tsusbhub.sys -- (tsusbhub)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\drivers\synth3dvsc.sys -- (Synth3dVsc)
DRV - [2012-01-31 08:57:31 | 000,137,416 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2012-01-31 08:57:31 | 000,074,640 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2012-01-15 16:26:10 | 000,239,168 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\drivers\dtsoftbus01.sys -- (dtsoftbus01)
DRV - [2011-09-16 16:09:17 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2010-11-20 14:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
DRV - [2010-11-20 14:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010-11-20 14:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
DRV - [2010-11-20 12:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010-11-20 12:21:14 | 000,015,872 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rdpvideominiport.sys -- (RdpVideoMiniport)
DRV - [2010-11-20 11:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010-11-20 11:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010-06-17 14:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010-01-05 13:00:00 | 000,095,484 | ---- | M] (DATOM Dariusz Cielebąk) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\KMM4XNT.SYS -- (Kmm4xNT)
DRV - [2009-07-14 01:12:52 | 000,030,720 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tpm.sys -- (TPM)
DRV - [2009-07-14 00:13:45 | 001,068,032 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\smserial.sys -- (smserial)
DRV - [2009-07-14 00:02:51 | 004,231,168 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\netw5v32.sys -- (netw5v32) Intel®
DRV - [2009-07-02 01:59:00 | 009,786,752 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2007-07-31 03:39:00 | 000,007,680 | ---- | M] (ATK0100) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\ATKACPI.sys -- (MTsensor)
DRV - [2006-11-14 18:35:20 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC

IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: D:\Programy\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: D:\Programy\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@wolfram.com/Mathematica: C:\Program Files\Common Files\Wolfram Research\Browser\8.0.0.1802959\npmathplugin.dll (Wolfram Research, Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: D:\Programy\Adobe Reader X\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\Piotrek\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\Piotrek\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\virtualKeyboard@kaspersky.ru: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\FFExt\virtualKeyboard@kaspersky.ru
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\linkfilter@kaspersky.ru: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2011\FFExt\linkfilter@kaspersky.ru
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: E:\Programy\Firefox\components [2012-03-26 18:30:54 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins: E:\Programy\Firefox\plugins

[2012-03-26 18:31:12 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Piotrek\AppData\Roaming\Mozilla\Extensions

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Shockwave Flash (Disabled) = C:\Users\Piotrek\AppData\Local\Google\Chrome\User Data\PepperFlash\11.1.31.203\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\Piotrek\AppData\Local\Google\Chrome\Application\17.0.963.83\gcswf32.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\Piotrek\AppData\Local\Google\Chrome\Application\17.0.963.83\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\Piotrek\AppData\Local\Google\Chrome\Application\17.0.963.83\pdf.dll
CHR - plugin: Adobe Acrobat (Enabled) = D:\Programy\Adobe Reader X\Reader\Browser\nppdf32.dll
CHR - plugin: Wolfram Mathematica (Enabled) = C:\Program Files\Common Files\Wolfram Research\Browser\8.0.0.1802959\npmathplugin.dll
CHR - plugin: Java™ Platform SE 6 U31 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
CHR - plugin: Google Update (Enabled) = C:\Users\Piotrek\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Microsoft Office 2010 (Enabled) = D:\Programy\MICROS~1\Office14\NPAUTHZ.DLL
CHR - plugin: Microsoft Office 2010 (Enabled) = D:\Programy\MICROS~1\Office14\NPSPWRAP.DLL
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: YouTube = C:\Users\Piotrek\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Black Hole Sun = C:\Users\Piotrek\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjflaldchiphekckakjglcfjiomhjobc\1_0\
CHR - Extension: AdBlock = C:\Users\Piotrek\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom\2.5.22_0\
CHR - Extension: Smooth Gestures = C:\Users\Piotrek\AppData\Local\Google\Chrome\User Data\Default\Extensions\lfkgmnnajiljnolcgolmmgnecgldgeld\0.15.4.13_0\
CHR - Extension: Sprawdzanie poczty Google = C:\Users\Piotrek\AppData\Local\Google\Chrome\User Data\Default\Extensions\mihcahmgecmbnbcchbopgniflfhgnkff\3.2_0\

Hosts file not found
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Programy\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - D:\Programy\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O4 - HKLM..\Run: [avgnt] D:\Programy\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [BCSSync] D:\Programy\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.dll (NVIDIA Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - D:\Programy\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000018 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000020 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000021 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000022 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000023 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000024 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000025 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000026 - %SystemRoot%\System32\winrnr.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000027 - %SystemRoot%\System32\winrnr.dll File not found
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 95.160.170.92 88.156.222.92
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BB028C4B-3F27-47E0-9279-C6DF78C55D50}: DhcpNameServer = 95.160.170.92 88.156.222.92
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - D:\Programy\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009-06-10 23:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{6339f1b6-3f73-11e1-8ebf-001bfc1262fd}\Shell - "" = AutoRun
O33 - MountPoints2\{6339f1b6-3f73-11e1-8ebf-001bfc1262fd}\Shell\AutoRun\command - "" = G:\SETUP.EXE
O33 - MountPoints2\{6339f1b6-3f73-11e1-8ebf-001bfc1262fd}\Shell\configure\command - "" = G:\SETUP.EXE
O33 - MountPoints2\{6339f1b6-3f73-11e1-8ebf-001bfc1262fd}\Shell\install\command - "" = G:\SETUP.EXE
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - C:\Windows\System32\ntmssvc.dll ()
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: usbser - %systemroot%\system32\nocashio.dll File not found
NetSvcs: ELacpi - %systemroot%\system32\pctfw1.dll File not found
NetSvcs: tosrfec - %systemroot%\system32\slip.dll File not found
NetSvcs: DCFS2K - %systemroot%\system32\RDID1027.dll File not found
NetSvcs: basic2 - %systemroot%\system32\ntsyslog.dll File not found
NetSvcs: USBDongle - C:\Windows\System32\pfc.dll ()
NetSvcs: tapeware - C:\Windows\System32\ntmssvc.dll ()
NetSvcs: eSettingsService - C:\Windows\System32\vaiomediaplatform-integratedserver-http.dll ()
NetSvcs: bthidmgr - C:\Windows\System32\areschatserver.dll ()
NetSvcs: prodrv06 - C:\Windows\System32\ACDaemon.dll ()
NetSvcs: vulfnths - %systemroot%\system32\adfs.dll File not found
NetSvcs: uleadburninghelper - %systemroot%\system32\adiusbaw.dll File not found
NetSvcs: upnp - %systemroot%\system32\swenum.dll File not found
NetSvcs: kpf4 - %systemroot%\system32\idsvc.dll File not found
NetSvcs: backupexecdevicemediaservice - %systemroot%\system32\wudfpf.dll File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

========== Files/Folders - Created Within 30 Days ==========

[2012-03-27 21:31:39 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2012-03-27 21:31:01 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2012-03-26 21:33:34 | 000,000,000 | ---D | C] -- C:\Users\Piotrek\AppData\Roaming\Avira
[2012-03-26 21:29:32 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avira
[2012-03-26 21:29:09 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\ssmdrv.sys
[2012-03-26 21:29:08 | 000,137,416 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avipbb.sys
[2012-03-26 21:29:08 | 000,074,640 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avgntflt.sys
[2012-03-26 21:29:08 | 000,036,000 | ---- | C] (Avira GmbH) -- C:\Windows\System32\drivers\avkmgr.sys
[2012-03-26 21:29:07 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira
[2012-03-26 19:37:52 | 000,000,000 | ---D | C] -- C:\Users\Piotrek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome
[2012-03-26 18:35:19 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012-03-26 18:31:00 | 000,000,000 | ---D | C] -- C:\Users\Piotrek\AppData\Roaming\Mozilla
[2012-03-26 18:31:00 | 000,000,000 | ---D | C] -- C:\Users\Piotrek\AppData\Local\Mozilla
[2012-03-24 17:35:01 | 000,000,000 | ---D | C] -- C:\Program Files\Wolfram Research
[2012-03-24 17:34:55 | 000,000,000 | ---D | C] -- C:\Windows\Downloaded Installations
[2012-03-24 17:34:50 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wolfram Mathematica
[2012-03-24 17:14:35 | 000,000,000 | -H-D | C] -- C:\Users\Piotrek\AppData\Local\MicrosoftNT
[2012-03-24 17:06:51 | 000,000,000 | ---D | C] -- C:\Users\Piotrek\AppData\Roaming\Mathematica
[2012-03-24 17:06:51 | 000,000,000 | ---D | C] -- C:\Users\Piotrek\AppData\Local\Mathematica
[2012-03-24 17:06:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wolfram Research
[2012-03-24 17:06:12 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\ResearchSoft
[2012-03-24 17:06:12 | 000,000,000 | ---D | C] -- C:\ProgramData\Mathematica
[2012-03-24 17:01:38 | 000,369,680 | ---- | C] (Wolfram Research, Inc.) -- C:\Windows\System32\ml32i3.dll
[2012-03-24 17:01:38 | 000,333,840 | ---- | C] (Wolfram Research, Inc.) -- C:\Windows\System32\mltcpip32.mlp
[2012-03-24 17:01:38 | 000,260,112 | ---- | C] (Wolfram Research, Inc.) -- C:\Windows\System32\ml32i2.dll
[2012-03-24 17:01:38 | 000,253,968 | ---- | C] (Wolfram Research, Inc.) -- C:\Windows\System32\ml32i1.dll
[2012-03-24 17:01:38 | 000,167,952 | ---- | C] (Wolfram Research, Inc.) -- C:\Windows\System32\mlmodule32.dll
[2012-03-24 17:01:38 | 000,093,712 | ---- | C] (Wolfram Research, Inc.) -- C:\Windows\System32\mltcp32.mlp
[2012-03-24 17:01:38 | 000,088,080 | ---- | C] (Wolfram Research, Inc.) -- C:\Windows\System32\mlshm32.mlp
[2012-03-24 17:01:38 | 000,079,376 | ---- | C] (Wolfram Research, Inc.) -- C:\Windows\System32\mlmap32.mlp
[2012-03-22 23:26:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Deluxe Ski Jump 4
[2012-03-22 23:17:49 | 000,000,000 | ---D | C] -- D:\Moje dokumenty\Dokumenty\Deluxe Ski Jump 4
[2012-03-20 12:05:52 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2012-03-08 22:54:48 | 000,000,000 | ---D | C] -- C:\Users\Piotrek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Haali Media Splitter
[2012-03-08 22:54:48 | 000,000,000 | ---D | C] -- C:\Program Files\Haali
[2012-03-08 22:54:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CoreCodec
[2012-03-08 22:54:38 | 000,000,000 | ---D | C] -- C:\Program Files\CoreCodec
[2012-03-03 15:55:47 | 000,000,000 | ---D | C] -- D:\Moje dokumenty\Dokumenty\Autodesk
[2012-03-03 15:55:39 | 000,000,000 | ---D | C] -- C:\Users\Piotrek\AppData\Roaming\Macrovision
[2012-03-03 15:52:55 | 000,000,000 | ---D | C] -- C:\Program Files\Autodesk
[2012-03-03 15:52:50 | 000,000,000 | R--D | C] -- C:\Users\Piotrek\Downloads
[2012-03-03 15:52:50 | 000,000,000 | R--D | C] -- C:\Users\Piotrek\Documents
[2012-03-03 15:52:49 | 000,000,000 | R--D | C] -- C:\Users\Piotrek\Pictures
[2012-03-03 15:52:49 | 000,000,000 | ---D | C] -- C:\Users\Piotrek\AppData\Local\Programs
[2012-03-03 15:52:29 | 000,000,000 | ---D | C] -- C:\ProgramData\Macrovision
[2012-03-03 15:52:20 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\Autodesk
[2012-03-03 13:36:18 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012-03-03 13:34:27 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2012-03-03 13:34:27 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2012-03-03 13:34:27 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2012-03-03 13:34:08 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2012-02-27 20:54:39 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Pakiet SPECBUD
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012-03-28 11:42:00 | 000,001,066 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-140570312-3957278227-4139224077-1001UA.job
[2012-03-28 11:29:00 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At24.job
[2012-03-28 11:29:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At23.job
[2012-03-28 10:40:11 | 000,616,008 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2012-03-28 10:40:11 | 000,106,388 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2012-03-28 10:35:58 | 000,000,000 | -HS- | M] () -- C:\Windows\System32\dds_trash_log.cmd
[2012-03-28 10:35:56 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012-03-28 10:35:49 | 1609,965,568 | -HS- | M] () -- C:\hiberfil.sys
[2012-03-28 01:06:54 | 000,010,400 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012-03-28 01:06:54 | 000,010,400 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012-03-28 00:29:00 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At2.job
[2012-03-28 00:29:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At1.job
[2012-03-27 23:29:01 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At48.job
[2012-03-27 23:29:01 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At47.job
[2012-03-27 22:29:00 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At46.job
[2012-03-27 22:29:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At45.job
[2012-03-27 21:29:06 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At44.job
[2012-03-27 21:29:06 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At43.job
[2012-03-27 20:29:06 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At42.job
[2012-03-27 20:29:06 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At41.job
[2012-03-27 19:42:01 | 000,001,014 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-140570312-3957278227-4139224077-1001Core.job
[2012-03-27 19:29:06 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At40.job
[2012-03-27 19:29:06 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At39.job
[2012-03-27 18:29:08 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At38.job
[2012-03-27 18:29:08 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At37.job
[2012-03-27 17:30:16 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At35.job
[2012-03-27 17:30:11 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At36.job
[2012-03-27 16:30:37 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At34.job
[2012-03-27 16:29:10 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At33.job
[2012-03-27 15:29:10 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At32.job
[2012-03-27 15:29:10 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At31.job
[2012-03-27 14:40:26 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At30.job
[2012-03-27 14:29:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At29.job
[2012-03-27 13:29:06 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At28.job
[2012-03-27 13:29:06 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At27.job
[2012-03-27 12:32:38 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At26.job
[2012-03-27 12:29:00 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At25.job
[2012-03-27 11:29:34 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At8.job
[2012-03-27 11:29:34 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At6.job
[2012-03-27 11:29:34 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At9.job
[2012-03-27 11:29:34 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At7.job
[2012-03-27 11:29:34 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At5.job
[2012-03-27 11:29:33 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At4.job
[2012-03-27 11:29:33 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At22.job
[2012-03-27 11:29:33 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At20.job
[2012-03-27 11:29:33 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At18.job
[2012-03-27 11:29:33 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At16.job
[2012-03-27 11:29:33 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At14.job
[2012-03-27 11:29:33 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At12.job
[2012-03-27 11:29:33 | 000,000,354 | ---- | M] () -- C:\Windows\tasks\At10.job
[2012-03-27 11:29:33 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At3.job
[2012-03-27 11:29:33 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At21.job
[2012-03-27 11:29:33 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At19.job
[2012-03-27 11:29:33 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At17.job
[2012-03-27 11:29:33 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At15.job
[2012-03-27 11:29:33 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At13.job
[2012-03-27 11:29:33 | 000,000,352 | ---- | M] () -- C:\Windows\tasks\At11.job
[2012-03-27 11:27:48 | 000,000,112 | ---- | M] () -- C:\ProgramData\iGW8bw.dat
[2012-03-26 22:13:54 | 001,079,296 | ---- | M] () -- D:\Moje dokumenty\Pulpit\Konstrukcja.rtd
[2012-03-26 22:09:16 | 000,964,608 | ---- | M] () -- D:\Moje dokumenty\Pulpit\Konstrukcja.bak
[2012-03-26 21:49:08 | 003,015,557 | ---- | M] () -- D:\Moje dokumenty\Pulpit\SB.jpg
[2012-03-26 18:30:55 | 000,000,702 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012-03-26 18:27:25 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2012-03-26 09:40:46 | 000,422,856 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012-03-17 12:56:49 | 000,549,800 | ---- | M] () -- D:\Moje dokumenty\Pulpit\PIT-36(17)_v1-0E K.Pytel 2011.pdf
[2012-03-17 12:15:39 | 000,011,761 | ---- | M] () -- C:\Users\Piotrek\AppData\Local\unins000.msg
[2012-03-17 12:15:39 | 000,002,139 | ---- | M] () -- C:\Users\Piotrek\AppData\Local\unins000.dat
[2012-03-17 12:15:22 | 000,707,504 | ---- | M] () -- C:\Users\Piotrek\AppData\Local\unins000.exe
[2012-03-10 11:58:40 | 000,314,151 | ---- | M] () -- D:\Moje dokumenty\Pulpit\Untitled.jpg
[2012-03-03 15:54:57 | 000,000,923 | ---- | M] () -- C:\Users\Public\Desktop\Autodesk Robot Structural Analysis 2010.lnk
[2012-03-03 15:54:55 | 000,000,069 | ---- | M] () -- C:\Windows\RUNTEST.INI
[2012-03-03 13:34:09 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2012-03-03 13:34:09 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2012-03-03 13:34:09 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2012-03-03 13:34:09 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2012-02-27 20:54:39 | 000,000,727 | ---- | M] () -- D:\Moje dokumenty\Pulpit\Kalkulator parametrów geotechnicznych gruntów metodą B.lnk
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012-03-27 11:10:06 | 000,000,112 | ---- | C] () -- C:\ProgramData\iGW8bw.dat
[2012-03-27 11:10:05 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At48.job
[2012-03-27 11:10:05 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At46.job
[2012-03-27 11:10:05 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At47.job
[2012-03-27 11:10:04 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At44.job
[2012-03-27 11:10:04 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At42.job
[2012-03-27 11:10:04 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At45.job
[2012-03-27 11:10:04 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At43.job
[2012-03-27 11:10:03 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At40.job
[2012-03-27 11:10:03 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At38.job
[2012-03-27 11:10:03 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At41.job
[2012-03-27 11:10:03 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At39.job
[2012-03-27 11:10:02 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At36.job
[2012-03-27 11:10:02 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At37.job
[2012-03-27 11:10:02 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At35.job
[2012-03-27 11:10:01 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At34.job
[2012-03-27 11:10:01 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At32.job
[2012-03-27 11:10:01 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At33.job
[2012-03-27 11:10:00 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At30.job
[2012-03-27 11:10:00 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At31.job
[2012-03-27 11:10:00 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At29.job
[2012-03-27 11:09:59 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At28.job
[2012-03-27 11:09:59 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At26.job
[2012-03-27 11:09:59 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At27.job
[2012-03-27 11:09:58 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At24.job
[2012-03-27 11:09:58 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At25.job
[2012-03-27 11:09:58 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At23.job
[2012-03-27 11:09:57 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At22.job
[2012-03-27 11:09:57 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At21.job
[2012-03-27 11:09:56 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At20.job
[2012-03-27 11:09:56 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At18.job
[2012-03-27 11:09:56 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At19.job
[2012-03-27 11:09:55 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At16.job
[2012-03-27 11:09:55 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At14.job
[2012-03-27 11:09:55 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At17.job
[2012-03-27 11:09:55 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At15.job
[2012-03-27 11:09:54 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At12.job
[2012-03-27 11:09:54 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At13.job
[2012-03-27 11:09:54 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At11.job
[2012-03-27 11:09:53 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At8.job
[2012-03-27 11:09:53 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At10.job
[2012-03-27 11:09:53 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At9.job
[2012-03-27 11:09:52 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At6.job
[2012-03-27 11:09:52 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At7.job
[2012-03-27 11:09:52 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At5.job
[2012-03-27 11:09:51 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At4.job
[2012-03-27 11:09:51 | 000,000,354 | ---- | C] () -- C:\Windows\tasks\At2.job
[2012-03-27 11:09:51 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At3.job
[2012-03-27 11:09:50 | 000,000,352 | ---- | C] () -- C:\Windows\tasks\At1.job
[2012-03-26 22:03:35 | 000,964,608 | ---- | C] () -- D:\Moje dokumenty\Pulpit\Konstrukcja.bak
[2012-03-26 22:01:26 | 001,079,296 | ---- | C] () -- D:\Moje dokumenty\Pulpit\Konstrukcja.rtd
[2012-03-26 21:49:12 | 003,015,557 | ---- | C] () -- D:\Moje dokumenty\Pulpit\SB.jpg
[2012-03-26 19:37:10 | 000,001,066 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-140570312-3957278227-4139224077-1001UA.job
[2012-03-26 19:37:10 | 000,001,014 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-140570312-3957278227-4139224077-1001Core.job
[2012-03-26 18:30:55 | 000,000,702 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2012-03-26 18:30:55 | 000,000,702 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
[2012-03-24 17:10:28 | 000,000,000 | -HS- | C] () -- C:\Windows\System32\dds_trash_log.cmd
[2012-03-17 12:56:49 | 000,549,800 | ---- | C] () -- D:\Moje dokumenty\Pulpit\PIT-36(17)_v1-0E K.Pytel 2011.pdf
[2012-03-17 12:15:39 | 000,707,504 | ---- | C] () -- C:\Users\Piotrek\AppData\Local\unins000.exe
[2012-03-17 12:15:39 | 000,011,761 | ---- | C] () -- C:\Users\Piotrek\AppData\Local\unins000.msg
[2012-03-17 12:15:39 | 000,002,139 | ---- | C] () -- C:\Users\Piotrek\AppData\Local\unins000.dat
[2012-03-10 11:58:40 | 000,314,151 | ---- | C] () -- D:\Moje dokumenty\Pulpit\Untitled.jpg
[2012-03-03 15:54:57 | 000,000,923 | ---- | C] () -- C:\Users\Public\Desktop\Autodesk Robot Structural Analysis 2010.lnk
[2012-03-03 15:54:55 | 000,000,069 | ---- | C] () -- C:\Windows\RUNTEST.INI
[2012-02-27 20:54:39 | 000,000,727 | ---- | C] () -- D:\Moje dokumenty\Pulpit\Kalkulator parametrów geotechnicznych gruntów metodą B.lnk
[2012-02-14 22:35:37 | 000,354,304 | ---- | C] () -- C:\Users\Piotrek\AppData\Roaming\chrtmp
[2012-01-17 18:45:49 | 000,116,224 | ---- | C] () -- C:\Windows\System32\pdfcmnnt.dll
[2012-01-15 17:12:31 | 000,080,896 | ---- | C] () -- C:\Windows\System32\RDVGHelper.exe
[2012-01-15 17:11:13 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2012-01-15 16:26:10 | 000,239,168 | ---- | C] () -- C:\Windows\System32\drivers\dtsoftbus01.sys
[2011-06-10 07:34:52 | 000,080,416 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll

========== Custom Scans ==========

< %systemroot%\*. /rp /s >

========== Hard Links - Junction Points - Mount Points - Symbolic Links ==========
[C:\Windows\$NtUninstallKB26722$\systemprofile\AppData\Local\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\$NtUninstallKB26722$\systemprofile\AppData\Local\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\$NtUninstallKB26722$\systemprofile\AppData\Local\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\$NtUninstallKB26722$\systemprofile\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Roaming -> Junction
[C:\Windows\$NtUninstallKB26722$\systemprofile\Cookies] -> C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies -> Junction
[C:\Windows\$NtUninstallKB26722$\systemprofile\Local Settings] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\$NtUninstallKB26722$] -> Error: Cannot create file handle -> Unknown point type
[C:\Windows\System32\config\systemprofile\AppData\Local\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\History] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History -> Junction
[C:\Windows\System32\config\systemprofile\AppData\Local\Temporary Internet Files] -> C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files -> Junction
[C:\Windows\System32\config\systemprofile\Application Data] -> C:\Windows\system32\config\systemprofile\AppData\Roaming -> Junction
[C:\Windows\System32\config\systemprofile\Cookies] -> C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies -> Junction
[C:\Windows\System32\config\systemprofile\Local Settings] -> C:\Windows\system32\config\systemprofile\AppData\Local -> Junction

< End of report >


OTL Extras logfile created on: 2012-03-28 11:52:11 - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = D:\Moje dokumenty\Pobrane
Enterprise Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7601.17514)
Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd

2,00 Gb Total Physical Memory | 1,19 Gb Available Physical Memory | 59,39% Memory free
4,00 Gb Paging File | 2,84 Gb Available in Paging File | 70,92% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 24,32 Gb Total Space | 6,14 Gb Free Space | 25,23% Space Free | Partition Type: NTFS
Drive D: | 34,18 Gb Total Space | 6,60 Gb Free Space | 19,31% Space Free | Partition Type: NTFS
Drive E: | 90,45 Gb Total Space | 9,26 Gb Free Space | 10,24% Space Free | Partition Type: NTFS

Computer Name: PIOTREK-PC | User Name: Piotrek | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- "%1" %*
htmlfile [edit] -- "D:\Programy\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "D:\Programy\Microsoft Office\Office14\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [napiprojekt] -- "D:\Programy\NapiProjekt\napisy.exe" "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{0F0BA4C5-67CA-415C-8E6D-75FA745275E2}" = Autodesk Robot Structural Analysis
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java™ 6 Update 31
"{3AB08816-1827-487F-B384-005604BFE6B5}" = Autodesk Robot Structural Analysis
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5783F2D7-9001-0415-0002-0060B0CE6BBA}" = AutoCAD 2011 - Polski
"{5783F2D7-9001-0415-1002-0060B0CE6BBA}" = AutoCAD 2011 Language Pack - Polski
"{670D6292-74C1-4BFD-A0E1-38E9D58AC644}" = Norma Pro - wersja edukacyjna
"{6FCEBA1E-B484-4972-883F-E2B99A12758E}" = Norma Pro
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{71162F99-2344-4B82-B8D9-545D1A0C25F7}" = Autodesk Robot Structural Analysis
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{75D44701-B7C6-4C36-B506-F7A7C77A1100}" = Autodesk Robot Structural Analysis
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B72EC26-C48C-4D23-B332-50292294901F}" = Autodesk Robot Structural Analysis 2010
"{81BF6353-3C5B-4E6E-A566-7E162A00BF72}_is1" = Wtyczka e-Deklaracje
"{878E659F-028B-4090-9CD3-5290E9B05FA5}" = Autodesk Robot Structural Analysis
"{90140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0015-0415-0000-0000000FF1CE}" = Microsoft Office Access MUI (Polish) 2010
"{90140000-0015-0415-0000-0000000FF1CE}_Office14.PROPLUS_{39EFF327-D2C4-4C4B-B8EE-37325DECE1A4}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0415-0000-0000000FF1CE}" = Microsoft Office Excel MUI (Polish) 2010
"{90140000-0016-0415-0000-0000000FF1CE}_Office14.PROPLUS_{39EFF327-D2C4-4C4B-B8EE-37325DECE1A4}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0415-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (Polish) 2010
"{90140000-0018-0415-0000-0000000FF1CE}_Office14.PROPLUS_{39EFF327-D2C4-4C4B-B8EE-37325DECE1A4}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0415-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (Polish) 2010
"{90140000-0019-0415-0000-0000000FF1CE}_Office14.PROPLUS_{39EFF327-D2C4-4C4B-B8EE-37325DECE1A4}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0415-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (Polish) 2010
"{90140000-001A-0415-0000-0000000FF1CE}_Office14.PROPLUS_{39EFF327-D2C4-4C4B-B8EE-37325DECE1A4}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0415-0000-0000000FF1CE}" = Microsoft Office Word MUI (Polish) 2010
"{90140000-001B-0415-0000-0000000FF1CE}_Office14.PROPLUS_{39EFF327-D2C4-4C4B-B8EE-37325DECE1A4}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2010
"{90140000-001F-0407-0000-0000000FF1CE}_Office14.PROPLUS_{65A2328E-FDFB-4CA3-8582-357EA6825FEA}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUS_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0415-0000-0000000FF1CE}" = Microsoft Office Proof (Polish) 2010
"{90140000-001F-0415-0000-0000000FF1CE}_Office14.PROPLUS_{1D751709-BA6C-49E2-844B-4F4F20F410C9}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0415-0000-0000000FF1CE}" = Microsoft Office Proofing (Polish) 2010
"{90140000-002C-0415-0000-0000000FF1CE}_Office14.PROPLUS_{6606F321-8216-466E-981E-B75A14C46894}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0044-0415-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (Polish) 2010
"{90140000-0044-0415-0000-0000000FF1CE}_Office14.PROPLUS_{39EFF327-D2C4-4C4B-B8EE-37325DECE1A4}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0415-0000-0000000FF1CE}" = Microsoft Office Shared MUI (Polish) 2010
"{90140000-006E-0415-0000-0000000FF1CE}_Office14.PROPLUS_{6AF8887A-72F7-4FA0-ABE4-396172B64550}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0415-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (Polish) 2010
"{90140000-00A1-0415-0000-0000000FF1CE}_Office14.PROPLUS_{39EFF327-D2C4-4C4B-B8EE-37325DECE1A4}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00BA-0415-0000-0000000FF1CE}" = Microsoft Office Groove MUI (Polish) 2010
"{90140000-00BA-0415-0000-0000000FF1CE}_Office14.PROPLUS_{39EFF327-D2C4-4C4B-B8EE-37325DECE1A4}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9DEABCB6-B759-4D52-92F8-51B34A2B4D40}" = Autodesk Material Library 2011
"{AC76BA86-7AD7-1045-7B44-AA1000000001}" = Adobe Reader X (10.1.2) - Polish
"{C260343B-6282-42A2-939F-1FF7E503F608}" = Wolfram Notebook Indexer 2.0
"{CD1E078C-A6B9-47DA-B035-6365C85C7832}" = Autodesk Material Library 2011 Base Image library
"{EED4D62D-3650-41E6-8DAC-742EB48E458F}" = Autodesk Robot Structural Analysis
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{FBFDCCE0-3E83-4EF5-8DF9-84F231B4B085}" = Autodesk Robot Structural Analysis
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"AQQ" = WapSter AQQ
"AutoCAD 2011 - Polski" = AutoCAD 2011 - Polski
"AutoCAD 2011 - Polski Version 2.1" = AutoCAD 2011 - Polski Version 2.1
"Avira AntiVir Desktop" = Avira Free Antivirus
"A-WIN-Extras 8.0.0 1802959_is1" = Mathematica Extras 8.0 (1802959)
"Bullzip PDF Printer_is1" = Bullzip PDF Printer 7.1.0.1195
"CCleaner" = CCleaner
"CoreAVC Professional Edition" = CoreAVC Professional Edition (remove only)
"DAEMON Tools Lite" = DAEMON Tools Lite
"Deluxe Ski Jump 4_is1" = Deluxe Ski Jump 4
"Foxit PDF Editor" = Foxit PDF Editor
"GPL Ghostscript Lite_is1" = GPL Ghostscript Lite 9.04
"HaaliMkx" = Haali Media Splitter
"Kalkulator parametrów geotechnicznych gruntów metodą B_is1" = Kalkulator parametrów geotechnicznych gruntów metodą B - v. 1.1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox 11.0 (x86 pl)" = Mozilla Firefox 11.0 (x86 pl)
"M-WIN-G 7.0.0 1148361_is1" = Wolfram Mathematica 7 for Students (M-WIN-G 7.0.0 1148361)
"NapiProjekt_is1" = NapiProjekt 2.0.0 (build 2151)
"NVIDIA Drivers" = NVIDIA Drivers
"Office14.PROPLUS" = Microsoft Office Professional Plus 2010
"The KMPlayer" = The KMPlayer (remove only)
"uTorrent" = µTorrent
"Winamp" = Winamp
"WinRAR archiver" = WinRAR 4.01 (32-bitowy)

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2012-03-25 10:39:19 | Computer Name = Piotrek-PC | Source = SideBySide | ID = 16842815
Description = Activation context generation failed for "d:\Programy\wapster aqq\System\DelZip179.dll".Error
in manifest or policy file "d:\Programy\wapster aqq\System\DelZip179.dll" on line
8. The value "*" of attribute "language" in element "assemblyIdentity" is invalid.

Error - 2012-03-25 10:39:31 | Computer Name = Piotrek-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "D:\Programy\AutoCAD 2011\FaroImporter.exe".
Dependent
Assembly FARO.LS,processorArchitecture="x86",publicKeyToken="1d23f5635ba800ab",type="win32",version="1.1.406.58"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 2012-03-26 13:34:58 | Computer Name = Piotrek-PC | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: ntdll.dll, version: 6.1.7601.17725, time
stamp: 0x4ec49b60 Exception code: 0xc0000005 Fault offset: 0x00055e7e Faulting process
id: 0x3d4 Faulting application start time: 0x01cd0b7640edd966 Faulting application
path: C:\Windows\System32\svchost.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report
Id: 0154b99f-776a-11e1-9dc1-001bfc1262fd

Error - 2012-03-26 13:35:04 | Computer Name = Piotrek-PC | Source = Desktop Window Manager | ID = 9020
Description = The Desktop Window Manager has encountered a fatal error (0x88980406)

Error - 2012-03-26 13:48:54 | Computer Name = Piotrek-PC | Source = Application Error | ID = 1000
Description = Faulting application name: svchost.exe, version: 6.1.7600.16385, time
stamp: 0x4a5bc100 Faulting module name: ntdll.dll, version: 6.1.7601.17725, time
stamp: 0x4ec49b60 Exception code: 0xc0000005 Fault offset: 0x000299f4 Faulting process
id: 0x3a4 Faulting application start time: 0x01cd0b76fe7ff087 Faulting application
path: C:\Windows\System32\svchost.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report
Id: f3c61671-776b-11e1-b6db-001bfc1262fd

Error - 2012-03-26 13:54:05 | Computer Name = Piotrek-PC | Source = Application Error | ID = 1000
Description = Faulting application name: WSCommCntr2.exe, version: 3.0.269.0, time
stamp: 0x4c0c87d1 Faulting module name: ntdll.dll, version: 6.1.7601.17725, time
stamp: 0x4ec49b60 Exception code: 0xc0000005 Fault offset: 0x0003224d Faulting process
id: 0xcec Faulting application start time: 0x01cd0b796c7ad7c2 Faulting application
path: C:\Program Files\Common Files\Autodesk Shared\WSCommCntr\lib\WSCommCntr2.exe
Faulting
module path: C:\Windows\SYSTEM32\ntdll.dll Report Id: ad74862f-776c-11e1-b6db-001bfc1262fd

Error - 2012-03-26 14:00:32 | Computer Name = Piotrek-PC | Source = Application Error | ID = 1000
Description = Faulting application name: spoolsv.exe, version: 6.1.7601.17514, time
stamp: 0x4ce7aa85 Faulting module name: ntdll.dll, version: 6.1.7601.17725, time
stamp: 0x4ec49b60 Exception code: 0xc0000005 Fault offset: 0x00055dc1 Faulting process
id: 0x5f4 Faulting application start time: 0x01cd0b7701e44cff Faulting application
path: C:\Windows\System32\spoolsv.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report
Id: 93f07917-776d-11e1-b6db-001bfc1262fd

Error - 2012-03-26 14:15:36 | Computer Name = Piotrek-PC | Source = Application Error | ID = 1000
Description = Faulting application name: spoolsv.exe, version: 6.1.7601.17514, time
stamp: 0x4ce7aa85 Faulting module name: ntdll.dll, version: 6.1.7601.17725, time
stamp: 0x4ec49b60 Exception code: 0xc0000005 Fault offset: 0x00055dc1 Faulting process
id: 0x13b8 Faulting application start time: 0x01cd0b7a7d28a36d Faulting application
path: C:\Windows\System32\spoolsv.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report
Id: aeaf4392-776f-11e1-b6db-001bfc1262fd

Error - 2012-03-26 15:18:03 | Computer Name = Piotrek-PC | Source = Application Error | ID = 1000
Description = Faulting application name: spoolsv.exe, version: 6.1.7601.17514, time
stamp: 0x4ce7aa85 Faulting module name: ntdll.dll, version: 6.1.7601.17725, time
stamp: 0x4ec49b60 Exception code: 0xc0000005 Fault offset: 0x00055dc1 Faulting process
id: 0x1d68 Faulting application start time: 0x01cd0b7c94e25956 Faulting application
path: C:\Windows\System32\spoolsv.exe Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report
Id: 68366d97-7778-11e1-b6db-001bfc1262fd

Error - 2012-03-26 15:47:15 | Computer Name = Piotrek-PC | Source = Application Error | ID = 1000
Description = Faulting application name: WSCommCntr2.exe, version: 3.0.269.0, time
stamp: 0x4c0c87d1 Faulting module name: ntdll.dll, version: 6.1.7601.17725, time
stamp: 0x4ec49b60 Exception code: 0xc0000005 Fault offset: 0x0003224d Faulting process
id: 0xf78 Faulting application start time: 0x01cd0b893de46c7a Faulting application
path: C:\Program Files\Common Files\Autodesk Shared\WSCommCntr\lib\WSCommCntr2.exe
Faulting
module path: C:\Windows\SYSTEM32\ntdll.dll Report Id: 7c58c6c0-777c-11e1-a699-001bfc1262fd

[ System Events ]
Error - 2012-03-28 04:36:01 | Computer Name = Piotrek-PC | Source = Service Control Manager | ID = 7023
Description = The Elbycdfl service terminated with the following error: %%2

Error - 2012-03-28 04:36:01 | Computer Name = Piotrek-PC | Source = Service Control Manager | ID = 7023
Description = The NVR0FLASHDev service terminated with the following error: %%2

Error - 2012-03-28 04:36:16 | Computer Name = Piotrek-PC | Source = Microsoft-Windows-DNS-Client | ID = 1012
Description = There was an error while attempting to read the local hosts file.

Error - 2012-03-28 04:36:59 | Computer Name = Piotrek-PC | Source = Service Control Manager | ID = 7023
Description = The SE26mgmt service terminated with the following error: %%5

Error - 2012-03-28 04:38:00 | Computer Name = Piotrek-PC | Source = Service Control Manager | ID = 7023
Description = The CA561 service terminated with the following error: %%5

Error - 2012-03-28 04:52:58 | Computer Name = Piotrek-PC | Source = Service Control Manager | ID = 7023
Description = The Winmtsrv service terminated with the following error: %%5

Error - 2012-03-28 05:07:58 | Computer Name = Piotrek-PC | Source = Service Control Manager | ID = 7023
Description = The Wanusb service terminated with the following error: %%5

Error - 2012-03-28 05:22:58 | Computer Name = Piotrek-PC | Source = Service Control Manager | ID = 7023
Description = The Tvicport service terminated with the following error: %%5

Error - 2012-03-28 05:37:58 | Computer Name = Piotrek-PC | Source = Service Control Manager | ID = 7023
Description = The Lxcc_device service terminated with the following error: %%5

Error - 2012-03-28 05:52:58 | Computer Name = Piotrek-PC | Source = Service Control Manager | ID = 7023
Description = The CAMFLT service terminated with the following error: %%5


< End of report >


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-28 12:21:59
-----------------------------
12:21:59.671 OS Version: Windows 6.1.7601 Service Pack 1
12:21:59.671 Number of processors: 2 586 0xF0A
12:21:59.671 ComputerName: PIOTREK-PC UserName: Piotrek
12:22:01.311 Initialize success
12:22:12.970 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1
12:22:12.970 Disk 0 Vendor: ST9160821AS 3.ALC Size: 152627MB BusType: 3
12:22:12.980 Disk 0 MBR read successfully
12:22:12.990 Disk 0 MBR scan
12:22:12.990 Disk 0 Windows 7 default MBR code
12:22:13.000 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
12:22:13.010 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 24900 MB offset 206848
12:22:13.030 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 35000 MB offset 51202048
12:22:13.050 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 92625 MB offset 122882048
12:22:13.060 Disk 0 scanning sectors +312578048
12:22:13.120 Disk 0 scanning C:\Windows\system32\drivers
12:22:19.121 Service scanning
12:22:33.878 Modules scanning
12:22:35.578 Module: C:\Windows\system32\DRIVERS\dtsoftbus01.sys **SUSPICIOUS**
12:22:43.217 Module: C:\Windows\System32\kernel32.dll **SUSPICIOUS**
12:22:44.397 Disk 0 trace - called modules:
12:22:44.421 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85829fd0]<<
12:22:44.428 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x856545e0]
12:22:44.434 3 CLASSPNP.SYS[88bb959e] -> nt!IofCallDriver -> [0x85908028]
12:22:44.440 \Driver\00000468[0x85838158] -> IRP_MJ_CREATE -> 0x85829fd0
12:22:44.447 Scan finished successfully
12:24:17.864 Disk 0 MBR has been saved successfully to "D:\Moje dokumenty\Pulpit\MBR.dat"
12:24:17.864 The log file has been saved successfully to "D:\Moje dokumenty\Pulpit\aswMBR.txt"

#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:52 PM

Posted 29 March 2012 - 08:16 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop.
  • Execute TDSSKiller.exe by double-clicking on it.
  • When the window opens, click on Change Parameters.
  • Under “Additional options”, put a check mark in the box next to “Detect TDLFS File System”.
  • Click OK.
  • Press Start Scan.
  • If malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip".
  • Then click Continue > Reboot now.
  • Once complete, a log will be produced in c:\. It will be named, for example, TDSSKiller.2.7.1.0_19.01.2012_17.24.26_log.txt
  • Post that log, please.
Download ComboFix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run ComboFix!
  • When finished, it will produce a report for you.

Note: If after running ComboFix you receive a message stating, "Illegal Operation Attempted on a registry key that has been marked for deletion", rebooting your computer will resolve the problem.

Please include the following in your next post:
  • TDSSKiller log
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 kowalos123

kowalos123
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:52 PM

Posted 30 March 2012 - 12:10 PM

Hello
I did the scans; these are the logs. After the ComboFix scan my WiFi card was unable to connect to the internet: it connects to the router but hasn't got internet access.

ComboFix 12-03-30.06 - Piotrek 2012-03-30 17:36:49.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1250.48.1033.18.2047.1465 [GMT 2:00]
Uruchomiony z: d:\moje dokumenty\Pobrane\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Utworzono nowy punkt przywracania
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\data
c:\users\Piotrek\AppData\Local\unins000.exe
c:\users\Piotrek\AppData\Roaming\chrtmp
c:\windows\$NtUninstallKB26722$\1755775173\@
c:\windows\$NtUninstallKB26722$\1755775173\cfg.ini
c:\windows\$NtUninstallKB26722$\1755775173\Desktop.ini
c:\windows\$NtUninstallKB26722$\1755775173\L\xadqgnnk
c:\windows\$NtUninstallKB26722$\1755775173\twl.dll
c:\windows\$NtUninstallKB26722$\1755775173\U\00000001.@
c:\windows\$NtUninstallKB26722$\1755775173\U\00000002.@
c:\windows\$NtUninstallKB26722$\1755775173\U\00000004.@
c:\windows\$NtUninstallKB26722$\1755775173\U\80000000.@
c:\windows\$NtUninstallKB26722$\1755775173\U\80000004.@
c:\windows\$NtUninstallKB26722$\1755775173\U\80000032.@
c:\windows\$NtUninstallKB26722$\1755775173\version
c:\windows\$NtUninstallKB26722$\3504414155
c:\windows\system32\dds_trash_log.cmd
.
Zainfekowana kopia c:\windows\system32\drivers\dtsoftbus01.sys została znaleziona. Problem naprawiono
Plik odzyskano z - The cat found it :)
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_SPService
.
.
((((((((((((((((((((((((( Pliki utworzone od 2012-02-28 do 2012-03-30 )))))))))))))))))))))))))))))))
.
.
2012-03-30 15:43 . 2012-03-30 15:57 -------- d-----w- c:\users\Piotrek\AppData\Local\temp
2012-03-30 15:43 . 2012-03-30 15:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-30 15:34 . 2012-03-30 15:34 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{07D59B9F-E9D7-4789-8B5C-323015FEEA43}\offreg.dll
2012-03-30 15:22 . 2012-03-30 14:36 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-03-30 14:36 . 2012-03-30 14:36 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-27 19:31 . 2012-03-27 19:31 -------- d-----w- c:\program files\Enigma Software Group
2012-03-27 19:31 . 2012-03-27 19:49 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-03-27 19:31 . 2012-03-27 19:31 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-03-26 19:33 . 2012-03-26 19:33 -------- d-----w- c:\users\Piotrek\AppData\Roaming\Avira
2012-03-26 19:29 . 2012-01-31 06:57 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-03-26 19:29 . 2012-01-31 06:57 137416 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-03-26 19:29 . 2011-09-16 14:09 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-03-26 19:29 . 2012-03-26 19:29 -------- d-----w- c:\programdata\Avira
2012-03-26 16:31 . 2012-03-26 16:31 -------- d-----w- c:\users\Piotrek\AppData\Local\Mozilla
2012-03-24 15:35 . 2012-03-24 15:35 -------- d-----w- c:\program files\Wolfram Research
2012-03-24 15:34 . 2012-03-24 15:34 -------- d-----w- c:\windows\Downloaded Installations
2012-03-24 15:14 . 2012-03-26 07:41 -------- d--h--w- c:\users\Piotrek\AppData\Local\MicrosoftNT
2012-03-24 15:06 . 2012-03-24 15:37 -------- d-----w- c:\users\Piotrek\AppData\Roaming\Mathematica
2012-03-24 15:06 . 2012-03-24 15:20 -------- d-----w- c:\users\Piotrek\AppData\Local\Mathematica
2012-03-24 15:06 . 2012-03-24 15:37 -------- d-----w- c:\programdata\Mathematica
2012-03-24 15:06 . 2012-03-24 15:06 -------- d-----w- c:\program files\Common Files\Wolfram Research
2012-03-24 15:06 . 2012-03-24 15:06 -------- d-----w- c:\program files\Common Files\ResearchSoft
2012-03-24 15:01 . 2010-11-07 19:17 333840 ----a-w- c:\windows\system32\mltcpip32.mlp
2012-03-24 15:01 . 2010-11-07 19:17 93712 ----a-w- c:\windows\system32\mltcp32.mlp
2012-03-24 15:01 . 2010-11-07 19:17 88080 ----a-w- c:\windows\system32\mlshm32.mlp
2012-03-24 15:01 . 2010-11-07 19:17 167952 ----a-w- c:\windows\system32\mlmodule32.dll
2012-03-24 15:01 . 2010-11-07 19:17 79376 ----a-w- c:\windows\system32\mlmap32.mlp
2012-03-24 15:01 . 2010-11-07 19:16 369680 ----a-w- c:\windows\system32\ml32i3.dll
2012-03-24 15:01 . 2010-11-07 19:16 260112 ----a-w- c:\windows\system32\ml32i2.dll
2012-03-24 15:01 . 2010-11-07 19:16 253968 ----a-w- c:\windows\system32\ml32i1.dll
2012-03-22 02:42 . 2012-02-08 06:03 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{07D59B9F-E9D7-4789-8B5C-323015FEEA43}\mpengine.dll
2012-03-08 20:54 . 2012-03-08 20:54 -------- d-----w- c:\program files\Haali
2012-03-08 20:54 . 2012-03-08 20:54 -------- d-----w- c:\program files\CoreCodec
2012-03-03 13:55 . 2012-03-03 13:55 -------- d-----w- c:\users\Piotrek\AppData\Roaming\Macrovision
2012-03-03 11:36 . 2012-03-03 11:36 -------- d-----w- c:\program files\Common Files\Java
2012-03-03 11:34 . 2012-03-03 11:34 -------- d-----w- c:\program files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-26 16:27 . 2012-01-30 09:53 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-03 11:34 . 2012-01-16 17:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-23 08:18 . 2012-01-15 00:10 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-15 16:00 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2010-11-20 08:39 . !HASH: COULD NOT OPEN FILE !!!!! . 74752 . . [------] . . c:\windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2\tdx.sys
[7] 2009-07-13 . CB39E896A2A83702D1737BFD402B3542 . 74240 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys
.
[7] 2011-07-16 . 921F8B3FF01501C9934CCB3C270833D7 . 868352 . . [6.1.7601.21772] . . c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.21772_none_960c0dc1cdddb3a2\kernel32.dll
[7] 2011-07-16 . 7E99A20C758ABB5AE89C7AEEA3A9AEB2 . 868352 . . [6.1.7600.16850] . . c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.16850_none_93afb334b78b3d5c\kernel32.dll
[7] 2011-07-16 . E570CBD732848438EAC574EB3442A2A8 . 868352 . . [6.1.7601.17651] . . c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.17651_none_95971084b4b0c29f\kernel32.dll
[7] 2011-07-16 . 12DD18C6ECADEDB922E40B494D315206 . 868352 . . [6.1.7600.21010] . . c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.21010_none_946467d1d088a0a4\kernel32.dll
[-] 2010-11-20 . 3C9AB2C90201380E1034D71AD5670E01 . 868352 . . [6.1.7600.16385] . . c:\windows\System32\kernel32.dll
[7] 2010-11-20 . 5553784D774CA845380650E010BBDA2C . 857600 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.17514_none_95c54f2cb48da1b9\kernel32.dll
[7] 2009-12-08 . EB7B2309A2B16EEB73C2C13477FEF8FB . 857088 . . [6.1.7600.20591] . . c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.20591_none_940f0901d0c871a5\kernel32.dll
[7] 2009-12-08 . 0369BA73CE6D918745579B24339765E8 . 857088 . . [6.1.7600.16481] . . c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.16481_none_93903c22b7a2b5ea\kernel32.dll
[7] 2009-07-14 . 4605F7EE9805F7E1C98D6C959DD2949C . 857088 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.16385_none_93943b64b79f1e1f\kernel32.dll
.
c:\windows\System32\drivers\tdx.sys ... - brak elementu !!
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"31908D594CED5854D19D92F49DDC940669DDCEEB._service_run"="c:\users\Piotrek\AppData\Local\Google\Chrome\Application\chrome.exe" [2012-03-21 1049072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-02 13789728]
"BCSSync"="d:\programy\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"avgnt"="d:\programy\Avira\AntiVir Desktop\avgnt.exe" [2012-01-31 258512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [2011-09-16 36000]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-03-30 239168]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AntiVirSchedulerService;Avira Scheduler;d:\programy\Avira\AntiVir Desktop\sched.exe [2012-01-31 86224]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
.
NETSVCS WYMAGA NAPRAWY - pokazano aktualnie istniejące wpisy
AeLookupSvc
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
IKEEXT
AudioSrv
FastUserSwitchingCompatibility
Ias
Irmon
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
SENS
Sharedaccess
SRService
Tapisrv
Wmi
WmdmPmSp
svcwrsssdk
clisvc
usbser
ELacpi
Intel_MIPMNMP
tosrfec
usbsermpt
hprfdev
DCFS2K
nmsaccess
oracleformsserver-forms60server-oraform
xpagentserver
ADIDTSFiltService
RR2Ctrl
SE2Dmdfl
mctaskmanager
basic2
USBDongle
tapeware
eSettingsService
ptserial
w200mdm
AtlsAud
evteng
sysmonlog
usbvm321
maya70docserver
SE2Cmdm
lexbces
nvcap
olregcap
advservice
caili
AFGMp50
itmrtsvc
pdlndint
RR2Vbi
usbio
DeviceScanner
EMATCORE
rimusb
roammgr
SrvcEPECioctl
lvsrvlauncher
bthidmgr
prodrv06
vulfnths
TPPWRIF
roxmediadb9
mwagent
MREMP50
SE2Eobex
softfax
ProcObsrv
adiloader
mapserver6.3
uleadburninghelper
cbidf2k
DXEC02
upnp
kpf4
backupexecdevicemediaservice
axsaki
TermService
wuauserv
BITS
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr
iphlpsvc
seclogon
AppInfo
msiscsi
MMCSS
wercplsupport
EapHost
ProfSvc
schedule
hkmsvc
SessionEnv
winmgmt
browser
Themes
BDESVC
AppMgmt
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
.
Zawartość folderu 'Zaplanowane zadania'
.
2012-03-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-140570312-3957278227-4139224077-1001Core.job
- c:\users\Piotrek\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-26 17:37]
.
2012-03-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-140570312-3957278227-4139224077-1001UA.job
- c:\users\Piotrek\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-26 17:37]
.
.
------- Skan uzupełniający -------
.
IE: E&ksportuj do programu Microsoft Excel - d:\programy\MICROS~1\Office14\EXCEL.EXE/3000
LSP: mswsock.dll
TCP: DhcpNameServer = 95.160.170.92 88.156.222.92
FF - ProfilePath - c:\users\Piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\3i2tgao4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
------- Skojarzenia plików -------
.
.scr=AutoCADScriptFile
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
SafeBoot-26950431.sys
AddRemove-CCleaner - c:\program files\CCleaner\uninst.exe
AddRemove-{81BF6353-3C5B-4E6E-A566-7E162A00BF72}_is1 - c:\users\Piotrek\AppData\Local\unins000.exe
.
.
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,3e,8f,a6,d8,92,f3,4c,8e,22,ca,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,3e,8f,a6,d8,92,f3,4c,8e,22,ca,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
d:\programy\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\sppsvc.exe
d:\programy\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\conhost.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\AUDIODG.EXE
.
**************************************************************************
.
Czas ukończenia: 2012-03-30 18:00:19 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2012-03-30 16:00
.
Przed: 5 921 714 176 bytes free
Po: 5 816 471 552 bytes free
.
- - End Of File - - 49F26C7E4D49CCE0FAFE5B8FB7C7A346

16:34:36.0661 4068 TDSS rootkit removing tool 2.7.23.0 Mar 26 2012 13:40:18
16:34:36.0893 4068 ============================================================
16:34:36.0893 4068 Current date / time: 2012/03/30 16:34:36.0893
16:34:36.0893 4068 SystemInfo:
16:34:36.0893 4068
16:34:36.0893 4068 OS Version: 6.1.7601 ServicePack: 1.0
16:34:36.0893 4068 Product type: Workstation
16:34:36.0893 4068 ComputerName: PIOTREK-PC
16:34:36.0894 4068 UserName: Piotrek
16:34:36.0894 4068 Windows directory: C:\Windows
16:34:36.0894 4068 System windows directory: C:\Windows
16:34:36.0894 4068 Processor architecture: Intel x86
16:34:36.0894 4068 Number of processors: 2
16:34:36.0894 4068 Page size: 0x1000
16:34:36.0894 4068 Boot type: Normal boot
16:34:36.0894 4068 ============================================================
16:34:39.0222 4068 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x11EE4, SectorsPerTrack: 0x13, TracksPerCylinder: 0xE0, Type 'K0', Flags 0x00000050
16:34:39.0222 4068 \Device\Harddisk0\DR0:
16:34:39.0222 4068 MBR used
16:34:39.0222 4068 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
16:34:39.0222 4068 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x30A2000
16:34:39.0222 4068 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x30D4800, BlocksNum 0x445C000
16:34:39.0222 4068 \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0x7530800, BlocksNum 0xB4E8800
16:34:39.0425 4068 Initialize success
16:34:39.0425 4068 ============================================================
16:34:50.0111 1252 ============================================================
16:34:50.0111 1252 Scan started
16:34:50.0111 1252 Mode: Manual; TDLFS;
16:34:50.0111 1252 ============================================================
16:34:51.0999 1252 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\drivers\1394ohci.sys
16:34:51.0999 1252 1394ohci - ok
16:34:52.0030 1252 ACDaemon (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\aawservice.dll
16:34:52.0030 1252 ACDaemon ( Backdoor.Multi.ZAccess.gen ) - infected
16:34:52.0030 1252 ACDaemon - detected Backdoor.Multi.ZAccess.gen (0)
16:34:52.0092 1252 ACPI (cea80c80bed809aa0da6febc04733349) C:\Windows\system32\drivers\ACPI.sys
16:34:52.0092 1252 ACPI - ok
16:34:52.0139 1252 AcpiPmi (1efbc664abff416d1d07db115dcb264f) C:\Windows\system32\drivers\acpipmi.sys
16:34:52.0139 1252 AcpiPmi - ok
16:34:52.0233 1252 AdobeARMservice (62b7936f9036dd6ed36e6a7efa805dc0) C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
16:34:52.0233 1252 AdobeARMservice - ok
16:34:52.0358 1252 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
16:34:52.0373 1252 adp94xx - ok
16:34:52.0404 1252 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
16:34:52.0404 1252 adpahci - ok
16:34:52.0436 1252 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
16:34:52.0436 1252 adpu320 - ok
16:34:52.0514 1252 advservice (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\mctskshd.exe.dll
16:34:52.0529 1252 advservice ( Backdoor.Multi.ZAccess.gen ) - infected
16:34:52.0529 1252 advservice - detected Backdoor.Multi.ZAccess.gen (0)
16:34:52.0560 1252 AeLookupSvc (8b5eefeec1e6d1a72a06c526628ad161) C:\Windows\System32\aelupsvc.dll
16:34:52.0560 1252 AeLookupSvc - ok
16:34:52.0607 1252 AFD (9ebbba55060f786f0fcaa3893bfa2806) C:\Windows\system32\drivers\afd.sys
16:34:52.0638 1252 AFD - ok
16:34:52.0670 1252 AFGMp50 - ok
16:34:52.0716 1252 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\drivers\agp440.sys
16:34:52.0716 1252 agp440 - ok
16:34:52.0779 1252 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
16:34:52.0794 1252 aic78xx - ok
16:34:52.0841 1252 ALG (18a54e132947cd98fea9accc57f98f13) C:\Windows\System32\alg.exe
16:34:52.0841 1252 ALG - ok
16:34:52.0888 1252 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\drivers\aliide.sys
16:34:52.0888 1252 aliide - ok
16:34:52.0950 1252 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\drivers\amdagp.sys
16:34:52.0950 1252 amdagp - ok
16:34:52.0997 1252 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\drivers\amdide.sys
16:34:53.0013 1252 amdide - ok
16:34:53.0060 1252 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
16:34:53.0075 1252 AmdK8 - ok
16:34:53.0075 1252 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
16:34:53.0091 1252 AmdPPM - ok
16:34:53.0122 1252 amdsata (d320bf87125326f996d4904fe24300fc) C:\Windows\system32\drivers\amdsata.sys
16:34:53.0122 1252 amdsata - ok
16:34:53.0138 1252 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
16:34:53.0153 1252 amdsbs - ok
16:34:53.0184 1252 amdxata (46387fb17b086d16dea267d5be23a2f2) C:\Windows\system32\drivers\amdxata.sys
16:34:53.0184 1252 amdxata - ok
16:34:53.0262 1252 AntiVirSchedulerService (72709089a54bdc1c5b16bc4a4b926567) D:\Programy\Avira\AntiVir Desktop\sched.exe
16:34:53.0262 1252 AntiVirSchedulerService - ok
16:34:53.0325 1252 AntiVirService (42f88bfbb76f7a63e381829479b18518) D:\Programy\Avira\AntiVir Desktop\avguard.exe
16:34:53.0325 1252 AntiVirService - ok
16:34:53.0418 1252 AppID (aea177f783e20150ace5383ee368da19) C:\Windows\system32\drivers\appid.sys
16:34:53.0418 1252 AppID - ok
16:34:53.0512 1252 AppIDSvc (62a9c86cb6085e20db4823e4e97826f5) C:\Windows\System32\appidsvc.dll
16:34:53.0512 1252 AppIDSvc - ok
16:34:53.0590 1252 Appinfo (fb1959012294d6ad43e5304df65e3c26) C:\Windows\System32\appinfo.dll
16:34:53.0590 1252 Appinfo - ok
16:34:53.0637 1252 AppMgmt (a45d184df6a8803da13a0b329517a64a) C:\Windows\System32\appmgmts.dll
16:34:53.0652 1252 AppMgmt - ok
16:34:53.0715 1252 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
16:34:53.0730 1252 arc - ok
16:34:53.0746 1252 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
16:34:53.0746 1252 arcsas - ok
16:34:53.0777 1252 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
16:34:53.0777 1252 AsyncMac - ok
16:34:53.0824 1252 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\drivers\atapi.sys
16:34:53.0824 1252 atapi - ok
16:34:53.0855 1252 AtlsAud - ok
16:34:53.0918 1252 AudioEndpointBuilder (ce3b4e731638d2ef62fcb419be0d39f0) C:\Windows\System32\Audiosrv.dll
16:34:53.0980 1252 AudioEndpointBuilder - ok
16:34:53.0996 1252 Audiosrv (ce3b4e731638d2ef62fcb419be0d39f0) C:\Windows\System32\Audiosrv.dll
16:34:54.0011 1252 Audiosrv - ok
16:34:54.0105 1252 avgntflt (7713e4eb0276702faa08e52a6e23f2a6) C:\Windows\system32\DRIVERS\avgntflt.sys
16:34:54.0107 1252 avgntflt - ok
16:34:54.0152 1252 avipbb (13b02b9b969dde270cd7c351203dad3c) C:\Windows\system32\DRIVERS\avipbb.sys
16:34:54.0154 1252 avipbb - ok
16:34:54.0186 1252 avkmgr (271cfd1a989209b1964e24d969552bf7) C:\Windows\system32\DRIVERS\avkmgr.sys
16:34:54.0187 1252 avkmgr - ok
16:34:54.0236 1252 AxInstSV (6e30d02aac9cac84f421622e3a2f6178) C:\Windows\System32\AxInstSV.dll
16:34:54.0238 1252 AxInstSV - ok
16:34:54.0330 1252 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
16:34:54.0340 1252 b06bdrv - ok
16:34:54.0420 1252 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
16:34:54.0426 1252 b57nd60x - ok
16:34:54.0455 1252 backupexecdevicemediaservice - ok
16:34:54.0521 1252 basic2 - ok
16:34:54.0565 1252 BDESVC (ee1e9c3bb8228ae423dd38db69128e71) C:\Windows\System32\bdesvc.dll
16:34:54.0568 1252 BDESVC - ok
16:34:54.0629 1252 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
16:34:54.0630 1252 Beep - ok
16:34:54.0687 1252 BITS (e585445d5021971fae10393f0f1c3961) C:\Windows\System32\qmgr.dll
16:34:54.0700 1252 BITS - ok
16:34:54.0737 1252 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
16:34:54.0738 1252 blbdrive - ok
16:34:54.0797 1252 bowser (8f2da3028d5fcbd1a060a3de64cd6506) C:\Windows\system32\DRIVERS\bowser.sys
16:34:54.0799 1252 bowser - ok
16:34:54.0830 1252 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
16:34:54.0831 1252 BrFiltLo - ok
16:34:54.0841 1252 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
16:34:54.0842 1252 BrFiltUp - ok
16:34:54.0883 1252 Browser (6e11f33d14d020f58d5e02e4d67dfa19) C:\Windows\System32\browser.dll
16:34:54.0885 1252 Browser - ok
16:34:54.0925 1252 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
16:34:54.0937 1252 Brserid - ok
16:34:54.0972 1252 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
16:34:54.0974 1252 BrSerWdm - ok
16:34:55.0004 1252 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
16:34:55.0006 1252 BrUsbMdm - ok
16:34:55.0017 1252 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
16:34:55.0018 1252 BrUsbSer - ok
16:34:55.0097 1252 BthEnum (2865a5c8e98c70c605f417908cebb3a4) C:\Windows\system32\drivers\BthEnum.sys
16:34:55.0098 1252 BthEnum - ok
16:34:55.0148 1252 bthidmgr - ok
16:34:55.0197 1252 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
16:34:55.0199 1252 BTHMODEM - ok
16:34:55.0249 1252 BthPan (ad1872e5829e8a2c3b5b4b641c3eab0e) C:\Windows\system32\DRIVERS\bthpan.sys
16:34:55.0251 1252 BthPan - ok
16:34:55.0298 1252 BTHPORT (c2fbf6d271d9a94d839c416bf186ead9) C:\Windows\System32\Drivers\BTHport.sys
16:34:55.0313 1252 BTHPORT - ok
16:34:55.0360 1252 bthserv (1df19c96eef6c29d1c3e1a8678e07190) C:\Windows\system32\bthserv.dll
16:34:55.0360 1252 bthserv - ok
16:34:55.0383 1252 BTHUSB (c81e9413a25a439f436b1d4b6a0cf9e9) C:\Windows\System32\Drivers\BTHUSB.sys
16:34:55.0385 1252 BTHUSB - ok
16:34:55.0445 1252 caili (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\nbf.dll
16:34:55.0447 1252 caili ( Backdoor.Multi.ZAccess.gen ) - infected
16:34:55.0447 1252 caili - detected Backdoor.Multi.ZAccess.gen (0)
16:34:55.0536 1252 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
16:34:55.0539 1252 cdfs - ok
16:34:55.0604 1252 cdrom (be167ed0fdb9c1fa1133953c18d5a6c9) C:\Windows\system32\drivers\cdrom.sys
16:34:55.0607 1252 cdrom - ok
16:34:55.0679 1252 CertPropSvc (319c6b309773d063541d01df8ac6f55f) C:\Windows\System32\certprop.dll
16:34:55.0682 1252 CertPropSvc - ok
16:34:55.0725 1252 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
16:34:55.0726 1252 circlass - ok
16:34:55.0790 1252 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
16:34:55.0794 1252 CLFS - ok
16:34:55.0883 1252 clr_optimization_v2.0.50727_32 (d88040f816fda31c3b466f0fa0918f29) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
16:34:55.0888 1252 clr_optimization_v2.0.50727_32 - ok
16:34:55.0955 1252 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
16:34:56.0015 1252 clr_optimization_v4.0.30319_32 - ok
16:34:56.0095 1252 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
16:34:56.0096 1252 CmBatt - ok
16:34:56.0151 1252 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\drivers\cmdide.sys
16:34:56.0153 1252 cmdide - ok
16:34:56.0216 1252 CNG (6427525d76f61d0c519b008d3680e8e7) C:\Windows\system32\Drivers\cng.sys
16:34:56.0223 1252 CNG - ok
16:34:56.0291 1252 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
16:34:56.0292 1252 Compbatt - ok
16:34:56.0356 1252 CompositeBus (cbe8c58a8579cfe5fccf809e6f114e89) C:\Windows\system32\drivers\CompositeBus.sys
16:34:56.0357 1252 CompositeBus - ok
16:34:56.0375 1252 COMSysApp - ok
16:34:56.0412 1252 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
16:34:56.0412 1252 crcdisk - ok
16:34:56.0459 1252 CryptSvc (a585bebf7d054bd9618eda0922d5484a) C:\Windows\system32\cryptsvc.dll
16:34:56.0459 1252 CryptSvc - ok
16:34:56.0506 1252 CSC (3c2177a897b4ca2788c6fb0c3fd81d4b) C:\Windows\system32\drivers\csc.sys
16:34:56.0522 1252 CSC - ok
16:34:56.0553 1252 CscService (15f93b37f6801943360d9eb42485d5d3) C:\Windows\System32\cscsvc.dll
16:34:56.0568 1252 CscService - ok
16:34:56.0600 1252 DCFS2K - ok
16:34:56.0662 1252 DcomLaunch (7660f01d3b38aca1747e397d21d790af) C:\Windows\system32\rpcss.dll
16:34:56.0678 1252 DcomLaunch - ok
16:34:56.0740 1252 defragsvc (8d6e10a2d9a5eed59562d9b82cf804e1) C:\Windows\System32\defragsvc.dll
16:34:56.0740 1252 defragsvc - ok
16:34:56.0896 1252 DeviceScanner (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\messenger.dll
16:34:56.0896 1252 DeviceScanner ( Backdoor.Multi.ZAccess.gen ) - infected
16:34:56.0896 1252 DeviceScanner - detected Backdoor.Multi.ZAccess.gen (0)
16:34:56.0943 1252 DfsC (f024449c97ec1e464aaffda18593db88) C:\Windows\system32\Drivers\dfsc.sys
16:34:56.0974 1252 DfsC - ok
16:34:57.0036 1252 Dhcp (e9e01eb683c132f7fa27cd607b8a2b63) C:\Windows\system32\dhcpcore.dll
16:34:57.0052 1252 Dhcp - ok
16:34:57.0083 1252 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
16:34:57.0083 1252 discache - ok
16:34:57.0130 1252 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
16:34:57.0146 1252 Disk - ok
16:34:57.0177 1252 Dnscache (33ef4861f19a0736b11314aad9ae28d0) C:\Windows\System32\dnsrslvr.dll
16:34:57.0177 1252 Dnscache - ok
16:34:57.0224 1252 dot3svc (366ba8fb4b7bb7435e3b9eacb3843f67) C:\Windows\System32\dot3svc.dll
16:34:57.0224 1252 dot3svc - ok
16:34:57.0270 1252 DPS (8ec04ca86f1d68da9e11952eb85973d6) C:\Windows\system32\dps.dll
16:34:57.0270 1252 DPS - ok
16:34:57.0333 1252 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
16:34:57.0333 1252 drmkaud - ok
16:34:57.0411 1252 dtsoftbus01 (5dcd1b3e76a91dbe480a310138c45663) C:\Windows\system32\DRIVERS\dtsoftbus01.sys
16:34:57.0411 1252 Suspicious file (Forged): C:\Windows\system32\DRIVERS\dtsoftbus01.sys. Real md5: 5dcd1b3e76a91dbe480a310138c45663, Fake md5: fb38473835476a6fb272215a1d972af9
16:34:57.0411 1252 dtsoftbus01 ( Virus.Win32.ZAccess.k ) - infected
16:34:57.0411 1252 dtsoftbus01 - detected Virus.Win32.ZAccess.k (0)
16:34:57.0504 1252 DXGKrnl (23f5d28378a160352ba8f817bd8c71cb) C:\Windows\System32\drivers\dxgkrnl.sys
16:34:57.0520 1252 DXGKrnl - ok
16:34:57.0551 1252 EapHost (8600142fa91c1b96367d3300ad0f3f3a) C:\Windows\System32\eapsvc.dll
16:34:57.0551 1252 EapHost - ok
16:34:57.0692 1252 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
16:34:57.0802 1252 ebdrv - ok
16:34:57.0855 1252 EFS (81951f51e318aecc2d68559e47485cc4) C:\Windows\System32\lsass.exe
16:34:57.0858 1252 EFS - ok
16:34:57.0875 1252 ELacpi - ok
16:34:57.0910 1252 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
16:34:57.0918 1252 elxstor - ok
16:34:57.0986 1252 EMATCORE (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\nvidesm.dll
16:34:57.0989 1252 EMATCORE ( Backdoor.Multi.ZAccess.gen ) - infected
16:34:57.0989 1252 EMATCORE - detected Backdoor.Multi.ZAccess.gen (0)
16:34:58.0036 1252 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\drivers\errdev.sys
16:34:58.0038 1252 ErrDev - ok
16:34:58.0065 1252 eSettingsService - ok
16:34:58.0108 1252 EventSystem (f6916efc29d9953d5d0df06882ae8e16) C:\Windows\system32\es.dll
16:34:58.0114 1252 EventSystem - ok
16:34:58.0245 1252 evteng (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\sfloppy.dll
16:34:58.0254 1252 evteng ( Backdoor.Multi.ZAccess.gen ) - infected
16:34:58.0254 1252 evteng - detected Backdoor.Multi.ZAccess.gen (0)
16:34:58.0468 1252 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
16:34:58.0491 1252 exfat - ok
16:34:58.0731 1252 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
16:34:58.0747 1252 fastfat - ok
16:34:59.0094 1252 Fax (967ea5b213e9984cbe270205df37755b) C:\Windows\system32\fxssvc.exe
16:34:59.0137 1252 Fax - ok
16:34:59.0520 1252 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
16:34:59.0550 1252 fdc - ok
16:34:59.0975 1252 fdPHost (f3222c893bd2f5821a0179e5c71e88fb) C:\Windows\system32\fdPHost.dll
16:34:59.0996 1252 fdPHost - ok
16:35:00.0334 1252 FDResPub (7dbe8cbfe79efbdeb98c9fb08d3a9a5b) C:\Windows\system32\fdrespub.dll
16:35:00.0363 1252 FDResPub - ok
16:35:00.0868 1252 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
16:35:00.0868 1252 FileInfo - ok
16:35:00.0980 1252 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
16:35:00.0982 1252 Filetrace - ok
16:35:01.0144 1252 FLEXnet Licensing Service (d60ef46dc0e757fe5eb579db95b88954) C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
16:35:01.0178 1252 FLEXnet Licensing Service - ok
16:35:01.0289 1252 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
16:35:01.0290 1252 flpydisk - ok
16:35:01.0361 1252 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
16:35:01.0364 1252 FltMgr - ok
16:35:01.0416 1252 FontCache (b3a5ec6b6b6673db7e87c2bcdbddc074) C:\Windows\system32\FntCache.dll
16:35:01.0450 1252 FontCache - ok
16:35:01.0562 1252 FontCache3.0.0.0 (e56f39f6b7fda0ac77a79b0fd3de1a2f) C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
16:35:01.0565 1252 FontCache3.0.0.0 - ok
16:35:01.0641 1252 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
16:35:01.0643 1252 FsDepends - ok
16:35:01.0664 1252 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
16:35:01.0665 1252 Fs_Rec - ok
16:35:01.0738 1252 fvevol (8a73e79089b282100b9393b644cb853b) C:\Windows\system32\DRIVERS\fvevol.sys
16:35:01.0741 1252 fvevol - ok
16:35:01.0804 1252 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
16:35:01.0806 1252 gagp30kx - ok
16:35:01.0875 1252 gpsvc (e897eaf5ed6ba41e081060c9b447a673) C:\Windows\System32\gpsvc.dll
16:35:01.0939 1252 gpsvc - ok
16:35:01.0986 1252 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
16:35:01.0986 1252 hcw85cir - ok
16:35:02.0048 1252 HdAudAddService (a5ef29d5315111c80a5c1abad14c8972) C:\Windows\system32\drivers\HdAudio.sys
16:35:02.0048 1252 HdAudAddService - ok
16:35:02.0095 1252 HDAudBus (9036377b8a6c15dc2eec53e489d159b5) C:\Windows\system32\drivers\HDAudBus.sys
16:35:02.0095 1252 HDAudBus - ok
16:35:02.0189 1252 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
16:35:02.0204 1252 HidBatt - ok
16:35:02.0251 1252 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
16:35:02.0267 1252 HidBth - ok
16:35:02.0314 1252 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
16:35:02.0314 1252 HidIr - ok
16:35:02.0345 1252 hidserv (2bc6f6a1992b3a77f5f41432ca6b3b6b) C:\Windows\system32\hidserv.dll
16:35:02.0360 1252 hidserv - ok
16:35:02.0423 1252 HidUsb (10c19f8290891af023eaec0832e1eb4d) C:\Windows\system32\DRIVERS\hidusb.sys
16:35:02.0423 1252 HidUsb - ok
16:35:02.0454 1252 hkmsvc (196b4e3f4cccc24af836ce58facbb699) C:\Windows\system32\kmsvc.dll
16:35:02.0454 1252 hkmsvc - ok
16:35:02.0501 1252 HomeGroupListener (6658f4404de03d75fe3ba09f7aba6a30) C:\Windows\system32\ListSvc.dll
16:35:02.0501 1252 HomeGroupListener - ok
16:35:02.0548 1252 HomeGroupProvider (dbc02d918fff1cad628acbe0c0eaa8e8) C:\Windows\system32\provsvc.dll
16:35:02.0548 1252 HomeGroupProvider - ok
16:35:02.0626 1252 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\drivers\HpSAMD.sys
16:35:02.0641 1252 HpSAMD - ok
16:35:02.0704 1252 HTTP (871917b07a141bff43d76d8844d48106) C:\Windows\system32\drivers\HTTP.sys
16:35:02.0704 1252 HTTP - ok
16:35:02.0750 1252 hwpolicy (0c4e035c7f105f1299258c90886c64c5) C:\Windows\system32\drivers\hwpolicy.sys
16:35:02.0750 1252 hwpolicy - ok
16:35:02.0828 1252 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\drivers\i8042prt.sys
16:35:02.0844 1252 i8042prt - ok
16:35:02.0891 1252 iaStorV (5cd5f9a5444e6cdcb0ac89bd62d8b76e) C:\Windows\system32\drivers\iaStorV.sys
16:35:02.0891 1252 iaStorV - ok
16:35:03.0031 1252 idsvc (c521d7eb6497bb1af6afa89e322fb43c) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
16:35:03.0094 1252 idsvc - ok
16:35:03.0203 1252 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
16:35:03.0203 1252 iirsp - ok
16:35:03.0265 1252 IKEEXT (f95622f161474511b8d80d6b093aa610) C:\Windows\System32\ikeext.dll
16:35:03.0296 1252 IKEEXT - ok
16:35:03.0343 1252 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\drivers\intelide.sys
16:35:03.0343 1252 intelide - ok
16:35:03.0390 1252 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
16:35:03.0390 1252 intelppm - ok
16:35:03.0421 1252 IPBusEnum (acb364b9075a45c0736e5c47be5cae19) C:\Windows\system32\ipbusenum.dll
16:35:03.0421 1252 IPBusEnum - ok
16:35:03.0452 1252 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
16:35:03.0468 1252 IpFilterDriver - ok
16:35:03.0515 1252 IPMIDRV (4bd7134618c1d2a27466a099062547bf) C:\Windows\system32\drivers\IPMIDrv.sys
16:35:03.0515 1252 IPMIDRV - ok
16:35:03.0546 1252 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
16:35:03.0546 1252 IPNAT - ok
16:35:03.0593 1252 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
16:35:03.0593 1252 IRENUM - ok
16:35:03.0624 1252 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\drivers\isapnp.sys
16:35:03.0640 1252 isapnp - ok
16:35:03.0671 1252 iScsiPrt (cb7a9abb12b8415bce5d74994c7ba3ae) C:\Windows\system32\drivers\msiscsi.sys
16:35:03.0686 1252 iScsiPrt - ok
16:35:03.0733 1252 itmrtsvc - ok
16:35:03.0811 1252 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\drivers\kbdclass.sys
16:35:03.0827 1252 kbdclass - ok
16:35:03.0842 1252 kbdhid (9e3ced91863e6ee98c24794d05e27a71) C:\Windows\system32\drivers\kbdhid.sys
16:35:03.0842 1252 kbdhid - ok
16:35:03.0889 1252 KeyIso (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
16:35:03.0889 1252 KeyIso - ok
16:35:03.0936 1252 Kmm4xNT (db8023811fdecad413cf775eff576357) C:\Windows\system32\drivers\Kmm4xNT.sys
16:35:03.0936 1252 Kmm4xNT - ok
16:35:03.0952 1252 kpf4 - ok
16:35:03.0983 1252 KSecDD (f4647bb23db9038a7536cf6b68f4207f) C:\Windows\system32\Drivers\ksecdd.sys
16:35:03.0983 1252 KSecDD - ok
16:35:04.0014 1252 KSecPkg (e73cae53bbb72ba26918492c6b4c229d) C:\Windows\system32\Drivers\ksecpkg.sys
16:35:04.0014 1252 KSecPkg - ok
16:35:04.0061 1252 KtmRm (89a7b9cc98d0d80c6f31b91c0a310fcd) C:\Windows\system32\msdtckrm.dll
16:35:04.0076 1252 KtmRm - ok
16:35:04.0217 1252 LanmanServer (d64af876d53eca3668bb97b51b4e70ab) C:\Windows\system32\srvsvc.dll
16:35:04.0217 1252 LanmanServer - ok
16:35:04.0264 1252 LanmanWorkstation (58405e4f68ba8e4057c6e914f326aba2) C:\Windows\System32\wkssvc.dll
16:35:04.0264 1252 LanmanWorkstation - ok
16:35:04.0279 1252 lexbces - ok
16:35:04.0357 1252 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
16:35:04.0373 1252 lltdio - ok
16:35:04.0404 1252 lltdsvc (5700673e13a2117fa3b9020c852c01e2) C:\Windows\System32\lltdsvc.dll
16:35:04.0420 1252 lltdsvc - ok
16:35:04.0451 1252 lmhosts (55ca01ba19d0006c8f2639b6c045e08b) C:\Windows\System32\lmhsvc.dll
16:35:04.0451 1252 lmhosts - ok
16:35:04.0513 1252 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
16:35:04.0529 1252 LSI_FC - ok
16:35:04.0560 1252 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
16:35:04.0560 1252 LSI_SAS - ok
16:35:04.0591 1252 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
16:35:04.0591 1252 LSI_SAS2 - ok
16:35:04.0622 1252 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
16:35:04.0638 1252 LSI_SCSI - ok
16:35:04.0685 1252 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
16:35:04.0685 1252 luafv - ok
16:35:04.0732 1252 lvsrvlauncher - ok
16:35:04.0810 1252 maya70docserver - ok
16:35:04.0872 1252 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
16:35:04.0872 1252 megasas - ok
16:35:04.0919 1252 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
16:35:04.0934 1252 MegaSR - ok
16:35:05.0012 1252 Microsoft SharePoint Workspace Audit Service - ok
16:35:05.0090 1252 MMCSS (146b6f43a673379a3c670e86d89be5ea) C:\Windows\system32\mmcss.dll
16:35:05.0090 1252 MMCSS - ok
16:35:05.0137 1252 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
16:35:05.0137 1252 Modem - ok
16:35:05.0200 1252 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
16:35:05.0200 1252 monitor - ok
16:35:05.0262 1252 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
16:35:05.0262 1252 mouclass - ok
16:35:05.0293 1252 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
16:35:05.0293 1252 mouhid - ok
16:35:05.0340 1252 mountmgr (fc8771f45ecccfd89684e38842539b9b) C:\Windows\system32\drivers\mountmgr.sys
16:35:05.0340 1252 mountmgr - ok
16:35:05.0402 1252 mpio (2d699fb6e89ce0d8da14ecc03b3edfe0) C:\Windows\system32\drivers\mpio.sys
16:35:05.0402 1252 mpio - ok
16:35:05.0434 1252 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
16:35:05.0434 1252 mpsdrv - ok
16:35:05.0496 1252 MRxDAV (ceb46ab7c01c9f825f8cc6babc18166a) C:\Windows\system32\drivers\mrxdav.sys
16:35:05.0512 1252 MRxDAV - ok
16:35:05.0574 1252 mrxsmb (5d16c921e3671636c0eba3bbaac5fd25) C:\Windows\system32\DRIVERS\mrxsmb.sys
16:35:05.0590 1252 mrxsmb - ok
16:35:05.0605 1252 mrxsmb10 (6d17a4791aca19328c685d256349fefc) C:\Windows\system32\DRIVERS\mrxsmb10.sys
16:35:05.0605 1252 mrxsmb10 - ok
16:35:05.0652 1252 mrxsmb20 (b81f204d146000be76651a50670a5e9e) C:\Windows\system32\DRIVERS\mrxsmb20.sys
16:35:05.0668 1252 mrxsmb20 - ok
16:35:05.0699 1252 msahci (012c5f4e9349e711e11e0f19a8589f0a) C:\Windows\system32\drivers\msahci.sys
16:35:05.0699 1252 msahci - ok
16:35:05.0746 1252 msdsm (55055f8ad8be27a64c831322a780a228) C:\Windows\system32\drivers\msdsm.sys
16:35:05.0746 1252 msdsm - ok
16:35:05.0792 1252 MSDTC (e1bce74a3bd9902b72599c0192a07e27) C:\Windows\System32\msdtc.exe
16:35:05.0792 1252 MSDTC - ok
16:35:05.0855 1252 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
16:35:05.0855 1252 Msfs - ok
16:35:05.0902 1252 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
16:35:05.0902 1252 mshidkmdf - ok
16:35:05.0964 1252 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\drivers\msisadrv.sys
16:35:05.0964 1252 msisadrv - ok
16:35:06.0011 1252 MSiSCSI (90f7d9e6b6f27e1a707d4a297f077828) C:\Windows\system32\iscsiexe.dll
16:35:06.0026 1252 MSiSCSI - ok
16:35:06.0026 1252 msiserver - ok
16:35:06.0089 1252 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
16:35:06.0089 1252 MSKSSRV - ok
16:35:06.0104 1252 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
16:35:06.0104 1252 MSPCLOCK - ok
16:35:06.0136 1252 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
16:35:06.0136 1252 MSPQM - ok
16:35:06.0182 1252 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
16:35:06.0182 1252 MsRPC - ok
16:35:06.0214 1252 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\drivers\mssmbios.sys
16:35:06.0214 1252 mssmbios - ok
16:35:06.0229 1252 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
16:35:06.0229 1252 MSTEE - ok
16:35:06.0245 1252 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
16:35:06.0260 1252 MTConfig - ok
16:35:06.0307 1252 MTsensor (97affa9d95ffe20eee6229bc6be166cf) C:\Windows\system32\DRIVERS\ATKACPI.sys
16:35:06.0307 1252 MTsensor - ok
16:35:06.0338 1252 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
16:35:06.0338 1252 Mup - ok
16:35:06.0401 1252 napagent (61d57a5d7c6d9afe10e77dae6e1b445e) C:\Windows\system32\qagentRT.dll
16:35:06.0416 1252 napagent - ok
16:35:06.0463 1252 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
16:35:06.0463 1252 NativeWifiP - ok
16:35:06.0557 1252 NDIS (e7c54812a2aaf43316eb6930c1ffa108) C:\Windows\system32\drivers\ndis.sys
16:35:06.0604 1252 NDIS - ok
16:35:06.0650 1252 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
16:35:06.0650 1252 NdisCap - ok
16:35:06.0682 1252 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
16:35:06.0682 1252 NdisTapi - ok
16:35:06.0728 1252 Ndisuio (d8a65dafb3eb41cbb622745676fcd072) C:\Windows\system32\DRIVERS\ndisuio.sys
16:35:06.0728 1252 Ndisuio - ok
16:35:06.0775 1252 NdisWan (38fbe267e7e6983311179230facb1017) C:\Windows\system32\DRIVERS\ndiswan.sys
16:35:06.0775 1252 NdisWan - ok
16:35:06.0822 1252 NDProxy (a4bdc541e69674fbff1a8ff00be913f2) C:\Windows\system32\drivers\NDProxy.sys
16:35:06.0822 1252 NDProxy - ok
16:35:06.0869 1252 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
16:35:06.0869 1252 NetBIOS - ok
16:35:06.0916 1252 NetBT (280122ddcf04b378edd1ad54d71c1e54) C:\Windows\system32\DRIVERS\netbt.sys
16:35:06.0916 1252 NetBT - ok
16:35:06.0947 1252 Netlogon (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
16:35:06.0962 1252 Netlogon - ok
16:35:07.0040 1252 Netman (7cccfca7510684768da22092d1fa4db2) C:\Windows\System32\netman.dll
16:35:07.0040 1252 Netman - ok
16:35:07.0103 1252 netprofm (8c338238c16777a802d6a9211eb2ba50) C:\Windows\System32\netprofm.dll
16:35:07.0103 1252 netprofm - ok
16:35:07.0228 1252 NetTcpPortSharing (f476ec40033cdb91efbe73eb99b8362d) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
16:35:07.0228 1252 NetTcpPortSharing - ok
16:35:07.0446 1252 netw5v32 (58218ec6b61b1169cf54aab0d00f5fe2) C:\Windows\system32\DRIVERS\netw5v32.sys
16:35:07.0571 1252 netw5v32 - ok
16:35:07.0633 1252 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
16:35:07.0649 1252 nfrd960 - ok
16:35:07.0680 1252 NlaSvc (912084381d30d8b89ec4e293053f4710) C:\Windows\System32\nlasvc.dll
16:35:07.0696 1252 NlaSvc - ok
16:35:07.0727 1252 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
16:35:07.0727 1252 Npfs - ok
16:35:07.0789 1252 nsi (ba387e955e890c8a88306d9b8d06bf17) C:\Windows\system32\nsisvc.dll
16:35:07.0789 1252 nsi - ok
16:35:07.0852 1252 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
16:35:07.0852 1252 nsiproxy - ok
16:35:07.0930 1252 Ntfs (81189c3d7763838e55c397759d49007a) C:\Windows\system32\drivers\Ntfs.sys
16:35:07.0976 1252 Ntfs - ok
16:35:07.0992 1252 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
16:35:07.0992 1252 Null - ok
16:35:08.0023 1252 nvcap - ok
16:35:08.0366 1252 nvlddmkm (5ce5b23855262acabaecce156f48dd88) C:\Windows\system32\DRIVERS\nvlddmkm.sys
16:35:08.0710 1252 nvlddmkm - ok
16:35:08.0834 1252 nvraid (b3e25ee28883877076e0e1ff877d02e0) C:\Windows\system32\drivers\nvraid.sys
16:35:08.0834 1252 nvraid - ok
16:35:08.0866 1252 nvstor (4380e59a170d88c4f1022eff6719a8a4) C:\Windows\system32\drivers\nvstor.sys
16:35:08.0866 1252 nvstor - ok
16:35:08.0912 1252 nvsvc (6df4cc671cd9704840c5522627f3ed43) C:\Windows\system32\nvvsvc.exe
16:35:08.0928 1252 nvsvc - ok
16:35:08.0944 1252 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\drivers\nv_agp.sys
16:35:08.0944 1252 nv_agp - ok
16:35:09.0006 1252 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\drivers\ohci1394.sys
16:35:09.0006 1252 ohci1394 - ok
16:35:09.0068 1252 olregcap (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\wg5n.dll
16:35:09.0068 1252 olregcap ( Backdoor.Multi.ZAccess.gen ) - infected
16:35:09.0068 1252 olregcap - detected Backdoor.Multi.ZAccess.gen (0)
16:35:09.0146 1252 ose (9d10f99a6712e28f8acd5641e3a7ea6b) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
16:35:09.0146 1252 ose - ok
16:35:09.0334 1252 osppsvc (358a9cca612c68eb2f07ddad4ce1d8d7) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
16:35:09.0490 1252 osppsvc - ok
16:35:09.0583 1252 p2pimsvc (82a8521ddc60710c3d3d3e7325209bec) C:\Windows\system32\pnrpsvc.dll
16:35:09.0599 1252 p2pimsvc - ok
16:35:09.0724 1252 p2psvc (59c3ddd501e39e006dac31bf55150d91) C:\Windows\system32\p2psvc.dll
16:35:09.0739 1252 p2psvc - ok
16:35:09.0833 1252 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
16:35:09.0833 1252 Parport - ok
16:35:09.0880 1252 partmgr (bf8f6af06da75b336f07e23aef97d93b) C:\Windows\system32\drivers\partmgr.sys
16:35:09.0880 1252 partmgr - ok
16:35:09.0895 1252 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
16:35:09.0895 1252 Parvdm - ok
16:35:09.0958 1252 PcaSvc (358ab7956d3160000726574083dfc8a6) C:\Windows\System32\pcasvc.dll
16:35:09.0958 1252 PcaSvc - ok
16:35:10.0004 1252 pci (673e55c3498eb970088e812ea820aa8f) C:\Windows\system32\drivers\pci.sys
16:35:10.0004 1252 pci - ok
16:35:10.0036 1252 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\drivers\pciide.sys
16:35:10.0036 1252 pciide - ok
16:35:10.0067 1252 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
16:35:10.0082 1252 pcmcia - ok
16:35:10.0098 1252 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
16:35:10.0098 1252 pcw - ok
16:35:10.0316 1252 pdlndint (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\dsncservice.dll
16:35:10.0348 1252 pdlndint ( Backdoor.Multi.ZAccess.gen ) - infected
16:35:10.0348 1252 pdlndint - detected Backdoor.Multi.ZAccess.gen (0)
16:35:10.0987 1252 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
16:35:11.0034 1252 PEAUTH - ok
16:35:11.0284 1252 PeerDistSvc (af4d64d2a57b9772cf3801950b8058a6) C:\Windows\system32\peerdistsvc.dll
16:35:11.0315 1252 PeerDistSvc - ok
16:35:11.0424 1252 pla (414bba67a3ded1d28437eb66aeb8a720) C:\Windows\system32\pla.dll
16:35:11.0502 1252 pla - ok
16:35:11.0549 1252 PlugPlay (ec7bc28d207da09e79b3e9faf8b232ca) C:\Windows\system32\umpnpmgr.dll
16:35:11.0565 1252 PlugPlay - ok
16:35:11.0611 1252 PNRPAutoReg (63ff8572611249931eb16bb8eed6afc8) C:\Windows\system32\pnrpauto.dll
16:35:11.0611 1252 PNRPAutoReg - ok
16:35:11.0643 1252 PNRPsvc (82a8521ddc60710c3d3d3e7325209bec) C:\Windows\system32\pnrpsvc.dll
16:35:11.0658 1252 PNRPsvc - ok
16:35:11.0689 1252 PolicyAgent (53946b69ba0836bd95b03759530c81ec) C:\Windows\System32\ipsecsvc.dll
16:35:11.0705 1252 PolicyAgent - ok
16:35:11.0752 1252 Power (f87d30e72e03d579a5199ccb3831d6ea) C:\Windows\system32\umpo.dll
16:35:11.0752 1252 Power - ok
16:35:11.0799 1252 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
16:35:11.0799 1252 PptpMiniport - ok
16:35:11.0830 1252 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
16:35:11.0830 1252 Processor - ok
16:35:11.0861 1252 prodrv06 - ok
16:35:11.0986 1252 ProfSvc (43ca4ccc22d52fb58e8988f0198851d0) C:\Windows\system32\profsvc.dll
16:35:12.0001 1252 ProfSvc - ok
16:35:12.0033 1252 ProtectedStorage (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
16:35:12.0033 1252 ProtectedStorage - ok
16:35:12.0095 1252 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
16:35:12.0095 1252 Psched - ok
16:35:12.0111 1252 ptserial - ok
16:35:12.0220 1252 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
16:35:12.0313 1252 ql2300 - ok
16:35:12.0345 1252 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
16:35:12.0345 1252 ql40xx - ok
16:35:12.0391 1252 QWAVE (31ac809e7707eb580b2bdb760390765a) C:\Windows\system32\qwave.dll
16:35:12.0407 1252 QWAVE - ok
16:35:12.0438 1252 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
16:35:12.0454 1252 QWAVEdrv - ok
16:35:12.0469 1252 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
16:35:12.0469 1252 RasAcd - ok
16:35:12.0532 1252 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
16:35:12.0532 1252 RasAgileVpn - ok
16:35:12.0594 1252 RasAuto (a60f1839849c0c00739787fd5ec03f13) C:\Windows\System32\rasauto.dll
16:35:12.0594 1252 RasAuto - ok
16:35:12.0610 1252 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
16:35:12.0625 1252 Rasl2tp - ok
16:35:12.0672 1252 RasMan (cb9e04dc05eacf5b9a36ca276d475006) C:\Windows\System32\rasmans.dll
16:35:12.0688 1252 RasMan - ok
16:35:12.0750 1252 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
16:35:12.0750 1252 RasPppoe - ok
16:35:12.0781 1252 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
16:35:12.0781 1252 RasSstp - ok
16:35:12.0844 1252 rdbss (d528bc58a489409ba40334ebf96a311b) C:\Windows\system32\DRIVERS\rdbss.sys
16:35:12.0844 1252 rdbss - ok
16:35:12.0859 1252 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
16:35:12.0875 1252 rdpbus - ok
16:35:12.0906 1252 RDPCDD (23dae03f29d253ae74c44f99e515f9a1) C:\Windows\system32\DRIVERS\RDPCDD.sys
16:35:12.0906 1252 RDPCDD - ok
16:35:12.0953 1252 RDPDR (b973fcfc50dc1434e1970a146f7e3885) C:\Windows\system32\drivers\rdpdr.sys
16:35:12.0953 1252 RDPDR - ok
16:35:13.0015 1252 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
16:35:13.0015 1252 RDPENCDD - ok
16:35:13.0047 1252 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
16:35:13.0047 1252 RDPREFMP - ok
16:35:13.0125 1252 RdpVideoMiniport (68a0387f58e226deee23d9715955572a) C:\Windows\system32\drivers\rdpvideominiport.sys
16:35:13.0125 1252 RdpVideoMiniport - ok
16:35:13.0281 1252 RDPWD (288b06960d78428ff89e811632684e20) C:\Windows\system32\drivers\RDPWD.sys
16:35:13.0281 1252 RDPWD - ok
16:35:13.0359 1252 rdyboost (518395321dc96fe2c9f0e96ac743b656) C:\Windows\system32\drivers\rdyboost.sys
16:35:13.0359 1252 rdyboost - ok
16:35:13.0405 1252 RemoteAccess (7b5e1419717fac363a31cc302895217a) C:\Windows\System32\mprdim.dll
16:35:13.0405 1252 RemoteAccess - ok
16:35:13.0468 1252 RemoteRegistry (cb9a8683f4ef2bf99e123d79950d7935) C:\Windows\system32\regsvc.dll
16:35:13.0483 1252 RemoteRegistry - ok
16:35:13.0530 1252 RFCOMM (cb928d9e6daf51879dd6ba8d02f01321) C:\Windows\system32\DRIVERS\rfcomm.sys
16:35:13.0530 1252 RFCOMM - ok
16:35:13.0561 1252 rimusb (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\ASInsHelp.dll
16:35:13.0561 1252 rimusb ( Backdoor.Multi.ZAccess.gen ) - infected
16:35:13.0561 1252 rimusb - detected Backdoor.Multi.ZAccess.gen (0)
16:35:13.0624 1252 rismxdp (6c1f93c0760c9f79a1869d07233df39d) C:\Windows\system32\DRIVERS\rixdptsk.sys
16:35:13.0639 1252 rismxdp - ok
16:35:13.0671 1252 roammgr - ok
16:35:13.0749 1252 RpcEptMapper (78d072f35bc45d9e4e1b61895c152234) C:\Windows\System32\RpcEpMap.dll
16:35:13.0764 1252 RpcEptMapper - ok
16:35:13.0811 1252 RpcLocator (94d36c0e44677dd26981d2bfeef2a29d) C:\Windows\system32\locator.exe
16:35:13.0811 1252 RpcLocator - ok
16:35:13.0873 1252 RpcSs (7660f01d3b38aca1747e397d21d790af) C:\Windows\system32\rpcss.dll
16:35:13.0889 1252 RpcSs - ok
16:35:13.0983 1252 RR2Vbi (11028c6a84a967070cb1286550f2058f) C:\Windows\system32\se58nd5.dll
16:35:13.0983 1252 RR2Vbi ( Backdoor.Multi.ZAccess.gen ) - infected
16:35:13.0983 1252 RR2Vbi - detected Backdoor.Multi.ZAccess.gen (0)
16:35:14.0045 1252 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
16:35:14.0045 1252 rspndr - ok
16:35:14.0107 1252 RTL8167 (5283b9a27ff230f2ff70d92451ff409a) C:\Windows\system32\DRIVERS\Rt86win7.sys
16:35:14.0107 1252 RTL8167 - ok
16:35:14.0154 1252 s3cap (7fa7f2e249a5dcbb7970630e15e1f482) C:\Windows\system32\drivers\vms3cap.sys
16:35:14.0154 1252 s3cap - ok
16:35:14.0185 1252 SamSs (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
16:35:14.0185 1252 SamSs - ok
16:35:14.0232 1252 sbp2port (05d860da1040f111503ac416ccef2bca) C:\Windows\system32\drivers\sbp2port.sys
16:35:14.0232 1252 sbp2port - ok
16:35:14.0310 1252 SCardSvr (8fc518ffe9519c2631d37515a68009c4) C:\Windows\System32\SCardSvr.dll
16:35:14.0310 1252 SCardSvr - ok
16:35:14.0373 1252 scfilter (0693b5ec673e34dc147e195779a4dcf6) C:\Windows\system32\DRIVERS\scfilter.sys
16:35:14.0373 1252 scfilter - ok
16:35:14.0419 1252 Schedule (a04bb13f8a72f8b6e8b4071723e4e336) C:\Windows\system32\schedsvc.dll
16:35:14.0435 1252 Schedule - ok
16:35:14.0482 1252 SCPolicySvc (319c6b309773d063541d01df8ac6f55f) C:\Windows\System32\certprop.dll
16:35:14.0482 1252 SCPolicySvc - ok
16:35:14.0544 1252 sdbus (0328be1c7f1cba23848179f8762e391c) C:\Windows\system32\drivers\sdbus.sys
16:35:14.0544 1252 sdbus - ok
16:35:14.0575 1252 SDRSVC (08236c4bce5edd0a0318a438af28e0f7) C:\Windows\System32\SDRSVC.dll
16:35:14.0575 1252 SDRSVC - ok
16:35:14.0607 1252 SE2Cmdm - ok
16:35:14.0731 1252 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
16:35:14.0731 1252 secdrv - ok
16:35:14.0763 1252 seclogon (a59b3a4442c52060cc7a85293aa3546f) C:\Windows\system32\seclogon.dll
16:35:14.0778 1252 seclogon - ok
16:35:14.0809 1252 SENS (dcb7fcdcc97f87360f75d77425b81737) C:\Windows\System32\sens.dll
16:35:14.0809 1252 SENS - ok
16:35:14.0841 1252 SensrSvc (50087fe1ee447009c9cc2997b90de53f) C:\Windows\system32\sensrsvc.dll
16:35:14.0856 1252 SensrSvc - ok
16:35:14.0887 1252 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
16:35:14.0887 1252 Serenum - ok
16:35:14.0934 1252 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys
16:35:14.0934 1252 Serial - ok
16:35:14.0981 1252 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
16:35:14.0981 1252 sermouse - ok
16:35:15.0090 1252 SessionEnv (4ae380f39a0032eab7dd953030b26d28) C:\Windows\system32\sessenv.dll
16:35:15.0106 1252 SessionEnv - ok
16:35:15.0121 1252 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\DRIVERS\sffdisk.sys
16:35:15.0121 1252 sffdisk - ok
16:35:15.0153 1252 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\drivers\sffp_mmc.sys
16:35:15.0153 1252 sffp_mmc - ok
16:35:15.0199 1252 sffp_sd (6d4ccaedc018f1cf52866bbbaa235982) C:\Windows\system32\DRIVERS\sffp_sd.sys
16:35:15.0199 1252 sffp_sd - ok
16:35:15.0246 1252 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
16:35:15.0262 1252 sfloppy - ok
16:35:15.0309 1252 SharedAccess (d1a079a0de2ea524513b6930c24527a2) C:\Windows\System32\ipnathlp.dll
16:35:15.0340 1252 SharedAccess - ok
16:35:15.0371 1252 ShellHWDetection (414da952a35bf5d50192e28263b40577) C:\Windows\System32\shsvcs.dll
16:35:15.0387 1252 ShellHWDetection - ok
16:35:15.0433 1252 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\drivers\sisagp.sys
16:35:15.0449 1252 sisagp - ok
16:35:15.0511 1252 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys
16:35:15.0511 1252 SiSRaid2 - ok
16:35:15.0558 1252 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys
16:35:15.0558 1252 SiSRaid4 - ok
16:35:15.0589 1252 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
16:35:15.0605 1252 Smb - ok
16:35:15.0683 1252 smserial (19301c27f3425dc39f6c599f527e507d) C:\Windows\system32\DRIVERS\smserial.sys
16:35:15.0730 1252 smserial - ok
16:35:15.0823 1252 SNMPTRAP (6a984831644eca1a33ffeae4126f4f37) C:\Windows\System32\snmptrap.exe
16:35:15.0823 1252 SNMPTRAP - ok
16:35:15.0870 1252 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
16:35:15.0886 1252 spldr - ok
16:35:15.0933 1252 Spooler (866a43013535dc8587c258e43579c764) C:\Windows\System32\spoolsv.exe
16:35:15.0948 1252 Spooler - ok
16:35:16.0104 1252 sppsvc (cf87a1de791347e75b98885214ced2b8) C:\Windows\system32\sppsvc.exe
16:35:16.0182 1252 sppsvc - ok
16:35:16.0260 1252 sppuinotify (b0180b20b065d89232a78a40fe56eaa6) C:\Windows\system32\sppuinotify.dll
16:35:16.0260 1252 sppuinotify - ok
16:35:16.0323 1252 srv (e4c2764065d66ea1d2d3ebc28fe99c46) C:\Windows\system32\DRIVERS\srv.sys
16:35:16.0323 1252 srv - ok
16:35:16.0369 1252 srv2 (03f0545bd8d4c77fa0ae1ceedfcc71ab) C:\Windows\system32\DRIVERS\srv2.sys
16:35:16.0369 1252 srv2 - ok
16:35:16.0401 1252 SrvcEPECioctl - ok
16:35:16.0432 1252 srvnet (be6bd660caa6f291ae06a718a4fa8abc) C:\Windows\system32\DRIVERS\srvnet.sys
16:35:16.0432 1252 srvnet - ok
16:35:16.0479 1252 SSDPSRV (d887c9fd02ac9fa880f6e5027a43e118) C:\Windows\System32\ssdpsrv.dll
16:35:16.0479 1252 SSDPSRV - ok
16:35:16.0525 1252 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\Windows\system32\DRIVERS\ssmdrv.sys
16:35:16.0525 1252 ssmdrv - ok
16:35:16.0557 1252 SstpSvc (d318f23be45d5e3a107469eb64815b50) C:\Windows\system32\sstpsvc.dll
16:35:16.0572 1252 SstpSvc - ok
16:35:16.0603 1252 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys
16:35:16.0603 1252 stexstor - ok
16:35:16.0650 1252 StiSvc (e1fb3706030fb4578a0d72c2fc3689e4) C:\Windows\System32\wiaservc.dll
16:35:16.0681 1252 StiSvc - ok
16:35:16.0744 1252 storflt (472af0311073dceceaa8fa18ba2bdf89) C:\Windows\system32\drivers\vmstorfl.sys
16:35:16.0744 1252 storflt - ok
16:35:16.0759 1252 storvsc (dcaffd62259e0bdb433dd67b5bb37619) C:\Windows\system32\drivers\storvsc.sys
16:35:16.0759 1252 storvsc - ok
16:35:16.0791 1252 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\drivers\swenum.sys
16:35:16.0791 1252 swenum - ok
16:35:16.0837 1252 swprv (a28bd92df340e57b024ba433165d34d7) C:\Windows\System32\swprv.dll
16:35:16.0837 1252 swprv - ok
16:35:16.0900 1252 Synth3dVsc - ok
16:35:16.0962 1252 SysMain (36650d618ca34c9d357dfd3d89b2c56f) C:\Windows\system32\sysmain.dll
16:35:17.0009 1252 SysMain - ok
16:35:17.0025 1252 sysmonlog - ok
16:35:17.0056 1252 TabletInputService (763fecdc3d30c815fe72dd57936c6cd1) C:\Windows\System32\TabSvc.dll
16:35:17.0071 1252 TabletInputService - ok
16:35:17.0071 1252 tapeware - ok
16:35:17.0149 1252 TapiSrv (613bf4820361543956909043a265c6ac) C:\Windows\System32\tapisrv.dll
16:35:17.0149 1252 TapiSrv - ok
16:35:17.0181 1252 TBS (b799d9fdb26111737f58288d8dc172d9) C:\Windows\System32\tbssvc.dll
16:35:17.0181 1252 TBS - ok
16:35:17.0274 1252 Tcpip (65d10b191c59c5501a1263fc33f6894b) C:\Windows\system32\drivers\tcpip.sys
16:35:17.0321 1252 Tcpip - ok
16:35:17.0415 1252 TCPIP6 (65d10b191c59c5501a1263fc33f6894b) C:\Windows\system32\DRIVERS\tcpip.sys
16:35:17.0430 1252 TCPIP6 - ok
16:35:17.0461 1252 tcpipreg (cca24162e055c3714ce5a88b100c64ed) C:\Windows\system32\drivers\tcpipreg.sys
16:35:17.0461 1252 tcpipreg - ok
16:35:17.0493 1252 TDPIPE (1cb91b2bd8f6dd367dfc2ef26fd751b2) C:\Windows\system32\drivers\tdpipe.sys
16:35:17.0493 1252 TDPIPE - ok
16:35:17.0508 1252 TDTCP (2c10395baa4847f83042813c515cc289) C:\Windows\system32\drivers\tdtcp.sys
16:35:17.0508 1252 TDTCP - ok
16:35:17.0571 1252 tdx (b459575348c20e8121d6039da063c704) C:\Windows\system32\DRIVERS\tdx.sys
16:35:17.0571 1252 tdx - ok
16:35:17.0617 1252 TermDD (04dbf4b01ea4bf25a9a3e84affac9b20) C:\Windows\system32\drivers\termdd.sys
16:35:17.0617 1252 TermDD - ok
16:35:17.0680 1252 TermService (382c804c92811be57829d8e550a900e2) C:\Windows\System32\termsrv.dll
16:35:17.0680 1252 TermService - ok
16:35:17.0742 1252 Themes (42fb6afd6b79d9fe07381609172e7ca4) C:\Windows\system32\themeservice.dll
16:35:17.0742 1252 Themes - ok
16:35:17.0773 1252 THREADORDER (146b6f43a673379a3c670e86d89be5ea) C:\Windows\system32\mmcss.dll
16:35:17.0773 1252 THREADORDER - ok
16:35:17.0820 1252 tosrfec - ok
16:35:17.0867 1252 TPM (5ad05191dc8b444a7ba4d79b76c42a30) C:\Windows\system32\drivers\tpm.sys
16:35:17.0867 1252 TPM - ok
16:35:17.0945 1252 TrkWks (4792c0378db99a9bc2ae2de6cfff0c3a) C:\Windows\System32\trkwks.dll
16:35:17.0945 1252 TrkWks - ok
16:35:17.0992 1252 TrustedInstaller (2c49b175aee1d4364b91b531417fe583) C:\Windows\servicing\TrustedInstaller.exe
16:35:17.0992 1252 TrustedInstaller - ok
16:35:18.0039 1252 tssecsrv (254bb140eee3c59d6114c1a86b636877) C:\Windows\system32\DRIVERS\tssecsrv.sys
16:35:18.0054 1252 tssecsrv - ok
16:35:18.0101 1252 TsUsbFlt (fd1d6c73e6333be727cbcc6054247654) C:\Windows\system32\drivers\tsusbflt.sys
16:35:18.0101 1252 TsUsbFlt - ok
16:35:18.0132 1252 tsusbhub - ok
16:35:18.0226 1252 tunnel (b2fa25d9b17a68bb93d58b0556e8c90d) C:\Windows\system32\DRIVERS\tunnel.sys
16:35:18.0226 1252 tunnel - ok
16:35:18.0273 1252 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
16:35:18.0273 1252 uagp35 - ok
16:35:18.0319 1252 udfs (ee43346c7e4b5e63e54f927babbb32ff) C:\Windows\system32\DRIVERS\udfs.sys
16:35:18.0335 1252 udfs - ok
16:35:18.0397 1252 UI0Detect (8344fd4fce927880aa1aa7681d4927e5) C:\Windows\system32\UI0Detect.exe
16:35:18.0397 1252 UI0Detect - ok
16:35:18.0444 1252 uleadburninghelper - ok
16:35:18.0507 1252 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\drivers\uliagpkx.sys
16:35:18.0507 1252 uliagpkx - ok
16:35:18.0569 1252 umbus (d295bed4b898f0fd999fcfa9b32b071b) C:\Windows\system32\drivers\umbus.sys
16:35:18.0569 1252 umbus - ok
16:35:18.0616 1252 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
16:35:18.0616 1252 UmPass - ok
16:35:18.0694 1252 UmRdpService (409994a8eaceee4e328749c0353527a0) C:\Windows\System32\umrdp.dll
16:35:18.0709 1252 UmRdpService - ok
16:35:18.0756 1252 upnp - ok
16:35:18.0803 1252 upnphost (833fbb672460efce8011d262175fad33) C:\Windows\System32\upnphost.dll
16:35:18.0803 1252 upnphost - ok
16:35:18.0881 1252 usbccgp (bd9c55d7023c5de374507acc7a14e2ac) C:\Windows\system32\DRIVERS\usbccgp.sys
16:35:18.0881 1252 usbccgp - ok
16:35:18.0959 1252 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\drivers\usbcir.sys
16:35:18.0959 1252 usbcir - ok
16:35:18.0990 1252 USBDongle - ok
16:35:19.0021 1252 usbehci (f92de757e4b7ce9c07c5e65423f3ae3b) C:\Windows\system32\DRIVERS\usbehci.sys
16:35:19.0021 1252 usbehci - ok
16:35:19.0084 1252 usbhub (8dc94aec6a7e644a06135ae7506dc2e9) C:\Windows\system32\DRIVERS\usbhub.sys
16:35:19.0099 1252 usbhub - ok
16:35:19.0131 1252 usbio - ok
16:35:19.0193 1252 usbohci (e185d44fac515a18d9deddc23c2cdf44) C:\Windows\system32\drivers\usbohci.sys
16:35:19.0193 1252 usbohci - ok
16:35:19.0255 1252 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
16:35:19.0255 1252 usbprint - ok
16:35:19.0287 1252 usbser - ok
16:35:19.0333 1252 USBSTOR (f991ab9cc6b908db552166768176896a) C:\Windows\system32\DRIVERS\USBSTOR.SYS
16:35:19.0333 1252 USBSTOR - ok
16:35:19.0380 1252 usbuhci (68df884cf41cdada664beb01daf67e3d) C:\Windows\system32\DRIVERS\usbuhci.sys
16:35:19.0380 1252 usbuhci - ok
16:35:19.0396 1252 usbvm321 - ok
16:35:19.0443 1252 UxSms (081e6e1c91aec36758902a9f727cd23c) C:\Windows\System32\uxsms.dll
16:35:19.0458 1252 UxSms - ok
16:35:19.0489 1252 VaultSvc (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
16:35:19.0489 1252 VaultSvc - ok
16:35:19.0536 1252 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\drivers\vdrvroot.sys
16:35:19.0536 1252 vdrvroot - ok
16:35:19.0583 1252 vds (c3cd30495687c2a2f66a65ca6fd89be9) C:\Windows\System32\vds.exe
16:35:19.0599 1252 vds - ok
16:35:19.0661 1252 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
16:35:19.0661 1252 vga - ok
16:35:19.0677 1252 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
16:35:19.0677 1252 VgaSave - ok
16:35:19.0723 1252 VGPU - ok
16:35:19.0801 1252 vhdmp (5461686cca2fda57b024547733ab42e3) C:\Windows\system32\drivers\vhdmp.sys
16:35:19.0801 1252 vhdmp - ok
16:35:19.0833 1252 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\drivers\viaagp.sys
16:35:19.0848 1252 viaagp - ok
16:35:19.0879 1252 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
16:35:19.0879 1252 ViaC7 - ok
16:35:19.0911 1252 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\drivers\viaide.sys
16:35:19.0911 1252 viaide - ok
16:35:19.0973 1252 vmbus (c2f2911156fdc7817c52829c86da494e) C:\Windows\system32\drivers\vmbus.sys
16:35:19.0973 1252 vmbus - ok
16:35:20.0020 1252 VMBusHID (d4d77455211e204f370d08f4963063ce) C:\Windows\system32\drivers\VMBusHID.sys
16:35:20.0035 1252 VMBusHID - ok
16:35:20.0051 1252 volmgr (4c63e00f2f4b5f86ab48a58cd990f212) C:\Windows\system32\drivers\volmgr.sys
16:35:20.0051 1252 volmgr - ok
16:35:20.0098 1252 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
16:35:20.0098 1252 volmgrx - ok
16:35:20.0160 1252 volsnap (f497f67932c6fa693d7de2780631cfe7) C:\Windows\system32\drivers\volsnap.sys
16:35:20.0160 1252 volsnap - ok
16:35:20.0223 1252 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
16:35:20.0223 1252 vsmraid - ok
16:35:20.0301 1252 VSS (209a3b1901b83aeb8527ed211cce9e4c) C:\Windows\system32\vssvc.exe
16:35:20.0347 1252 VSS - ok
16:35:20.0410 1252 vulfnths - ok
16:35:20.0441 1252 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\System32\drivers\vwifibus.sys
16:35:20.0441 1252 vwifibus - ok
16:35:20.0472 1252 w200mdm - ok
16:35:20.0550 1252 W32Time (55187fd710e27d5095d10a472c8baf1c) C:\Windows\system32\w32time.dll
16:35:20.0581 1252 W32Time - ok
16:35:20.0613 1252 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
16:35:20.0613 1252 WacomPen - ok
16:35:20.0659 1252 WANARP (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
16:35:20.0659 1252 WANARP - ok
16:35:20.0675 1252 Wanarpv6 (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
16:35:20.0675 1252 Wanarpv6 - ok
16:35:20.0815 1252 WatAdminSvc (353a04c273ec58475d8633e75ccd5604) C:\Windows\system32\Wat\WatAdminSvc.exe
16:35:20.0862 1252 WatAdminSvc - ok
16:35:20.0940 1252 wbengine (691e3285e53dca558e1a84667f13e15a) C:\Windows\system32\wbengine.exe
16:35:20.0987 1252 wbengine - ok
16:35:21.0034 1252 WbioSrvc (9614b5d29dc76ac3c29f6d2d3aa70e67) C:\Windows\System32\wbiosrvc.dll
16:35:21.0034 1252 WbioSrvc - ok
16:35:21.0081 1252 wcncsvc (34eee0dfaadb4f691d6d5308a51315dc) C:\Windows\System32\wcncsvc.dll
16:35:21.0112 1252 wcncsvc - ok
16:35:21.0143 1252 WcsPlugInService (5d930b6357a6d2af4d7653bdabbf352f) C:\Windows\System32\WcsPlugInService.dll
16:35:21.0143 1252 WcsPlugInService - ok
16:35:21.0190 1252 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
16:35:21.0205 1252 Wd - ok
16:35:21.0252 1252 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
16:35:21.0268 1252 Wdf01000 - ok
16:35:21.0299 1252 WdiServiceHost (46ef9dc96265fd0b423db72e7c38c2a5) C:\Windows\system32\wdi.dll
16:35:21.0299 1252 WdiServiceHost - ok
16:35:21.0315 1252 WdiSystemHost (46ef9dc96265fd0b423db72e7c38c2a5) C:\Windows\system32\wdi.dll
16:35:21.0315 1252 WdiSystemHost - ok
16:35:21.0361 1252 WebClient (a9d880f97530d5b8fee278923349929d) C:\Windows\System32\webclnt.dll
16:35:21.0361 1252 WebClient - ok
16:35:21.0408 1252 Wecsvc (760f0afe937a77cff27153206534f275) C:\Windows\system32\wecsvc.dll
16:35:21.0408 1252 Wecsvc - ok
16:35:21.0439 1252 wercplsupport (ac804569bb2364fb6017370258a4091b) C:\Windows\System32\wercplsupport.dll
16:35:21.0455 1252 wercplsupport - ok
16:35:21.0486 1252 WerSvc (08e420d873e4fd85241ee2421b02c4a4) C:\Windows\System32\WerSvc.dll
16:35:21.0502 1252 WerSvc - ok
16:35:21.0564 1252 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
16:35:21.0564 1252 WfpLwf - ok
16:35:21.0611 1252 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
16:35:21.0611 1252 WIMMount - ok
16:35:21.0611 1252 WinHttpAutoProxySvc - ok
16:35:21.0673 1252 Winmgmt (f62e510b6ad4c21eb9fe8668ed251826) C:\Windows\system32\wbem\WMIsvc.dll
16:35:21.0689 1252 Winmgmt - ok
16:35:21.0814 1252 WinRM (1b91cd34ea3a90ab6a4ef0550174f4cc) C:\Windows\system32\WsmSvc.dll
16:35:21.0876 1252 WinRM - ok
16:35:21.0939 1252 Wlansvc (16935c98ff639d185086a3529b1f2067) C:\Windows\System32\wlansvc.dll
16:35:21.0985 1252 Wlansvc - ok
16:35:22.0032 1252 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\drivers\wmiacpi.sys
16:35:22.0032 1252 WmiAcpi - ok
16:35:22.0095 1252 wmiApSrv (6eb6b66517b048d87dc1856ddf1f4c3f) C:\Windows\system32\wbem\WmiApSrv.exe
16:35:22.0095 1252 wmiApSrv - ok
16:35:22.0157 1252 WPCSvc (a2f0ec770a92f2b3f9de6d518e11409c) C:\Windows\System32\wpcsvc.dll
16:35:22.0173 1252 WPCSvc - ok
16:35:22.0235 1252 WPDBusEnum (aa53356d60af47eacc85bc617a4f3f66) C:\Windows\system32\wpdbusenum.dll
16:35:22.0235 1252 WPDBusEnum - ok
16:35:22.0282 1252 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
16:35:22.0282 1252 ws2ifsl - ok
16:35:22.0297 1252 WSearch - ok
16:35:22.0407 1252 wuauserv (3026418a50c5b4761befa632cedb7406) C:\Windows\system32\wuaueng.dll
16:35:22.0469 1252 wuauserv - ok
16:35:22.0531 1252 WudfPf (e714a1c0354636837e20ccbf00888ee7) C:\Windows\system32\drivers\WudfPf.sys
16:35:22.0531 1252 WudfPf - ok
16:35:22.0578 1252 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\Windows\system32\DRIVERS\WUDFRd.sys
16:35:22.0578 1252 WUDFRd - ok
16:35:22.0625 1252 wudfsvc (8d1e1e529a2c9e9b6a85b55a345f7629) C:\Windows\System32\WUDFSvc.dll
16:35:22.0625 1252 wudfsvc - ok
16:35:22.0656 1252 WwanSvc (ff2d745b560f7c71b31f30f4d49f73d2) C:\Windows\System32\wwansvc.dll
16:35:22.0672 1252 WwanSvc - ok
16:35:22.0719 1252 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
16:35:22.0812 1252 \Device\Harddisk0\DR0 - ok
16:35:22.0812 1252 Boot (0x1200) (75f48e52ce21b0271f6c9e4bfdf8e6e9) \Device\Harddisk0\DR0\Partition0
16:35:22.0812 1252 \Device\Harddisk0\DR0\Partition0 - ok
16:35:22.0843 1252 Boot (0x1200) (11232797359ff66c8e700f4fa1289780) \Device\Harddisk0\DR0\Partition1
16:35:22.0843 1252 \Device\Harddisk0\DR0\Partition1 - ok
16:35:22.0859 1252 Boot (0x1200) (ab016024d6f4a2251471d368da84c6bb) \Device\Harddisk0\DR0\Partition2
16:35:22.0859 1252 \Device\Harddisk0\DR0\Partition2 - ok
16:35:22.0890 1252 Boot (0x1200) (0130761e481e298ca69ca105b73bfa86) \Device\Harddisk0\DR0\Partition3
16:35:22.0890 1252 \Device\Harddisk0\DR0\Partition3 - ok
16:35:22.0890 1252 ============================================================
16:35:22.0890 1252 Scan finished
16:35:22.0890 1252 ============================================================
16:35:22.0906 2280 Detected object count: 11
16:35:22.0906 2280 Actual detected object count: 11
16:36:07.0691 2280 ACDaemon ( Backdoor.Multi.ZAccess.gen ) - skipped by user
16:36:07.0691 2280 ACDaemon ( Backdoor.Multi.ZAccess.gen ) - User select action: Skip
16:36:07.0707 2280 advservice ( Backdoor.Multi.ZAccess.gen ) - skipped by user
16:36:07.0707 2280 advservice ( Backdoor.Multi.ZAccess.gen ) - User select action: Skip
16:36:07.0707 2280 caili ( Backdoor.Multi.ZAccess.gen ) - skipped by user
16:36:07.0707 2280 caili ( Backdoor.Multi.ZAccess.gen ) - User select action: Skip
16:36:07.0707 2280 DeviceScanner ( Backdoor.Multi.ZAccess.gen ) - skipped by user
16:36:07.0707 2280 DeviceScanner ( Backdoor.Multi.ZAccess.gen ) - User select action: Skip
16:36:07.0910 2280 C:\Windows\system32\DRIVERS\dtsoftbus01.sys - copied to quarantine
16:36:07.0941 2280 C:\Windows\$NtUninstallKB26722$\1755775173\@ - copied to quarantine
16:36:07.0941 2280 C:\Windows\$NtUninstallKB26722$\1755775173\cfg.ini - copied to quarantine
16:36:07.0941 2280 C:\Windows\$NtUninstallKB26722$\1755775173\Desktop.ini - copied to quarantine
16:36:07.0972 2280 C:\Windows\$NtUninstallKB26722$\1755775173\L\xadqgnnk - copied to quarantine
16:36:08.0003 2280 C:\Windows\$NtUninstallKB26722$\1755775173\twl.dll - copied to quarantine
16:36:08.0019 2280 C:\Windows\$NtUninstallKB26722$\1755775173\U\00000001.@ - copied to quarantine
16:36:08.0081 2280 C:\Windows\$NtUninstallKB26722$\1755775173\U\00000002.@ - copied to quarantine
16:36:08.0113 2280 C:\Windows\$NtUninstallKB26722$\1755775173\U\00000004.@ - copied to quarantine
16:36:08.0128 2280 C:\Windows\$NtUninstallKB26722$\1755775173\U\80000000.@ - copied to quarantine
16:36:08.0144 2280 C:\Windows\$NtUninstallKB26722$\1755775173\U\80000004.@ - copied to quarantine
16:36:08.0159 2280 C:\Windows\$NtUninstallKB26722$\1755775173\U\80000032.@ - copied to quarantine
16:36:08.0159 2280 C:\Windows\$NtUninstallKB26722$\1755775173\version - copied to quarantine
16:36:08.0300 2280 Backup copy found, using it..
16:36:08.0315 2280 C:\Windows\system32\DRIVERS\dtsoftbus01.sys - will be cured on reboot
16:36:11.0170 2280 C:\Windows\$NtUninstallKB26722$\1288869564 - will be deleted on reboot
16:36:11.0170 2280 C:\Windows\$NtUninstallKB26722$\1755775173\@ - will be deleted on reboot
16:36:11.0170 2280 C:\Windows\$NtUninstallKB26722$\1755775173\cfg.ini - will be deleted on reboot
16:36:11.0170 2280 C:\Windows\$NtUninstallKB26722$\1755775173\Desktop.ini - will be deleted on reboot
16:36:11.0170 2280 C:\Windows\$NtUninstallKB26722$\1755775173\twl.dll - will be deleted on reboot
16:36:11.0170 2280 C:\Windows\$NtUninstallKB26722$\1755775173\U\00000001.@ - will be deleted on reboot
16:36:11.0170 2280 C:\Windows\$NtUninstallKB26722$\1755775173\U\00000002.@ - will be deleted on reboot
16:36:11.0170 2280 C:\Windows\$NtUninstallKB26722$\1755775173\U\00000004.@ - will be deleted on reboot
16:36:11.0170 2280 C:\Windows\$NtUninstallKB26722$\1755775173\U\80000000.@ - will be deleted on reboot
16:36:11.0170 2280 C:\Windows\$NtUninstallKB26722$\1755775173\U\80000004.@ - will be deleted on reboot
16:36:11.0170 2280 C:\Windows\$NtUninstallKB26722$\1755775173\U\80000032.@ - will be deleted on reboot
16:36:11.0170 2280 C:\Windows\$NtUninstallKB26722$\1755775173\version - will be deleted on reboot
16:36:11.0170 2280 dtsoftbus01 ( Virus.Win32.ZAccess.k ) - User select action: Cure
16:36:11.0170 2280 EMATCORE ( Backdoor.Multi.ZAccess.gen ) - skipped by user
16:36:11.0170 2280 EMATCORE ( Backdoor.Multi.ZAccess.gen ) - User select action: Skip
16:36:11.0186 2280 evteng ( Backdoor.Multi.ZAccess.gen ) - skipped by user
16:36:11.0186 2280 evteng ( Backdoor.Multi.ZAccess.gen ) - User select action: Skip
16:36:11.0186 2280 olregcap ( Backdoor.Multi.ZAccess.gen ) - skipped by user
16:36:11.0186 2280 olregcap ( Backdoor.Multi.ZAccess.gen ) - User select action: Skip
16:36:11.0186 2280 pdlndint ( Backdoor.Multi.ZAccess.gen ) - skipped by user
16:36:11.0186 2280 pdlndint ( Backdoor.Multi.ZAccess.gen ) - User select action: Skip
16:36:11.0186 2280 rimusb ( Backdoor.Multi.ZAccess.gen ) - skipped by user
16:36:11.0186 2280 rimusb ( Backdoor.Multi.ZAccess.gen ) - User select action: Skip
16:36:11.0186 2280 RR2Vbi ( Backdoor.Multi.ZAccess.gen ) - skipped by user
16:36:11.0186 2280 RR2Vbi ( Backdoor.Multi.ZAccess.gen ) - User select action: Skip
16:36:20.0656 4060 Deinitialize success

#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:03:52 PM

Posted 30 March 2012 - 09:12 PM

Hi,

Please run ComboFix again and post the new log for me.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#5 kowalos123

kowalos123
  • Topic Starter

  • Members
  • 8 posts
  • Local time:08:52 PM

Posted 31 March 2012 - 04:22 AM

Hello
I ran ComboFix again; it detected a rootkit, and now I have internet access. This is the log:


ComboFix 12-03-30.06 - Piotrek 2012-03-31 10:56:50.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1250.48.1033.18.2047.1539 [GMT 2:00]
Run from: d:\moje dokumenty\Pobrane\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB26722$
c:\windows\$NtUninstallKB26722$\1755775173\L\xadqgnnk
.
c:\windows\system32\drivers\tdx.sys - file was missing
File restored from - c:\windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7600.16385_none_ea141e6f3d693e28\tdx.sys
.
.
((((((((((((((((((((((((( Files created from 2012-02-28 to 2012-03-31 )))))))))))))))))))))))))))))))
.
.
2012-03-31 09:04 . 2012-03-31 09:06 -------- d-----w- c:\users\Piotrek\AppData\Local\temp
2012-03-31 09:04 . 2012-03-31 09:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-31 09:03 . 2009-07-13 23:12 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-03-30 19:20 . 2012-03-30 19:20 137416 ----a-w- c:\windows\system32\drivers\tsk6115.tmp
2012-03-30 15:22 . 2012-03-30 14:36 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-03-30 14:36 . 2012-03-30 19:45 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-27 19:31 . 2012-03-27 19:31 -------- d-----w- c:\program files\Enigma Software Group
2012-03-27 19:31 . 2012-03-27 19:49 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-03-27 19:31 . 2012-03-27 19:31 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-03-26 16:31 . 2012-03-26 16:31 -------- d-----w- c:\users\Piotrek\AppData\Local\Mozilla
2012-03-24 15:35 . 2012-03-24 15:35 -------- d-----w- c:\program files\Wolfram Research
2012-03-24 15:34 . 2012-03-24 15:34 -------- d-----w- c:\windows\Downloaded Installations
2012-03-24 15:14 . 2012-03-26 07:41 -------- d--h--w- c:\users\Piotrek\AppData\Local\MicrosoftNT
2012-03-24 15:06 . 2012-03-24 15:37 -------- d-----w- c:\users\Piotrek\AppData\Roaming\Mathematica
2012-03-24 15:06 . 2012-03-24 15:20 -------- d-----w- c:\users\Piotrek\AppData\Local\Mathematica
2012-03-24 15:06 . 2012-03-24 15:37 -------- d-----w- c:\programdata\Mathematica
2012-03-24 15:06 . 2012-03-24 15:06 -------- d-----w- c:\program files\Common Files\Wolfram Research
2012-03-24 15:06 . 2012-03-24 15:06 -------- d-----w- c:\program files\Common Files\ResearchSoft
2012-03-24 15:01 . 2010-11-07 19:17 333840 ----a-w- c:\windows\system32\mltcpip32.mlp
2012-03-24 15:01 . 2010-11-07 19:17 93712 ----a-w- c:\windows\system32\mltcp32.mlp
2012-03-24 15:01 . 2010-11-07 19:17 88080 ----a-w- c:\windows\system32\mlshm32.mlp
2012-03-24 15:01 . 2010-11-07 19:17 167952 ----a-w- c:\windows\system32\mlmodule32.dll
2012-03-24 15:01 . 2010-11-07 19:17 79376 ----a-w- c:\windows\system32\mlmap32.mlp
2012-03-24 15:01 . 2010-11-07 19:16 369680 ----a-w- c:\windows\system32\ml32i3.dll
2012-03-24 15:01 . 2010-11-07 19:16 260112 ----a-w- c:\windows\system32\ml32i2.dll
2012-03-24 15:01 . 2010-11-07 19:16 253968 ----a-w- c:\windows\system32\ml32i1.dll
2012-03-22 02:42 . 2012-02-08 06:03 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{07D59B9F-E9D7-4789-8B5C-323015FEEA43}\mpengine.dll
2012-03-08 20:54 . 2012-03-08 20:54 -------- d-----w- c:\program files\Haali
2012-03-08 20:54 . 2012-03-08 20:54 -------- d-----w- c:\program files\CoreCodec
2012-03-03 13:55 . 2012-03-03 13:55 -------- d-----w- c:\users\Piotrek\AppData\Roaming\Macrovision
2012-03-03 11:36 . 2012-03-03 11:36 -------- d-----w- c:\program files\Common Files\Java
2012-03-03 11:34 . 2012-03-03 11:34 -------- d-----w- c:\program files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M section ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-30 19:46 . 2012-01-15 00:30 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2012-03-30 18:51 . 2012-01-15 15:11 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-03-30 18:21 . 2012-01-15 15:11 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-03-26 16:27 . 2012-01-30 09:53 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-03 11:34 . 2012-01-16 17:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-23 08:18 . 2012-01-15 00:10 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-15 16:00 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2011-07-16 . 921F8B3FF01501C9934CCB3C270833D7 . 868352 . . [6.1.7601.21772] . . c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.21772_none_960c0dc1cdddb3a2\kernel32.dll
[7] 2011-07-16 . 7E99A20C758ABB5AE89C7AEEA3A9AEB2 . 868352 . . [6.1.7600.16850] . . c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.16850_none_93afb334b78b3d5c\kernel32.dll
[7] 2011-07-16 . E570CBD732848438EAC574EB3442A2A8 . 868352 . . [6.1.7601.17651] . . c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.17651_none_95971084b4b0c29f\kernel32.dll
[7] 2011-07-16 . 12DD18C6ECADEDB922E40B494D315206 . 868352 . . [6.1.7600.21010] . . c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.21010_none_946467d1d088a0a4\kernel32.dll
[-] 2010-11-20 . 3C9AB2C90201380E1034D71AD5670E01 . 868352 . . [6.1.7600.16385] . . c:\windows\System32\kernel32.dll
[7] 2010-11-20 . 5553784D774CA845380650E010BBDA2C . 857600 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.17514_none_95c54f2cb48da1b9\kernel32.dll
[7] 2009-12-08 . EB7B2309A2B16EEB73C2C13477FEF8FB . 857088 . . [6.1.7600.20591] . . c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.20591_none_940f0901d0c871a5\kernel32.dll
[7] 2009-12-08 . 0369BA73CE6D918745579B24339765E8 . 857088 . . [6.1.7600.16481] . . c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.16481_none_93903c22b7a2b5ea\kernel32.dll
[7] 2009-07-14 . 4605F7EE9805F7E1C98D6C959DD2949C . 857088 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.16385_none_93943b64b79f1e1f\kernel32.dll
.
((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"31908D594CED5854D19D92F49DDC940669DDCEEB._service_run"="c:\users\Piotrek\AppData\Local\Google\Chrome\Application\chrome.exe" [2012-03-21 1049072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-02 13789728]
"BCSSync"="d:\programy\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R0 31719790;31719790;c:\windows\system32\drivers\94476259.sys [x]
R1 ynftyerq;ynftyerq;c:\windows\system32\drivers\ynftyerq.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Kmm4xNT;Kmm4xNT; [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;d:\programy\Microsoft Office\Office14\GROOVE.EXE [2010-12-27 31124344]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-15 1343400]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-03-30 239168]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-06-10 394856]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
.
NETSVCS NEEDS REPAIR - currently existing entries shown
AeLookupSvc
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
IKEEXT
AudioSrv
FastUserSwitchingCompatibility
Ias
Irmon
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
Rasauto
Rasman
Remoteaccess
SENS
Sharedaccess
SRService
Tapisrv
Wmi
WmdmPmSp
svcwrsssdk
clisvc
usbser
ELacpi
Intel_MIPMNMP
tosrfec
usbsermpt
hprfdev
DCFS2K
nmsaccess
oracleformsserver-forms60server-oraform
xpagentserver
ADIDTSFiltService
RR2Ctrl
SE2Dmdfl
mctaskmanager
basic2
USBDongle
tapeware
eSettingsService
ptserial
w200mdm
AtlsAud
evteng
sysmonlog
usbvm321
maya70docserver
SE2Cmdm
lexbces
nvcap
olregcap
AFGMp50
itmrtsvc
pdlndint
RR2Vbi
usbio
rimusb
roammgr
SrvcEPECioctl
lvsrvlauncher
bthidmgr
prodrv06
vulfnths
TPPWRIF
roxmediadb9
mwagent
MREMP50
SE2Eobex
softfax
ProcObsrv
adiloader
mapserver6.3
uleadburninghelper
cbidf2k
DXEC02
upnp
kpf4
backupexecdevicemediaservice
axsaki
TermService
wuauserv
BITS
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr
iphlpsvc
seclogon
AppInfo
msiscsi
MMCSS
wercplsupport
EapHost
ProfSvc
schedule
hkmsvc
SessionEnv
winmgmt
browser
Themes
BDESVC
AppMgmt
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-140570312-3957278227-4139224077-1001Core.job
- c:\users\Piotrek\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-26 17:37]
.
2012-03-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-140570312-3957278227-4139224077-1001UA.job
- c:\users\Piotrek\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-26 17:37]
.
.
------- Supplementary scan -------
.
IE: E&ksportuj do programu Microsoft Excel - d:\programy\MICROS~1\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 95.160.170.92 88.156.222.92
FF - ProfilePath - c:\users\Piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\3i2tgao4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
------- File associations -------
.
.scr=AutoCADScriptFile
.
- - - - EMPTY ENTRIES REMOVED - - - -
.
SafeBoot-31719790.sys
SafeBoot-48705816.sys
SafeBoot-83839246.sys
SafeBoot-99288541.sys
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cdrom]
"ImagePath"="system32\drivers\tskF8C1.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,3e,8f,a6,d8,92,f3,4c,8e,22,ca,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,3e,8f,a6,d8,92,f3,4c,8e,22,ca,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other running processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\AUDIODG.EXE
c:\windows\system32\nvvsvc.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
.
**************************************************************************
.
Completion time: 2012-03-31 11:09:52 - the computer was rebooted
ComboFix-quarantined-files.txt 2012-03-31 09:09
ComboFix2.txt 2012-03-30 16:00
.
Before: 6 206 562 304 bytes free
After: 6 127 894 528 bytes free
.
- - End Of File - - A3B1CC81EEE7F2A9E019EFE95B862E8E

#6 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:03:52 PM

Posted 31 March 2012 - 12:17 PM

Please do this now:

Open Notepad and copy/paste the text in the box below into it:

@echo off
rem swreg (registry query) and SED (stream editor) are helper tools installed
rem by ComboFix, not part of Windows; the batch assumes they are on the PATH
rem and must be run as administrator.
rem Pipeline: dump every key under the services hive, keep only key-name lines
rem and ImagePath values that load through "svchost -k netsvcs", fold each
rem surviving ImagePath line into the key line above it, then print just the
rem last path component of that key, i.e. the service name.
swreg query hklm\system\currentcontrolset\services /s |(
SED -r "/^HK|^ +ImagePath.*-k netsvcs/I!d" |(
SED -r ":a; $!N;s/\n.*\t.*/\t/;ta;P;D" |(
SED -r "/.*\\(.*)\t/!d; s//\1/"
)))>Log.txt
Start Notepad Log.txt

  • Save this as peek.bat. Choose "Save type as - All Files".
  • Right click on peek.bat and select "Run as administrator". A notepad file will open. Copy that information into your next reply, please.
Please include the following in your next post:
  • Peek.bat results

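
The peek.bat pipeline above, re-implemented offline in Python as an added example (this is not ComboFix's or the forum's own code), together with the comparison a responder makes next: the netsvcs REG_MULTI_SZ versus the services whose ImagePath really loads them through "svchost -k netsvcs". The dump text, the netsvcs value and the "bogus01" service with its ServiceDll path are constructed for the example; the "ServiceDll should live in System32" check is a heuristic of this example, not a ComboFix rule.

```python
"""Offline re-implementation of the peek.bat filter plus a netsvcs cross-check.
Added example, not ComboFix or BleepingComputer code.  It never touches a live
registry: it parses a text dump in the layout "swreg query ... /s" prints
(a key line, then indented, tab-separated value lines).
"""
import re

# Constructed sample dump.  BITS / wuauserv / Tcpip are real Windows services;
# "bogus01" and its ServiceDll path are made up for the example.
SAMPLE_DUMP = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BITS
    ImagePath\tREG_EXPAND_SZ\t%SystemRoot%\\System32\\svchost.exe -k netsvcs
    DisplayName\tREG_SZ\tBackground Intelligent Transfer Service
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BITS\\Parameters
    ServiceDll\tREG_EXPAND_SZ\t%SystemRoot%\\System32\\qmgr.dll
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip
    ImagePath\tREG_EXPAND_SZ\tSystem32\\drivers\\tcpip.sys
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\bogus01
    ImagePath\tREG_EXPAND_SZ\t%SystemRoot%\\System32\\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\bogus01\\Parameters
    ServiceDll\tREG_EXPAND_SZ\tC:\\ProgramData\\svc\\bogus01.dll
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wuauserv
    ImagePath\tREG_EXPAND_SZ\t%systemroot%\\system32\\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wuauserv\\Parameters
    ServiceDll\tREG_EXPAND_SZ\t%systemroot%\\system32\\wuaueng.dll
"""

# Constructed netsvcs value.  Irmon is one of the default entries Windows 7
# ships without a matching service; bogus02 is a made-up orphan.
NETSVCS_SAMPLE = ["AeLookupSvc", "BITS", "wuauserv", "Irmon", "bogus02"]

KEY_RE = re.compile(r"^HK[A-Z_]+\\(.*)$")
NETSVCS_RE = re.compile(r"-k\s+netsvcs\b", re.I)


def parse_dump(dump):
    """Return {service: {value_name: data}} for keys directly under Services,
    folding each service's Parameters subkey (where ServiceDll lives) into it."""
    services, current = {}, None
    for line in dump.splitlines():
        m = KEY_RE.match(line)
        if m:
            parts = m.group(1).split("\\")
            lowered = [p.lower() for p in parts]
            current = None
            if "services" in lowered:
                rest = parts[lowered.index("services") + 1:]
                if len(rest) == 1 or (len(rest) == 2 and rest[1].lower() == "parameters"):
                    current = services.setdefault(rest[0], {})
            continue
        if current is None or not line.startswith((" ", "\t")):
            continue
        fields = line.strip().split("\t")          # name, type, data
        if len(fields) >= 3:
            current[fields[0]] = "\t".join(fields[2:])
    return services


def netsvcs_hosted(services):
    """What peek.bat prints: services whose ImagePath is 'svchost -k netsvcs'."""
    return sorted((n for n, v in services.items()
                   if NETSVCS_RE.search(v.get("ImagePath", ""))), key=str.lower)


def cross_check(hosted, netsvcs_value):
    """Two-way diff between the netsvcs list and the services it really hosts.
    Service names are case-insensitive, so compare lower-cased keys."""
    listed = {n.lower(): n for n in netsvcs_value}
    actual = {n.lower(): n for n in hosted}
    return {
        "listed_but_no_service": sorted(listed[k] for k in listed.keys() - actual.keys()),
        "hosted_but_not_listed": sorted(actual[k] for k in actual.keys() - listed.keys()),
    }


def suspicious_service_dlls(services, system_root="C:\\Windows"):
    """Heuristic (an assumption of this example, not a ComboFix rule): a DLL that
    runs inside the netsvcs svchost normally lives in System32; anything else,
    or a netsvcs-hosted service with no ServiceDll at all, deserves a look."""
    flagged = []
    for name, vals in services.items():
        if not NETSVCS_RE.search(vals.get("ImagePath", "")):
            continue
        dll = re.sub(r"%systemroot%", lambda _m: system_root,
                     vals.get("ServiceDll", ""), flags=re.I)
        if not dll.lower().startswith(system_root.lower() + "\\system32\\"):
            flagged.append(name)
    return sorted(flagged, key=str.lower)


if __name__ == "__main__":
    svcs = parse_dump(SAMPLE_DUMP)
    hosted = netsvcs_hosted(svcs)
    print("hosted under netsvcs:", hosted)
    for bucket, names in cross_check(hosted, NETSVCS_SAMPLE).items():
        print(f"{bucket}: {names}")
    print("ServiceDll outside System32:", suspicious_service_dlls(svcs))
```

On a real Windows 7 system the listed-but-no-service bucket always contains legacy default entries such as Irmon and Ntmssvc, so diff against a known-good netsvcs list for that Windows build rather than expecting it to be empty. The names nobody can account for, like the long tail in the ComboFix output above, are what to chase, and the ServiceDll each of those resolves to is what actually gets loaded into the netsvcs svchost.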


#7 kowalos123

kowalos123
  • Topic Starter

  • Members
  • 8 posts
  • Local time:08:52 PM

Posted 31 March 2012 - 12:43 PM

These are the peek.bat results:


ADIDTSFiltService
adiloader
AeLookupSvc
AFGMp50
Appinfo
AppMgmt
AtlsAud
axsaki
backupexecdevicemediaservice
basic2
BDESVC
BITS
Browser
bthidmgr
cbidf2k
CertPropSvc
clisvc
DCFS2K
DXEC02
EapHost
ELacpi
eSettingsService
gpsvc
hkmsvc
hprfdev
IKEEXT
Intel_MIPMNMP
iphlpsvc
itmrtsvc
kpf4
LanmanServer
lexbces
lvsrvlauncher
mapserver6.3
maya70docserver
mctaskmanager
MMCSS
MREMP50
MSiSCSI
mwagent
nmsaccess
nvcap
oracleformsserver-forms60server-oraform
ProcObsrv
prodrv06
ProfSvc
ptserial
RasAuto
RasMan
RemoteAccess
roammgr
roxmediadb9
RR2Ctrl
Schedule
SCPolicySvc
SE2Cmdm
SE2Dmdfl
SE2Eobex
seclogon
SENS
SessionEnv
SharedAccess
ShellHWDetection
softfax
SrvcEPECioctl
svcwrsssdk
sysmonlog
tapeware
Themes
tosrfec
TPPWRIF
uleadburninghelper
upnp
USBDongle
usbio
usbser
usbsermpt
usbvm321
vulfnths
w200mdm
wercplsupport
Winmgmt
wuauserv
xpagentserver
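
The Registry:: fix in the next post writes a list like the one above back into netsvcs as a hex(7) REG_MULTI_SZ. The following added example (not ComboFix's or the helper's code) shows that encoding and its inverse: in the REGEDIT4 format, which the ComboFix log itself uses, hex(7) is the raw single-byte ANSI text of each name with a NUL after each and one more NUL closing the list, whereas a "Windows Registry Editor Version 5.00" file would carry UTF-16LE, two bytes per character. The only data taken from the thread are the first three hex lines of that fix and the head of the peek.bat list; the 25-bytes-per-line wrapping is an assumption made to match their layout.

```python
"""hex(7) <-> REG_MULTI_SZ for REGEDIT4-style .reg / CFScript text.
Added example, not ComboFix code."""

# First three hex lines of the Registry:: fix in the next post, copied verbatim
# (the fix continues beyond them; this is only a prefix, so it ends mid-name).
FRAGMENT_FROM_POST = r"""41,44,49,44,54,53,46,69,6c,74,53,65,72,76,69,63,65,00,61,64,69,6c,6f,\
  61,64,65,72,00,41,65,4c,6f,6f,6b,75,70,53,76,63,00,41,46,47,4d,70,35,30,00,\
  41,70,70,69,6e,66,6f,00,41,70,70,4d,67,6d,74,00,41,74,6c,73,41,75,64,00,61,\
"""

# The start of the peek.bat output above, for comparison.
PEEK_LIST_HEAD = ["ADIDTSFiltService", "adiloader", "AeLookupSvc", "AFGMp50",
                  "Appinfo", "AppMgmt", "AtlsAud", "axsaki"]


def multi_sz_to_hex7(names, encoding="cp1252"):
    """Encode service names as REGEDIT4 hex(7) text (single line, no wrapping):
    each name NUL-terminated, plus a final NUL that closes the list."""
    raw = b"".join(n.encode(encoding) + b"\x00" for n in names) + b"\x00"
    return ",".join(f"{b:02x}" for b in raw)


def hex7_to_multi_sz(hexdata, encoding="cp1252"):
    """Decode hex(7) text, tolerating .reg line continuations (backslash + newline
    and indentation).  Returns (names, leftover): leftover is any trailing text
    that had no NUL terminator yet, which is what a truncated fragment shows."""
    cleaned = "".join(ch for ch in hexdata if ch not in " \t\r\n\\")
    raw = bytes(int(h, 16) for h in cleaned.split(",") if h)
    parts = raw.split(b"\x00")
    names = [p.decode(encoding) for p in parts[:-1] if p]
    return names, parts[-1].decode(encoding)


def format_reg_value(value_name, names, per_line=25):
    """Render a '"name"=hex(7):...' value wrapped with ',\\' continuations and a
    two-space indent, the layout the fix in the next post uses (assumed 25 bytes
    per continuation line)."""
    hexbytes = multi_sz_to_hex7(names).split(",")
    chunks = [",".join(hexbytes[i:i + per_line])
              for i in range(0, len(hexbytes), per_line)]
    lines = [f'"{value_name}"=hex(7):{chunks[0]}'] + ["  " + c for c in chunks[1:]]
    return ",\\\n".join(lines)


if __name__ == "__main__":
    names, leftover = hex7_to_multi_sz(FRAGMENT_FROM_POST)
    print("decoded:", names, "| truncated tail:", repr(leftover))
    print(format_reg_value("netsvcs", PEEK_LIST_HEAD))
```

Decoding the fragment yields the first seven names of the peek.bat list plus a dangling "a", the start of "axsaki" cut off by the line break, which is the quick way to confirm that a fix like this writes exactly the list it claims to and nothing else. Build the list you feed to multi_sz_to_hex7 from names you have verified, since whatever goes into netsvcs is what the netsvcs svchost will try to load at the next boot.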

#8 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:03:52 PM

Posted 31 March 2012 - 03:42 PM

Please do this next:

Open Notepad (Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above Registry::

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"=hex(7):41,44,49,44,54,53,46,69,6c,74,53,65,72,76,69,63,65,00,61,64,69,6c,6f,\
  61,64,65,72,00,41,65,4c,6f,6f,6b,75,70,53,76,63,00,41,46,47,4d,70,35,30,00,\
  41,70,70,69,6e,66,6f,00,41,70,70,4d,67,6d,74,00,41,74,6c,73,41,75,64,00,61,\
  78,73,61,6b,69,00,62,61,63,6b,75,70,65,78,65,63,64,65,76,69,63,65,6d,65,64,\
  69,61,73,65,72,76,69,63,65,00,62,61,73,69,63,32,00,42,44,45,53,56,43,00,42,\
  49,54,53,00,42,72,6f,77,73,65,72,00,62,74,68,69,64,6d,67,72,00,63,62,69,64,\
  66,32,6b,00,43,65,72,74,50,72,6f,70,53,76,63,00,63,6c,69,73,76,63,00,44,43,\
  46,53,32,4b,00,44,58,45,43,30,32,00,45,61,70,48,6f,73,74,00,45,4c,61,63,70,\
  69,00,65,53,65,74,74,69,6e,67,73,53,65,72,76,69,63,65,00,67,70,73,76,63,00,\
  68,6b,6d,73,76,63,00,68,70,72,66,64,65,76,00,49,4b,45,45,58,54,00,49,6e,74,\
  65,6c,5f,4d,49,50,4d,4e,4d,50,00,69,70,68,6c,70,73,76,63,00,69,74,6d,72,74,\
  73,76,63,00,6b,70,66,34,00,4c,61,6e,6d,61,6e,53,65,72,76,65,72,00,6c,65,78,\
  62,63,65,73,00,6c,76,73,72,76,6c,61,75,6e,63,68,65,72,00,6d,61,70,73,65,72,\
  76,65,72,36,2e,33,00,6d,61,79,61,37,30,64,6f,63,73,65,72,76,65,72,00,6d,63,\
  74,61,73,6b,6d,61,6e,61,67,65,72,00,4d,4d,43,53,53,00,4d,52,45,4d,50,35,30,\
  00,4d,53,69,53,43,53,49,00,6d,77,61,67,65,6e,74,00,6e,6d,73,61,63,63,65,73,\
  73,00,6e,76,63,61,70,00,6f,72,61,63,6c,65,66,6f,72,6d,73,73,65,72,76,65,72,\
  2d,66,6f,72,6d,73,36,30,73,65,72,76,65,72,2d,6f,72,61,66,6f,72,6d,00,50,72,\
  6f,63,4f,62,73,72,76,00,70,72,6f,64,72,76,30,36,00,50,72,6f,66,53,76,63,00,\
  70,74,73,65,72,69,61,6c,00,52,61,73,41,75,74,6f,00,52,61,73,4d,61,6e,00,52,\
  65,6d,6f,74,65,41,63,63,65,73,73,00,72,6f,61,6d,6d,67,72,00,72,6f,78,6d,65,\
  64,69,61,64,62,39,00,52,52,32,43,74,72,6c,00,53,63,68,65,64,75,6c,65,00,53,\
  43,50,6f,6c,69,63,79,53,76,63,00,53,45,32,43,6d,64,6d,00,53,45,32,44,6d,64,\
  66,6c,00,53,45,32,45,6f,62,65,78,00,73,65,63,6c,6f,67,6f,6e,00,53,45,4e,53,\
  00,53,65,73,73,69,6f,6e,45,6e,76,00,53,68,61,72,65,64,41,63,63,65,73,73,00,\
  53,68,65,6c,6c,48,57,44,65,74,65,63,74,69,6f,6e,00,73,6f,66,74,66,61,78,00,\
  53,72,76,63,45,50,45,43,69,6f,63,74,6c,00,73,76,63,77,72,73,73,73,64,6b,00,\
  73,79,73,6d,6f,6e,6c,6f,67,00,74,61,70,65,77,61,72,65,00,54,68,65,6d,65,73,\
  00,74,6f,73,72,66,65,63,00,54,50,50,57,52,49,46,00,75,6c,65,61,64,62,75,72,\
  6e,69,6e,67,68,65,6c,70,65,72,00,75,70,6e,70,00,55,53,42,44,6f,6e,67,6c,65,\
  00,75,73,62,69,6f,00,75,73,62,73,65,72,00,75,73,62,73,65,72,6d,70,74,00,75,\
  73,62,76,6d,33,32,31,00,76,75,6c,66,6e,74,68,73,00,77,32,30,30,6d,64,6d,00,\
  77,65,72,63,70,6c,73,75,70,70,6f,72,74,00,57,69,6e,6d,67,6d,74,00,77,75,61,\
  75,73,65,72,76,00,78,70,61,67,65,6e,74,73,65,72,76,65,72,20,00,41,75,64,69,\
  6f,53,72,76,00,46,61,73,74,55,73,65,72,53,77,69,74,63,68,69,6e,67,43,6f,6d,\
  70,61,74,69,62,69,6c,69,74,79,00,68,65,6c,70,73,76,63,00,49,61,73,00,49,72,\
  6d,6f,6e,00,4c,6f,67,6f,6e,48,6f,75,72,73,00,4e,6c,61,00,4e,74,6d,73,73,76,\
  63,00,4e,57,43,57,6f,72,6b,73,74,61,74,69,6f,6e,00,50,43,41,75,64,69,74,00,\
  53,52,53,65,72,76,69,63,65,00,54,61,70,69,73,72,76,00,54,65,72,6d,53,65,72,\
  76,69,63,65,00,75,70,6c,6f,61,64,6d,67,72,00,57,6d,64,6d,50,6d,53,70,00,57,\
  6d,69,00,00

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Be sure that everything else is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post the results.
Please include the following in your next post:
  • ComboFix log
  • MBAM log

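The Registry:: section in the post above rewrites the netsvcs value as a REG_MULTI_SZ in hex(7) form: every service name as one-byte characters followed by 00, with one extra 00 closing the list, wrapped across lines with a trailing backslash. As an added example that is not part of this thread and not ComboFix code, the Python below decodes such a value back into service names, re-encodes a list in the same layout, and reports which decoded names are absent from a baseline list; the short hex(7) sample and the baseline are constructed here. The default "latin-1" encoding stands in for the one-byte ANSI text of REGEDIT4 exports (what the script above uses); pass encoding="utf-16-le" for files with a "Windows Registry Editor Version 5.00" header, which store hex(7) as UTF-16LE.

```python
# Added example (not from the thread, not ComboFix code): decode and
# re-encode the hex(7) REG_MULTI_SZ form the CFScript uses for netsvcs,
# and diff a decoded list against a baseline.
# Assumption: "latin-1" stands in for the one-byte ANSI text of REGEDIT4
# exports; "Windows Registry Editor Version 5.00" files use UTF-16LE.
import re

# A wrapped .reg value ends each physical line with "\" and indents the next.
_CONTINUATION = re.compile(r"\\\s*\r?\n\s*")


def hex7_to_bytes(value_text: str) -> bytes:
    """Join the wrapped lines and turn the comma-separated hex bytes into bytes."""
    joined = _CONTINUATION.sub("", value_text.strip())
    # Accept either a bare byte list or one prefixed by '"name"=hex(7):'.
    _, marker, rest = joined.partition("hex(7):")
    if marker:
        joined = rest
    return bytes(int(tok, 16) for tok in joined.split(",") if tok.strip())


def bytes_to_multi_sz(data: bytes, encoding: str = "latin-1") -> list[str]:
    """Split REG_MULTI_SZ bytes into strings.

    Each string is NUL-terminated and the whole list ends with one more NUL,
    so a well-formed value decodes to "a\\0b\\0\\0"; trailing empties are dropped.
    """
    parts = data.decode(encoding).split("\0")
    while parts and parts[-1] == "":
        parts.pop()
    return parts


def parse_hex7(value_text: str, encoding: str = "latin-1") -> list[str]:
    """Decode a hex(7) value as pasted from a .reg file or CFScript into names."""
    return bytes_to_multi_sz(hex7_to_bytes(value_text), encoding)


def encode_hex7(names: list[str], encoding: str = "latin-1", width: int = 78) -> str:
    """Encode names as 'hex(7):...' text, wrapped with '\\' continuations like regedit."""
    data = "".join(name + "\0" for name in names).encode(encoding)
    data += "\0".encode(encoding)  # terminating NUL of the list
    tokens = [f"{b:02x}" for b in data]
    lines: list[str] = []
    current: list[str] = []
    for tok in tokens:
        # Keep room for the trailing ",\" that marks a continued line.
        if current and len(",".join(current + [tok])) + 2 > width:
            lines.append(",".join(current) + ",\\")
            current = []
        current.append(tok)
    lines.append(",".join(current))
    return "hex(7):" + "\n  ".join(lines)


def netsvcs_diff(current: list[str], baseline: list[str]) -> tuple[list[str], list[str]]:
    """Return (names in current not in baseline, baseline names missing from current).

    Service names are case-insensitive, and the script in the thread carries
    'xpagentserver ' with a trailing space, so compare stripped and lower-cased.
    """
    def norm(s: str) -> str:
        return s.strip().lower()

    base = {norm(n) for n in baseline}
    cur = {norm(n) for n in current}
    unexpected = [n for n in current if norm(n) not in base]
    missing = [n for n in baseline if norm(n) not in cur]
    return unexpected, missing


# Constructed sample in the REGEDIT4 layout of the thread: AeLookupSvc, BITS, Browser.
SAMPLE_HEX7 = (
    '"netsvcs"=hex(7):41,65,4c,6f,6f,6b,75,70,53,76,63,00,42,49,54,53,00,\\\n'
    "  42,72,6f,77,73,65,72,00,00"
)
# Constructed baseline: names a clean netsvcs group is expected to hold.
BASELINE = ["AeLookupSvc", "BITS", "Browser", "Schedule"]

if __name__ == "__main__":
    names = parse_hex7(SAMPLE_HEX7)
    print("decoded:", names)
    # "qzyxsvc" is a constructed stray name, not from the thread.
    unexpected, missing = netsvcs_diff(names + ["qzyxsvc"], BASELINE)
    print("unexpected:", unexpected, "missing:", missing)
    print(encode_hex7(names))
```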


#9 kowalos123

kowalos123
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:52 PM

Posted 01 April 2012 - 06:40 AM

I did what you asked me for; these are the logs:


Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.01.01

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 8.0.7601.17514
Piotrek :: PIOTREK-PC [administrator]

Protection: Enabled

2012-04-01 10:53:17
mbam-log-2012-04-01 (10-53-17).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 364951
Time elapsed: 2 hour(s), 38 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCR\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 18
C:\TDSSKiller_Quarantine\30.03.2012_16.34.36\rtkt0000\zafs0000\tsk0002.dta (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\30.03.2012_16.34.36\rtkt0000\zafs0000\tsk0004.dta (PUP.BitMiner) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\30.03.2012_20.14.06\rtkt0000\zafs0000\tsk0002.dta (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\30.03.2012_20.49.03\rtkt0000\zafs0000\tsk0002.dta (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\30.03.2012_20.49.03\zaea0000\svc0000\tsk0000.dta (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\30.03.2012_20.49.03\zaea0001\svc0000\tsk0000.dta (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\30.03.2012_20.49.03\zaea0002\svc0000\tsk0000.dta (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\30.03.2012_21.19.11\rtkt0000\zafs0000\tsk0002.dta (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\30.03.2012_21.44.55\rtkt0000\zafs0000\tsk0002.dta (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\30.03.2012_21.44.55\zaea0000\svc0000\tsk0000.dta (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\TDSSKiller_Quarantine\30.03.2012_21.44.55\zaea0001\svc0000\tsk0000.dta (RootKit.0Access.H) -> Quarantined and deleted successfully.
D:\Programy\Robot 2010\xf-a2010.exe (Trojan.Agent) -> Quarantined and deleted successfully.
E:\Programy\RemoveWGA.exe (PUP.RemoveWGA) -> Quarantined and deleted successfully.
E:\Programy\AutoCAD 2008 PL\AutoCAD 2008 keygen.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
E:\Programy\AutoCAD.2011.PL.32bit\KeyGen-32bit.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
E:\Programy\AutoCAD.2011.PL.32bit\KeyGen-64bit.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
E:\Programy\Autodesk Robot 2010 PL\AUTODESK_KEY_2010\x64\xf-a2010.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
E:\Programy\Autodesk Robot 2010 PL\AUTODESK_KEY_2010\x86\xf-a2010.exe (Trojan.Agent) -> Quarantined and deleted successfully.

(end)



ComboFix 12-03-30.06 - Piotrek 2012-04-01 10:38:35.3.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1250.48.1033.18.2047.1363 [GMT 2:00]
Uruchomiony z: d:\moje dokumenty\Pobrane\ComboFix.exe
Użyto następujących komend :: d:\moje dokumenty\Pobrane\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Utworzono nowy punkt przywracania
.
.
((((((((((((((((((((((((( Pliki utworzone od 2012-03-01 do 2012-04-01 )))))))))))))))))))))))))))))))
.
.
2012-04-01 08:45 . 2012-04-01 08:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-31 09:04 . 2012-04-01 08:45 -------- d-----w- c:\users\Piotrek\AppData\Local\temp
2012-03-31 09:03 . 2009-07-13 23:12 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-03-30 19:20 . 2012-03-30 19:20 137416 ----a-w- c:\windows\system32\drivers\tsk6115.tmp
2012-03-30 15:22 . 2012-03-30 14:36 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-03-30 14:36 . 2012-03-30 19:45 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-27 19:31 . 2012-03-27 19:31 -------- d-----w- c:\program files\Enigma Software Group
2012-03-27 19:31 . 2012-03-27 19:49 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-03-27 19:31 . 2012-03-27 19:31 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-03-26 16:31 . 2012-03-26 16:31 -------- d-----w- c:\users\Piotrek\AppData\Local\Mozilla
2012-03-24 15:35 . 2012-03-24 15:35 -------- d-----w- c:\program files\Wolfram Research
2012-03-24 15:34 . 2012-03-24 15:34 -------- d-----w- c:\windows\Downloaded Installations
2012-03-24 15:14 . 2012-03-26 07:41 -------- d--h--w- c:\users\Piotrek\AppData\Local\MicrosoftNT
2012-03-24 15:06 . 2012-03-24 15:37 -------- d-----w- c:\users\Piotrek\AppData\Roaming\Mathematica
2012-03-24 15:06 . 2012-03-24 15:20 -------- d-----w- c:\users\Piotrek\AppData\Local\Mathematica
2012-03-24 15:06 . 2012-03-24 15:37 -------- d-----w- c:\programdata\Mathematica
2012-03-24 15:06 . 2012-03-24 15:06 -------- d-----w- c:\program files\Common Files\Wolfram Research
2012-03-24 15:06 . 2012-03-24 15:06 -------- d-----w- c:\program files\Common Files\ResearchSoft
2012-03-24 15:01 . 2010-11-07 19:17 333840 ----a-w- c:\windows\system32\mltcpip32.mlp
2012-03-24 15:01 . 2010-11-07 19:17 93712 ----a-w- c:\windows\system32\mltcp32.mlp
2012-03-24 15:01 . 2010-11-07 19:17 88080 ----a-w- c:\windows\system32\mlshm32.mlp
2012-03-24 15:01 . 2010-11-07 19:17 167952 ----a-w- c:\windows\system32\mlmodule32.dll
2012-03-24 15:01 . 2010-11-07 19:17 79376 ----a-w- c:\windows\system32\mlmap32.mlp
2012-03-24 15:01 . 2010-11-07 19:16 369680 ----a-w- c:\windows\system32\ml32i3.dll
2012-03-24 15:01 . 2010-11-07 19:16 260112 ----a-w- c:\windows\system32\ml32i2.dll
2012-03-24 15:01 . 2010-11-07 19:16 253968 ----a-w- c:\windows\system32\ml32i1.dll
2012-03-22 02:42 . 2012-02-08 06:03 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{07D59B9F-E9D7-4789-8B5C-323015FEEA43}\mpengine.dll
2012-03-08 20:54 . 2012-03-08 20:54 -------- d-----w- c:\program files\Haali
2012-03-08 20:54 . 2012-03-08 20:54 -------- d-----w- c:\program files\CoreCodec
2012-03-03 13:55 . 2012-03-03 13:55 -------- d-----w- c:\users\Piotrek\AppData\Roaming\Macrovision
2012-03-03 11:36 . 2012-03-03 11:36 -------- d-----w- c:\program files\Common Files\Java
2012-03-03 11:34 . 2012-03-03 11:34 -------- d-----w- c:\program files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-30 19:46 . 2012-01-15 00:30 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2012-03-30 18:51 . 2012-01-15 15:11 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-03-30 18:21 . 2012-01-15 15:11 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-03-26 16:27 . 2012-01-30 09:53 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-03 11:34 . 2012-01-16 17:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-23 08:18 . 2012-01-15 00:10 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-15 16:00 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2011-07-16 . 921F8B3FF01501C9934CCB3C270833D7 . 868352 . . [6.1.7601.21772] . . c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.21772_none_960c0dc1cdddb3a2\kernel32.dll
[7] 2011-07-16 . 7E99A20C758ABB5AE89C7AEEA3A9AEB2 . 868352 . . [6.1.7600.16850] . . c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.16850_none_93afb334b78b3d5c\kernel32.dll
[7] 2011-07-16 . E570CBD732848438EAC574EB3442A2A8 . 868352 . . [6.1.7601.17651] . . c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.17651_none_95971084b4b0c29f\kernel32.dll
[7] 2011-07-16 . 12DD18C6ECADEDB922E40B494D315206 . 868352 . . [6.1.7600.21010] . . c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.21010_none_946467d1d088a0a4\kernel32.dll
[-] 2010-11-20 . 3C9AB2C90201380E1034D71AD5670E01 . 868352 . . [6.1.7600.16385] . . c:\windows\System32\kernel32.dll
[7] 2010-11-20 . 5553784D774CA845380650E010BBDA2C . 857600 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.17514_none_95c54f2cb48da1b9\kernel32.dll
[7] 2009-12-08 . EB7B2309A2B16EEB73C2C13477FEF8FB . 857088 . . [6.1.7600.20591] . . c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.20591_none_940f0901d0c871a5\kernel32.dll
[7] 2009-12-08 . 0369BA73CE6D918745579B24339765E8 . 857088 . . [6.1.7600.16481] . . c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.16481_none_93903c22b7a2b5ea\kernel32.dll
[7] 2009-07-14 . 4605F7EE9805F7E1C98D6C959DD2949C . 857088 . . [6.1.7600.16385] . . c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.16385_none_93943b64b79f1e1f\kernel32.dll
.
((((((((((((((((((((((((((((( SnapShot@2012-03-31_09.05.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-15 00:07 . 2012-04-01 08:34 28060 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2012-03-31 09:19 37156 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-07-14 04:55 . 2012-03-31 09:06 37156 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2012-01-15 00:02 . 2012-03-31 09:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-01-15 00:02 . 2012-04-01 08:36 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-01-15 00:02 . 2012-03-31 09:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-01-15 00:02 . 2012-04-01 08:36 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-01-15 00:02 . 2012-03-31 08:38 9790 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-140570312-3957278227-4139224077-1001_UserData.bin
+ 2012-01-15 00:02 . 2012-03-31 09:19 9790 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-140570312-3957278227-4139224077-1001_UserData.bin
- 2012-03-31 08:55 . 2012-03-31 09:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-04-01 08:32 . 2012-04-01 08:32 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-04-01 08:32 . 2012-04-01 08:32 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-03-31 08:55 . 2012-03-31 09:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 02:05 . 2012-04-01 08:38 616008 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2012-03-31 09:01 616008 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2012-03-31 09:01 106388 c:\windows\System32\perfc009.dat
+ 2009-07-14 02:05 . 2012-04-01 08:38 106388 c:\windows\System32\perfc009.dat
- 2009-07-14 04:47 . 2012-03-31 08:54 380784 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 04:47 . 2012-03-31 22:45 380784 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"31908D594CED5854D19D92F49DDC940669DDCEEB._service_run"="c:\users\Piotrek\AppData\Local\Google\Chrome\Application\chrome.exe" [2012-03-27 1224176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-02 13789728]
"BCSSync"="d:\programy\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R0 31719790;31719790;c:\windows\system32\drivers\94476259.sys [x]
R1 ynftyerq;ynftyerq;c:\windows\system32\drivers\ynftyerq.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Kmm4xNT;Kmm4xNT; [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;d:\programy\Microsoft Office\Office14\GROOVE.EXE [2010-12-27 31124344]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-15 1343400]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-03-30 239168]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-06-10 394856]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
.
NETSVCS WYMAGA NAPRAWY - pokazano aktualnie istniejące wpisy
ADIDTSFiltService
adiloader
AeLookupSvc
AFGMp50
Appinfo
AppMgmt
AtlsAud
axsaki
backupexecdevicemediaservice
basic2
BDESVC
BITS
Browser
bthidmgr
cbidf2k
CertPropSvc
clisvc
DCFS2K
DXEC02
EapHost
ELacpi
eSettingsService
gpsvc
hkmsvc
hprfdev
IKEEXT
Intel_MIPMNMP
iphlpsvc
itmrtsvc
kpf4
LanmanServer
lexbces
lvsrvlauncher
mapserver6.3
maya70docserver
mctaskmanager
MMCSS
MREMP50
MSiSCSI
mwagent
nmsaccess
nvcap
oracleformsserver-forms60server-oraform
ProcObsrv
prodrv06
ProfSvc
ptserial
RasAuto
RasMan
RemoteAccess
roammgr
roxmediadb9
RR2Ctrl
Schedule
SCPolicySvc
SE2Cmdm
SE2Dmdfl
SE2Eobex
seclogon
SENS
SessionEnv
SharedAccess
ShellHWDetection
softfax
SrvcEPECioctl
svcwrsssdk
sysmonlog
tapeware
Themes
tosrfec
TPPWRIF
uleadburninghelper
upnp
USBDongle
usbio
usbser
usbsermpt
usbvm321
vulfnths
w200mdm
wercplsupport
Winmgmt
wuauserv
xpagentserver
AudioSrv
FastUserSwitchingCompatibility
helpsvc
Ias
Irmon
LogonHours
Nla
Ntmssvc
NWCWorkstation
PCAudit
SRService
Tapisrv
TermService
uploadmgr
WmdmPmSp
Wmi
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
.
Zawartość folderu 'Zaplanowane zadania'
.
2012-03-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-140570312-3957278227-4139224077-1001Core.job
- c:\users\Piotrek\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-26 17:37]
.
2012-04-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-140570312-3957278227-4139224077-1001UA.job
- c:\users\Piotrek\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-26 17:37]
.
.
------- Skan uzupełniający -------
.
IE: E&ksportuj do programu Microsoft Excel - d:\programy\MICROS~1\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 95.160.170.92 88.156.222.92
FF - ProfilePath - c:\users\Piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\3i2tgao4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cdrom]
"ImagePath"="system32\drivers\tskF8C1.tmp"
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,3e,8f,a6,d8,92,f3,4c,8e,22,ca,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,3e,8f,a6,d8,92,f3,4c,8e,22,ca,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Czas ukończenia: 2012-04-01 10:48:47
ComboFix-quarantined-files.txt 2012-04-01 08:48
ComboFix2.txt 2012-03-31 09:09
ComboFix3.txt 2012-03-30 16:00
.
Przed: 6 048 153 600 bytes free
Po: 6 016 778 240 bytes free
.
- - End Of File - - 86CAE1D22DAF5BE10406AA20854CEE23

#10 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:52 PM

Posted 01 April 2012 - 07:27 PM

Please do this next:

Download CKScanner from here

Important: Save it to your desktop.
  • Double-click CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above FCopy::

FCopy::
c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.21772_none_960c0dc1cdddb3a2\kernel32.dll | c:\windows\System32\kernel32.dll
Driver::
31719790
ynftyerq

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

Please include the following in your next post:
  • CKScanner log
  • ComboFix log



#11 kowalos123

kowalos123
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:52 PM

Posted 02 April 2012 - 05:08 AM

CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11.VLNARQ
----- EOF -----



ComboFix 12-03-30.06 - Piotrek 2012-04-02 11:52:16.4.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1250.48.1033.18.2047.1215 [GMT 2:00]
Uruchomiony z: d:\moje dokumenty\Pobrane\ComboFix.exe
Użyto następujących komend :: d:\moje dokumenty\Pulpit\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Utworzono nowy punkt przywracania
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\winsxs\x86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7601.21772_none_960c0dc1cdddb3a2\kernel32.dll --> c:\windows\System32\kernel32.dll
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_31719790
-------\Service_ynftyerq
.
.
((((((((((((((((((((((((( Pliki utworzone od 2012-03-02 do 2012-04-02 )))))))))))))))))))))))))))))))
.
.
2012-04-02 09:58 . 2012-04-02 09:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-01 08:52 . 2012-04-01 08:52 -------- d-----w- c:\users\Piotrek\AppData\Roaming\Malwarebytes
2012-04-01 08:52 . 2012-04-01 08:52 -------- d-----w- c:\programdata\Malwarebytes
2012-04-01 08:52 . 2012-04-01 08:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-01 08:52 . 2011-12-10 13:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-31 09:04 . 2012-04-02 10:00 -------- d-----w- c:\users\Piotrek\AppData\Local\temp
2012-03-31 09:03 . 2009-07-13 23:12 74240 ----a-w- c:\windows\system32\drivers\tdx.sys
2012-03-30 19:20 . 2012-03-30 19:20 137416 ----a-w- c:\windows\system32\drivers\tsk6115.tmp
2012-03-30 15:22 . 2012-03-30 14:36 239168 ----a-w- c:\windows\system32\drivers\dtsoftbus01.sys
2012-03-30 14:36 . 2012-03-30 19:45 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-27 19:31 . 2012-03-27 19:31 -------- d-----w- c:\program files\Enigma Software Group
2012-03-27 19:31 . 2012-03-27 19:49 -------- d-----w- c:\windows\4E0C6314A8B84026AC15084E8B63AFB5.TMP
2012-03-27 19:31 . 2012-03-27 19:31 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-03-26 16:31 . 2012-03-26 16:31 -------- d-----w- c:\users\Piotrek\AppData\Local\Mozilla
2012-03-24 15:35 . 2012-03-24 15:35 -------- d-----w- c:\program files\Wolfram Research
2012-03-24 15:34 . 2012-03-24 15:34 -------- d-----w- c:\windows\Downloaded Installations
2012-03-24 15:14 . 2012-03-26 07:41 -------- d--h--w- c:\users\Piotrek\AppData\Local\MicrosoftNT
2012-03-24 15:06 . 2012-03-24 15:37 -------- d-----w- c:\users\Piotrek\AppData\Roaming\Mathematica
2012-03-24 15:06 . 2012-03-24 15:20 -------- d-----w- c:\users\Piotrek\AppData\Local\Mathematica
2012-03-24 15:06 . 2012-03-24 15:37 -------- d-----w- c:\programdata\Mathematica
2012-03-24 15:06 . 2012-03-24 15:06 -------- d-----w- c:\program files\Common Files\Wolfram Research
2012-03-24 15:06 . 2012-03-24 15:06 -------- d-----w- c:\program files\Common Files\ResearchSoft
2012-03-24 15:01 . 2010-11-07 19:17 333840 ----a-w- c:\windows\system32\mltcpip32.mlp
2012-03-24 15:01 . 2010-11-07 19:17 93712 ----a-w- c:\windows\system32\mltcp32.mlp
2012-03-24 15:01 . 2010-11-07 19:17 88080 ----a-w- c:\windows\system32\mlshm32.mlp
2012-03-24 15:01 . 2010-11-07 19:17 167952 ----a-w- c:\windows\system32\mlmodule32.dll
2012-03-24 15:01 . 2010-11-07 19:17 79376 ----a-w- c:\windows\system32\mlmap32.mlp
2012-03-24 15:01 . 2010-11-07 19:16 369680 ----a-w- c:\windows\system32\ml32i3.dll
2012-03-24 15:01 . 2010-11-07 19:16 260112 ----a-w- c:\windows\system32\ml32i2.dll
2012-03-24 15:01 . 2010-11-07 19:16 253968 ----a-w- c:\windows\system32\ml32i1.dll
2012-03-22 02:42 . 2012-02-08 06:03 6552120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{07D59B9F-E9D7-4789-8B5C-323015FEEA43}\mpengine.dll
2012-03-08 20:54 . 2012-03-08 20:54 -------- d-----w- c:\program files\Haali
2012-03-08 20:54 . 2012-03-08 20:54 -------- d-----w- c:\program files\CoreCodec
2012-03-03 13:55 . 2012-03-03 13:55 -------- d-----w- c:\users\Piotrek\AppData\Roaming\Macrovision
2012-03-03 11:36 . 2012-03-03 11:36 -------- d-----w- c:\program files\Common Files\Java
2012-03-03 11:34 . 2012-03-03 11:34 -------- d-----w- c:\program files\Java
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-30 19:46 . 2012-01-15 00:30 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2012-03-30 18:51 . 2012-01-15 15:11 187904 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-03-30 18:21 . 2012-01-15 15:11 108544 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-03-26 16:27 . 2012-01-30 09:53 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-03 11:34 . 2012-01-16 17:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-23 08:18 . 2012-01-15 00:10 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-15 16:00 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-31_09.05.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-15 00:07 . 2012-04-02 09:44 29012 c:\windows\System32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2012-04-02 10:02 37282 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2012-01-15 00:02 . 2012-03-31 09:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-01-15 00:02 . 2012-04-02 09:46 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-01-15 00:02 . 2012-03-31 09:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-01-15 00:02 . 2012-04-02 09:46 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-01-15 00:02 . 2012-04-02 09:44 9996 c:\windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-140570312-3957278227-4139224077-1001_UserData.bin
+ 2012-04-02 09:42 . 2012-04-02 09:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-03-31 08:55 . 2012-03-31 09:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-03-31 08:55 . 2012-03-31 09:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-04-02 09:42 . 2012-04-02 09:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 02:05 . 2012-04-02 09:47 616008 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2012-03-31 09:01 616008 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2012-03-31 09:01 106388 c:\windows\System32\perfc009.dat
+ 2009-07-14 02:05 . 2012-04-02 09:47 106388 c:\windows\System32\perfc009.dat
+ 2012-01-24 23:28 . 2012-04-01 21:28 796784 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2012-01-24 23:28 . 2012-03-26 20:17 796784 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2009-07-14 04:47 . 2012-03-31 08:54 380784 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 04:47 . 2012-04-02 06:17 380784 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"31908D594CED5854D19D92F49DDC940669DDCEEB._service_run"="c:\users\Piotrek\AppData\Local\Google\Chrome\Application\chrome.exe" [2012-03-27 1224176]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-02 13789728]
"BCSSync"="d:\programy\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Kmm4xNT;Kmm4xNT; [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;d:\programy\Microsoft Office\Office14\GROOVE.EXE [2010-12-27 31124344]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-01-15 1343400]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-03-30 239168]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-10 20464]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-06-10 394856]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc
.
NETSVCS WYMAGA NAPRAWY - pokazano aktualnie istniejące wpisy
ADIDTSFiltService
adiloader
AeLookupSvc
AFGMp50
Appinfo
AppMgmt
AtlsAud
axsaki
backupexecdevicemediaservice
basic2
BDESVC
BITS
Browser
bthidmgr
cbidf2k
CertPropSvc
clisvc
DCFS2K
DXEC02
EapHost
ELacpi
eSettingsService
gpsvc
hkmsvc
hprfdev
IKEEXT
Intel_MIPMNMP
iphlpsvc
itmrtsvc
kpf4
LanmanServer
lexbces
lvsrvlauncher
mapserver6.3
maya70docserver
mctaskmanager
MMCSS
MREMP50
MSiSCSI
mwagent
nmsaccess
nvcap
oracleformsserver-forms60server-oraform
ProcObsrv
prodrv06
ProfSvc
ptserial
RasAuto
RasMan
RemoteAccess
roammgr
roxmediadb9
RR2Ctrl
Schedule
SCPolicySvc
SE2Cmdm
SE2Dmdfl
SE2Eobex
seclogon
SENS
SessionEnv
SharedAccess
ShellHWDetection
softfax
SrvcEPECioctl
svcwrsssdk
sysmonlog
tapeware
Themes
tosrfec
TPPWRIF
uleadburninghelper
upnp
USBDongle
usbio
usbser
usbsermpt
usbvm321
vulfnths
w200mdm
wercplsupport
Winmgmt
wuauserv
xpagentserver
AudioSrv
FastUserSwitchingCompatibility
helpsvc
Ias
Irmon
LogonHours
Nla
Ntmssvc
NWCWorkstation
PCAudit
SRService
Tapisrv
TermService
uploadmgr
WmdmPmSp
Wmi
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
.
.
Zawartość folderu 'Zaplanowane zadania'
.
2012-04-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-140570312-3957278227-4139224077-1001Core.job
- c:\users\Piotrek\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-26 17:37]
.
2012-04-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-140570312-3957278227-4139224077-1001UA.job
- c:\users\Piotrek\AppData\Local\Google\Update\GoogleUpdate.exe [2012-03-26 17:37]
.
.
------- Skan uzupełniający -------
.
IE: E&ksportuj do programu Microsoft Excel - d:\programy\MICROS~1\Office14\EXCEL.EXE/3000
TCP: DhcpNameServer = 95.160.170.92 88.156.222.92
FF - ProfilePath - c:\users\Piotrek\AppData\Roaming\Mozilla\Firefox\Profiles\3i2tgao4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cdrom]
"ImagePath"="system32\drivers\tskF8C1.tmp"
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,3e,8f,a6,d8,92,f3,4c,8e,22,ca,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f9,3e,8f,a6,d8,92,f3,4c,8e,22,ca,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\nvvsvc.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\taskhost.exe
.
**************************************************************************
.
Czas ukończenia: 2012-04-02 12:04:56 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2012-04-02 10:04
ComboFix2.txt 2012-04-01 08:48
ComboFix3.txt 2012-03-31 09:09
ComboFix4.txt 2012-03-30 16:00
.
Przed: 5 927 235 584 bytes free
Po: 5 950 353 408 bytes free
.
- - End Of File - - FB3A7CEBB1B44FC6A4231E2F40E8D535

#12 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:03:52 PM

Posted 02 April 2012 - 11:06 PM

How is your computer running now? Please do this next:

Go to this LINK to run an online scanner from ESET.
  • Note: For browsers other than Internet Explorer, you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double click on it to install and a new window will open.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If you are using Internet Explorer, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is the computer running now?
  • ESET log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member




#13 kowalos123

  • Topic Starter
  • Members
  • 8 posts
  • Local time:08:52 PM

Posted 03 April 2012 - 04:28 AM

The computer is working better; this is the log from ESET.


ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=02f7c7a9f94d4141bfc8778ed874b8c3
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-04-03 09:23:11
# local_time=2012-04-03 11:23:11 (+0100, Central European Daylight Time)
# country="Poland"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=5893 16776573 100 94 304487 85071083 0 0
# compatibility_mode=8192 67108863 100 0 656 656 0 0
# scanned=162074
# found=14
# cleaned=0
# scan_time=5098
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\dtsoftbus01.sys.vir a variant of Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\dtsoftbus01.sys.vir_ a variant of Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\30.03.2012_16.34.36\rtkt0000\svc0000\tsk0000.dta a variant of Win32/Rootkit.Kryptik.KI trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\30.03.2012_16.34.36\rtkt0000\zafs0000\tsk0008.dta Win32/Sirefef.ES trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\30.03.2012_16.34.36\rtkt0000\zafs0000\tsk0010.dta a variant of Win32/Sirefef.EU trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\30.03.2012_20.14.06\rtkt0000\svc0000\tsk0000.dta a variant of Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\30.03.2012_20.49.03\rtkt0000\svc0000\tsk0000.dta a variant of Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\30.03.2012_21.19.11\rtkt0000\svc0000\tsk0000.dta a variant of Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\30.03.2012_21.44.55\rtkt0000\svc0000\tsk0000.dta a variant of Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_89a197c9445dfde9\dfsc.sys a variant of Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2\tdx.sys a variant of Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
D:\Moje dokumenty\Pobrane\Hack na wiatr instrukcja ver 2.0 NEW !.rar multiple threats (unable to clean) 00000000000000000000000000000000 I
D:\Programy\PDFCreator\Toolbar\pdfforge Toolbar_setup.exe Win32/Adware.Toolbar.Dealio application (unable to clean) 00000000000000000000000000000000 I
E:\w7lxe.exe a variant of Win32/HackKMS.A application (unable to clean) 00000000000000000000000000000000 I
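
As an added example for this thread (it is not code from ESET, ComboFix, OTL or either poster), the script below parses a log in the shape posted above and sorts the hits the way the helper does in the next reply: detections inside another tool's quarantine folder (C:\Qoobox\Quarantine, C:\TDSSKiller_Quarantine) are already-neutralised copies and need no action, while hits on live files are the ones that go into an OTL :Files fix. Two things are assumptions: the quarantine folder names are the two seen in this thread, and the split between a path that may contain spaces and the threat description relies on how ESET starts a description ("a variant of ...", "multiple threats", or a "<platform>/<family>" name). The sample log inside the script is a constructed subset of the one posted.

```python
"""Parse and triage an ESET Online Scanner log like the one posted above.

Added example for the thread; not code from ESET, ComboFix or OTL.
Assumes the log layout seen in the post: a header of '# key=value' lines,
then one finding per line formatted as
    <path> <threat description> <32-hex digest> <flag>
"""
import re
from dataclasses import dataclass

# Other tools' quarantine folders; hits under them are already-neutralised
# copies, not live infections (assumption: the folder names used in the post).
QUARANTINE_PREFIXES = (
    "c:\\qoobox\\quarantine\\",
    "c:\\tdsskiller_quarantine\\",
)

HEADER_RE = re.compile(r"^#\s*(\w+)=(.*)$")

# Paths may contain spaces, so the split between path and threat is found by
# the way ESET begins a threat description. Heuristic, labelled as such.
FINDING_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<threat>(?:probably )?(?:a variant of |multiple threats|\w+/).*?)\s+"
    r"(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)$"
)


@dataclass
class Finding:
    path: str
    threat: str
    flag: str

    @property
    def quarantined(self) -> bool:
        """True when the hit sits inside another tool's quarantine folder."""
        return self.path.lower().startswith(QUARANTINE_PREFIXES)


def parse_eset_log(text: str):
    """Return (header, findings, unparsed) for one ESET log."""
    header, findings, unparsed = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2).strip()
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append(Finding(m["path"], m["threat"], m["flag"]))
        else:
            unparsed.append(line)  # never silently drop a line from a scan log
    return header, findings, unparsed


def live_hits(findings):
    """Findings that are NOT in a quarantine folder: these still need action."""
    return [f for f in findings if not f.quarantined]


def otl_files_block(findings) -> str:
    """Build the ':Files' script (same shape the helper pastes into OTL) for the live hits."""
    lines = [":Files", *[f.path for f in live_hits(findings)], ":Commands", "[EmptyTemp]"]
    return "\n".join(lines)


# Constructed subset of the log posted in the thread (header trimmed, one bad line added).
SAMPLE_LOG = r"""
# found=14
# cleaned=0
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\dtsoftbus01.sys.vir a variant of Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\30.03.2012_16.34.36\rtkt0000\zafs0000\tsk0008.dta Win32/Sirefef.ES trojan (unable to clean) 00000000000000000000000000000000 I
C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_89a197c9445dfde9\dfsc.sys a variant of Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
D:\Moje dokumenty\Pobrane\Hack na wiatr instrukcja ver 2.0 NEW !.rar multiple threats (unable to clean) 00000000000000000000000000000000 I
D:\Programy\PDFCreator\Toolbar\pdfforge Toolbar_setup.exe Win32/Adware.Toolbar.Dealio application (unable to clean) 00000000000000000000000000000000 I
this line is not in the expected format
"""

if __name__ == "__main__":
    hdr, found, bad = parse_eset_log(SAMPLE_LOG)
    print(f"found={hdr['found']} cleaned={hdr['cleaned']} parsed={len(found)} unparsed={len(bad)}")
    for f in found:
        print(("QUARANTINED " if f.quarantined else "LIVE        ") + f.path + "  <" + f.threat + ">")
    print(otl_files_block(found))
```

Lines the parser cannot match are returned in `unparsed` rather than dropped, so the installer preamble ("all ok") or a new line format shows up for review instead of vanishing; with the sample above, the three live hits the script lists are exactly the three that the helper puts into the OTL fix in the following reply.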

#14 RPMcMurphy

    Bleeping *^#@%~

  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:03:52 PM

Posted 03 April 2012 - 09:39 AM

Please do this next:

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    :Files
    C:\Windows\winsxs\x86_microsoft-windows-dfsclient_31bf3856ad364e35_6.1.7601.17514_none_89a197c9445dfde9\dfsc.sys
    C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2\tdx.sys
    D:\Moje dokumenty\Pobrane\Hack na wiatr instrukcja ver 2.0 NEW !.rar
    D:\Programy\PDFCreator\Toolbar\pdfforge Toolbar_setup.exe
    E:\w7lxe.exe 
    :Commands
    [EmptyTemp]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, it will reboot when it is done and produce a log
Please include the following in your next post:
  • OTL Fix log



#15 kowalos123

  • Topic Starter
  • Members
  • 8 posts
  • Local time:08:52 PM

Posted 03 April 2012 - 12:34 PM

I ran OTL; it deleted some files, but it hasn't produced a log.
