Google keeps redirecting to Happili


13 replies to this topic

#1 Blueoni91

Posted 09 April 2012 - 01:34 PM

A couple days ago my Google started to redirect to Happili search and some other suspicious search sites. I ran Malwarebytes but it didn't help. Also, if I try to open Google searches in a new tab it doesn't redirect, but instead it gives me a 404 error. I use Firefox as my main browser, but the problem also exists in Internet Explorer.


#2 gringo_pr (Malware Response Team)

Posted 09 April 2012 - 11:35 PM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same"; this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running; that may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




#3 Blueoni91 (Topic Starter)

Posted 11 April 2012 - 02:32 PM

ComboFix 12-04-11.03 - Andrew 1/2012 Wed 14:11:25.2.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.932.81.1033.18.16301.14622 [GMT -5:00]
Running from: c:\users\Andrew\Downloads\Programs\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
Error: Cfiles.dat
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\ntuser.dat
c:\users\Andrew\AppData\Local\TempDIR
.
.
((((((((((((((((((((((((( Files Created from 2012-03-11 to 2012-04-11 )))))))))))))))))))))))))))))))
.
.
2012-04-09 17:42 . 2009-07-14 01:14 20480 ----a-w- c:\windows\svchost.exe
2012-04-09 17:01 . 2012-04-09 17:01 -------- d-----w- c:\windows\system32\appmgmt
2012-04-07 18:34 . 2012-04-07 18:34 8767136 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-04-07 18:21 . 2012-04-07 18:21 -------- d-----w- c:\windows\SysWow64\Adobe
2012-04-07 18:16 . 2012-04-07 18:34 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-05 23:23 . 2012-04-05 23:23 -------- d-----w- c:\program files (x86)\Common Files\Enterbrain
2012-04-05 23:21 . 2012-04-05 23:21 -------- d-----w- c:\program files (x86)\Enterbrain
2012-04-05 21:07 . 2012-04-05 21:07 -------- d-----w- c:\windows\Sun
2012-03-30 23:48 . 2012-03-30 23:48 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-03-30 23:48 . 2012-03-30 23:48 44472 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
2012-03-27 19:42 . 2012-03-27 19:42 -------- d-----w- c:\program files (x86)\WinGlulxe
2012-03-26 04:37 . 2012-03-26 04:37 -------- d-----w- c:\program files (x86)\Common Files\Skype
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-07 18:34 . 2011-12-26 02:45 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0F3DC9E0-C459-4a40-BCF8-747BD9322E10}"= "c:\program files (x86)\Splashtop\Splashtop Connect IE\AddressBarSearch.dll" [2011-03-04 165776]
.
[HKEY_CLASSES_ROOT\clsid\{0f3dc9e0-c459-4a40-bcf8-747bd9322e10}]
[HKEY_CLASSES_ROOT\AddressBarSearch.SearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{4E8E0178-00EF-413d-9324-E7B3E31572E3}]
[HKEY_CLASSES_ROOT\AddressBarSearch.SearchHook]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files (x86)\Internet Download Manager\IDMan.exe" [2011-12-19 3462552]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
"Clownfish"="c:\program files (x86)\Clownfish\Clownfish.exe" [2012-01-13 1033728]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-02-29 17151624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"STCAgent"="c:\program files (x86)\Splashtop\Splashtop Connect IE\STCAgent.exe" [2011-03-04 776064]
"ZyngaGamesAgent"="c:\program files (x86)\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe" [2010-11-15 841544]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-09-30 252296]
"Mionix NAOS 5000"="c:\program files (x86)\Mionix\NAOS 5000 Laser Gaming Mouse\NAOS_Monitor.EXE" [2011-02-19 184320]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
LOLRecorder.lnk - c:\program files (x86)\LOLReplay\LOLRecorder.exe [2012-2-24 495104]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv
.
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-29 158856]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 253600]
R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 TunngleService;TunngleService;c:\program files (x86)\Tunngle\TnglCtrl.exe [2011-12-13 751464]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 AppleCharger;AppleCharger;c:\windows\system32\DRIVERS\AppleCharger.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [x]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-20 2253120]
S2 SCBackService;Splashtop Connect Service;c:\program files (x86)\Splashtop\Splashtop Connect\BackService.exe [2010-11-15 477000]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-20 381248]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-10-06 2655768]
S2 WCUService_STC_FF;Splashtop Connect Firefox Software Updater Service;c:\program files (x86)\Splashtop\Splashtop Connect Firefox Software Updater\WCUService.exe [2011-03-24 493384]
S2 WCUService_STC_IE;Splashtop Connect IE Software Updater Service;c:\program files (x86)\Splashtop\Splashtop Connect IE Software Updater\WCUService.exe [2011-03-22 497480]
S3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;c:\windows\system32\Drivers\EtronHub3.sys [x]
S3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;c:\windows\system32\Drivers\EtronXHCI.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\DRIVERS\tap0901t.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 18:34]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2011-12-19 20:46 22408 ----a-w- c:\program files (x86)\Internet Download Manager\IDMShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-06-17 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-06-17 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-06-17 416024]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-08-26 12681320]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Download all links with IDM - c:\program files (x86)\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files (x86)\Internet Download Manager\IEExt.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\ev1m4c9w.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.gamefaqs.com/
FF - user.js: extensions.incredibar_i.newTab - false
FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6R8hSZbVbi&loc=IB_TB&i=26&search=
FF - user.js: extensions.incredibar_i.id - b26584f500000000000050e549c2432c
FF - user.js: extensions.incredibar_i.hardId - b26584f500000000000050e549c2432c
FF - user.js: extensions.incredibar_i.instlDay - 15364
FF - user.js: extensions.incredibar_i.vrsn - 1.5.3.27
FF - user.js: extensions.incredibar_i.vrsni - 1.5.3.27
FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.3.270:02
FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
FF - user.js: extensions.incredibar_i.prdct - incredibar
FF - user.js: extensions.incredibar_i.aflt - orgnl
FF - user.js: extensions.incredibar_i.smplGrp - none
FF - user.js: extensions.incredibar_i.tlbrId - base
FF - user.js: extensions.incredibar_i.instlRef -
FF - user.js: extensions.incredibar_i.dfltLng -
FF - user.js: extensions.incredibar_i.excTlbr - false
FF - user.js: extensions.incredibar_i.ms_url_id -
FF - user.js: extensions.incredibar_i.upn2 - 6R8hSZbVbi
FF - user.js: extensions.incredibar_i.upn2n - 92823733769806232
FF - user.js: extensions.incredibar_i.productid - 26
FF - user.js: extensions.incredibar_i.installerproductid - 26
FF - user.js: extensions.incredibar_i.did - 10589
FF - user.js: extensions.incredibar_i.ppd -
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKU-Default-Run-dplaysvr - c:\windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2562463082-1944084115-1738294176-1000_Classes\Wow6432Node\CLSID\{3087c365-870c-4169-b11a-7394219aa6bc}]
@Denied: (Full) (Everyone)
.
[HKEY_USERS\S-1-5-21-2562463082-1944084115-1738294176-1000_Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):44,e1,b1,05,1a,7a,f4,5a,02,53,b6,89,68,82,7b,02,fc,2d,6b,da,4d,
8b,43,71,2d,b6,d2,8f,60,2b,2c,4b,d9,a4,01,e7,90,d2,2f,ec,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\\.\globalroot\systemroot\svchost.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2012-04-11 14:22:33 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-11 19:22
.
Pre-Run: 212,213,809,152 bytes free
Post-Run: 213,137,985,536 bytes free
.
- - End Of File - - A161AE25E9765BDE58AD1B66F23CE7A0



During the first run of combofix I had a blue screen. This has been occurring periodically, about once every two weeks or so, so it may be unrelated. The second run ran fine. It restarted once, and then formed the log file. During this restart, I couldn't run any programs because it said the registry key value had been selected for deletion. After a restart my programs are running fine. I am still getting redirects in both Firefox and Internet Explorer.
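
As an added triage example for this thread (my own code, not BleepingComputer's, ComboFix's or any poster's), the Python script below reads a pasted ComboFix log and pulls out the three entries in the log above that a responder looks at first: the svchost.exe created directly in c:\windows, the process running from a \\.\globalroot path, and the user.js prefs that force Firefox's search to Incredibar. The rule set (which binary names count as core, which directories count as system directories) is my assumption, not something ComboFix defines; the sample lines are copied from the log above.

```python
r"""Triage helper for a pasted ComboFix log (added example; not part of this
thread's posts and not BleepingComputer's or ComboFix's own tooling).

Three checks a malware responder makes when reading such a log:
  1. "Files Created": a file carrying a core Windows binary name (svchost.exe,
     lsass.exe, ...) that lives outside System32/SysWOW64. The real svchost.exe
     never sits directly in c:\windows.
  2. "Other Running Processes": a process path routed through \\.\globalroot,
     the device-namespace form that rootkit loaders use and normal software
     does not.
  3. "FF - user.js" entries: prefs forced on Firefox by an add-on, with any
     search URL they point at, so the browser-side cause of a search hijack
     is visible at a glance.
"""
import re
from collections import defaultdict

# Assumed rule set: names that belong only under the Windows system directories.
CORE_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "smss.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# ComboFix "Files Created" / "Find3M" line layout:
#   <created> . <modified> <size or -------> <attrs> <path>
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) +"
    r"(?P<size>\d+|-+) +(?P<attrs>\S+) +(?P<path>.+?)\s*$"
)
USERJS_LINE = re.compile(r"^FF - user\.js: (?P<pref>\S+) - ?(?P<value>.*)$")
GLOBALROOT = "\\\\.\\globalroot\\"   # the literal text  \\.\globalroot\


def misplaced_core_binary(path):
    """True when a core Windows binary name sits outside System32/SysWOW64."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    return name in CORE_BINARIES and not p.startswith(SYSTEM_DIRS)


def triage(log_text):
    """Return a list of (rule, detail) findings in the order they appear."""
    findings = []
    userjs = defaultdict(list)          # extension id -> [(pref, value), ...]
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            if misplaced_core_binary(m["path"]):
                # A created date years after the file's own mtime, as in the
                # svchost.exe entry, is what a copied file looks like.
                findings.append(("core-binary-outside-system-dir",
                                 f"{m['path']} (created {m['created']}, "
                                 f"mtime {m['modified']})"))
            continue
        if GLOBALROOT in line.lower():
            findings.append(("globalroot-process-path", line))
            continue
        m = USERJS_LINE.match(line)
        if m:
            parts = m["pref"].split(".")
            ext = parts[1] if parts[0] == "extensions" and len(parts) > 1 else m["pref"]
            userjs[ext].append((m["pref"], m["value"]))
    for ext, prefs in userjs.items():
        # ComboFix defangs http as hxxp, so that is the prefix to look for.
        urls = [v for _, v in prefs if v.startswith("hxxp")]
        findings.append(("user.js-search-override",
                         f"{ext}: {len(prefs)} forced prefs, "
                         f"search URL(s): {urls if urls else 'none'}"))
    return findings


# Lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2012-03-11 to 2012-04-11 )))))))))))))))))))))))))))))))
2012-04-09 17:42 . 2009-07-14 01:14 20480 ----a-w- c:\windows\svchost.exe
2012-04-09 17:01 . 2012-04-09 17:01 -------- d-----w- c:\windows\system32\appmgmt
2012-04-07 18:16 . 2012-04-07 18:34 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
------- Supplementary Scan -------
FF - prefs.js: browser.startup.homepage - hxxp://www.gamefaqs.com/
FF - user.js: extensions.incredibar_i.newTab - false
FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6R8hSZbVbi&loc=IB_TB&i=26&search=
FF - user.js: extensions.incredibar_i.instlRef -
------------------------ Other Running Processes ------------------------
c:\\.\globalroot\systemroot\svchost.exe
c:\program files (x86)\Intel\Intel Management Engine Components\LMS\LMS.exe
"""

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

Paste a full ComboFix log in place of SAMPLE_LOG to run the same three checks over it; the Flash, Intel and appmgmt entries above are deliberately left unflagged as benign controls.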

#4 gringo_pr (Malware Response Team)

Posted 11 April 2012 - 03:53 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#5 Blueoni91 (Topic Starter)

Posted 11 April 2012 - 04:29 PM

15:57:53.0285 1996 TDSS rootkit removing tool 2.7.28.0 Apr 10 2012 16:54:05
15:57:53.0754 1996 ============================================================
15:57:53.0754 1996 Current date / time: 2012/04/11 15:57:53.0754
15:57:53.0754 1996 SystemInfo:
15:57:53.0754 1996
15:57:53.0754 1996 OS Version: 6.1.7601 ServicePack: 1.0
15:57:53.0754 1996 Product type: Workstation
15:57:53.0754 1996 ComputerName: ANDREW-PC
15:57:53.0754 1996 UserName: Andrew
15:57:53.0754 1996 Windows directory: C:\Windows
15:57:53.0754 1996 System windows directory: C:\Windows
15:57:53.0754 1996 Running under WOW64
15:57:53.0754 1996 Processor architecture: Intel x64
15:57:53.0754 1996 Number of processors: 4
15:57:53.0754 1996 Page size: 0x1000
15:57:53.0754 1996 Boot type: Normal boot
15:57:53.0754 1996 ============================================================
15:57:54.0608 1996 Drive \Device\Harddisk0\DR0 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1F8B1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000040
15:57:54.0612 1996 \Device\Harddisk0\DR0:
15:57:54.0612 1996 MBR used
15:57:54.0613 1996 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
15:57:54.0613 1996 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x746D3800
15:57:54.0624 1996 Initialize success
15:57:54.0624 1996 ============================================================
15:58:04.0226 4044 ============================================================
15:58:04.0226 4044 Scan started
15:58:04.0226 4044 Mode: Manual;
15:58:04.0226 4044 ============================================================
15:58:05.0197 4044 1394ohci (a87d604aea360176311474c87a63bb88) C:\Windows\system32\drivers\1394ohci.sys
15:58:05.0199 4044 1394ohci - ok
15:58:05.0233 4044 ACPI (d81d9e70b8a6dd14d42d7b4efa65d5f2) C:\Windows\system32\drivers\ACPI.sys
15:58:05.0236 4044 ACPI - ok
15:58:05.0252 4044 AcpiPmi (99f8e788246d495ce3794d7e7821d2ca) C:\Windows\system32\drivers\acpipmi.sys
15:58:05.0255 4044 AcpiPmi - ok
15:58:05.0374 4044 AdobeARMservice (62b7936f9036dd6ed36e6a7efa805dc0) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
15:58:05.0375 4044 AdobeARMservice - ok
15:58:05.0443 4044 AdobeFlashPlayerUpdateSvc (0d4c486a24a711a45fd83acdf4d18506) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
15:58:05.0446 4044 AdobeFlashPlayerUpdateSvc - ok
15:58:05.0494 4044 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\drivers\adp94xx.sys
15:58:05.0499 4044 adp94xx - ok
15:58:05.0514 4044 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\drivers\adpahci.sys
15:58:05.0517 4044 adpahci - ok
15:58:05.0538 4044 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\drivers\adpu320.sys
15:58:05.0540 4044 adpu320 - ok
15:58:05.0566 4044 AeLookupSvc (4b78b431f225fd8624c5655cb1de7b61) C:\Windows\System32\aelupsvc.dll
15:58:05.0567 4044 AeLookupSvc - ok
15:58:05.0600 4044 AFD (d31dc7a16dea4a9baf179f3d6fbdb38c) C:\Windows\system32\drivers\afd.sys
15:58:05.0606 4044 AFD - ok
15:58:05.0622 4044 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\drivers\agp440.sys
15:58:05.0623 4044 agp440 - ok
15:58:05.0639 4044 ALG (3290d6946b5e30e70414990574883ddb) C:\Windows\System32\alg.exe
15:58:05.0641 4044 ALG - ok
15:58:05.0651 4044 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\drivers\aliide.sys
15:58:05.0652 4044 aliide - ok
15:58:05.0664 4044 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\drivers\amdide.sys
15:58:05.0665 4044 amdide - ok
15:58:05.0678 4044 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\drivers\amdk8.sys
15:58:05.0679 4044 AmdK8 - ok
15:58:05.0692 4044 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\drivers\amdppm.sys
15:58:05.0693 4044 AmdPPM - ok
15:58:05.0709 4044 amdsata (6ec6d772eae38dc17c14aed9b178d24b) C:\Windows\system32\drivers\amdsata.sys
15:58:05.0710 4044 amdsata - ok
15:58:05.0736 4044 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\drivers\amdsbs.sys
15:58:05.0738 4044 amdsbs - ok
15:58:05.0755 4044 amdxata (1142a21db581a84ea5597b03a26ebaa0) C:\Windows\system32\drivers\amdxata.sys
15:58:05.0756 4044 amdxata - ok
15:58:05.0773 4044 AppID (89a69c3f2f319b43379399547526d952) C:\Windows\system32\drivers\appid.sys
15:58:05.0775 4044 AppID - ok
15:58:05.0799 4044 AppIDSvc (0bc381a15355a3982216f7172f545de1) C:\Windows\System32\appidsvc.dll
15:58:05.0800 4044 AppIDSvc - ok
15:58:05.0814 4044 Appinfo (3977d4a871ca0d4f2ed1e7db46829731) C:\Windows\System32\appinfo.dll
15:58:05.0816 4044 Appinfo - ok
15:58:05.0841 4044 AppleCharger (6be11ad81d4527d299f0cb5f3731aabc) C:\Windows\system32\DRIVERS\AppleCharger.sys
15:58:05.0841 4044 AppleCharger - ok
15:58:05.0858 4044 AppleChargerSrv (95ef7247c50c7241fdae39a9b3aff4ae) C:\Windows\system32\AppleChargerSrv.exe
15:58:05.0860 4044 AppleChargerSrv - ok
15:58:05.0877 4044 AppMgmt (4aba3e75a76195a3e38ed2766c962899) C:\Windows\System32\appmgmts.dll
15:58:05.0880 4044 AppMgmt - ok
15:58:05.0896 4044 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\drivers\arc.sys
15:58:05.0898 4044 arc - ok
15:58:05.0929 4044 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\drivers\arcsas.sys
15:58:05.0932 4044 arcsas - ok
15:58:05.0955 4044 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
15:58:05.0956 4044 AsyncMac - ok
15:58:05.0962 4044 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\drivers\atapi.sys
15:58:05.0963 4044 atapi - ok
15:58:05.0983 4044 AudioEndpointBuilder (f23fef6d569fce88671949894a8becf1) C:\Windows\System32\Audiosrv.dll
15:58:05.0989 4044 AudioEndpointBuilder - ok
15:58:05.0997 4044 AudioSrv (f23fef6d569fce88671949894a8becf1) C:\Windows\System32\Audiosrv.dll
15:58:06.0001 4044 AudioSrv - ok
15:58:06.0019 4044 AxInstSV (a6bf31a71b409dfa8cac83159e1e2aff) C:\Windows\System32\AxInstSV.dll
15:58:06.0021 4044 AxInstSV - ok
15:58:06.0075 4044 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\drivers\bxvbda.sys
15:58:06.0081 4044 b06bdrv - ok
15:58:06.0129 4044 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
15:58:06.0132 4044 b57nd60a - ok
15:58:06.0153 4044 BDESVC (fde360167101b4e45a96f939f388aeb0) C:\Windows\System32\bdesvc.dll
15:58:06.0155 4044 BDESVC - ok
15:58:06.0169 4044 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
15:58:06.0171 4044 Beep - ok
15:58:06.0191 4044 BFE (82974d6a2fd19445cc5171fc378668a4) C:\Windows\System32\bfe.dll
15:58:06.0198 4044 BFE - ok
15:58:06.0233 4044 BITS (1ea7969e3271cbc59e1730697dc74682) C:\Windows\system32\qmgr.dll
15:58:06.0241 4044 BITS - ok
15:58:06.0253 4044 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
15:58:06.0254 4044 blbdrive - ok
15:58:06.0265 4044 bowser (91ce0d3dc57dd377e690a2d324022b08) C:\Windows\system32\DRIVERS\bowser.sys
15:58:06.0267 4044 bowser - ok
15:58:06.0285 4044 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\drivers\BrFiltLo.sys
15:58:06.0286 4044 BrFiltLo - ok
15:58:14.0146 4044 storvsc - ok
15:58:14.0163 4044 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\DRIVERS\swenum.sys
15:58:14.0163 4044 swenum - ok
15:58:14.0181 4044 swprv (e08e46fdd841b7184194011ca1955a0b) C:\Windows\System32\swprv.dll
15:58:14.0187 4044 swprv - ok
15:58:14.0203 4044 Synth3dVsc (c3a39c4079305480972d29c44b868c78) C:\Windows\system32\drivers\synth3dvsc.sys
15:58:14.0206 4044 Synth3dVsc - ok
15:58:14.0244 4044 SysMain (bf9ccc0bf39b418c8d0ae8b05cf95b7d) C:\Windows\system32\sysmain.dll
15:58:14.0269 4044 SysMain - ok
15:58:14.0287 4044 TabletInputService (e3c61fd7b7c2557e1f1b0b4cec713585) C:\Windows\System32\TabSvc.dll
15:58:14.0289 4044 TabletInputService - ok
15:58:14.0355 4044 tap0901t (b08740047145b9bce15bf75ca0f9718a) C:\Windows\system32\DRIVERS\tap0901t.sys
15:58:14.0357 4044 tap0901t - ok
15:58:14.0402 4044 TapiSrv (40f0849f65d13ee87b9a9ae3c1dd6823) C:\Windows\System32\tapisrv.dll
15:58:14.0408 4044 TapiSrv - ok
15:58:14.0426 4044 TBS (1be03ac720f4d302ea01d40f588162f6) C:\Windows\System32\tbssvc.dll
15:58:14.0428 4044 TBS - ok
15:58:14.0475 4044 Tcpip (509383e505c973ed7534a06b3d19688d) C:\Windows\system32\drivers\tcpip.sys
15:58:14.0518 4044 Tcpip - ok
15:58:14.0557 4044 TCPIP6 (509383e505c973ed7534a06b3d19688d) C:\Windows\system32\DRIVERS\tcpip.sys
15:58:14.0568 4044 TCPIP6 - ok
15:58:14.0586 4044 tcpipreg (df687e3d8836bfb04fcc0615bf15a519) C:\Windows\system32\drivers\tcpipreg.sys
15:58:14.0587 4044 tcpipreg - ok
15:58:14.0602 4044 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
15:58:14.0602 4044 TDPIPE - ok
15:58:14.0617 4044 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
15:58:14.0618 4044 TDTCP - ok
15:58:14.0638 4044 tdx (ddad5a7ab24d8b65f8d724f5c20fd806) C:\Windows\system32\DRIVERS\tdx.sys
15:58:14.0640 4044 tdx - ok
15:58:14.0659 4044 TermDD (561e7e1f06895d78de991e01dd0fb6e5) C:\Windows\system32\DRIVERS\termdd.sys
15:58:14.0660 4044 TermDD - ok
15:58:14.0674 4044 terminpt (2b5bdff688ec9871d7ec5837833374e9) C:\Windows\system32\drivers\terminpt.sys
15:58:14.0675 4044 terminpt - ok
15:58:14.0699 4044 TermService (2e648163254233755035b46dd7b89123) C:\Windows\System32\termsrv.dll
15:58:14.0707 4044 TermService - ok
15:58:14.0718 4044 Themes (f0344071948d1a1fa732231785a0664c) C:\Windows\system32\themeservice.dll
15:58:14.0720 4044 Themes - ok
15:58:14.0743 4044 THREADORDER (e40e80d0304a73e8d269f7141d77250b) C:\Windows\system32\mmcss.dll
15:58:14.0744 4044 THREADORDER - ok
15:58:14.0760 4044 TrkWks (7e7afd841694f6ac397e99d75cead49d) C:\Windows\System32\trkwks.dll
15:58:14.0763 4044 TrkWks - ok
15:58:14.0789 4044 TrustedInstaller (773212b2aaa24c1e31f10246b15b276c) C:\Windows\servicing\TrustedInstaller.exe
15:58:14.0792 4044 TrustedInstaller - ok
15:58:14.0803 4044 tssecsrv (ce18b2cdfc837c99e5fae9ca6cba5d30) C:\Windows\system32\DRIVERS\tssecsrv.sys
15:58:14.0805 4044 tssecsrv - ok
15:58:14.0818 4044 TsUsbFlt (d11c783e3ef9a3c52c0ebe83cc5000e9) C:\Windows\system32\drivers\tsusbflt.sys
15:58:14.0820 4044 TsUsbFlt - ok
15:58:14.0836 4044 TsUsbGD (9cc2ccae8a84820eaecb886d477cbcb8) C:\Windows\system32\drivers\TsUsbGD.sys
15:58:14.0837 4044 TsUsbGD - ok
15:58:14.0851 4044 tsusbhub (e1748d04ae40118b62bc18ac86032192) C:\Windows\system32\drivers\tsusbhub.sys
15:58:14.0853 4044 tsusbhub - ok
15:58:14.0876 4044 tunnel (3566a8daafa27af944f5d705eaa64894) C:\Windows\system32\DRIVERS\tunnel.sys
15:58:14.0879 4044 tunnel - ok
15:58:14.0962 4044 TunngleService (c114a8d9a3ec5fef60b34ec015828752) C:\Program Files (x86)\Tunngle\TnglCtrl.exe
15:58:14.0970 4044 TunngleService - ok
15:58:14.0987 4044 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\drivers\uagp35.sys
15:58:14.0989 4044 uagp35 - ok
15:58:15.0004 4044 udfs (ff4232a1a64012baa1fd97c7b67df593) C:\Windows\system32\DRIVERS\udfs.sys
15:58:15.0008 4044 udfs - ok
15:58:15.0026 4044 UI0Detect (3cbdec8d06b9968aba702eba076364a1) C:\Windows\system32\UI0Detect.exe
15:58:15.0029 4044 UI0Detect - ok
15:58:15.0049 4044 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\drivers\uliagpkx.sys
15:58:15.0050 4044 uliagpkx - ok
15:58:15.0061 4044 umbus (dc54a574663a895c8763af0fa1ff7561) C:\Windows\system32\DRIVERS\umbus.sys
15:58:15.0062 4044 umbus - ok
15:58:15.0076 4044 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\drivers\umpass.sys
15:58:15.0077 4044 UmPass - ok
15:58:15.0093 4044 UmRdpService (a293dcd756d04d8492a750d03b9a297c) C:\Windows\System32\umrdp.dll
15:58:15.0096 4044 UmRdpService - ok
15:58:15.0202 4044 UNS (eb79c6c91a99930015ef29ae7fa802d1) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
15:58:15.0253 4044 UNS - ok
15:58:15.0287 4044 upnphost (d47ec6a8e81633dd18d2436b19baf6de) C:\Windows\System32\upnphost.dll
15:58:15.0292 4044 upnphost - ok
15:58:15.0350 4044 usbaudio (82e8f44688e6fac57b5b7c6fc7adbc2a) C:\Windows\system32\drivers\usbaudio.sys
15:58:15.0352 4044 usbaudio - ok
15:58:15.0367 4044 usbccgp (481dff26b4dca8f4cbac1f7dce1d6829) C:\Windows\system32\drivers\usbccgp.sys
15:58:15.0369 4044 usbccgp - ok
15:58:15.0385 4044 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\drivers\usbcir.sys
15:58:15.0387 4044 usbcir - ok
15:58:15.0407 4044 usbehci (74ee782b1d9c241efe425565854c661c) C:\Windows\system32\DRIVERS\usbehci.sys
15:58:15.0409 4044 usbehci - ok
15:58:15.0426 4044 usbhub (dc96bd9ccb8403251bcf25047573558e) C:\Windows\system32\DRIVERS\usbhub.sys
15:58:15.0430 4044 usbhub - ok
15:58:15.0444 4044 usbohci (58e546bbaf87664fc57e0f6081e4f609) C:\Windows\system32\drivers\usbohci.sys
15:58:15.0446 4044 usbohci - ok
15:58:15.0460 4044 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\drivers\usbprint.sys
15:58:15.0461 4044 usbprint - ok
15:58:15.0472 4044 USBSTOR (d76510cfa0fc09023077f22c2f979d86) C:\Windows\system32\DRIVERS\USBSTOR.SYS
15:58:15.0474 4044 USBSTOR - ok
15:58:15.0487 4044 usbuhci (81fb2216d3a60d1284455d511797db3d) C:\Windows\system32\drivers\usbuhci.sys
15:58:15.0497 4044 usbuhci - ok
15:58:15.0510 4044 UxSms (edbb23cbcf2cdf727d64ff9b51a6070e) C:\Windows\System32\uxsms.dll
15:58:15.0512 4044 UxSms - ok
15:58:15.0527 4044 VaultSvc (0793f40b9b8a1bdd266296409dbd91ea) C:\Windows\system32\lsass.exe
15:58:15.0528 4044 VaultSvc - ok
15:58:15.0539 4044 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\drivers\vdrvroot.sys
15:58:15.0540 4044 vdrvroot - ok
15:58:15.0561 4044 vds (8d6b481601d01a456e75c3210f1830be) C:\Windows\System32\vds.exe
15:58:15.0567 4044 vds - ok
15:58:15.0573 4044 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
15:58:15.0574 4044 vga - ok
15:58:15.0592 4044 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
15:58:15.0593 4044 VgaSave - ok
15:58:15.0599 4044 VGPU - ok
15:58:15.0618 4044 vhdmp (2ce2df28c83aeaf30084e1b1eb253cbb) C:\Windows\system32\drivers\vhdmp.sys
15:58:15.0620 4044 vhdmp - ok
15:58:15.0641 4044 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\drivers\viaide.sys
15:58:15.0642 4044 viaide - ok
15:58:15.0661 4044 vmbus (86ea3e79ae350fea5331a1303054005f) C:\Windows\system32\drivers\vmbus.sys
15:58:15.0664 4044 vmbus - ok
15:58:15.0687 4044 VMBusHID (7de90b48f210d29649380545db45a187) C:\Windows\system32\drivers\VMBusHID.sys
15:58:15.0688 4044 VMBusHID - ok
15:58:15.0706 4044 volmgr (d2aafd421940f640b407aefaaebd91b0) C:\Windows\system32\drivers\volmgr.sys
15:58:15.0708 4044 volmgr - ok
15:58:15.0780 4044 volmgrx (a255814907c89be58b79ef2f189b843b) C:\Windows\system32\drivers\volmgrx.sys
15:58:15.0785 4044 volmgrx - ok
15:58:15.0803 4044 volsnap (0d08d2f3b3ff84e433346669b5e0f639) C:\Windows\system32\drivers\volsnap.sys
15:58:15.0807 4044 volsnap - ok
15:58:15.0826 4044 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\drivers\vsmraid.sys
15:58:15.0828 4044 vsmraid - ok
15:58:15.0868 4044 VSS (b60ba0bc31b0cb414593e169f6f21cc2) C:\Windows\system32\vssvc.exe
15:58:15.0894 4044 VSS - ok
15:58:15.0906 4044 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\System32\drivers\vwifibus.sys
15:58:15.0907 4044 vwifibus - ok
15:58:15.0940 4044 W32Time (1c9d80cc3849b3788048078c26486e1a) C:\Windows\system32\w32time.dll
15:58:15.0945 4044 W32Time - ok
15:58:15.0964 4044 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\drivers\wacompen.sys
15:58:15.0965 4044 WacomPen - ok
15:58:15.0994 4044 WANARP (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
15:58:15.0995 4044 WANARP - ok
15:58:15.0999 4044 Wanarpv6 (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
15:58:16.0000 4044 Wanarpv6 - ok
15:58:16.0031 4044 wbengine (78f4e7f5c56cb9716238eb57da4b6a75) C:\Windows\system32\wbengine.exe
15:58:16.0050 4044 wbengine - ok
15:58:16.0067 4044 WbioSrvc (3aa101e8edab2db4131333f4325c76a3) C:\Windows\System32\wbiosrvc.dll
15:58:16.0069 4044 WbioSrvc - ok
15:58:16.0089 4044 wcncsvc (7368a2afd46e5a4481d1de9d14848edd) C:\Windows\System32\wcncsvc.dll
15:58:16.0092 4044 wcncsvc - ok
15:58:16.0109 4044 WcsPlugInService (20f7441334b18cee52027661df4a6129) C:\Windows\System32\WcsPlugInService.dll
15:58:16.0110 4044 WcsPlugInService - ok
15:58:16.0155 4044 WCUService_STC_FF (e47e66538692b1cfd6cc8021546fcc83) C:\Program Files (x86)\Splashtop\Splashtop Connect Firefox Software Updater\WCUService.exe
15:58:16.0158 4044 WCUService_STC_FF - ok
15:58:16.0173 4044 WCUService_STC_IE (147c60622cb53e901efd8bb6d44a4c46) C:\Program Files (x86)\Splashtop\Splashtop Connect IE Software Updater\WCUService.exe
15:58:16.0175 4044 WCUService_STC_IE - ok
15:58:16.0193 4044 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\drivers\wd.sys
15:58:16.0194 4044 Wd - ok
15:58:16.0220 4044 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
15:58:16.0225 4044 Wdf01000 - ok
15:58:16.0238 4044 WdiServiceHost (bf1fc3f79b863c914687a737c2f3d681) C:\Windows\system32\wdi.dll
15:58:16.0240 4044 WdiServiceHost - ok
15:58:16.0242 4044 WdiSystemHost (bf1fc3f79b863c914687a737c2f3d681) C:\Windows\system32\wdi.dll
15:58:16.0243 4044 WdiSystemHost - ok
15:58:16.0254 4044 WebClient (3db6d04e1c64272f8b14eb8bc4616280) C:\Windows\System32\webclnt.dll
15:58:16.0257 4044 WebClient - ok
15:58:16.0275 4044 Wecsvc (c749025a679c5103e575e3b48e092c43) C:\Windows\system32\wecsvc.dll
15:58:16.0279 4044 Wecsvc - ok
15:58:16.0294 4044 wercplsupport (7e591867422dc788b9e5bd337a669a08) C:\Windows\System32\wercplsupport.dll
15:58:16.0296 4044 wercplsupport - ok
15:58:16.0315 4044 WerSvc (6d137963730144698cbd10f202e9f251) C:\Windows\System32\WerSvc.dll
15:58:16.0317 4044 WerSvc - ok
15:58:16.0340 4044 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
15:58:16.0341 4044 WfpLwf - ok
15:58:16.0354 4044 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
15:58:16.0355 4044 WIMMount - ok
15:58:16.0358 4044 WinDefend - ok
15:58:16.0362 4044 WinHttpAutoProxySvc - ok
15:58:16.0403 4044 Winmgmt (19b07e7e8915d701225da41cb3877306) C:\Windows\system32\wbem\WMIsvc.dll
15:58:16.0406 4044 Winmgmt - ok
15:58:16.0461 4044 WinRM (bcb1310604aa415c4508708975b3931e) C:\Windows\system32\WsmSvc.dll
15:58:16.0493 4044 WinRM - ok
15:58:16.0567 4044 Wlansvc (4fada86e62f18a1b2f42ba18ae24e6aa) C:\Windows\System32\wlansvc.dll
15:58:16.0578 4044 Wlansvc - ok
15:58:16.0606 4044 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\DRIVERS\wmiacpi.sys
15:58:16.0607 4044 WmiAcpi - ok
15:58:16.0631 4044 wmiApSrv (38b84c94c5a8af291adfea478ae54f93) C:\Windows\system32\wbem\WmiApSrv.exe
15:58:16.0633 4044 wmiApSrv - ok
15:58:16.0635 4044 WMPNetworkSvc - ok
15:58:16.0642 4044 WPCSvc (96c6e7100d724c69fcf9e7bf590d1dca) C:\Windows\System32\wpcsvc.dll
15:58:16.0644 4044 WPCSvc - ok
15:58:16.0655 4044 WPDBusEnum (93221146d4ebbf314c29b23cd6cc391d) C:\Windows\system32\wpdbusenum.dll
15:58:16.0658 4044 WPDBusEnum - ok
15:58:16.0668 4044 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
15:58:16.0669 4044 ws2ifsl - ok
15:58:16.0684 4044 wscsvc (e8b1fe6669397d1772d8196df0e57a9e) C:\Windows\system32\wscsvc.dll
15:58:16.0687 4044 wscsvc - ok
15:58:16.0692 4044 WSearch - ok
15:58:16.0739 4044 wuauserv (9df12edbc698b0bc353b3ef84861e430) C:\Windows\system32\wuaueng.dll
15:58:16.0773 4044 wuauserv - ok
15:58:16.0792 4044 WudfPf (d3381dc54c34d79b22cee0d65ba91b7c) C:\Windows\system32\drivers\WudfPf.sys
15:58:16.0794 4044 WudfPf - ok
15:58:16.0814 4044 wudfsvc (7a95c95b6c4cf292d689106bcae49543) C:\Windows\System32\WUDFSvc.dll
15:58:16.0816 4044 wudfsvc - ok
15:58:16.0832 4044 WwanSvc (9a3452b3c2a46c073166c5cf49fad1ae) C:\Windows\System32\wwansvc.dll
15:58:16.0835 4044 WwanSvc - ok
15:58:16.0912 4044 xnacc (4a5ce13408945e525503b5f73d29b9c5) C:\Windows\system32\DRIVERS\xnacc.sys
15:58:16.0919 4044 xnacc - ok
15:58:16.0945 4044 MBR (0x1B8) (0f84f2562620c40d8a3e1908c8075675) \Device\Harddisk0\DR0
15:58:16.0974 4044 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
15:58:16.0974 4044 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
15:58:17.0002 4044 Boot (0x1200) (ab219af4dc8ff8ecaf2a4a0ed647181e) \Device\Harddisk0\DR0\Partition0
15:58:17.0003 4044 \Device\Harddisk0\DR0\Partition0 - ok
15:58:17.0016 4044 Boot (0x1200) (78434d5ee05feb275abdccf63e6c76f5) \Device\Harddisk0\DR0\Partition1
15:58:17.0017 4044 \Device\Harddisk0\DR0\Partition1 - ok
15:58:17.0018 4044 ============================================================
15:58:17.0018 4044 Scan finished
15:58:17.0018 4044 ============================================================
15:58:17.0024 4208 Detected object count: 2
15:58:17.0024 4208 Actual detected object count: 2
15:58:30.0952 4208 sptd ( LockedFile.Multi.Generic ) - skipped by user
15:58:30.0952 4208 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
15:58:30.0967 4208 \Device\Harddisk0\DR0\# - copied to quarantine
15:58:30.0967 4208 \Device\Harddisk0\DR0 - copied to quarantine
15:58:31.0000 4208 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
15:58:31.0002 4208 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
15:58:31.0005 4208 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
15:58:31.0009 4208 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
15:58:31.0019 4208 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
15:58:31.0026 4208 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
15:58:31.0057 4208 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
15:58:31.0058 4208 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
15:58:31.0060 4208 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
15:58:31.0062 4208 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
15:58:31.0064 4208 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
15:58:31.0065 4208 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
15:58:31.0067 4208 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
15:58:31.0068 4208 \Device\Harddisk0\DR0 - ok
15:58:31.0069 4208 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
15:58:35.0137 4080 Deinitialize success

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-11 16:00:15
-----------------------------
16:00:15.441 OS Version: Windows x64 6.1.7601 Service Pack 1
16:00:15.441 Number of processors: 4 586 0x2A07
16:00:15.451 ComputerName: ANDREW-PC UserName: Andrew
16:00:16.941 Initialize success
16:01:17.031 AVAST engine defs: 12041101
16:02:20.158 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
16:02:20.158 Disk 0 Vendor: ST31000524AS JC4B Size: 953869MB BusType: 3
16:02:20.168 Disk 0 MBR read successfully
16:02:20.168 Disk 0 MBR scan
16:02:20.178 Disk 0 Windows 7 default MBR code
16:02:20.188 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
16:02:20.198 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 953767 MB offset 206848
16:02:20.218 Disk 0 scanning C:\Windows\system32\drivers
16:02:26.768 Service scanning
16:02:40.748 Modules scanning
16:02:40.748 Disk 0 trace - called modules:
16:02:40.788 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa800ca4a2c0]<<sptd.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
16:02:40.798 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800dbf1060]
16:02:40.798 3 CLASSPNP.SYS[fffff88001b7e43f] -> nt!IofCallDriver -> [0xfffffa800d896e40]
16:02:40.808 5 ACPI.sys[fffff880011ad7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800d89f060]
16:02:40.808 \Driver\atapi[0xfffffa800d886e70] -> IRP_MJ_CREATE -> 0xfffffa800ca4a2c0
16:02:45.908 AVAST engine scan C:\Windows
16:02:47.968 AVAST engine scan C:\Windows\system32
16:04:14.428 AVAST engine scan C:\Windows\system32\drivers
16:04:27.348 AVAST engine scan C:\Users\Andrew
16:21:12.485 AVAST engine scan C:\ProgramData
16:21:27.466 Scan finished successfully
16:22:08.801 Disk 0 MBR has been saved successfully to "C:\Users\Andrew\Downloads\MBR.dat"
16:22:08.803 The log file has been saved successfully to "C:\Users\Andrew\Downloads\aswMBR.txt"


After a quick test of Firefox and Internet Explorer, the redirect seems to be gone.
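As an added example (not from this thread, and not TDSSKiller's or AVAST's own code), here is a small Python triage helper for the TDSSKiller log format posted above. Long logs like the one in this thread are mostly "- ok" lines; the lines that matter are the hash line for an object, the "( Threat ) - status" verdict lines, the "- detected" summary, the "Suspicious file" notes, and the "User select action" lines from the cleanup phase. The parser folds all of those into one record per object (joining by path where a verdict names the device rather than the scanned object, as the MBR lines do) and ranks what needs attention. The embedded sample is excerpted from the log posted in this thread; the function and class names are this example's own.

```python
"""Triage helper for TDSSKiller-style scan logs (added example, not the tool's code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample excerpted from the TDSSKiller log posted in this thread (hashes and
# paths are the ones that appear there); a full log has thousands of "- ok" lines.
SAMPLE_LOG = r"""
15:58:13.0242 4044 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
15:58:13.0243 4044 Serial - ok
15:58:13.0864 4044 sptd (d519ad2de7968cd2b47fea807c5b29b2) C:\Windows\System32\Drivers\sptd.sys
15:58:13.0864 4044 Suspicious file (NoAccess): C:\Windows\System32\Drivers\sptd.sys. md5: d519ad2de7968cd2b47fea807c5b29b2
15:58:13.0876 4044 sptd ( LockedFile.Multi.Generic ) - warning
15:58:13.0876 4044 sptd - detected LockedFile.Multi.Generic (1)
15:58:16.0945 4044 MBR (0x1B8) (0f84f2562620c40d8a3e1908c8075675) \Device\Harddisk0\DR0
15:58:16.0974 4044 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
15:58:16.0974 4044 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
15:58:30.0952 4208 sptd ( LockedFile.Multi.Generic ) - skipped by user
15:58:30.0952 4208 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
15:58:31.0067 4208 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
15:58:31.0068 4208 \Device\Harddisk0\DR0 - ok
15:58:31.0069 4208 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
"""

# One regex per line shape seen in the log. Every line starts with "time threadid".
ENTRY_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<tid>\d+)\s+(?P<rest>.+)$")
HASH_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
DETECT_RE = re.compile(r"^(?P<name>.+?) - detected (?P<threat>\S+) \(\d+\)$")
VERDICT_RE = re.compile(r"^(?P<name>.+?) \( (?P<threat>[^)]+?) \) - (?P<status>.+)$")
SUSPICIOUS_RE = re.compile(r"^Suspicious file \((?P<reason>[^)]+)\): (?P<path>.+?)\. md5: (?P<md5>[0-9a-f]{32})$")
OK_RE = re.compile(r"^(?P<name>.+) - ok$")


@dataclass
class Finding:
    """Everything the log said about one scanned object (driver, service, MBR, ...)."""
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    threat: Optional[str] = None
    statuses: List[str] = field(default_factory=list)
    user_action: Optional[str] = None
    suspicious_reason: Optional[str] = None

    @property
    def severity(self) -> int:
        # 2 = confirmed infection, 1 = flagged but unconfirmed (e.g. locked file), 0 = clean.
        # A trailing "- ok" after a cure does not lower the rating; the infection still happened.
        if any(s in ("infected", "will be cured on reboot") for s in self.statuses):
            return 2
        return 1 if self.threat else 0


def parse_tdsskiller_log(text: str) -> Dict[str, Finding]:
    """Fold one log into a Finding per scanned object, keyed by the object's name."""
    findings: Dict[str, Finding] = {}
    by_path: Dict[str, Finding] = {}  # verdict lines may name the path (e.g. \Device\Harddisk0\DR0)

    def lookup(name: str) -> Finding:
        if name in findings:
            return findings[name]
        if name in by_path:
            return by_path[name]
        return findings.setdefault(name, Finding(name))

    for raw in text.splitlines():
        entry = ENTRY_RE.match(raw.strip())
        if not entry:
            continue
        rest = entry["rest"]
        if (m := HASH_RE.match(rest)):
            f = lookup(m["name"])
            f.md5, f.path = m["md5"], m["path"]
            by_path[f.path] = f
        elif (m := DETECT_RE.match(rest)):
            lookup(m["name"]).threat = m["threat"]
        elif (m := VERDICT_RE.match(rest)):
            f = lookup(m["name"])
            f.threat = m["threat"]
            status = m["status"]
            if status.startswith("User select action: "):
                f.user_action = status.split(": ", 1)[1]
            else:
                f.statuses.append(status)
        elif (m := SUSPICIOUS_RE.match(rest)):
            lookup(m["path"]).suspicious_reason = m["reason"]
        elif (m := OK_RE.match(rest)):
            lookup(m["name"]).statuses.append("ok")
    return findings


def triage(text: str) -> List[Finding]:
    """Return only the findings that need a human look, most severe first."""
    hot = [f for f in parse_tdsskiller_log(text).values() if f.severity > 0]
    return sorted(hot, key=lambda f: -f.severity)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[sev {f.severity}] {f.name} -> {f.threat} "
              f"(action: {f.user_action}, statuses: {f.statuses}, path: {f.path})")
```

Run against the sample, the MBR comes out on top as a confirmed Rootkit.Boot.Pihar.b infection with the user action "Cure", while sptd.sys is ranked one level lower: LockedFile.Multi.Generic only says TDSSKiller could not read the file, and the user chose "Skip". That second entry is still worth a look rather than an automatic dismissal, since the aswMBR trace posted above shows sptd.sys sitting in the disk I/O path with an unknown hook; sptd.sys is the SCSI pass-through driver installed by DAEMON Tools, which this machine has in its Run key, so here it is most likely legitimate, but a triage script should surface it and let the analyst decide.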

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:03 PM

Posted 11 April 2012 - 06:22 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::
KillAll::

Firefox::
FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\ev1m4c9w.default\
FF - user.js: extensions.incredibar_i.newTab - false
FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6R8hSZbVbi&loc=IB_TB&i=26&search=
FF - user.js: extensions.incredibar_i.id - b26584f500000000000050e549c2432c
FF - user.js: extensions.incredibar_i.hardId - b26584f500000000000050e549c2432c
FF - user.js: extensions.incredibar_i.instlDay - 15364
FF - user.js: extensions.incredibar_i.vrsn - 1.5.3.27
FF - user.js: extensions.incredibar_i.vrsni - 1.5.3.27
FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.3.270:02
FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
FF - user.js: extensions.incredibar_i.prdct - incredibar
FF - user.js: extensions.incredibar_i.aflt - orgnl
FF - user.js: extensions.incredibar_i.smplGrp - none
FF - user.js: extensions.incredibar_i.tlbrId - base
FF - user.js: extensions.incredibar_i.instlRef -
FF - user.js: extensions.incredibar_i.dfltLng -
FF - user.js: extensions.incredibar_i.excTlbr - false
FF - user.js: extensions.incredibar_i.ms_url_id -
FF - user.js: extensions.incredibar_i.upn2 - 6R8hSZbVbi
FF - user.js: extensions.incredibar_i.upn2n - 92823733769806232
FF - user.js: extensions.incredibar_i.productid - 26
FF - user.js: extensions.incredibar_i.installerproductid - 26
FF - user.js: extensions.incredibar_i.did - 10589
FF - user.js: extensions.incredibar_i.ppd -

RegLockDel::
[HKEY_USERS\S-1-5-21-2562463082-1944084115-1738294176-1000_Classes\Wow6432Node\CLSID\{3087c365-870c-4169-b11a-7394219aa6bc}]

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --> [donate button] <-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Blueoni91

Blueoni91
  • Topic Starter

  • Members
  • 5 posts
  • Local time:10:03 PM

Posted 11 April 2012 - 08:06 PM

ComboFix 12-04-11.03 - Andrew 1/2012 Wed 19:48:26.3.4 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.932.81.1033.18.16301.12296 [GMT -5:00]
Running from: c:\users\Andrew\Desktop\ComboFix.exe
Command switches used :: c:\users\Andrew\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
Error: Cfiles.dat
.
((((((((((((((((((((((((( Files Created from 2012-03-12 to 2012-04-12 )))))))))))))))))))))))))))))))
.
.
2012-04-12 00:51 . 2012-04-12 00:51 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-04-12 00:51 . 2012-04-12 00:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-11 21:47 . 2012-04-11 21:48 -------- d-----w- c:\users\Andrew\AppData\Local\Google
2012-04-11 20:58 . 2012-04-11 20:58 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-09 17:42 . 2009-07-14 01:14 20480 ----a-w- c:\windows\svchost.exe
2012-04-09 17:01 . 2012-04-09 17:01 -------- d-----w- c:\windows\system32\appmgmt
2012-04-07 18:34 . 2012-04-07 18:34 8767136 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-04-07 18:21 . 2012-04-07 18:21 -------- d-----w- c:\windows\SysWow64\Adobe
2012-04-07 18:16 . 2012-04-07 18:34 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-05 23:23 . 2012-04-05 23:23 -------- d-----w- c:\program files (x86)\Common Files\Enterbrain
2012-04-05 23:21 . 2012-04-05 23:21 -------- d-----w- c:\program files (x86)\Enterbrain
2012-04-05 21:07 . 2012-04-05 21:07 -------- d-----w- c:\windows\Sun
2012-03-30 23:48 . 2012-03-30 23:48 592824 ----a-w- c:\program files (x86)\Mozilla Firefox\gkmedias.dll
2012-03-30 23:48 . 2012-03-30 23:48 44472 ----a-w- c:\program files (x86)\Mozilla Firefox\mozglue.dll
2012-03-27 19:42 . 2012-03-27 19:42 -------- d-----w- c:\program files (x86)\WinGlulxe
2012-03-26 04:37 . 2012-03-26 04:37 -------- d-----w- c:\program files (x86)\Common Files\Skype
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-07 18:34 . 2011-12-26 02:45 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-11_19.18.11 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-05 18:46 . 2012-04-11 19:26 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2012-04-05 18:46 . 2012-04-11 19:10 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2012-04-11 19:32 . 2012-04-11 19:26 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012041120120412\index.dat
+ 2012-04-05 18:46 . 2012-04-11 19:26 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
- 2012-04-05 18:46 . 2012-04-09 18:47 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2010-11-21 03:09 . 2012-04-11 21:01 27960 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-04-11 21:01 32842 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2011-12-25 14:32 . 2012-04-11 19:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-12-25 14:32 . 2012-04-11 19:25 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-12-25 14:32 . 2012-04-11 19:25 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-12-25 14:32 . 2012-04-11 19:17 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-12-25 14:32 . 2012-04-11 19:25 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-12-25 14:32 . 2012-04-11 19:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-12-25 14:26 . 2012-04-12 00:01 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-12-25 14:26 . 2012-04-11 19:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-12-25 14:26 . 2012-04-11 19:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-12-25 14:26 . 2012-04-12 00:01 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-12-25 14:19 . 2012-04-11 21:01 7894 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2562463082-1944084115-1738294176-1000_UserData.bin
- 2012-04-11 19:17 . 2012-04-11 19:17 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-04-12 00:52 . 2012-04-12 00:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 04:54 . 2012-04-11 19:10 196608 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-04-11 19:26 196608 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-01-23 12:08 . 2012-04-11 21:05 666534 c:\windows\system32\perfh019.dat
- 2011-01-23 12:08 . 2012-04-11 19:15 666534 c:\windows\system32\perfh019.dat
- 2009-07-14 02:36 . 2012-04-11 19:15 606992 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-04-11 21:05 606992 c:\windows\system32\perfh009.dat
- 2011-01-23 12:08 . 2012-04-11 19:15 128694 c:\windows\system32\perfc019.dat
+ 2011-01-23 12:08 . 2012-04-11 21:05 128694 c:\windows\system32\perfc019.dat
+ 2009-07-14 02:36 . 2012-04-11 21:05 103370 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-04-11 19:15 103370 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-04-11 19:16 226736 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-04-12 00:51 226736 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 04:54 . 2012-04-11 19:26 4669440 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-04-11 19:26 1458176 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-12-26 06:23 . 2012-04-12 00:51 39752416 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2562463082-1944084115-1738294176-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0F3DC9E0-C459-4a40-BCF8-747BD9322E10}"= "c:\program files (x86)\Splashtop\Splashtop Connect IE\AddressBarSearch.dll" [2011-03-04 165776]
.
[HKEY_CLASSES_ROOT\clsid\{0f3dc9e0-c459-4a40-bcf8-747bd9322e10}]
[HKEY_CLASSES_ROOT\AddressBarSearch.SearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{4E8E0178-00EF-413d-9324-E7B3E31572E3}]
[HKEY_CLASSES_ROOT\AddressBarSearch.SearchHook]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files (x86)\Internet Download Manager\IDMan.exe" [2011-12-19 3462552]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2011-11-10 3514176]
"Clownfish"="c:\program files (x86)\Clownfish\Clownfish.exe" [2012-01-13 1033728]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-02-29 17151624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"STCAgent"="c:\program files (x86)\Splashtop\Splashtop Connect IE\STCAgent.exe" [2011-03-04 776064]
"ZyngaGamesAgent"="c:\program files (x86)\Splashtop\Splashtop Connect\ZyngaGamesAgent.exe" [2010-11-15 841544]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-09-30 252296]
"Mionix NAOS 5000"="c:\program files (x86)\Mionix\NAOS 5000 Laser Gaming Mouse\NAOS_Monitor.EXE" [2011-02-19 184320]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
LOLRecorder.lnk - c:\program files (x86)\LOLReplay\LOLRecorder.exe [2012-2-24 495104]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux3"=wdmaud.drv
.
2;2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-02-29 158856]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 253600]
R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 TunngleService;TunngleService;c:\program files (x86)\Tunngle\TnglCtrl.exe [2011-12-13 751464]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
S1 AppleCharger;AppleCharger;c:\windows\system32\DRIVERS\AppleCharger.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [x]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-20 2253120]
S2 SCBackService;Splashtop Connect Service;c:\program files (x86)\Splashtop\Splashtop Connect\BackService.exe [2010-11-15 477000]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-20 381248]
S2 WCUService_STC_FF;Splashtop Connect Firefox Software Updater Service;c:\program files (x86)\Splashtop\Splashtop Connect Firefox Software Updater\WCUService.exe [2011-03-24 493384]
S2 WCUService_STC_IE;Splashtop Connect IE Software Updater Service;c:\program files (x86)\Splashtop\Splashtop Connect IE Software Updater\WCUService.exe [2011-03-22 497480]
S3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;c:\windows\system32\Drivers\EtronHub3.sys [x]
S3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;c:\windows\system32\Drivers\EtronXHCI.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
S3 tap0901t;TAP-Win32 Adapter V9 (Tunngle);c:\windows\system32\DRIVERS\tap0901t.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-12 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 18:34]
.
2012-04-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2562463082-1944084115-1738294176-1000Core.job
- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-11 21:47]
.
2012-04-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2562463082-1944084115-1738294176-1000UA.job
- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-11 21:47]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2011-12-19 20:46 22408 ----a-w- c:\program files (x86)\Internet Download Manager\IDMShellExt64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-06-17 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-06-17 392472]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-06-17 416024]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-08-26 12681320]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Download all links with IDM - c:\program files (x86)\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files (x86)\Internet Download Manager\IEExt.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\ev1m4c9w.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.gamefaqs.com/
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2562463082-1944084115-1738294176-1000_Classes\Wow6432Node\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):44,e1,b1,05,1a,7a,f4,5a,02,53,b6,89,68,82,7b,02,fc,2d,6b,da,4d,
8b,43,71,2d,b6,d2,8f,60,2b,2c,4b,d9,a4,01,e7,90,d2,2f,ec,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_228_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_228.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2012-04-11 19:55:46 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-12 00:55
ComboFix2.txt 2012-04-11 19:22
.
Pre-Run: 212,295,733,248 bytes free
Post-Run: 212,348,043,264 bytes free
.
- - End Of File - - A3DD4C73E958DB666BEAB591C0C70CD1

Still no redirects, and everything seems to be running smoothly.
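The ComboFix listing above is raw tool output, and the parts an analyst reads first when chasing a redirect hijacker are the Run-key values, Startup-folder shortcuts, services/drivers and scheduled-task targets. The following Python helper is an added example (not ComboFix's, BleepingComputer's or the helper's code) that parses those four line shapes and flags the entries worth a second look: images ComboFix could not stamp (printed as `[x]`), programs starting from a user-writable per-user path, and boot/system-start drivers. The sample input is constructed from lines copied out of the log above; the "user-writable" path list and the flagging rules are this example's own assumptions, not ComboFix's.

```python
"""Triage helper for ComboFix-style autorun, service and task lines.
Added example; not ComboFix's own code.

Recognised line shapes (all appear in the log above):
  "Name"="c:\\path\\prog.exe" [2011-12-19 3462552]      Run-key value
  Name.lnk - c:\\path\\prog.exe [2012-2-24 495104]      Startup-folder shortcut
  R3 svc;Display name;c:\\path\\drv.sys [x]             service / driver
  - c:\\path\\prog.exe [2012-04-07 18:34]               scheduled-task target
ComboFix prints [x] where it could not stamp the image file; the R/S prefix on a
service is running/stopped and the digit is the Windows start type
(0 boot, 1 system, 2 auto, 3 demand, 4 disabled).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: lines copied from the ComboFix log above.
SAMPLE_LOG = r'''
"IDMan"="c:\program files (x86)\Internet Download Manager\IDMan.exe" [2011-12-19 3462552]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2012-02-29 17151624]
LOLRecorder.lnk - c:\program files (x86)\LOLReplay\LOLRecorder.exe [2012-2-24 495104]
R3 AppleChargerSrv;AppleChargerSrv;c:\windows\system32\AppleChargerSrv.exe [x]
R3 TunngleService;TunngleService;c:\program files (x86)\Tunngle\TnglCtrl.exe [2011-12-13 751464]
S0 sptd;sptd;c:\windows\\SystemRoot\System32\Drivers\sptd.sys [x]
- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-11 21:47]
'''

RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<stamp>[^\]]*)\]$')
STARTUP_RE = re.compile(r'^(?P<name>\S+\.lnk)\s+-\s+(?P<path>.+?)\s*\[(?P<stamp>[^\]]*)\]$')
SVC_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s*\[(?P<stamp>[^\]]*)\]$')
TASK_RE = re.compile(r'^-\s+(?P<path>.+?)\s*\[(?P<stamp>[^\]]*)\]$')

# Assumption of this example: per-user locations any process running as that
# user can write to, so persistence there needs no elevation.
USER_WRITABLE = re.compile(r'^c:\\users\\[^\\]+\\(appdata|local settings|temp)\\', re.IGNORECASE)


@dataclass
class Entry:
    kind: str        # run | startup | service | task
    name: str
    path: str
    stamp: str       # contents of the trailing [...]; "x" = ComboFix could not stamp the file
    start: str = ""  # R0..S4 for services, empty otherwise


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a recognised ComboFix line, None for anything else."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        return Entry("run", m.group("name"), m.group("path"), m.group("stamp"))
    m = STARTUP_RE.match(line)
    if m:
        return Entry("startup", m.group("name"), m.group("path"), m.group("stamp"))
    m = SVC_RE.match(line)
    if m:
        return Entry("service", m.group("name"), m.group("path"), m.group("stamp"), m.group("start"))
    m = TASK_RE.match(line)
    if m:
        path = m.group("path")
        return Entry("task", path.rsplit("\\", 1)[-1], path, m.group("stamp"))
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def flag(entry: Entry) -> List[str]:
    """Reasons an analyst should look at this entry (empty list = nothing unusual)."""
    reasons: List[str] = []
    if entry.stamp.strip().lower() == "x":
        reasons.append("image not stamped ([x]): file missing, hidden or unreadable")
    if USER_WRITABLE.match(entry.path):
        reasons.append("starts from a user-writable per-user path")
    if entry.kind == "service" and entry.start[1] in "01":
        reasons.append("boot/system-start driver: loads before user-mode security tools")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map image path -> reasons for every flagged entry in a ComboFix log excerpt."""
    out: Dict[str, List[str]] = {}
    for entry in parse_log(text):
        reasons = flag(entry)
        if reasons:
            out[entry.path] = reasons
    return out


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

On the sample, the two `[x]` drivers and the GoogleUpdate task under the user's AppData are reported; the Run-key, Startup and TunngleService lines pass. A flag is a prompt to check the file, its signer and its publisher, not a verdict: legitimate updaters live under AppData too, as GoogleUpdate.exe here shows.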

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:03 PM

Posted 11 April 2012 - 09:11 PM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in add/remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using add/remove, or you can use the free uninstaller from Revo (Revo does a lot better of a job).

Programs to remove

µTorrent


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.



Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

Edited by gringo_pr, 11 April 2012 - 09:11 PM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 gringo_pr


Posted 13 April 2012 - 11:56 PM

Hello


Just checking in on you as it has been a couple of days since I have heard from you.

Are you having any troubles or just need more time?




Gringo

#10 Blueoni91

Blueoni91
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:10:03 PM

Posted 15 April 2012 - 09:16 PM

Sorry, I've just been busy with school and work lately. I do plan on following the directions, I have just not had the free time.

#11 gringo_pr


Posted 15 April 2012 - 09:34 PM

no problem - I will check on you in a couple of days if I have not heard from you



gringo

#12 gringo_pr


Posted 17 April 2012 - 11:34 PM

Hello


Just checking in on you as it has been a couple of days since I have heard from you.

Are you having any troubles or just need more time?




Gringo

#13 gringo_pr


Posted 21 April 2012 - 07:23 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#14 gringo_pr


Posted 23 April 2012 - 11:23 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.



