Infected with Redirect Trojan, or two, or three...


This topic is locked
20 replies to this topic

#1 NataleAnne

  • Members
  • 10 posts
  • Gender: Female
  • Location: Upstate New York

Posted 12 April 2012 - 01:04 AM

Good evening! I recently discovered that my laptop is infected with a redirect trojan. It may even be infected with several trojans, I don't know at this point. I've restored this laptop to factory settings 3 times and I've used several different anti-virus/malware/spyware etc. services, and they either didn't find the virus, found it and couldn't get rid of it, or found it and claimed to get rid of it but really didn't. Right now, there is nothing on my computer that isn't per factory settings except for DDS. No matter what I do, I still have this redirect virus. I'm getting fairly frustrated, and I saw how helpful this forum is. I hope someone could help me. If not, that's totally okay too. I'm grateful that you're reading this to begin with, so thank you!
I looked at the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help" topic. I installed DDS and did what was asked. I'm running 64bit Windows 7 on an Acer laptop, so I did not follow the GMER step as it said 32bit Windows only. Below is the log from notepad as per instructions. McAfee is installed automatically; if I need to uninstall it, please let me know and I'll do so. Thank you for your time!


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Natale at 1:56:49 on 2012-04-12
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3558.2442 [GMT -4:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
-netsvcs
C:\Windows\system32\conhost.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files (x86)\Launch Manager\dsiwmis.exe
C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
C:\Program Files (x86)\Launch Manager\LMutilps32.exe
C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
C:\Program Files\Acer\Acer Updater\UpdaterService.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Windows\system32\mfevtps.exe
C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Acer\clear.fi\MVP\clear.fiAgent.exe
C:\Program Files (x86)\Acer\clear.fi\MVP\.\Kernel\DMR\DMREngine.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\system32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe
C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe
C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe
C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe
C:\Program Files\Acer\Acer ePower Management\ePowerEvent.exe
C:\Dolby PCEE4\pcee4.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe
C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe
C:\Program Files (x86)\Launch Manager\LMworker.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files (x86)\Microsoft\BingBar\BingBar.exe
C:\Program Files (x86)\Microsoft\BingBar\BingApp.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10u_ActiveX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://acer.msn.com
uDefault_Page_URL = hxxp://acer.msn.com
mDefault_Page_URL = hxxp://acer.msn.com
mStart Page = hxxp://acer.msn.com
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20110727004640.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
mRun: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun: [BackupManagerTray] "C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe" -h -k
mRun: [SuiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe"
mRun: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe"
mRun: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [Dolby Advanced Audio v2] "C:\Dolby PCEE4\pcee4.exe" -autostart
mRun: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun: [ArcadeMovieService] "C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe"
dRunOnce: [IsMyWinLockerReboot] msiexec.exe /qn /x{voidguid}
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{3C835C3D-CC13-491F-9568-006D5CEF79BA} : DhcpNameServer = 192.168.1.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~2\McAfee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20110727004640.dll
BHO-X64: scriptproxy - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\progra~2\mcafee\sitead~1\mcieplg.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
mRun-x64: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
mRun-x64: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun-x64: [BackupManagerTray] "C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe" -h -k
mRun-x64: [SuiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe"
mRun-x64: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe"
mRun-x64: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [Dolby Advanced Audio v2] "C:\Dolby PCEE4\pcee4.exe" -autostart
mRun-x64: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
mRun-x64: [ArcadeMovieService] "C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe"
.
============= SERVICES / DRIVERS ===============
.
R0 amd_sata;amd_sata;C:\Windows\system32\DRIVERS\amd_sata.sys --> C:\Windows\system32\DRIVERS\amd_sata.sys [?]
R0 amd_xata;amd_xata;C:\Windows\system32\DRIVERS\amd_xata.sys --> C:\Windows\system32\DRIVERS\amd_xata.sys [?]
R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\system32\drivers\mfehidk.sys --> C:\Windows\system32\drivers\mfehidk.sys [?]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\system32\drivers\mfewfpk.sys --> C:\Windows\system32\drivers\mfewfpk.sys [?]
R1 mfenlfk;McAfee NDIS Light Filter;C:\Windows\system32\DRIVERS\mfenlfk.sys --> C:\Windows\system32\DRIVERS\mfenlfk.sys [?]
R1 mwlPSDFilter;mwlPSDFilter;C:\Windows\system32\DRIVERS\mwlPSDFilter.sys --> C:\Windows\system32\DRIVERS\mwlPSDFilter.sys [?]
R1 mwlPSDNServ;mwlPSDNServ;C:\Windows\system32\DRIVERS\mwlPSDNServ.sys --> C:\Windows\system32\DRIVERS\mwlPSDNServ.sys [?]
R1 mwlPSDVDisk;mwlPSDVDisk;C:\Windows\system32\DRIVERS\mwlPSDVDisk.sys --> C:\Windows\system32\DRIVERS\mwlPSDVDisk.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-5-12 249648]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
R2 DsiWMIService;Dritek WMI Service;C:\Program Files (x86)\Launch Manager\dsiwmis.exe [2012-4-12 352336]
R2 ePowerSvc;Acer ePower Service;C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe [2012-4-12 872552]
R2 GREGService;GREGService;C:\Program Files (x86)\Acer\Registration\GREGsvc.exe [2011-1-17 39528]
R2 Live Updater Service;Live Updater Service;C:\Program Files\Acer\Acer Updater\UpdaterService.exe [2011-7-27 244624]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-1-27 249936]
R2 McMPFSvc;McAfee Personal Firewall Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-1-27 249936]
R2 McNaiAnn;McAfee VirusScan Announcer;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-1-27 249936]
R2 McOobeSv;McAfee OOBE Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-1-27 249936]
R2 McProxy;McAfee Proxy Service;C:\Program Files\Common Files\mcafee\mcsvchost\McSvHost.exe [2011-1-27 249936]
R2 McShield;McAfee McShield;C:\Program Files\Common Files\mcafee\systemcore\mcshield.exe [2011-7-27 197960]
R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\mcafee\systemcore\mfefire.exe [2011-7-27 208272]
R2 mfevtp;McAfee Validation Trust Protection Service;"C:\Windows\system32\mfevtps.exe" --> C:\Windows\system32\mfevtps.exe [?]
R2 NOBU;Norton Online Backup;C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2010-6-1 2804568]
R2 NTI IScheduleSvc;NTI IScheduleSvc;C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [2011-4-23 256832]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;C:\Windows\system32\drivers\AtihdW76.sys --> C:\Windows\system32\drivers\AtihdW76.sys [?]
R3 b57xdbd;Broadcom xD Picture Bus Driver Service;C:\Windows\system32\DRIVERS\b57xdbd.sys --> C:\Windows\system32\DRIVERS\b57xdbd.sys [?]
R3 b57xdmp;Broadcom xD Picture vstorp client drv;C:\Windows\system32\DRIVERS\b57xdmp.sys --> C:\Windows\system32\DRIVERS\b57xdmp.sys [?]
R3 bScsiMSa;bScsiMSa;C:\Windows\system32\DRIVERS\bScsiMSa.sys --> C:\Windows\system32\DRIVERS\bScsiMSa.sys [?]
R3 bScsiSDa;bScsiSDa;C:\Windows\system32\DRIVERS\bScsiSDa.sys --> C:\Windows\system32\DRIVERS\bScsiSDa.sys [?]
R3 cfwids;McAfee Inc. cfwids;C:\Windows\system32\drivers\cfwids.sys --> C:\Windows\system32\drivers\cfwids.sys [?]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\system32\drivers\mfeavfk.sys --> C:\Windows\system32\drivers\mfeavfk.sys [?]
R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\system32\drivers\mfefirek.sys --> C:\Windows\system32\drivers\mfefirek.sys [?]
R3 usbfilter;AMD USB Filter Driver;C:\Windows\system32\DRIVERS\usbfilter.sys --> C:\Windows\system32\DRIVERS\usbfilter.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-6-7 191752]
S3 EgisTec Ticket Service;EgisTec Ticket Service;C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe [2011-4-2 173424]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 McAWFwk;McAfee Activation Service;C:\PROGRA~1\mcafee\msc\mcawfwk.exe [2011-7-27 224704]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\system32\drivers\mferkdet.sys --> C:\Windows\system32\drivers\mferkdet.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
.
=============== Created Last 30 ================
.
2012-04-12 08:11:38 -------- d-----w- C:\Windows\NAPP_Dism_Log
2012-04-12 08:08:57 995328 ----a-w- C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
2012-04-12 08:04:39 281168 ----a-w- C:\Windows\UNINSTLMv4.EXE
2012-04-12 08:02:54 79488 ----a-w- C:\Windows\System32\drivers\amd_sata.sys
2012-04-12 08:01:34 518184 ----a-w- C:\Windows\WGRegOfPEX64.exe
2012-04-12 08:01:34 494632 ----a-w- C:\Windows\WisMvImg.exe
2012-04-12 08:01:20 434728 ----a-w- C:\Windows\WisGAPasx64.exe
2012-04-12 08:01:20 342560 ----a-w- C:\Windows\ParseModule_X64.exe
2012-04-12 08:01:19 433952 ----a-w- C:\Windows\CAPSULE.DLL
2012-04-12 08:01:19 357416 ----a-w- C:\Windows\WisGAPas.exe
2012-04-12 08:01:19 231968 ----a-w- C:\Windows\ParseModule_X86.exe
2012-04-12 07:49:07 -------- d-----w- C:\ProgramData\clear.fi
2012-04-12 07:47:57 33000960 ----a-w- C:\ProgramData\Microsoft\OEMOffice14\OStarter\en-us\click2run64.msi
2012-04-12 07:47:57 26051072 ----a-w- C:\ProgramData\Microsoft\OEMOffice14\OStarter\en-us\click2run.msi
2012-04-12 07:47:57 2376704 ----a-w- C:\ProgramData\Microsoft\OEMOffice14\OOBE\oobe.msi
2012-04-12 07:47:57 101888 ----a-w- C:\ProgramData\Microsoft\OEMOffice14\OOBE\oobe-x-none.msp
2012-04-12 07:47:25 -------- d--h--w- C:\BOOK
2012-04-12 07:46:55 -------- d-----w- C:\Windows\OEMTemp
2012-04-12 07:45:27 -------- d-----w- C:\ProgramData\CLSK
2012-04-12 07:41:02 -------- d-----w- C:\Program Files (x86)\Microsoft
2012-04-12 07:40:54 -------- d-----r- C:\Program Files (x86)\Skype
2012-04-12 07:39:05 0 ----a-w- C:\Windows\ativpsrm.bin
2012-04-12 07:31:11 -------- d-----w- C:\Program Files (x86)\Launch Manager
2012-04-12 07:30:28 -------- d-----w- C:\Program Files\Synaptics
2012-04-12 07:27:07 64000 ------w- C:\Windows\SysWow64\agrsmdel.exe
2012-04-12 07:27:07 27648 ------w- C:\Windows\SysWow64\agrsco64.dll
2012-04-12 07:27:05 -------- d-----w- C:\Windows\Options
2012-04-12 07:25:59 1698408 ----a-w- C:\Windows\RtlExUpd.dll
2012-04-12 07:24:49 47232 ----a-w- C:\Windows\System32\drivers\usbfilter.sys
2012-04-12 07:24:20 -------- d-----w- C:\Program Files\ATI
2012-04-12 07:24:18 -------- d-----w- C:\Program Files (x86)\ATI Technologies
2012-04-12 07:20:15 288768 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2012-04-12 07:20:02 3137536 ----a-w- C:\Windows\System32\win32k.sys
2012-04-12 07:18:16 4096 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-localization-l1-1-0.dll
2012-04-12 07:16:21 20480 ----a-w- C:\Windows\svchost.exe
2012-04-12 05:13:07 -------- d-----w- C:\Users\Natale\AppData\Local\Diagnostics
2012-04-12 05:12:04 -------- d-----w- C:\Program Files (x86)\OEM
2012-04-12 05:11:55 -------- d-----w- C:\ProgramData\OEM_E471269A730D
2012-04-12 05:11:43 -------- d-----w- C:\Program Files (x86)\Times Reader
2012-04-12 05:10:41 -------- d-----w- C:\Users\Natale\AppData\Local\Adobe
2012-04-12 05:10:21 -------- d-----w- C:\Users\Natale\AppData\Local\EgisTec IPS
2012-04-12 05:10:20 -------- d-----w- C:\Users\Natale\AppData\Roaming\Screensaver
2012-04-12 05:10:09 -------- d-----w- C:\Users\Natale\AppData\Roaming\Barnes & Noble
2012-04-12 05:10:05 -------- d-----w- C:\Program Files (x86)\Barnes & Noble
2012-04-12 05:09:57 -------- d-----w- C:\Program Files\Preload
2012-04-12 05:08:45 -------- d-----w- C:\Users\Natale\AppData\Local\Acer
2012-04-12 05:08:34 -------- d-----w- C:\Program Files (x86)\AMD
.
==================== Find3M ====================
.
2012-04-12 08:10:05 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-04-12 08:10:05 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-04-12 08:10:05 2303488 ----a-w- C:\Windows\System32\jscript9.dll
2012-04-12 08:10:05 1797632 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-04-12 08:02:03 951680 ----a-w- C:\Windows\System32\drivers\ndis.sys
.
============= FINISH: 1:58:13.18 ===============
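The DDS log above lists a 20480-byte C:\Windows\svchost.exe created at 07:16:21, one directory above where the real svchost.exe lives; that is the kind of entry a helper scans these logs for. The following is an added triage script, not part of the thread and not code from DDS or ComboFix: it parses DDS "Created Last 30" / Find3M lines and "Running Processes" lines and flags core Windows binary names that appear outside their expected directories. The sample lines are excerpted from the log above; the allow-list of expected directories is this script's own assumption, not something DDS reports.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Assumed allow-list: core Windows binaries and the only directories they
# legitimately live in. A file that borrows one of these names but sits
# elsewhere (e.g. C:\Windows\svchost.exe) deserves a closer look.
EXPECTED_DIRS = {
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe":    {r"c:\windows\system32"},
    "wininit.exe":  {r"c:\windows\system32"},
    "csrss.exe":    {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "conhost.exe":  {r"c:\windows\system32"},
}

# DDS "Created Last 30" / Find3M line layout:
#   2012-04-12 07:16:21 20480 ----a-w- C:\Windows\svchost.exe
# Directories carry "--------" in the size column and "d" as first attribute.
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+"
    r"(?P<attr>[-a-z]{8})\s+"
    r"(?P<path>.+?)\s*$"
)

# Constructed sample: lines excerpted from the DDS log in this thread.
SAMPLE = r"""
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Explorer.EXE
C:\Windows\SysWOW64\rundll32.exe
2012-04-12 08:11:38 -------- d-----w- C:\Windows\NAPP_Dism_Log
2012-04-12 07:20:02 3137536 ----a-w- C:\Windows\System32\win32k.sys
2012-04-12 07:16:21 20480 ----a-w- C:\Windows\svchost.exe
"""


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str
    size: Optional[int]


def check_path(path: str, size: Optional[int] = None) -> Optional[Finding]:
    """Return a Finding when the file name is a core system binary but the
    directory is not one where that binary belongs; None otherwise."""
    p = PureWindowsPath(path)
    allowed = EXPECTED_DIRS.get(p.name.lower())
    if allowed is None or str(p.parent).lower() in allowed:
        return None
    return Finding(path, f"{p.name.lower()} outside its expected directory", size)


def parse_created_line(line: str):
    """Split a DDS created/Find3M line into (timestamp, size, attrs, path)."""
    m = CREATED_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return m["ts"], size, m["attr"], m["path"]


def scan_dds_log(text: str) -> list:
    """Walk a DDS log and collect misplaced system-binary entries from both
    the file-creation sections and the Running Processes section."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        parsed = parse_created_line(line)
        if parsed:
            _, size, attr, path = parsed
            if attr.startswith("d"):      # directories cannot be a borrowed-name binary
                continue
            finding = check_path(path, size)
        elif line.lower().startswith("c:\\"):
            # Running Processes lines are bare paths; svchost lines carry "-k <group>".
            finding = check_path(line.split(" -k ")[0].strip())
        else:
            finding = None
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_dds_log(SAMPLE):
        print(f"{f.path}  ({f.size} bytes): {f.reason}")
```

A hit only means the path merits review; this script reads the log text and does not touch the files themselves.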



#2 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 12 April 2012 - 02:12 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 NataleAnne (Topic Starter)

  • Members
  • 10 posts
  • Gender: Female
  • Location: Upstate New York

Posted 12 April 2012 - 02:54 AM

Thank you so much for getting back to me, Gringo :)
When I ran Combofix, I received the following error that you mentioned in your post: "Illegal operation attempted on a registry key that has been marked for deletion." So I saved the log to my desktop and restarted the computer.
To see if the computer was helped at all (which I suspect it wasn't supposed to be if I got that message), I googled the word "hello" and clicked on the second search result, the Wikipedia page for hello. As expected, I was redirected to the Happili* Page with this text underneath the sponsored ads: "Warning: mysql_connect() [function.mysql-connect]: Too many connections in /home/happili.com/php/comm_includes/mysql.php on line 5"
Below is a copy of the log from Combofix.
EDIT: Also, I uninstalled McAfee but did not restart, and then I ran Combofix to ensure that it wouldn't interfere.

ComboFix 12-04-12.01 - Natale 04/12/2012 3:30.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3558.2493 [GMT -4:00]
Running from: c:\users\Natale\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\svchost.exe
c:\windows\Temp\log.txt
.
.
((((((((((((((((((((((((( Files Created from 2012-03-12 to 2012-04-12 )))))))))))))))))))))))))))))))
.
.
2012-04-12 08:11 . 2012-04-12 08:11 -------- d-----w- c:\windows\NAPP_Dism_Log
2012-04-12 08:08 . 2012-04-12 08:08 995328 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2012-04-12 08:04 . 2010-12-02 03:08 281168 ----a-w- c:\windows\UNINSTLMv4.EXE
2012-04-12 08:02 . 2011-05-26 09:08 58880 ----a-w- c:\windows\system32\coinst.dll
2012-04-12 08:01 . 2011-05-10 07:36 494632 ----a-w- c:\windows\WisMvImg.exe
2012-04-12 08:01 . 2011-05-03 11:25 518184 ----a-w- c:\windows\WGRegOfPEX64.exe
2012-04-12 08:01 . 2011-07-23 22:12 434728 ----a-w- c:\windows\WisGAPasx64.exe
2012-04-12 08:01 . 2009-10-27 18:46 342560 ----a-w- c:\windows\ParseModule_X64.exe
2012-04-12 08:01 . 2011-07-23 22:12 357416 ----a-w- c:\windows\WisGAPas.exe
2012-04-12 08:01 . 2009-10-27 18:46 231968 ----a-w- c:\windows\ParseModule_X86.exe
2012-04-12 08:01 . 2009-10-20 14:50 433952 ----a-w- c:\windows\CAPSULE.DLL
2012-04-12 07:49 . 2012-04-12 07:53 -------- d-----w- c:\programdata\clear.fi
2012-04-12 07:47 . 2010-10-09 06:31 101888 ----a-w- c:\programdata\Microsoft\OEMOffice14\OOBE\oobe-x-none.msp
2012-04-12 07:47 . 2010-06-23 10:42 2376704 ----a-w- c:\programdata\Microsoft\OEMOffice14\OOBE\oobe.msi
2012-04-12 07:47 . 2010-03-30 18:18 33000960 ----a-w- c:\programdata\Microsoft\OEMOffice14\OStarter\en-us\click2run64.msi
2012-04-12 07:47 . 2010-03-30 18:14 26051072 ----a-w- c:\programdata\Microsoft\OEMOffice14\OStarter\en-us\click2run.msi
2012-04-12 07:47 . 2012-04-12 07:47 -------- d-----w- C:\BOOK
2012-04-12 07:46 . 2012-04-12 07:47 -------- d-----w- c:\windows\OEMTemp
2012-04-12 07:45 . 2012-04-12 07:46 -------- d-----w- c:\programdata\CLSK
2012-04-12 07:44 . 2012-04-12 07:44 -------- d-----w- c:\program files (x86)\Cyberlink
2012-04-12 07:43 . 2012-04-12 07:46 -------- d-----w- c:\programdata\CyberLink
2012-04-12 07:41 . 2012-04-12 07:41 -------- d-----w- c:\program files (x86)\Microsoft
2012-04-12 07:40 . 2012-04-12 07:40 -------- d-----r- c:\program files (x86)\Skype
2012-04-12 07:40 . 2012-04-12 07:40 -------- d-----w- c:\programdata\Skype
2012-04-12 07:39 . 2012-04-12 07:39 0 ----a-w- c:\windows\ativpsrm.bin
2012-04-12 07:27 . 2009-12-03 23:28 27648 ------w- c:\windows\SysWow64\agrsco64.dll
2012-04-12 07:27 . 2009-12-03 23:28 64000 ------w- c:\windows\SysWow64\agrsmdel.exe
2012-04-12 07:27 . 2012-04-12 07:27 -------- d-----w- c:\windows\Options
2012-04-12 07:25 . 2011-08-24 21:14 1698408 ----a-w- c:\windows\RtlExUpd.dll
2012-04-12 07:25 . 2012-04-12 07:25 -------- d-----w- c:\program files (x86)\Common Files\InstallShield
2012-04-12 07:25 . 2012-04-12 07:25 -------- d-----w- c:\program files (x86)\AMD APP
2012-04-12 07:25 . 2012-04-12 07:25 -------- d-----w- c:\program files\Common Files\ATI Technologies
2012-04-12 07:25 . 2012-04-12 07:25 -------- d-----w- c:\program files (x86)\Common Files\ATI Technologies
2012-04-12 07:24 . 2012-04-12 07:24 -------- dc----w- c:\windows\system32\DRVSTORE
2012-04-12 07:24 . 2010-12-16 07:06 47232 ----a-w- c:\windows\system32\drivers\usbfilter.sys
2012-04-12 07:24 . 2012-04-12 07:24 -------- d-----w- c:\program files\ATI
2012-04-12 07:24 . 2012-04-12 07:25 -------- d-----w- c:\program files (x86)\ATI Technologies
2012-04-12 07:20 . 2011-07-09 02:46 288768 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2012-04-12 07:20 . 2011-06-11 03:07 3137536 ----a-w- c:\windows\system32\win32k.sys
2012-04-12 07:18 . 2011-06-03 06:44 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2012-04-12 05:12 . 2012-04-12 05:12 -------- d-----w- c:\program files (x86)\OEM
2012-04-12 05:11 . 2012-04-12 05:11 -------- d-----w- c:\programdata\OEM_E471269A730D
2012-04-12 05:11 . 2012-04-12 05:11 -------- d-----w- c:\program files (x86)\Times Reader
2012-04-12 05:11 . 2012-04-12 05:11 -------- d-----w- c:\program files (x86)\Common Files\Adobe AIR
2012-04-12 05:10 . 2012-04-12 05:10 -------- d-----w- c:\program files (x86)\Barnes & Noble
2012-04-12 05:09 . 2012-04-12 05:09 -------- d-----w- c:\program files\Preload
2012-04-12 05:08 . 2012-04-12 05:08 -------- d-----w- c:\program files (x86)\AMD
2012-04-12 05:07 . 2012-04-12 05:08 -------- d-----w- c:\users\Natale
2012-04-12 05:07 . 2012-04-12 05:07 -------- d-----w- C:\Recovery
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 1155928]
"BackupManagerTray"="c:\program files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe" [2011-04-24 297280]
"SuiteTray"="c:\program files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe" [2011-04-02 340848]
"EgisTecPMMUpdate"="c:\program files (x86)\EgisTec IPS\PmmUpdate.exe" [2011-03-29 408432]
"EgisUpdate"="c:\program files (x86)\EgisTec IPS\EgisUpdate.exe" [2011-03-29 202608]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-05-26 336384]
"Dolby Advanced Audio v2"="c:\dolby pcee4\pcee4.exe" [2011-06-01 506712]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2011-03-15 1081424]
"ArcadeMovieService"="c:\program files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe" [2011-05-10 177448]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IsMyWinLockerReboot"="msiexec.exe" [2010-11-21 73216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 0280081334207274mcinstcleanup;McAfee Application Installer Cleanup (0280081334207274);c:\windows\TEMP\028008~1.EXE [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-06-07 191752]
R3 EgisTec Ticket Service;EgisTec Ticket Service;c:\program files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe [2011-04-02 173424]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [x]
S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys [x]
S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys [x]
S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-05-12 249648]
S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe [2011-03-15 352336]
S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [2011-05-10 872552]
S2 GREGService;GREGService;c:\program files (x86)\Acer\Registration\GREGsvc.exe [2011-01-18 39528]
S2 Live Updater Service;Live Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe [2011-04-22 244624]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~2\mcafee\SITEAD~1\McSACore.exe [2011-02-16 101048]
S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [2011-04-24 256832]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 b57xdbd;Broadcom xD Picture Bus Driver Service;c:\windows\system32\DRIVERS\b57xdbd.sys [x]
S3 b57xdmp;Broadcom xD Picture vstorp client drv;c:\windows\system32\DRIVERS\b57xdmp.sys [x]
S3 bScsiMSa;bScsiMSa;c:\windows\system32\DRIVERS\bScsiMSa.sys [x]
S3 bScsiSDa;bScsiSDa;c:\windows\system32\DRIVERS\bScsiSDa.sys [x]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-08-26 12681320]
"RtHDVBg_Dolby"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-08-16 2277480]
"Power Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2011-05-10 1831528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://acer.msn.com
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://acer.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Launch Manager\LMutilps32.exe
c:\windows\SysWOW64\rundll32.exe
c:\program files (x86)\Acer\clear.fi\MVP\clear.fiAgent.exe
c:\program files (x86)\Acer\clear.fi\MVP\.\Kernel\DMR\DMREngine.exe
c:\\.\globalroot\systemroot\svchost.exe
.
**************************************************************************
.
Completion time: 2012-04-12 03:43:54 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-12 07:43
.
Pre-Run: 453,702,467,584 bytes free
Post-Run: 453,658,320,896 bytes free
.
- - End Of File - - 2405FD71655543D2396F6368EA12618D

Edited by NataleAnne, 12 April 2012 - 02:56 AM.


#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 12 April 2012 - 03:00 AM

Greetings

I would like you to check all the browsers that are installed on the computer and let me know which ones are redirecting.

I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 NataleAnne
  • Topic Starter
  • Members
  • 10 posts
  • Gender:Female
  • Location:Upstate New York

Posted 12 April 2012 - 03:22 AM

I only have IE installed on my laptop presently, because I went back to factory settings. When this all started, I was using Chrome. I just ran TDSSKiller; the log is included in this post. I just searched "hello" again on Google and this time, even after several searches, there was no redirect. I just tried a few more words, and there was still no redirect. I think that program helped quite a bit. I'm about to run the next one now, aswMBR.

TDSSKiller Log:
04:08:36.0551 5828 TDSS rootkit removing tool 2.7.28.0 Apr 10 2012 16:54:05
04:08:36.0888 5828 ============================================================
04:08:36.0888 5828 Current date / time: 2012/04/12 04:08:36.0888
04:08:36.0888 5828 SystemInfo:
04:08:36.0888 5828
04:08:36.0888 5828 OS Version: 6.1.7601 ServicePack: 1.0
04:08:36.0888 5828 Product type: Workstation
04:08:36.0888 5828 ComputerName: NATBOOK
04:08:36.0888 5828 UserName: Natale
04:08:36.0888 5828 Windows directory: C:\Windows
04:08:36.0888 5828 System windows directory: C:\Windows
04:08:36.0888 5828 Running under WOW64
04:08:36.0888 5828 Processor architecture: Intel x64
04:08:36.0888 5828 Number of processors: 4
04:08:36.0888 5828 Page size: 0x1000
04:08:36.0888 5828 Boot type: Normal boot
04:08:36.0888 5828 ============================================================
04:08:37.0506 5828 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
04:08:37.0511 5828 \Device\Harddisk0\DR0:
04:08:37.0512 5828 MBR used
04:08:37.0512 5828 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x1E46800, BlocksNum 0x32000
04:08:37.0512 5828 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1E78800, BlocksNum 0x3850D000
04:08:37.0561 5828 Initialize success
04:08:37.0561 5828 ============================================================
04:08:58.0200 5504 ============================================================
04:08:58.0200 5504 Scan started
04:08:58.0200 5504 Mode: Manual;
04:08:58.0200 5504 ============================================================
04:09:04.0121 5504 0280081334207274mcinstcleanup - ok
04:09:04.0490 5504 1394ohci (a87d604aea360176311474c87a63bb88) C:\Windows\system32\drivers\1394ohci.sys
04:09:04.0495 5504 1394ohci - ok
04:09:05.0028 5504 ACPI (d81d9e70b8a6dd14d42d7b4efa65d5f2) C:\Windows\system32\drivers\ACPI.sys
04:09:05.0033 5504 ACPI - ok
04:09:05.0398 5504 AcpiPmi (99f8e788246d495ce3794d7e7821d2ca) C:\Windows\system32\drivers\acpipmi.sys
04:09:05.0399 5504 AcpiPmi - ok
04:09:05.0834 5504 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\drivers\adp94xx.sys
04:09:05.0842 5504 adp94xx - ok
04:09:06.0229 5504 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\drivers\adpahci.sys
04:09:06.0234 5504 adpahci - ok
04:09:06.0737 5504 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\drivers\adpu320.sys
04:09:06.0741 5504 adpu320 - ok
04:09:07.0011 5504 AeLookupSvc (4b78b431f225fd8624c5655cb1de7b61) C:\Windows\System32\aelupsvc.dll
04:09:07.0013 5504 AeLookupSvc - ok
04:09:07.0405 5504 AFD (d5b031c308a409a0a576bff4cf083d30) C:\Windows\system32\drivers\afd.sys
04:09:07.0413 5504 AFD - ok
04:09:07.0786 5504 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\drivers\agp440.sys
04:09:07.0794 5504 agp440 - ok
04:09:08.0218 5504 ALG (3290d6946b5e30e70414990574883ddb) C:\Windows\System32\alg.exe
04:09:08.0221 5504 ALG - ok
04:09:08.0600 5504 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\drivers\aliide.sys
04:09:08.0602 5504 aliide - ok
04:09:08.0931 5504 AMD External Events Utility (833d43cfbac21365d36cf797377457d9) C:\Windows\system32\atiesrxx.exe
04:09:08.0936 5504 AMD External Events Utility - ok
04:09:09.0426 5504 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\drivers\amdide.sys
04:09:09.0428 5504 amdide - ok
04:09:09.0803 5504 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\drivers\amdk8.sys
04:09:09.0806 5504 AmdK8 - ok
04:09:10.0508 5504 amdkmdag (fad670b417adccd9c99bc3aa3d754958) C:\Windows\system32\DRIVERS\atikmdag.sys
04:09:10.0717 5504 amdkmdag - ok
04:09:11.0121 5504 amdkmdap (f0b63dead17f760dbc85ccd7bf978c05) C:\Windows\system32\DRIVERS\atikmpag.sys
04:09:11.0123 5504 amdkmdap - ok
04:09:11.0488 5504 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
04:09:11.0489 5504 AmdPPM - ok
04:09:11.0882 5504 amdsata (d4121ae6d0c0e7e13aa221aa57ef2d49) C:\Windows\system32\drivers\amdsata.sys
04:09:11.0885 5504 amdsata - ok
04:09:12.0288 5504 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\drivers\amdsbs.sys
04:09:12.0292 5504 amdsbs - ok
04:09:12.0777 5504 amdxata (540daf1cea6094886d72126fd7c33048) C:\Windows\system32\drivers\amdxata.sys
04:09:12.0777 5504 amdxata - ok
04:09:13.0157 5504 amd_sata (f9d46b6b322708bd5afcc8767ebdc901) C:\Windows\system32\DRIVERS\amd_sata.sys
04:09:13.0158 5504 amd_sata - ok
04:09:13.0678 5504 amd_xata (329cc9c7e20deebcd4cd10816193ef14) C:\Windows\system32\DRIVERS\amd_xata.sys
04:09:13.0678 5504 amd_xata - ok
04:09:14.0193 5504 AppID (89a69c3f2f319b43379399547526d952) C:\Windows\system32\drivers\appid.sys
04:09:14.0196 5504 AppID - ok
04:09:14.0478 5504 AppIDSvc (0bc381a15355a3982216f7172f545de1) C:\Windows\System32\appidsvc.dll
04:09:14.0481 5504 AppIDSvc - ok
04:09:14.0918 5504 Appinfo (3977d4a871ca0d4f2ed1e7db46829731) C:\Windows\System32\appinfo.dll
04:09:14.0921 5504 Appinfo - ok
04:09:15.0318 5504 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\drivers\arc.sys
04:09:15.0318 5504 arc - ok
04:09:15.0693 5504 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\drivers\arcsas.sys
04:09:15.0698 5504 arcsas - ok
04:09:16.0293 5504 aspnet_state (9217d874131ae6ff8f642f124f00a555) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
04:09:16.0318 5504 aspnet_state - ok
04:09:16.0698 5504 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
04:09:16.0698 5504 AsyncMac - ok
04:09:17.0083 5504 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\drivers\atapi.sys
04:09:17.0083 5504 atapi - ok
04:09:17.0508 5504 AtiHDAudioService (cbd14f698def12ee3557604b726cb8eb) C:\Windows\system32\drivers\AtihdW76.sys
04:09:17.0513 5504 AtiHDAudioService - ok
04:09:17.0803 5504 AudioEndpointBuilder (f23fef6d569fce88671949894a8becf1) C:\Windows\System32\Audiosrv.dll
04:09:17.0828 5504 AudioEndpointBuilder - ok
04:09:17.0858 5504 AudioSrv (f23fef6d569fce88671949894a8becf1) C:\Windows\System32\Audiosrv.dll
04:09:17.0863 5504 AudioSrv - ok
04:09:18.0303 5504 AxInstSV (a6bf31a71b409dfa8cac83159e1e2aff) C:\Windows\System32\AxInstSV.dll
04:09:18.0303 5504 AxInstSV - ok
04:09:18.0698 5504 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\drivers\bxvbda.sys
04:09:18.0788 5504 b06bdrv - ok
04:09:19.0238 5504 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
04:09:19.0248 5504 b57nd60a - ok
04:09:19.0628 5504 b57xdbd (a424cb46a145e5aabf15621550976df2) C:\Windows\system32\DRIVERS\b57xdbd.sys
04:09:19.0628 5504 b57xdbd - ok
04:09:20.0288 5504 b57xdmp (be4e6fd5a898812b85d5817ad9754a9f) C:\Windows\system32\DRIVERS\b57xdmp.sys
04:09:20.0298 5504 b57xdmp - ok
04:09:20.0428 5504 BBSvc (87f3bcf82a63e900af896cd930bf7e05) C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE
04:09:20.0428 5504 BBSvc - ok
04:09:20.0458 5504 BBUpdate (78779ee07231c658b483b1f38b5088df) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
04:09:20.0468 5504 BBUpdate - ok
04:09:20.0938 5504 BCM43XX (85111026f1c5a1c4cce3697f0da7bc1a) C:\Windows\system32\DRIVERS\bcmwl664.sys
04:09:20.0988 5504 BCM43XX - ok
04:09:21.0288 5504 BDESVC (fde360167101b4e45a96f939f388aeb0) C:\Windows\System32\bdesvc.dll
04:09:21.0298 5504 BDESVC - ok
04:09:21.0678 5504 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
04:09:21.0678 5504 Beep - ok
04:09:21.0968 5504 BFE (82974d6a2fd19445cc5171fc378668a4) C:\Windows\System32\bfe.dll
04:09:21.0988 5504 BFE - ok
04:09:22.0548 5504 BITS (1ea7969e3271cbc59e1730697dc74682) C:\Windows\system32\qmgr.dll
04:09:22.0578 5504 BITS - ok
04:09:22.0958 5504 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\drivers\blbdrive.sys
04:09:22.0958 5504 blbdrive - ok
04:09:23.0338 5504 bowser (6c02a83164f5cc0a262f4199f0871cf5) C:\Windows\system32\DRIVERS\bowser.sys
04:09:23.0338 5504 bowser - ok
04:09:23.0708 5504 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\drivers\BrFiltLo.sys
04:09:23.0708 5504 BrFiltLo - ok
04:09:24.0088 5504 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\drivers\BrFiltUp.sys
04:09:24.0098 5504 BrFiltUp - ok
04:09:24.0578 5504 BridgeMP (5c2f352a4e961d72518261257aae204b) C:\Windows\system32\DRIVERS\bridge.sys
04:09:24.0578 5504 BridgeMP - ok
04:09:24.0838 5504 Browser (8ef0d5c41ec907751b8429162b1239ed) C:\Windows\System32\browser.dll
04:09:24.0838 5504 Browser - ok
04:09:25.0218 5504 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
04:09:25.0218 5504 Brserid - ok
04:09:25.0578 5504 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
04:09:25.0578 5504 BrSerWdm - ok
04:09:25.0958 5504 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
04:09:25.0958 5504 BrUsbMdm - ok
04:09:26.0618 5504 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
04:09:26.0618 5504 BrUsbSer - ok
04:09:26.0998 5504 bScsiMSa (413dd8ab0bb30b9c4f5e6a34977a1c34) C:\Windows\system32\DRIVERS\bScsiMSa.sys
04:09:26.0998 5504 bScsiMSa - ok
04:09:27.0418 5504 bScsiSDa (9f880f03f4a72215c8b77fd51322c297) C:\Windows\system32\DRIVERS\bScsiSDa.sys
04:09:27.0418 5504 bScsiSDa - ok
04:09:27.0868 5504 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\drivers\bthmodem.sys
04:09:27.0878 5504 BTHMODEM - ok
04:09:28.0318 5504 bthserv (95f9c2976059462cbbf227f7aab10de9) C:\Windows\system32\bthserv.dll
04:09:28.0318 5504 bthserv - ok
04:09:28.0358 5504 catchme - ok
04:09:28.0748 5504 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
04:09:28.0748 5504 cdfs - ok
04:09:29.0288 5504 cdrom (f036ce71586e93d94dab220d7bdf4416) C:\Windows\system32\DRIVERS\cdrom.sys
04:09:29.0288 5504 cdrom - ok
04:09:29.0568 5504 CertPropSvc (f17d1d393bbc69c5322fbfafaca28c7f) C:\Windows\System32\certprop.dll
04:09:29.0568 5504 CertPropSvc - ok
04:09:29.0938 5504 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\drivers\circlass.sys
04:09:29.0978 5504 circlass - ok
04:09:30.0488 5504 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
04:09:30.0498 5504 CLFS - ok
04:09:30.0728 5504 clr_optimization_v2.0.50727_32 (d88040f816fda31c3b466f0fa0918f29) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
04:09:30.0728 5504 clr_optimization_v2.0.50727_32 - ok
04:09:30.0968 5504 clr_optimization_v2.0.50727_64 (d1ceea2b47cb998321c579651ce3e4f8) C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
04:09:30.0968 5504 clr_optimization_v2.0.50727_64 - ok
04:09:31.0458 5504 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
04:09:31.0498 5504 clr_optimization_v4.0.30319_32 - ok
04:09:31.0830 5504 clr_optimization_v4.0.30319_64 (c6f9af94dcd58122a4d7e89db6bed29d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
04:09:31.0852 5504 clr_optimization_v4.0.30319_64 - ok
04:09:32.0641 5504 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\drivers\CmBatt.sys
04:09:32.0646 5504 CmBatt - ok
04:09:33.0037 5504 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\drivers\cmdide.sys
04:09:33.0041 5504 cmdide - ok
04:09:33.0570 5504 CNG (d5fea92400f12412b3922087c09da6a5) C:\Windows\system32\Drivers\cng.sys
04:09:33.0578 5504 CNG - ok
04:09:33.0975 5504 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\drivers\compbatt.sys
04:09:33.0976 5504 Compbatt - ok
04:09:34.0702 5504 CompositeBus (03edb043586cceba243d689bdda370a8) C:\Windows\system32\drivers\CompositeBus.sys
04:09:34.0704 5504 CompositeBus - ok
04:09:34.0960 5504 COMSysApp - ok
04:09:35.0473 5504 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\drivers\crcdisk.sys
04:09:35.0483 5504 crcdisk - ok
04:09:35.0784 5504 CryptSvc (15597883fbe9b056f276ada3ad87d9af) C:\Windows\system32\cryptsvc.dll
04:09:35.0793 5504 CryptSvc - ok
04:09:36.0274 5504 DcomLaunch (5c627d1b1138676c0a7ab2c2c190d123) C:\Windows\system32\rpcss.dll
04:09:36.0284 5504 DcomLaunch - ok
04:09:36.0751 5504 defragsvc (3cec7631a84943677aa8fa8ee5b6b43d) C:\Windows\System32\defragsvc.dll
04:09:36.0756 5504 defragsvc - ok
04:09:37.0203 5504 DfsC (9bb2ef44eaa163b29c4a4587887a0fe4) C:\Windows\system32\Drivers\dfsc.sys
04:09:37.0206 5504 DfsC - ok
04:09:37.0485 5504 Dhcp (43d808f5d9e1a18e5eeb5ebc83969e4e) C:\Windows\system32\dhcpcore.dll
04:09:37.0491 5504 Dhcp - ok
04:09:37.0876 5504 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
04:09:37.0879 5504 discache - ok
04:09:38.0528 5504 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\drivers\disk.sys
04:09:38.0531 5504 Disk - ok
04:09:38.0823 5504 Dnscache (16835866aaa693c7d7fceba8fff706e4) C:\Windows\System32\dnsrslvr.dll
04:09:38.0828 5504 Dnscache - ok
04:09:39.0103 5504 dot3svc (b1fb3ddca0fdf408750d5843591afbc6) C:\Windows\System32\dot3svc.dll
04:09:39.0108 5504 dot3svc - ok
04:09:39.0383 5504 DPS (b26f4f737e8f9df4f31af6cf31d05820) C:\Windows\system32\dps.dll
04:09:39.0387 5504 DPS - ok
04:09:39.0896 5504 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
04:09:39.0898 5504 drmkaud - ok
04:09:40.0058 5504 DsiWMIService (4ab2a58816cc6be771f1d8c768b804c5) C:\Program Files (x86)\Launch Manager\dsiwmis.exe
04:09:40.0066 5504 DsiWMIService - ok
04:09:40.0599 5504 DXGKrnl (f5bee30450e18e6b83a5012c100616fd) C:\Windows\System32\drivers\dxgkrnl.sys
04:09:40.0609 5504 DXGKrnl - ok
04:09:40.0890 5504 EapHost (e2dda8726da9cb5b2c4000c9018a9633) C:\Windows\System32\eapsvc.dll
04:09:40.0894 5504 EapHost - ok
04:09:41.0316 5504 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\drivers\evbda.sys
04:09:41.0408 5504 ebdrv - ok
04:09:41.0707 5504 EFS (0793f40b9b8a1bdd266296409dbd91ea) C:\Windows\System32\lsass.exe
04:09:41.0709 5504 EFS - ok
04:09:41.0808 5504 EgisTec Ticket Service (18dd872dd46acb24e106dc2c9c270466) C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe
04:09:41.0812 5504 EgisTec Ticket Service - ok
04:09:42.0010 5504 ehRecvr (c4002b6b41975f057d98c439030cea07) C:\Windows\ehome\ehRecvr.exe
04:09:42.0033 5504 ehRecvr - ok
04:09:42.0372 5504 ehSched (4705e8ef9934482c5bb488ce28afc681) C:\Windows\ehome\ehsched.exe
04:09:42.0377 5504 ehSched - ok
04:09:42.0771 5504 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\drivers\elxstor.sys
04:09:42.0779 5504 elxstor - ok
04:09:42.0942 5504 ePowerSvc (ac5c64f828c0a6a1350971501ac2a0c7) C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
04:09:42.0957 5504 ePowerSvc - ok
04:09:43.0406 5504 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\drivers\errdev.sys
04:09:43.0409 5504 ErrDev - ok
04:09:43.0732 5504 EventSystem (4166f82be4d24938977dd1746be9b8a0) C:\Windows\system32\es.dll
04:09:43.0739 5504 EventSystem - ok
04:09:44.0268 5504 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
04:09:44.0274 5504 exfat - ok
04:09:44.0833 5504 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
04:09:44.0838 5504 fastfat - ok
04:09:45.0427 5504 Fax (dbefd454f8318a0ef691fdd2eaab44eb) C:\Windows\system32\fxssvc.exe
04:09:45.0450 5504 Fax - ok
04:09:45.0901 5504 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\drivers\fdc.sys
04:09:45.0904 5504 fdc - ok
04:09:46.0432 5504 fdPHost (0438cab2e03f4fb61455a7956026fe86) C:\Windows\system32\fdPHost.dll
04:09:46.0433 5504 fdPHost - ok
04:09:46.0800 5504 FDResPub (802496cb59a30349f9a6dd22d6947644) C:\Windows\system32\fdrespub.dll
04:09:46.0805 5504 FDResPub - ok
04:09:47.0179 5504 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
04:09:47.0183 5504 FileInfo - ok
04:09:47.0542 5504 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
04:09:47.0545 5504 Filetrace - ok
04:09:47.0659 5504 FLEXnet Licensing Service (bb0667b0171b632b97ea759515476f07) C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
04:09:47.0682 5504 FLEXnet Licensing Service - ok
04:09:48.0170 5504 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\drivers\flpydisk.sys
04:09:48.0173 5504 flpydisk - ok
04:09:48.0553 5504 FltMgr (da6b67270fd9db3697b20fce94950741) C:\Windows\system32\drivers\fltmgr.sys
04:09:48.0559 5504 FltMgr - ok
04:09:48.0872 5504 FontCache (5c4cb4086fb83115b153e47add961a0c) C:\Windows\system32\FntCache.dll
04:09:48.0906 5504 FontCache - ok
04:09:49.0064 5504 FontCache3.0.0.0 (a8b7f3818ab65695e3a0bb3279f6dce6) C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
04:09:49.0066 5504 FontCache3.0.0.0 - ok
04:09:49.0433 5504 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
04:09:49.0436 5504 FsDepends - ok
04:09:49.0808 5504 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys
04:09:49.0809 5504 Fs_Rec - ok
04:09:50.0340 5504 fvevol (1f7b25b858fa27015169fe95e54108ed) C:\Windows\system32\DRIVERS\fvevol.sys
04:09:50.0344 5504 fvevol - ok
04:09:50.0997 5504 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\drivers\gagp30kx.sys
04:09:51.0000 5504 gagp30kx - ok
04:09:51.0113 5504 GamesAppService (c403c5db49a0f9aaf4f2128edc0106d8) C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe
04:09:51.0118 5504 GamesAppService - ok
04:09:51.0529 5504 gpsvc (277bbc7e1aa1ee957f573a10eca7ef3a) C:\Windows\System32\gpsvc.dll
04:09:51.0552 5504 gpsvc - ok
04:09:51.0649 5504 GREGService (f95126e44eba95a30fb0e4ce6e916015) C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
04:09:51.0650 5504 GREGService - ok
04:09:52.0014 5504 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
04:09:52.0016 5504 hcw85cir - ok
04:09:52.0697 5504 HdAudAddService (975761c778e33cd22498059b91e7373a) C:\Windows\system32\drivers\HdAudio.sys
04:09:52.0703 5504 HdAudAddService - ok
04:09:53.0084 5504 HDAudBus (97bfed39b6b79eb12cddbfeed51f56bb) C:\Windows\system32\drivers\HDAudBus.sys
04:09:53.0087 5504 HDAudBus - ok
04:09:53.0445 5504 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\drivers\HidBatt.sys
04:09:53.0447 5504 HidBatt - ok
04:09:53.0811 5504 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\drivers\hidbth.sys
04:09:53.0814 5504 HidBth - ok
04:09:54.0319 5504 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\drivers\hidir.sys
04:09:54.0322 5504 HidIr - ok
04:09:54.0573 5504 hidserv (bd9eb3958f213f96b97b1d897dee006d) C:\Windows\System32\hidserv.dll
04:09:54.0576 5504 hidserv - ok
04:09:54.0981 5504 HidUsb (9592090a7e2b61cd582b612b6df70536) C:\Windows\system32\drivers\hidusb.sys
04:09:54.0984 5504 HidUsb - ok
04:09:55.0280 5504 hkmsvc (387e72e739e15e3d37907a86d9ff98e2) C:\Windows\system32\kmsvc.dll
04:09:55.0284 5504 hkmsvc - ok
04:09:55.0554 5504 HomeGroupListener (efdfb3dd38a4376f93e7985173813abd) C:\Windows\system32\ListSvc.dll
04:09:55.0559 5504 HomeGroupListener - ok
04:09:55.0815 5504 HomeGroupProvider (908acb1f594274965a53926b10c81e89) C:\Windows\system32\provsvc.dll
04:09:55.0819 5504 HomeGroupProvider - ok
04:09:56.0492 5504 HpSAMD (39d2abcd392f3d8a6dce7b60ae7b8efc) C:\Windows\system32\drivers\HpSAMD.sys
04:09:56.0495 5504 HpSAMD - ok
04:09:57.0011 5504 HTTP (0ea7de1acb728dd5a369fd742d6eee28) C:\Windows\system32\drivers\HTTP.sys
04:09:57.0047 5504 HTTP - ok
04:09:57.0525 5504 hwpolicy (a5462bd6884960c9dc85ed49d34ff392) C:\Windows\system32\drivers\hwpolicy.sys
04:09:57.0525 5504 hwpolicy - ok
04:09:57.0967 5504 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\drivers\i8042prt.sys
04:09:57.0982 5504 i8042prt - ok
04:09:58.0864 5504 iaStorV (aaaf44db3bd0b9d1fb6969b23ecc8366) C:\Windows\system32\drivers\iaStorV.sys
04:09:58.0876 5504 iaStorV - ok
04:09:59.0090 5504 idsvc (5988fc40f8db5b0739cd1e3a5d0d78bd) C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
04:09:59.0115 5504 idsvc - ok
04:09:59.0777 5504 igfx (a87261ef1546325b559374f5689cf5bc) C:\Windows\system32\DRIVERS\igdkmd64.sys
04:09:59.0928 5504 igfx - ok
04:10:00.0575 5504 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\drivers\iirsp.sys
04:10:00.0577 5504 iirsp - ok
04:10:00.0854 5504 IKEEXT (fcd84c381e0140af901e58d48882d26b) C:\Windows\System32\ikeext.dll
04:10:00.0879 5504 IKEEXT - ok
04:10:01.0388 5504 IntcAzAudAddService (e7e0e8f2f44bcb48143fbba70106d8c1) C:\Windows\system32\drivers\RTKVHD64.sys
04:10:01.0416 5504 IntcAzAudAddService - ok
04:10:01.0797 5504 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\drivers\intelide.sys
04:10:01.0799 5504 intelide - ok
04:10:02.0338 5504 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\drivers\intelppm.sys
04:10:02.0340 5504 intelppm - ok
04:10:02.0619 5504 IPBusEnum (098a91c54546a3b878dad6a7e90a455b) C:\Windows\system32\ipbusenum.dll
04:10:02.0622 5504 IPBusEnum - ok
04:10:02.0999 5504 IpFilterDriver (c9f0e1bd74365a8771590e9008d22ab6) C:\Windows\system32\DRIVERS\ipfltdrv.sys
04:10:03.0002 5504 IpFilterDriver - ok
04:10:03.0289 5504 iphlpsvc (a34a587fffd45fa649fba6d03784d257) C:\Windows\System32\iphlpsvc.dll
04:10:03.0299 5504 iphlpsvc - ok
04:10:03.0661 5504 IPMIDRV (0fc1aea580957aa8817b8f305d18ca3a) C:\Windows\system32\drivers\IPMIDrv.sys
04:10:03.0664 5504 IPMIDRV - ok
04:10:04.0026 5504 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
04:10:04.0029 5504 IPNAT - ok
04:10:04.0764 5504 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
04:10:04.0766 5504 IRENUM - ok
04:10:05.0128 5504 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\drivers\isapnp.sys
04:10:05.0130 5504 isapnp - ok
04:10:05.0497 5504 iScsiPrt (d931d7309deb2317035b07c9f9e6b0bd) C:\Windows\system32\drivers\msiscsi.sys
04:10:05.0502 5504 iScsiPrt - ok
04:10:05.0892 5504 k57nd60a (1d7aab58f4e21697af8f46eaa81823dd) C:\Windows\system32\DRIVERS\k57nd60a.sys
04:10:05.0896 5504 k57nd60a - ok
04:10:06.0571 5504 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\drivers\kbdclass.sys
04:10:06.0572 5504 kbdclass - ok
04:10:07.0045 5504 kbdhid (0705eff5b42a9db58548eec3b26bb484) C:\Windows\system32\drivers\kbdhid.sys
04:10:07.0048 5504 kbdhid - ok
04:10:07.0317 5504 KeyIso (0793f40b9b8a1bdd266296409dbd91ea) C:\Windows\system32\lsass.exe
04:10:07.0319 5504 KeyIso - ok
04:10:07.0681 5504 KSecDD (ccd53b5bd33ce0c889e830d839c8b66e) C:\Windows\system32\Drivers\ksecdd.sys
04:10:07.0684 5504 KSecDD - ok
04:10:08.0037 5504 KSecPkg (9ff918a261752c12639e8ad4208d2c2f) C:\Windows\system32\Drivers\ksecpkg.sys
04:10:08.0043 5504 KSecPkg - ok
04:10:08.0421 5504 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
04:10:08.0423 5504 ksthunk - ok
04:10:08.0687 5504 KtmRm (6ab66e16aa859232f64deb66887a8c9c) C:\Windows\system32\msdtckrm.dll
04:10:08.0694 5504 KtmRm - ok
04:10:09.0062 5504 L1E (2ac603c3188c704cfce353659aa7ad71) C:\Windows\system32\DRIVERS\L1E62x64.sys
04:10:09.0065 5504 L1E - ok
04:10:09.0383 5504 LanmanServer (d9f42719019740baa6d1c6d536cbdaa6) C:\Windows\System32\srvsvc.dll
04:10:09.0389 5504 LanmanServer - ok
04:10:09.0655 5504 LanmanWorkstation (851a1382eed3e3a7476db004f4ee3e1a) C:\Windows\System32\wkssvc.dll
04:10:09.0660 5504 LanmanWorkstation - ok
04:10:09.0753 5504 Live Updater Service (b705c7097f9a0ec941d02dce7c7d426c) C:\Program Files\Acer\Acer Updater\UpdaterService.exe
04:10:09.0755 5504 Live Updater Service - ok
04:10:10.0306 5504 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
04:10:10.0309 5504 lltdio - ok
04:10:10.0603 5504 lltdsvc (c1185803384ab3feed115f79f109427f) C:\Windows\System32\lltdsvc.dll
04:10:10.0609 5504 lltdsvc - ok
04:10:10.0876 5504 lmhosts (f993a32249b66c9d622ea5592a8b76b8) C:\Windows\System32\lmhsvc.dll
04:10:10.0877 5504 lmhosts - ok
04:10:11.0267 5504 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\drivers\lsi_fc.sys
04:10:11.0270 5504 LSI_FC - ok
04:10:11.0654 5504 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\drivers\lsi_sas.sys
04:10:11.0658 5504 LSI_SAS - ok
04:10:12.0019 5504 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\drivers\lsi_sas2.sys
04:10:12.0021 5504 LSI_SAS2 - ok
04:10:12.0539 5504 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\drivers\lsi_scsi.sys
04:10:12.0543 5504 LSI_SCSI - ok
04:10:12.0907 5504 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
04:10:12.0910 5504 luafv - ok
04:10:13.0023 5504 McAfee SiteAdvisor Service (b4726deec4c27d47f9141d45504dce29) c:\PROGRA~2\mcafee\SITEAD~1\McSACore.exe
04:10:13.0026 5504 McAfee SiteAdvisor Service - ok
04:10:13.0276 5504 Mcx2Svc (0be09cd858abf9df6ed259d57a1a1663) C:\Windows\system32\Mcx2Svc.dll
04:10:13.0280 5504 Mcx2Svc - ok
04:10:13.0666 5504 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\drivers\megasas.sys
04:10:13.0669 5504 megasas - ok
04:10:14.0206 5504 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\drivers\MegaSR.sys
04:10:14.0212 5504 MegaSR - ok
04:10:14.0522 5504 MMCSS (e40e80d0304a73e8d269f7141d77250b) C:\Windows\system32\mmcss.dll
04:10:14.0525 5504 MMCSS - ok
04:10:14.0953 5504 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
04:10:14.0954 5504 Modem - ok
04:10:15.0490 5504 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
04:10:15.0491 5504 monitor - ok
04:10:15.0859 5504 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\drivers\mouclass.sys
04:10:15.0860 5504 mouclass - ok
04:10:16.0549 5504 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\drivers\mouhid.sys
04:10:16.0552 5504 mouhid - ok
04:10:16.0915 5504 mountmgr (32e7a3d591d671a6df2db515a5cbe0fa) C:\Windows\system32\drivers\mountmgr.sys
04:10:16.0918 5504 mountmgr - ok
04:10:17.0271 5504 mpio (a44b420d30bd56e145d6a2bc8768ec58) C:\Windows\system32\drivers\mpio.sys
04:10:17.0275 5504 mpio - ok
04:10:17.0668 5504 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
04:10:17.0671 5504 mpsdrv - ok
04:10:17.0966 5504 MpsSvc (54ffc9c8898113ace189d4aa7199d2c1) C:\Windows\system32\mpssvc.dll
04:10:18.0056 5504 MpsSvc - ok
04:10:18.0550 5504 MRxDAV (dc722758b8261e1abafd31a3c0a66380) C:\Windows\system32\drivers\mrxdav.sys
04:10:18.0554 5504 MRxDAV - ok
04:10:18.0916 5504 mrxsmb (a5d9106a73dc88564c825d317cac68ac) C:\Windows\system32\DRIVERS\mrxsmb.sys
04:10:18.0920 5504 mrxsmb - ok
04:10:19.0284 5504 mrxsmb10 (d711b3c1d5f42c0c2415687be09fc163) C:\Windows\system32\DRIVERS\mrxsmb10.sys
04:10:19.0290 5504 mrxsmb10 - ok
04:10:19.0691 5504 mrxsmb20 (9423e9d355c8d303e76b8cfbd8a5c30c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
04:10:19.0695 5504 mrxsmb20 - ok
04:10:20.0100 5504 msahci (c25f0bafa182cbca2dd3c851c2e75796) C:\Windows\system32\drivers\msahci.sys
04:10:20.0101 5504 msahci - ok
04:10:20.0467 5504 msdsm (db801a638d011b9633829eb6f663c900) C:\Windows\system32\drivers\msdsm.sys
04:10:20.0471 5504 msdsm - ok
04:10:20.0745 5504 MSDTC (de0ece52236cfa3ed2dbfc03f28253a8) C:\Windows\System32\msdtc.exe
04:10:20.0755 5504 MSDTC - ok
04:10:21.0314 5504 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
04:10:21.0317 5504 Msfs - ok
04:10:21.0865 5504 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
04:10:21.0867 5504 mshidkmdf - ok
04:10:22.0602 5504 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\drivers\msisadrv.sys
04:10:22.0603 5504 msisadrv - ok
04:10:22.0888 5504 MSiSCSI (808e98ff49b155c522e6400953177b08) C:\Windows\system32\iscsiexe.dll
04:10:22.0892 5504 MSiSCSI - ok
04:10:23.0176 5504 msiserver - ok
04:10:23.0567 5504 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
04:10:23.0569 5504 MSKSSRV - ok
04:10:23.0963 5504 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
04:10:23.0966 5504 MSPCLOCK - ok
04:10:24.0767 5504 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
04:10:24.0769 5504 MSPQM - ok
04:10:25.0163 5504 MsRPC (759a9eeb0fa9ed79da1fb7d4ef78866d) C:\Windows\system32\drivers\MsRPC.sys
04:10:25.0169 5504 MsRPC - ok
04:10:25.0536 5504 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\drivers\mssmbios.sys
04:10:25.0537 5504 mssmbios - ok
04:10:25.0921 5504 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
04:10:25.0923 5504 MSTEE - ok
04:10:26.0406 5504 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\drivers\MTConfig.sys
04:10:26.0408 5504 MTConfig - ok
04:10:26.0804 5504 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
04:10:26.0804 5504 Mup - ok
04:10:27.0317 5504 mwlPSDFilter (c009123b206c56854f4e88596035231d) C:\Windows\system32\DRIVERS\mwlPSDFilter.sys
04:10:27.0317 5504 mwlPSDFilter - ok
04:10:27.0705 5504 mwlPSDNServ (bf3739eeb9f008b1debac115089a53f8) C:\Windows\system32\DRIVERS\mwlPSDNServ.sys
04:10:27.0706 5504 mwlPSDNServ - ok
04:10:28.0484 5504 mwlPSDVDisk (38dd143d95e7a01b86f219dda9c28779) C:\Windows\system32\DRIVERS\mwlPSDVDisk.sys
04:10:28.0485 5504 mwlPSDVDisk - ok
04:10:28.0784 5504 napagent (582ac6d9873e31dfa28a4547270862dd) C:\Windows\system32\qagentRT.dll
04:10:28.0796 5504 napagent - ok
04:10:29.0361 5504 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
04:10:29.0367 5504 NativeWifiP - ok
04:10:29.0783 5504 NDIS (c38b8ae57f78915905064a9a24dc1586) C:\Windows\system32\drivers\ndis.sys
04:10:29.0817 5504 NDIS - ok
04:10:30.0470 5504 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
04:10:30.0472 5504 NdisCap - ok
04:10:30.0889 5504 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
04:10:30.0891 5504 NdisTapi - ok
04:10:31.0286 5504 Ndisuio (136185f9fb2cc61e573e676aa5402356) C:\Windows\system32\DRIVERS\ndisuio.sys
04:10:31.0288 5504 Ndisuio - ok
04:10:31.0653 5504 NdisWan (53f7305169863f0a2bddc49e116c2e11) C:\Windows\system32\DRIVERS\ndiswan.sys
04:10:31.0659 5504 NdisWan - ok
04:10:32.0281 5504 NDProxy (015c0d8e0e0421b4cfd48cffe2825879) C:\Windows\system32\drivers\NDProxy.sys
04:10:32.0284 5504 NDProxy - ok
04:10:32.0821 5504 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
04:10:32.0823 5504 NetBIOS - ok
04:10:33.0193 5504 NetBT (09594d1089c523423b32a4229263f068) C:\Windows\system32\DRIVERS\netbt.sys
04:10:33.0198 5504 NetBT - ok
04:10:33.0468 5504 Netlogon (0793f40b9b8a1bdd266296409dbd91ea) C:\Windows\system32\lsass.exe
04:10:33.0469 5504 Netlogon - ok
04:10:33.0767 5504 Netman (847d3ae376c0817161a14a82c8922a9e) C:\Windows\System32\netman.dll
04:10:33.0775 5504 Netman - ok
04:10:34.0074 5504 NetMsmqActivator (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
04:10:34.0306 5504 NetMsmqActivator - ok
04:10:34.0316 5504 NetPipeActivator (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
04:10:34.0318 5504 NetPipeActivator - ok
04:10:34.0684 5504 netprofm (5f28111c648f1e24f7dbc87cdeb091b8) C:\Windows\System32\netprofm.dll
04:10:34.0692 5504 netprofm - ok
04:10:34.0965 5504 NetTcpActivator (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
04:10:34.0967 5504 NetTcpActivator - ok
04:10:34.0987 5504 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
04:10:34.0990 5504 NetTcpPortSharing - ok
04:10:35.0358 5504 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\drivers\nfrd960.sys
04:10:35.0361 5504 nfrd960 - ok
04:10:35.0653 5504 NlaSvc (1ee99a89cc788ada662441d1e9830529) C:\Windows\System32\nlasvc.dll
04:10:35.0660 5504 NlaSvc - ok
04:10:35.0793 5504 NOBU (5839a8027d6d324a7cd494051a96628c) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
04:10:35.0873 5504 NOBU - ok
04:10:36.0372 5504 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
04:10:36.0375 5504 Npfs - ok
04:10:36.0627 5504 nsi (d54bfdf3e0c953f823b3d0bfe4732528) C:\Windows\system32\nsisvc.dll
04:10:36.0629 5504 nsi - ok
04:10:37.0000 5504 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
04:10:37.0002 5504 nsiproxy - ok
04:10:37.0393 5504 Ntfs (a2f74975097f52a00745f9637451fdd8) C:\Windows\system32\drivers\Ntfs.sys
04:10:37.0436 5504 Ntfs - ok
04:10:37.0597 5504 NTI IScheduleSvc (1873214666f6f0a883742df91fbc48c9) C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe
04:10:37.0599 5504 NTI IScheduleSvc - ok
04:10:38.0003 5504 NTIDrvr (ee3ba1024594d5d09e314f206b94069e) C:\Windows\system32\drivers\NTIDrvr.sys
04:10:38.0004 5504 NTIDrvr - ok
04:10:38.0645 5504 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
04:10:38.0647 5504 Null - ok
04:10:39.0024 5504 nvraid (0a92cb65770442ed0dc44834632f66ad) C:\Windows\system32\drivers\nvraid.sys
04:10:39.0028 5504 nvraid - ok
04:10:39.0414 5504 nvstor (dab0e87525c10052bf65f06152f37e4a) C:\Windows\system32\drivers\nvstor.sys
04:10:39.0418 5504 nvstor - ok
04:10:39.0779 5504 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\drivers\nv_agp.sys
04:10:39.0782 5504 nv_agp - ok
04:10:40.0411 5504 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\drivers\ohci1394.sys
04:10:40.0414 5504 ohci1394 - ok
04:10:40.0672 5504 p2pimsvc (3eac4455472cc2c97107b5291e0dcafe) C:\Windows\system32\pnrpsvc.dll
04:10:40.0679 5504 p2pimsvc - ok
04:10:40.0974 5504 p2psvc (927463ecb02179f88e4b9a17568c63c3) C:\Windows\system32\p2psvc.dll
04:10:40.0983 5504 p2psvc - ok
04:10:41.0342 5504 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\drivers\parport.sys
04:10:41.0345 5504 Parport - ok
04:10:41.0707 5504 partmgr (871eadac56b0a4c6512bbe32753ccf79) C:\Windows\system32\drivers\partmgr.sys
04:10:41.0709 5504 partmgr - ok
04:10:41.0990 5504 PcaSvc (3aeaa8b561e63452c655dc0584922257) C:\Windows\System32\pcasvc.dll
04:10:41.0995 5504 PcaSvc - ok
04:10:42.0636 5504 pci (94575c0571d1462a0f70bde6bd6ee6b3) C:\Windows\system32\drivers\pci.sys
04:10:42.0639 5504 pci - ok
04:10:43.0020 5504 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\drivers\pciide.sys
04:10:43.0022 5504 pciide - ok
04:10:43.0546 5504 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\drivers\pcmcia.sys
04:10:43.0551 5504 pcmcia - ok
04:10:44.0083 5504 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
04:10:44.0084 5504 pcw - ok
04:10:44.0480 5504 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
04:10:44.0490 5504 PEAUTH - ok
04:10:44.0905 5504 PerfHost (e495e408c93141e8fc72dc0c6046ddfa) C:\Windows\SysWow64\perfhost.exe
04:10:44.0909 5504 PerfHost - ok
04:10:45.0374 5504 pla (c7cf6a6e137463219e1259e3f0f0dd6c) C:\Windows\system32\pla.dll
04:10:45.0409 5504 pla - ok
04:10:45.0822 5504 PlugPlay (25fbdef06c4d92815b353f6e792c8129) C:\Windows\system32\umpnpmgr.dll
04:10:45.0831 5504 PlugPlay - ok
04:10:46.0410 5504 PNRPAutoReg (7195581cec9bb7d12abe54036acc2e38) C:\Windows\system32\pnrpauto.dll
04:10:46.0414 5504 PNRPAutoReg - ok
04:10:46.0726 5504 PNRPsvc (3eac4455472cc2c97107b5291e0dcafe) C:\Windows\system32\pnrpsvc.dll
04:10:46.0730 5504 PNRPsvc - ok
04:10:47.0160 5504 PolicyAgent (4f15d75adf6156bf56eced6d4a55c389) C:\Windows\System32\ipsecsvc.dll
04:10:47.0169 5504 PolicyAgent - ok
04:10:47.0427 5504 Power (6ba9d927dded70bd1a9caded45f8b184) C:\Windows\system32\umpo.dll
04:10:47.0432 5504 Power - ok
04:10:47.0812 5504 PptpMiniport (f92a2c41117a11a00be01ca01a7fcde9) C:\Windows\system32\DRIVERS\raspptp.sys
04:10:47.0815 5504 PptpMiniport - ok
04:10:48.0480 5504 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\drivers\processr.sys
04:10:48.0483 5504 Processor - ok
04:10:48.0744 5504 ProfSvc (5c78838b4d166d1a27db3a8a820c799a) C:\Windows\system32\profsvc.dll
04:10:48.0781 5504 ProfSvc - ok
04:10:49.0074 5504 ProtectedStorage (0793f40b9b8a1bdd266296409dbd91ea) C:\Windows\system32\lsass.exe
04:10:49.0076 5504 ProtectedStorage - ok
04:10:49.0460 5504 Psched (0557cf5a2556bd58e26384169d72438d) C:\Windows\system32\DRIVERS\pacer.sys
04:10:49.0460 5504 Psched - ok
04:10:50.0000 5504 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\drivers\ql2300.sys
04:10:50.0040 5504 ql2300 - ok
04:10:50.0990 5504 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\drivers\ql40xx.sys
04:10:50.0990 5504 ql40xx - ok
04:10:51.0260 5504 QWAVE (906191634e99aea92c4816150bda3732) C:\Windows\system32\qwave.dll
04:10:51.0260 5504 QWAVE - ok
04:10:51.0640 5504 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
04:10:51.0640 5504 QWAVEdrv - ok
04:10:52.0000 5504 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
04:10:52.0010 5504 RasAcd - ok
04:10:52.0640 5504 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
04:10:52.0650 5504 RasAgileVpn - ok
04:10:52.0910 5504 RasAuto (8f26510c5383b8dbe976de1cd00fc8c7) C:\Windows\System32\rasauto.dll
04:10:52.0910 5504 RasAuto - ok
04:10:53.0290 5504 Rasl2tp (471815800ae33e6f1c32fb1b97c490ca) C:\Windows\system32\DRIVERS\rasl2tp.sys
04:10:53.0300 5504 Rasl2tp - ok
04:10:53.0710 5504 RasMan (ee867a0870fc9e4972ba9eaad35651e2) C:\Windows\System32\rasmans.dll
04:10:53.0720 5504 RasMan - ok
04:10:54.0240 5504 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
04:10:54.0250 5504 RasPppoe - ok
04:10:54.0640 5504 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
04:10:54.0650 5504 RasSstp - ok
04:10:55.0010 5504 rdbss (77f665941019a1594d887a74f301fa2f) C:\Windows\system32\DRIVERS\rdbss.sys
04:10:55.0020 5504 rdbss - ok
04:10:55.0380 5504 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\drivers\rdpbus.sys
04:10:55.0380 5504 rdpbus - ok
04:10:55.0790 5504 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
04:10:55.0790 5504 RDPCDD - ok
04:10:56.0320 5504 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
04:10:56.0330 5504 RDPENCDD - ok
04:10:56.0860 5504 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
04:10:56.0870 5504 RDPREFMP - ok
04:10:57.0360 5504 RDPWD (15b66c206b5cb095bab980553f38ed23) C:\Windows\system32\drivers\RDPWD.sys
04:10:57.0370 5504 RDPWD - ok
04:10:57.0900 5504 rdyboost (34ed295fa0121c241bfef24764fc4520) C:\Windows\system32\drivers\rdyboost.sys
04:10:57.0910 5504 rdyboost - ok
04:10:58.0170 5504 RemoteAccess (254fb7a22d74e5511c73a3f6d802f192) C:\Windows\System32\mprdim.dll
04:10:58.0170 5504 RemoteAccess - ok
04:10:58.0580 5504 RemoteRegistry (e4d94f24081440b5fc5aa556c7c62702) C:\Windows\system32\regsvc.dll
04:10:58.0590 5504 RemoteRegistry - ok
04:10:58.0840 5504 RpcEptMapper (e4dc58cf7b3ea515ae917ff0d402a7bb) C:\Windows\System32\RpcEpMap.dll
04:10:58.0850 5504 RpcEptMapper - ok
04:10:59.0110 5504 RpcLocator (d5ba242d4cf8e384db90e6a8ed850b8c) C:\Windows\system32\locator.exe
04:10:59.0110 5504 RpcLocator - ok
04:10:59.0500 5504 RpcSs (5c627d1b1138676c0a7ab2c2c190d123) C:\Windows\system32\rpcss.dll
04:10:59.0500 5504 RpcSs - ok
04:11:00.0000 5504 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
04:11:00.0000 5504 rspndr - ok
04:11:00.0360 5504 SamSs (0793f40b9b8a1bdd266296409dbd91ea) C:\Windows\system32\lsass.exe
04:11:00.0360 5504 SamSs - ok
04:11:00.0750 5504 sbp2port (ac03af3329579fffb455aa2daabbe22b) C:\Windows\system32\drivers\sbp2port.sys
04:11:00.0760 5504 sbp2port - ok
04:11:01.0330 5504 SCardSvr (9b7395789e3791a3b6d000fe6f8b131e) C:\Windows\System32\SCardSvr.dll
04:11:01.0330 5504 SCardSvr - ok
04:11:01.0730 5504 scfilter (253f38d0d7074c02ff8deb9836c97d2b) C:\Windows\system32\DRIVERS\scfilter.sys
04:11:01.0730 5504 scfilter - ok
04:11:02.0040 5504 Schedule (262f6592c3299c005fd6bec90fc4463a) C:\Windows\system32\schedsvc.dll
04:11:02.0070 5504 Schedule - ok
04:11:02.0640 5504 SCPolicySvc (f17d1d393bbc69c5322fbfafaca28c7f) C:\Windows\System32\certprop.dll
04:11:02.0640 5504 SCPolicySvc - ok
04:11:03.0030 5504 sdbus (111e0ebc0ad79cb0fa014b907b231cf0) C:\Windows\system32\DRIVERS\sdbus.sys
04:11:03.0030 5504 sdbus - ok
04:11:03.0440 5504 SDRSVC (6ea4234dc55346e0709560fe7c2c1972) C:\Windows\System32\SDRSVC.dll
04:11:03.0440 5504 SDRSVC - ok
04:11:03.0850 5504 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
04:11:03.0850 5504 secdrv - ok
04:11:04.0412 5504 seclogon (bc617a4e1b4fa8df523a061739a0bd87) C:\Windows\system32\seclogon.dll
04:11:04.0416 5504 seclogon - ok
04:11:04.0685 5504 SENS (c32ab8fa018ef34c0f113bd501436d21) C:\Windows\system32\sens.dll
04:11:04.0688 5504 SENS - ok
04:11:04.0960 5504 SensrSvc (0336cffafaab87a11541f1cf1594b2b2) C:\Windows\system32\sensrsvc.dll
04:11:04.0967 5504 SensrSvc - ok
04:11:05.0350 5504 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\drivers\serenum.sys
04:11:05.0352 5504 Serenum - ok
04:11:05.0770 5504 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\drivers\serial.sys
04:11:05.0774 5504 Serial - ok
04:11:07.0234 5504 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\drivers\sermouse.sys
04:11:07.0244 5504 sermouse - ok
04:11:07.0618 5504 SessionEnv (0b6231bf38174a1628c4ac812cc75804) C:\Windows\system32\sessenv.dll
04:11:07.0623 5504 SessionEnv - ok
04:11:08.0005 5504 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\drivers\sffdisk.sys
04:11:08.0008 5504 sffdisk - ok
04:11:08.0644 5504 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\drivers\sffp_mmc.sys
04:11:08.0646 5504 sffp_mmc - ok
04:11:09.0128 5504 sffp_sd (dd85b78243a19b59f0637dcf284da63c) C:\Windows\system32\drivers\sffp_sd.sys
04:11:09.0134 5504 sffp_sd - ok
04:11:09.0668 5504 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\drivers\sfloppy.sys
04:11:09.0671 5504 sfloppy - ok
04:11:09.0966 5504 SharedAccess (b95f6501a2f8b2e78c697fec401970ce) C:\Windows\System32\ipnathlp.dll
04:11:09.0973 5504 SharedAccess - ok
04:11:10.0417 5504 ShellHWDetection (aaf932b4011d14052955d4b212a4da8d) C:\Windows\System32\shsvcs.dll
04:11:10.0425 5504 ShellHWDetection - ok
04:11:10.0793 5504 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\drivers\SiSRaid2.sys
04:11:10.0795 5504 SiSRaid2 - ok
04:11:11.0180 5504 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\drivers\sisraid4.sys
04:11:11.0182 5504 SiSRaid4 - ok
04:11:11.0567 5504 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
04:11:11.0572 5504 Smb - ok
04:11:11.0855 5504 SNMPTRAP (6313f223e817cc09aa41811daa7f541d) C:\Windows\System32\snmptrap.exe
04:11:11.0859 5504 SNMPTRAP - ok
04:11:12.0327 5504 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
04:11:12.0328 5504 spldr - ok
04:11:12.0606 5504 Spooler (b96c17b5dc1424d56eea3a99e97428cd) C:\Windows\System32\spoolsv.exe
04:11:12.0630 5504 Spooler - ok
04:11:12.0987 5504 sppsvc (e17e0188bb90fae42d83e98707efa59c) C:\Windows\system32\sppsvc.exe
04:11:13.0019 5504 sppsvc - ok
04:11:13.0283 5504 sppuinotify (93d7d61317f3d4bc4f4e9f8a96a7de45) C:\Windows\system32\sppuinotify.dll
04:11:13.0288 5504 sppuinotify - ok
04:11:13.0651 5504 srv (441fba48bff01fdb9d5969ebc1838f0b) C:\Windows\system32\DRIVERS\srv.sys
04:11:13.0658 5504 srv - ok
04:11:14.0042 5504 srv2 (b4adebbf5e3677cce9651e0f01f7cc28) C:\Windows\system32\DRIVERS\srv2.sys
04:11:14.0065 5504 srv2 - ok
04:11:14.0559 5504 srvnet (27e461f0be5bff5fc737328f749538c3) C:\Windows\system32\DRIVERS\srvnet.sys
04:11:14.0563 5504 srvnet - ok
04:11:14.0848 5504 SSDPSRV (51b52fbd583cde8aa9ba62b8b4298f33) C:\Windows\System32\ssdpsrv.dll
04:11:14.0854 5504 SSDPSRV - ok
04:11:15.0124 5504 SstpSvc (ab7aebf58dad8daab7a6c45e6a8885cb) C:\Windows\system32\sstpsvc.dll
04:11:15.0129 5504 SstpSvc - ok
04:11:15.0497 5504 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\drivers\stexstor.sys
04:11:15.0500 5504 stexstor - ok
04:11:15.0767 5504 stisvc (8dd52e8e6128f4b2da92ce27402871c1) C:\Windows\System32\wiaservc.dll
04:11:15.0789 5504 stisvc - ok
04:11:16.0195 5504 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\drivers\swenum.sys
04:11:16.0195 5504 swenum - ok
04:11:16.0600 5504 swprv (e08e46fdd841b7184194011ca1955a0b) C:\Windows\System32\swprv.dll
04:11:16.0624 5504 swprv - ok
04:11:17.0060 5504 SynTP (547988596190bb44818b0653f8f7c0d3) C:\Windows\system32\DRIVERS\SynTP.sys
04:11:17.0073 5504 SynTP - ok
04:11:17.0381 5504 SysMain (bf9ccc0bf39b418c8d0ae8b05cf95b7d) C:\Windows\system32\sysmain.dll
04:11:17.0428 5504 SysMain - ok
04:11:17.0699 5504 TabletInputService (e3c61fd7b7c2557e1f1b0b4cec713585) C:\Windows\System32\TabSvc.dll
04:11:17.0703 5504 TabletInputService - ok
04:11:17.0965 5504 TapiSrv (40f0849f65d13ee87b9a9ae3c1dd6823) C:\Windows\System32\tapisrv.dll
04:11:17.0972 5504 TapiSrv - ok
04:11:18.0451 5504 TBS (1be03ac720f4d302ea01d40f588162f6) C:\Windows\System32\tbssvc.dll
04:11:18.0456 5504 TBS - ok
04:11:18.0867 5504 Tcpip (92ce29d95ac9dd2d0ee9061d551ba250) C:\Windows\system32\drivers\tcpip.sys
04:11:18.0918 5504 Tcpip - ok
04:11:19.0362 5504 TCPIP6 (92ce29d95ac9dd2d0ee9061d551ba250) C:\Windows\system32\DRIVERS\tcpip.sys
04:11:19.0378 5504 TCPIP6 - ok
04:11:19.0763 5504 tcpipreg (df687e3d8836bfb04fcc0615bf15a519) C:\Windows\system32\drivers\tcpipreg.sys
04:11:19.0765 5504 tcpipreg - ok
04:11:20.0292 5504 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
04:11:20.0297 5504 TDPIPE - ok
04:11:20.0733 5504 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
04:11:20.0735 5504 TDTCP - ok
04:11:21.0110 5504 tdx (ddad5a7ab24d8b65f8d724f5c20fd806) C:\Windows\system32\DRIVERS\tdx.sys
04:11:21.0113 5504 tdx - ok
04:11:21.0509 5504 TermDD (561e7e1f06895d78de991e01dd0fb6e5) C:\Windows\system32\drivers\termdd.sys
04:11:21.0510 5504 TermDD - ok
04:11:21.0797 5504 TermService (2e648163254233755035b46dd7b89123) C:\Windows\System32\termsrv.dll
04:11:21.0819 5504 TermService - ok
04:11:22.0088 5504 Themes (f0344071948d1a1fa732231785a0664c) C:\Windows\system32\themeservice.dll
04:11:22.0096 5504 Themes - ok
04:11:22.0373 5504 THREADORDER (e40e80d0304a73e8d269f7141d77250b) C:\Windows\system32\mmcss.dll
04:11:22.0375 5504 THREADORDER - ok
04:11:22.0759 5504 TrkWks (7e7afd841694f6ac397e99d75cead49d) C:\Windows\System32\trkwks.dll
04:11:22.0765 5504 TrkWks - ok
04:11:22.0893 5504 TrustedInstaller (773212b2aaa24c1e31f10246b15b276c) C:\Windows\servicing\TrustedInstaller.exe
04:11:22.0896 5504 TrustedInstaller - ok
04:11:23.0202 5504 tssecsrv (ce18b2cdfc837c99e5fae9ca6cba5d30) C:\Windows\system32\DRIVERS\tssecsrv.sys
04:11:23.0205 5504 tssecsrv - ok
04:11:23.0577 5504 TsUsbFlt (d11c783e3ef9a3c52c0ebe83cc5000e9) C:\Windows\system32\drivers\tsusbflt.sys
04:11:23.0580 5504 TsUsbFlt - ok
04:11:23.0941 5504 TsUsbGD (9cc2ccae8a84820eaecb886d477cbcb8) C:\Windows\system32\drivers\TsUsbGD.sys
04:11:23.0944 5504 TsUsbGD - ok
04:11:24.0551 5504 tunnel (3566a8daafa27af944f5d705eaa64894) C:\Windows\system32\DRIVERS\tunnel.sys
04:11:24.0555 5504 tunnel - ok
04:11:25.0058 5504 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\drivers\uagp35.sys
04:11:25.0061 5504 uagp35 - ok
04:11:25.0626 5504 UBHelper (a17d5e1a6df4eab0a480f2c490de4c9d) C:\Windows\system32\drivers\UBHelper.sys
04:11:25.0627 5504 UBHelper - ok
04:11:26.0464 5504 udfs (ff4232a1a64012baa1fd97c7b67df593) C:\Windows\system32\DRIVERS\udfs.sys
04:11:26.0474 5504 udfs - ok
04:11:26.0733 5504 UI0Detect (3cbdec8d06b9968aba702eba076364a1) C:\Windows\system32\UI0Detect.exe
04:11:26.0737 5504 UI0Detect - ok
04:11:27.0225 5504 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\drivers\uliagpkx.sys
04:11:27.0228 5504 uliagpkx - ok
04:11:27.0655 5504 umbus (dc54a574663a895c8763af0fa1ff7561) C:\Windows\system32\DRIVERS\umbus.sys
04:11:27.0657 5504 umbus - ok
04:11:28.0027 5504 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\drivers\umpass.sys
04:11:28.0030 5504 UmPass - ok
04:11:28.0694 5504 upnphost (d47ec6a8e81633dd18d2436b19baf6de) C:\Windows\System32\upnphost.dll
04:11:28.0702 5504 upnphost - ok
04:11:29.0080 5504 usbccgp (6f1a3157a1c89435352ceb543cdb359c) C:\Windows\system32\DRIVERS\usbccgp.sys
04:11:29.0083 5504 usbccgp - ok
04:11:29.0476 5504 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\drivers\usbcir.sys
04:11:29.0479 5504 usbcir - ok
04:11:29.0841 5504 usbehci (c025055fe7b87701eb042095df1a2d7b) C:\Windows\system32\drivers\usbehci.sys
04:11:29.0843 5504 usbehci - ok
04:11:30.0450 5504 usbfilter (573d192e268f0c5b486b7e96f661e538) C:\Windows\system32\DRIVERS\usbfilter.sys
04:11:30.0451 5504 usbfilter - ok
04:11:30.0815 5504 usbhub (287c6c9410b111b68b52ca298f7b8c24) C:\Windows\system32\drivers\usbhub.sys
04:11:30.0825 5504 usbhub - ok
04:11:31.0190 5504 usbohci (9840fc418b4cbd632d3d0a667a725c31) C:\Windows\system32\drivers\usbohci.sys
04:11:31.0190 5504 usbohci - ok
04:11:31.0580 5504 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\drivers\usbprint.sys
04:11:31.0580 5504 usbprint - ok
04:11:31.0955 5504 USBSTOR (fed648b01349a3c8395a5169db5fb7d6) C:\Windows\system32\drivers\USBSTOR.SYS
04:11:31.0970 5504 USBSTOR - ok
04:11:32.0501 5504 usbuhci (62069a34518bcf9c1fd9e74b3f6db7cd) C:\Windows\system32\drivers\usbuhci.sys
04:11:32.0501 5504 usbuhci - ok
04:11:32.0885 5504 usbvideo (454800c2bc7f3927ce030141ee4f4c50) C:\Windows\system32\Drivers\usbvideo.sys
04:11:32.0885 5504 usbvideo - ok
04:11:33.0135 5504 UxSms (edbb23cbcf2cdf727d64ff9b51a6070e) C:\Windows\System32\uxsms.dll
04:11:33.0135 5504 UxSms - ok
04:11:33.0405 5504 VaultSvc (0793f40b9b8a1bdd266296409dbd91ea) C:\Windows\system32\lsass.exe
04:11:33.0405 5504 VaultSvc - ok
04:11:33.0815 5504 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\drivers\vdrvroot.sys
04:11:33.0815 5504 vdrvroot - ok
04:11:34.0185 5504 vds (8d6b481601d01a456e75c3210f1830be) C:\Windows\System32\vds.exe
04:11:34.0195 5504 vds - ok
04:11:34.0585 5504 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
04:11:34.0595 5504 vga - ok
04:11:34.0955 5504 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
04:11:34.0955 5504 VgaSave - ok
04:11:35.0465 5504 vhdmp (2ce2df28c83aeaf30084e1b1eb253cbb) C:\Windows\system32\drivers\vhdmp.sys
04:11:35.0465 5504 vhdmp - ok
04:11:35.0845 5504 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\drivers\viaide.sys
04:11:35.0855 5504 viaide - ok
04:11:36.0625 5504 volmgr (d2aafd421940f640b407aefaaebd91b0) C:\Windows\system32\drivers\volmgr.sys
04:11:36.0625 5504 volmgr - ok
04:11:37.0095 5504 volmgrx (a255814907c89be58b79ef2f189b843b) C:\Windows\system32\drivers\volmgrx.sys
04:11:37.0105 5504 volmgrx - ok
04:11:37.0675 5504 volsnap (0d08d2f3b3ff84e433346669b5e0f639) C:\Windows\system32\drivers\volsnap.sys
04:11:37.0685 5504 volsnap - ok
04:11:38.0095 5504 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\drivers\vsmraid.sys
04:11:38.0265 5504 vsmraid - ok
04:11:38.0723 5504 VSS (b60ba0bc31b0cb414593e169f6f21cc2) C:\Windows\system32\vssvc.exe
04:11:38.0769 5504 VSS - ok
04:11:39.0158 5504 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\system32\DRIVERS\vwifibus.sys
04:11:39.0159 5504 vwifibus - ok
04:11:39.0545 5504 vwififlt (6a3d66263414ff0d6fa754c646612f3f) C:\Windows\system32\DRIVERS\vwififlt.sys
04:11:39.0555 5504 vwififlt - ok
04:11:39.0946 5504 W32Time (1c9d80cc3849b3788048078c26486e1a) C:\Windows\system32\w32time.dll
04:11:39.0956 5504 W32Time - ok
04:11:40.0678 5504 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\drivers\wacompen.sys
04:11:40.0680 5504 WacomPen - ok
04:11:41.0076 5504 WANARP (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
04:11:41.0079 5504 WANARP - ok
04:11:41.0099 5504 Wanarpv6 (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
04:11:41.0099 5504 Wanarpv6 - ok
04:11:41.0387 5504 wbengine (78f4e7f5c56cb9716238eb57da4b6a75) C:\Windows\system32\wbengine.exe
04:11:41.0434 5504 wbengine - ok
04:11:41.0702 5504 WbioSrvc (3aa101e8edab2db4131333f4325c76a3) C:\Windows\System32\wbiosrvc.dll
04:11:41.0708 5504 WbioSrvc - ok
04:11:41.0962 5504 wcncsvc (7368a2afd46e5a4481d1de9d14848edd) C:\Windows\System32\wcncsvc.dll
04:11:41.0971 5504 wcncsvc - ok
04:11:42.0701 5504 WcsPlugInService (20f7441334b18cee52027661df4a6129) C:\Windows\System32\WcsPlugInService.dll
04:11:42.0705 5504 WcsPlugInService - ok
04:11:43.0334 5504 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\drivers\wd.sys
04:11:43.0353 5504 Wd - ok
04:11:43.0743 5504 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
04:11:43.0752 5504 Wdf01000 - ok
04:11:44.0017 5504 WdiServiceHost (bf1fc3f79b863c914687a737c2f3d681) C:\Windows\system32\wdi.dll
04:11:44.0022 5504 WdiServiceHost - ok
04:11:44.0029 5504 WdiSystemHost (bf1fc3f79b863c914687a737c2f3d681) C:\Windows\system32\wdi.dll
04:11:44.0032 5504 WdiSystemHost - ok
04:11:44.0489 5504 WebClient (3db6d04e1c64272f8b14eb8bc4616280) C:\Windows\System32\webclnt.dll
04:11:44.0496 5504 WebClient - ok
04:11:44.0788 5504 Wecsvc (c749025a679c5103e575e3b48e092c43) C:\Windows\system32\wecsvc.dll
04:11:44.0798 5504 Wecsvc - ok
04:11:45.0047 5504 wercplsupport (7e591867422dc788b9e5bd337a669a08) C:\Windows\System32\wercplsupport.dll
04:11:45.0051 5504 wercplsupport - ok
04:11:45.0319 5504 WerSvc (6d137963730144698cbd10f202e9f251) C:\Windows\System32\WerSvc.dll
04:11:45.0324 5504 WerSvc - ok
04:11:45.0720 5504 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
04:11:45.0722 5504 WfpLwf - ok
04:11:46.0413 5504 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
04:11:46.0416 5504 WIMMount - ok
04:11:46.0480 5504 WinDefend - ok
04:11:46.0492 5504 WinHttpAutoProxySvc - ok
04:11:46.0859 5504 Winmgmt (19b07e7e8915d701225da41cb3877306) C:\Windows\system32\wbem\WMIsvc.dll
04:11:46.0863 5504 Winmgmt - ok
04:11:47.0162 5504 WinRM (bcb1310604aa415c4508708975b3931e) C:\Windows\system32\WsmSvc.dll
04:11:47.0223 5504 WinRM - ok
04:11:47.0518 5504 Wlansvc (4fada86e62f18a1b2f42ba18ae24e6aa) C:\Windows\System32\wlansvc.dll
04:11:47.0552 5504 Wlansvc - ok
04:11:47.0664 5504 wlcrasvc (06c8fa1cf39de6a735b54d906ba791c6) C:\Program Files\Windows Live\Mesh\wlcrasvc.exe
04:11:47.0667 5504 wlcrasvc - ok
04:11:47.0847 5504 wlidsvc (7e47c328fc4768cb8beafbcfafa70362) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
04:11:47.0905 5504 wlidsvc - ok
04:11:48.0835 5504 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\drivers\wmiacpi.sys
04:11:48.0836 5504 WmiAcpi - ok
04:11:49.0275 5504 wmiApSrv (38b84c94c5a8af291adfea478ae54f93) C:\Windows\system32\wbem\WmiApSrv.exe
04:11:49.0279 5504 wmiApSrv - ok
04:11:49.0331 5504 WMPNetworkSvc - ok
04:11:49.0584 5504 WPCSvc (96c6e7100d724c69fcf9e7bf590d1dca) C:\Windows\System32\wpcsvc.dll
04:11:49.0588 5504 WPCSvc - ok
04:11:49.0852 5504 WPDBusEnum (93221146d4ebbf314c29b23cd6cc391d) C:\Windows\system32\wpdbusenum.dll
04:11:49.0857 5504 WPDBusEnum - ok
04:11:50.0553 5504 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
04:11:50.0555 5504 ws2ifsl - ok
04:11:50.0820 5504 wscsvc (e8b1fe6669397d1772d8196df0e57a9e) C:\Windows\system32\wscsvc.dll
04:11:50.0825 5504 wscsvc - ok
04:11:51.0064 5504 WSearch - ok
04:11:51.0375 5504 wuauserv (9df12edbc698b0bc353b3ef84861e430) C:\Windows\system32\wuaueng.dll
04:11:51.0456 5504 wuauserv - ok
04:11:51.0831 5504 WudfPf (d3381dc54c34d79b22cee0d65ba91b7c) C:\Windows\system32\drivers\WudfPf.sys
04:11:51.0831 5504 WudfPf - ok
04:11:52.0506 5504 WUDFRd (cf8d590be3373029d57af80914190682) C:\Windows\system32\DRIVERS\WUDFRd.sys
04:11:52.0510 5504 WUDFRd - ok
04:11:52.0810 5504 wudfsvc (7a95c95b6c4cf292d689106bcae49543) C:\Windows\System32\WUDFSvc.dll
04:11:52.0825 5504 wudfsvc - ok
04:11:53.0092 5504 WwanSvc (9a3452b3c2a46c073166c5cf49fad1ae) C:\Windows\System32\wwansvc.dll
04:11:53.0099 5504 WwanSvc - ok
04:11:53.0155 5504 MBR (0x1B8) (faee7e40dfb0440ad2cfc39befa1f4c2) \Device\Harddisk0\DR0
04:11:53.0186 5504 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
04:11:53.0187 5504 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
04:11:53.0217 5504 Boot (0x1200) (4e5ce9d1ec93cac1e25e31e92394c508) \Device\Harddisk0\DR0\Partition0
04:11:53.0222 5504 \Device\Harddisk0\DR0\Partition0 - ok
04:11:53.0240 5504 Boot (0x1200) (b69e6f4e3842055a4392a5fea372ab76) \Device\Harddisk0\DR0\Partition1
04:11:53.0243 5504 \Device\Harddisk0\DR0\Partition1 - ok
04:11:53.0244 5504 ============================================================
04:11:53.0244 5504 Scan finished
04:11:53.0244 5504 ============================================================
04:11:53.0258 5048 Detected object count: 1
04:11:53.0258 5048 Actual detected object count: 1
04:12:02.0902 5048 \Device\Harddisk0\DR0\# - copied to quarantine
04:12:02.0902 5048 \Device\Harddisk0\DR0 - copied to quarantine
04:12:03.0026 5048 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
04:12:03.0031 5048 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
04:12:03.0041 5048 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
04:12:03.0057 5048 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
04:12:03.0088 5048 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
04:12:03.0107 5048 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
04:12:03.0109 5048 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
04:12:03.0110 5048 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
04:12:03.0113 5048 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
04:12:03.0117 5048 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
04:12:03.0121 5048 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
04:12:03.0123 5048 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
04:12:03.0160 5048 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
04:12:03.0163 5048 \Device\Harddisk0\DR0 - ok
04:12:03.0286 5048 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
04:12:21.0525 5792 Deinitialize success

Edited by NataleAnne, 12 April 2012 - 04:24 AM.


#6 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:23 AM

Posted 12 April 2012 - 03:48 AM

Yes, it removed a rootkit. Let me have the aswMBR report when ready.



gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 NataleAnne


Posted 12 April 2012 - 04:15 AM

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-12 04:24:33
-----------------------------
04:24:33.308 OS Version: Windows x64 6.1.7601 Service Pack 1
04:24:33.308 Number of processors: 4 586 0x100
04:24:33.308 ComputerName: NATBOOK UserName: Natale
04:24:34.665 Initialize success
04:25:04.978 AVAST engine defs: 12041101
04:25:45.085 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000062
04:25:45.085 Disk 0 Vendor: ST950032 0001 Size: 476940MB BusType: 11
04:25:45.117 Disk 0 MBR read successfully
04:25:45.117 Disk 0 MBR scan
04:25:45.132 Disk 0 Windows XP default MBR code
04:25:45.148 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 15500 MB offset 2048
04:25:45.163 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 31746048
04:25:45.179 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 461338 MB offset 31950848
04:25:45.226 Disk 0 scanning C:\Windows\system32\drivers
04:25:53.073 Service scanning
04:26:18.875 Modules scanning
04:26:18.891 Disk 0 trace - called modules:
04:26:18.906 ntoskrnl.exe CLASSPNP.SYS disk.sys amd_xata.sys ACPI.sys storport.sys hal.dll amd_sata.sys
04:26:18.906 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004710060]
04:26:18.922 3 CLASSPNP.SYS[fffff8800196743f] -> nt!IofCallDriver -> [0xfffffa80036beac0]
04:26:18.922 5 amd_xata.sys[fffff8800114ea1d] -> nt!IofCallDriver -> [0xfffffa80040d8970]
04:26:18.937 7 ACPI.sys[fffff88000efd7a1] -> nt!IofCallDriver -> \Device\00000062[0xfffffa80040d6060]
04:26:20.279 AVAST engine scan C:\Windows
04:26:25.458 AVAST engine scan C:\Windows\system32
04:28:58.042 AVAST engine scan C:\Windows\system32\drivers
04:29:07.855 AVAST engine scan C:\Users\Natale
04:29:42.596 AVAST engine scan C:\ProgramData
04:30:00.442 Scan finished successfully
04:47:18.842 Disk 0 MBR has been saved successfully to "C:\Users\Natale\Desktop\MBR.dat"
04:47:18.842 The log file has been saved successfully to "C:\Users\Natale\Desktop\aswMBR.txt"

#8 gringo_pr


Posted 12 April 2012 - 07:33 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

In your next post I need the following:

  • report from ComboFix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#9 NataleAnne


Posted 13 April 2012 - 12:40 AM

I had the same illegal operation popup that prevented me from opening the web browser after ComboFix was done. I restarted the computer and now everything's running properly.

Here's the log:
ComboFix 12-04-12.01 - Natale 04/13/2012 0:46.2.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3558.2233 [GMT -4:00]
Running from: c:\users\Natale\Desktop\ComboFix.exe
Command switches used :: c:\users\Natale\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\svchost.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-03-13 to 2012-04-13 )))))))))))))))))))))))))))))))
.
.
2012-04-13 04:56 . 2012-04-13 04:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-13 03:37 . 2012-03-20 07:51 8669240 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1A791B5F-EDFE-4FDB-809E-B512B1120424}\mpengine.dll
2012-04-12 08:12 . 2012-04-12 08:12 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-12 08:11 . 2012-04-12 08:11 -------- d-----w- c:\windows\NAPP_Dism_Log
2012-04-12 08:08 . 2012-04-12 08:08 995328 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\VGX.dll
2012-04-12 08:04 . 2010-12-02 03:08 281168 ----a-w- c:\windows\UNINSTLMv4.EXE
2012-04-12 08:02 . 2011-05-26 09:08 58880 ----a-w- c:\windows\system32\coinst.dll
2012-04-12 08:01 . 2011-05-10 07:36 494632 ----a-w- c:\windows\WisMvImg.exe
2012-04-12 08:01 . 2011-05-03 11:25 518184 ----a-w- c:\windows\WGRegOfPEX64.exe
2012-04-12 08:01 . 2011-07-23 22:12 434728 ----a-w- c:\windows\WisGAPasx64.exe
2012-04-12 08:01 . 2009-10-27 18:46 342560 ----a-w- c:\windows\ParseModule_X64.exe
2012-04-12 08:01 . 2011-07-23 22:12 357416 ----a-w- c:\windows\WisGAPas.exe
2012-04-12 08:01 . 2009-10-27 18:46 231968 ----a-w- c:\windows\ParseModule_X86.exe
2012-04-12 08:01 . 2009-10-20 14:50 433952 ----a-w- c:\windows\CAPSULE.DLL
2012-04-12 07:49 . 2012-04-12 07:53 -------- d-----w- c:\programdata\clear.fi
2012-04-12 07:47 . 2010-10-09 06:31 101888 ----a-w- c:\programdata\Microsoft\OEMOffice14\OOBE\oobe-x-none.msp
2012-04-12 07:47 . 2010-06-23 10:42 2376704 ----a-w- c:\programdata\Microsoft\OEMOffice14\OOBE\oobe.msi
2012-04-12 07:47 . 2010-03-30 18:18 33000960 ----a-w- c:\programdata\Microsoft\OEMOffice14\OStarter\en-us\click2run64.msi
2012-04-12 07:47 . 2010-03-30 18:14 26051072 ----a-w- c:\programdata\Microsoft\OEMOffice14\OStarter\en-us\click2run.msi
2012-04-12 07:47 . 2012-04-12 07:47 -------- d-----w- C:\BOOK
2012-04-12 07:46 . 2012-04-12 07:47 -------- d-----w- c:\windows\OEMTemp
2012-04-12 07:45 . 2012-04-12 07:46 -------- d-----w- c:\programdata\CLSK
2012-04-12 07:44 . 2012-04-12 07:44 -------- d-----w- c:\program files (x86)\Cyberlink
2012-04-12 07:43 . 2012-04-12 07:46 -------- d-----w- c:\programdata\CyberLink
2012-04-12 07:41 . 2012-04-12 07:41 -------- d-----w- c:\program files (x86)\Microsoft
2012-04-12 07:40 . 2012-04-12 07:40 -------- d-----r- c:\program files (x86)\Skype
2012-04-12 07:40 . 2012-04-12 07:40 -------- d-----w- c:\programdata\Skype
2012-04-12 07:39 . 2012-04-12 07:39 0 ----a-w- c:\windows\ativpsrm.bin
2012-04-12 07:31 . 2012-04-12 07:31 -------- d-----w- c:\program files (x86)\Launch Manager
2012-04-12 07:30 . 2012-04-12 07:30 -------- d-----w- c:\program files\Synaptics
2012-04-12 07:27 . 2009-12-03 23:28 27648 ------w- c:\windows\SysWow64\agrsco64.dll
2012-04-12 07:27 . 2009-12-03 23:28 64000 ------w- c:\windows\SysWow64\agrsmdel.exe
2012-04-12 07:27 . 2012-04-12 07:27 -------- d-----w- c:\windows\Options
2012-04-12 07:25 . 2011-08-24 21:14 1698408 ----a-w- c:\windows\RtlExUpd.dll
2012-04-12 07:25 . 2012-04-12 07:25 -------- d-----w- c:\program files (x86)\Common Files\InstallShield
2012-04-12 07:25 . 2012-04-12 07:25 -------- d-----w- c:\program files (x86)\AMD APP
2012-04-12 07:25 . 2012-04-12 07:25 -------- d-----w- c:\program files\Common Files\ATI Technologies
2012-04-12 07:25 . 2012-04-12 07:25 -------- d-----w- c:\program files (x86)\Common Files\ATI Technologies
2012-04-12 07:24 . 2012-04-12 07:24 -------- dc----w- c:\windows\system32\DRVSTORE
2012-04-12 07:24 . 2010-12-16 07:06 47232 ----a-w- c:\windows\system32\drivers\usbfilter.sys
2012-04-12 07:24 . 2012-04-12 07:24 -------- d-----w- c:\program files\ATI
2012-04-12 07:24 . 2012-04-12 07:25 -------- d-----w- c:\program files (x86)\ATI Technologies
2012-04-12 07:20 . 2011-07-09 02:46 288768 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2012-04-12 07:20 . 2011-06-11 03:07 3137536 ----a-w- c:\windows\system32\win32k.sys
2012-04-12 07:18 . 2011-06-03 06:44 4096 ---ha-w- c:\windows\system32\api-ms-win-core-localization-l1-1-0.dll
2012-04-12 05:12 . 2012-04-12 05:12 -------- d-----w- c:\program files (x86)\OEM
2012-04-12 05:11 . 2012-04-12 05:11 -------- d-----w- c:\programdata\OEM_E471269A730D
2012-04-12 05:11 . 2012-04-12 05:11 -------- d-----w- c:\program files (x86)\Times Reader
2012-04-12 05:11 . 2012-04-12 05:11 -------- d-----w- c:\program files (x86)\Common Files\Adobe AIR
2012-04-12 05:10 . 2012-04-12 05:10 -------- d-----w- c:\program files (x86)\Barnes & Noble
2012-04-12 05:09 . 2012-04-12 05:09 -------- d-----w- c:\program files\Preload
2012-04-12 05:08 . 2012-04-12 05:08 -------- d-----w- c:\program files (x86)\AMD
2012-04-12 05:07 . 2012-04-12 05:08 -------- d-----w- c:\users\Natale
2012-04-12 05:07 . 2012-04-12 05:07 -------- d-----w- C:\Recovery
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-23 14:18 . 2010-11-21 03:27 279656 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-12_07.38.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-12 06:28 . 2012-04-12 07:46 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012041220120413\index.dat
- 2012-04-12 06:28 . 2012-04-12 08:04 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012041220120413\index.dat
+ 2012-04-12 05:08 . 2012-04-12 07:46 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
- 2012-04-12 05:08 . 2012-04-12 08:04 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2012-04-12 07:01 . 2012-04-13 03:22 90458 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2010-11-21 03:09 . 2012-04-12 08:15 37116 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-04-12 08:15 34410 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2012-04-12 05:35 . 2012-04-12 08:04 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-04-12 05:35 . 2012-04-12 07:45 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-04-12 05:35 . 2012-04-12 07:45 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2012-04-12 05:35 . 2012-04-12 08:04 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2012-04-12 05:35 . 2012-04-12 08:04 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-04-12 05:35 . 2012-04-12 07:45 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-04-12 05:09 . 2012-04-12 08:15 2060 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-982396646-1195641751-842613715-1000_UserData.bin
+ 2012-04-13 04:58 . 2012-04-13 04:58 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-04-12 07:37 . 2012-04-12 07:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-04-13 04:58 . 2012-04-13 04:58 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-04-12 07:37 . 2012-04-12 07:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-04-12 07:28 . 2012-04-12 07:46 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2012-04-12 07:28 . 2012-04-12 08:04 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 04:54 . 2012-04-12 07:46 163840 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 05:01 . 2012-04-13 04:57 243280 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-04-12 07:36 243280 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-04-12 07:36 . 2012-04-12 08:12 244048 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-18-16384.dat
- 2012-04-12 07:36 . 2012-04-12 07:36 244048 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-18-16384.dat
+ 2009-07-14 04:54 . 2012-04-12 07:46 4882432 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-04-12 07:46 2768896 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-04-12 07:36 . 2012-04-13 04:57 4517152 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-982396646-1195641751-842613715-1000-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Norton Online Backup"="c:\program files (x86)\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-01 1155928]
"BackupManagerTray"="c:\program files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe" [2011-04-24 297280]
"SuiteTray"="c:\program files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe" [2011-04-02 340848]
"EgisTecPMMUpdate"="c:\program files (x86)\EgisTec IPS\PmmUpdate.exe" [2011-03-29 408432]
"EgisUpdate"="c:\program files (x86)\EgisTec IPS\EgisUpdate.exe" [2011-03-29 202608]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-05-26 336384]
"Dolby Advanced Audio v2"="c:\dolby pcee4\pcee4.exe" [2011-06-01 506712]
"LManager"="c:\program files (x86)\Launch Manager\LManager.exe" [2011-03-15 1081424]
"ArcadeMovieService"="c:\program files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe" [2011-05-10 177448]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"IsMyWinLockerReboot"="msiexec.exe" [2010-11-21 73216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 0280081334207274mcinstcleanup;McAfee Application Installer Cleanup (0280081334207274);c:\windows\TEMP\028008~1.EXE [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-06-07 191752]
R3 EgisTec Ticket Service;EgisTec Ticket Service;c:\program files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe [2011-04-02 173424]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 57184]
S0 amd_sata;amd_sata;c:\windows\system32\DRIVERS\amd_sata.sys [x]
S0 amd_xata;amd_xata;c:\windows\system32\DRIVERS\amd_xata.sys [x]
S1 mwlPSDFilter;mwlPSDFilter;c:\windows\system32\DRIVERS\mwlPSDFilter.sys [x]
S1 mwlPSDNServ;mwlPSDNServ;c:\windows\system32\DRIVERS\mwlPSDNServ.sys [x]
S1 mwlPSDVDisk;mwlPSDVDisk;c:\windows\system32\DRIVERS\mwlPSDVDisk.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-05-12 249648]
S2 DsiWMIService;Dritek WMI Service;c:\program files (x86)\Launch Manager\dsiwmis.exe [2011-03-15 352336]
S2 ePowerSvc;Acer ePower Service;c:\program files\Acer\Acer ePower Management\ePowerSvc.exe [2011-05-10 872552]
S2 GREGService;GREGService;c:\program files (x86)\Acer\Registration\GREGsvc.exe [2011-01-18 39528]
S2 Live Updater Service;Live Updater Service;c:\program files\Acer\Acer Updater\UpdaterService.exe [2011-04-22 244624]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~2\mcafee\SITEAD~1\McSACore.exe [2011-02-16 101048]
S2 NOBU;Norton Online Backup;c:\program files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe [2011-04-24 256832]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW76.sys [x]
S3 b57xdbd;Broadcom xD Picture Bus Driver Service;c:\windows\system32\DRIVERS\b57xdbd.sys [x]
S3 b57xdmp;Broadcom xD Picture vstorp client drv;c:\windows\system32\DRIVERS\b57xdmp.sys [x]
S3 bScsiMSa;bScsiMSa;c:\windows\system32\DRIVERS\bScsiMSa.sys [x]
S3 bScsiSDa;bScsiSDa;c:\windows\system32\DRIVERS\bScsiSDa.sys [x]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [x]
S3 usbfilter;AMD USB Filter Driver;c:\windows\system32\DRIVERS\usbfilter.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-982396646-1195641751-842613715-1000Core.job
- c:\users\Natale\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-13 04:42]
.
2012-04-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-982396646-1195641751-842613715-1000UA.job
- c:\users\Natale\AppData\Local\Google\Update\GoogleUpdate.exe [2012-04-13 04:42]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-08-26 12681320]
"RtHDVBg_Dolby"="c:\program files\Realtek\Audio\HDA\RAVBg64.exe" [2011-08-16 2277480]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"Power Management"="c:\program files\Acer\Acer ePower Management\ePowerTray.exe" [2011-05-10 1831528]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://acer.msn.com
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://acer.msn.com
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10u_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10u.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Launch Manager\LMutilps32.exe
c:\windows\SysWOW64\rundll32.exe
c:\program files (x86)\Acer\clear.fi\MVP\clear.fiAgent.exe
c:\program files (x86)\Acer\clear.fi\MVP\.\Kernel\DMR\DMREngine.exe
.
**************************************************************************
.
Completion time: 2012-04-13 01:15:19 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-13 05:15
ComboFix2.txt 2012-04-12 07:43
.
Pre-Run: 452,113,809,408 bytes free
Post-Run: 451,872,710,656 bytes free
.
- - End Of File - - 144A2B14FA9753278B064DAF26318AC0

#10 gringo_pr


Posted 13 April 2012 - 02:37 AM

Hello

I would like to see a report that ComboFix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 NataleAnne

NataleAnne
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Upstate New York
  • Local time:08:23 AM

Posted 13 April 2012 - 12:06 PM

Here's the report. I don't know and don't use the games that are listed here or the bing bar... they just come automatically with the laptop.

Acer Backup Manager
Acer Crystal Eye Webcam
Acer ePower Management
Acer eRecovery Management
Acer Games
Acer Registration
Acer ScreenSaver
Acer Updater
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader X MUI
Agatha Christie - Death on the Nile
AMD System Monitor
AMD VISION Engine Control Center
Backup Manager V3
Bejeweled 2 Deluxe
Bing Bar
Build-a-lot 4 - Power Source
Catalyst Control Center - Branding
Catalyst Control Center Graphics Previews Common
Catalyst Control Center InstallProxy
Catalyst Control Center Localization All
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
Chronicles of Albian
Chuzzle Deluxe
clear.fi
clear.fi Client
Cradle of Rome 2
D3DX10
Dolby Advanced Audio v2
Dora's World Adventure
eBay Worldwide
FATE: The Cursed King
Final Drive: Nitro
Galerie de photos Windows Live
Google Chrome
Governor of Poker 2 Premium Edition
Identity Card
Jewel Match 3
Junk Mail filter update
Launch Manager
Mesh Runtime
Microsoft Office 2010
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
MSVCRT
MSVCRT_amd64
Mystery of Mortlake Mansion
MyWinLocker 4
MyWinLocker Suite
newsXpresso
NOOK for PC
Norton Online Backup
NTI Media Maker 9
Penguins!
Plants vs. Zombies - Game of the Year
Polar Bowler
Polar Golfer
Realtek High Definition Audio Driver
Shredder
Skype™ 5.3
Times Reader
Torchlight
Update Installer for WildTangent Games App
Virtual Villagers 5 - New Believers
Welcome Center
WildTangent Games App (Acer Games)
Windows Live
Windows Live Communications Platform
Windows Live Essentials
Windows Live Installer
Windows Live Mail
Windows Live Mesh
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Zuma's Revenge

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:23 AM

Posted 13 April 2012 - 03:16 PM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in add/remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using add/remove, or you can use the free uninstaller from Revo (it does a lot better of a job).

Programs to remove

Bing Bar


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.


Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#13 NataleAnne

NataleAnne
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Upstate New York
  • Local time:08:23 AM

Posted 13 April 2012 - 08:38 PM

1. MBAM Log

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.13.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Natale :: NATBOOK [administrator]

4/13/2012 9:24:51 PM
mbam-log-2012-04-13 (21-24-51).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 195350
Time elapsed: 1 minute(s), 54 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

2. HijackThis Report

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:36:15 PM, on 4/13/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe
C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe
C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe
C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe
C:\Program Files (x86)\Launch Manager\LMworker.exe
C:\Program Files (x86)\Acer\clear.fi\MVP\clear.fiAgent.exe
C:\Program Files (x86)\Acer\clear.fi\MVP\.\Kernel\DMR\DMREngine.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Users\Natale\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Natale\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Natale\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Natale\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Users\Natale\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://acer.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://acer.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
O4 - HKLM\..\Run: [BackupManagerTray] "C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe" -h -k
O4 - HKLM\..\Run: [SuiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe"
O4 - HKLM\..\Run: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe"
O4 - HKLM\..\Run: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Dolby Advanced Audio v2] "C:\Dolby PCEE4\pcee4.exe" -autostart
O4 - HKLM\..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
O4 - HKLM\..\Run: [ArcadeMovieService] "C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKUS\S-1-5-18\..\RunOnce: [IsMyWinLockerReboot] msiexec.exe /qn /x{voidguid} (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [IsMyWinLockerReboot] msiexec.exe /qn /x{voidguid} (User 'Default user')
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Dritek WMI Service (DsiWMIService) - Dritek System Inc. - C:\Program Files (x86)\Launch Manager\dsiwmis.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: EgisTec Ticket Service - Egis Technology Inc. - C:\Program Files (x86)\Common Files\EgisTec\Services\EgisTicketService.exe
O23 - Service: Acer ePower Service (ePowerSvc) - Acer Incorporated - C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GamesAppService - WildTangent, Inc. - C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe
O23 - Service: GREGService - Acer Incorporated - C:\Program Files (x86)\Acer\Registration\GREGsvc.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Live Updater Service - Acer Incorporated - C:\Program Files\Acer\Acer Updater\UpdaterService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - c:\PROGRA~2\mcafee\SITEAD~1\McSACore.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Norton Online Backup (NOBU) - Symantec Corporation - C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
O23 - Service: NTI IScheduleSvc - NTI Corporation - C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9169 bytes

3. I didn't run into any problems; I had to run Hijackthis in the way described in the **NOTE section of your reply.
4. My computer is running fantastically :)
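An added illustration, not part of the thread and not code from HijackThis or Malwarebytes: a small Python triage helper for the O4 (autostart) and O23 (service) lines of a HijackThis log like the one posted above. It extracts the image path from each Run-key command and flags unquoted paths that contain spaces, and it separates "(file missing)" services under C:\Windows\System32 from other missing files. HijackThis 2.0.4 is a 32-bit program, and on 64-bit Windows its lookups under System32 are redirected to SysWOW64 by WOW64, which is why native 64-bit service binaries show as missing with an unknown owner; everything else reported missing still merits a look. The sample lines are excerpted from the posted log; the verdict labels and the heuristics are this example's own.

```python
import re

# Sample input: O4 (autostart) and O23 (service) lines excerpted from the
# HijackThis log posted in this thread.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [Norton Online Backup] C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuClient.exe
O4 - HKLM\..\Run: [BackupManagerTray] "C:\Program Files (x86)\NTI\Acer Backup Manager\BackupManagerTray.exe" -h -k
O4 - HKLM\..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKUS\S-1-5-18\..\RunOnce: [IsMyWinLockerReboot] msiexec.exe /qn /x{voidguid} (User 'SYSTEM')
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Dritek WMI Service (DsiWMIService) - Dritek System Inc. - C:\Program Files (x86)\Launch Manager\dsiwmis.exe
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
"""

# O4 - <hive>\..\<key>: [<name>] <command> [(User '<user>')]
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<command>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# O23 - Service: <display> - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)


def executable_from_command(command):
    """Return the image path of a Run-key command line.

    A quoted command ends at its closing quote; for an unquoted one we cut
    after the first '.exe' token, which is the usual shape in these logs."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(?i)^(.*?\.exe)(?=\s|$)", command)
    return m.group(1) if m else command.split(" ")[0]


def run_entry(m):
    command = m.group("command")
    exe = executable_from_command(command)
    flags = []
    # An unquoted image path with spaces is ambiguous to CreateProcess and is a
    # standard hygiene finding regardless of which vendor wrote the entry.
    if not command.startswith('"') and " " in exe:
        flags.append("unquoted path with spaces")
    return {"hive": m.group("hive"), "key": m.group("key"), "name": m.group("name"),
            "executable": exe, "user": m.group("user"), "flags": flags}


def service_verdict(owner, path, missing):
    if not missing:
        return "present"
    # 32-bit HijackThis on 64-bit Windows: System32 lookups are redirected to
    # SysWOW64, so native 64-bit service binaries look missing with no owner.
    if owner == "Unknown owner" and path.lower().startswith("c:\\windows\\system32\\"):
        return "likely-wow64-redirection-artifact"
    return "file-missing-investigate"


def service_entry(m):
    missing = m.group("missing") is not None
    return {"display": m.group("display"), "owner": m.group("owner"),
            "path": m.group("path"), "missing": missing,
            "verdict": service_verdict(m.group("owner"), m.group("path"), missing)}


def triage_hijackthis(text):
    """Parse O4/O23 lines into a report; anything else is kept under 'unparsed'."""
    report = {"run": [], "services": [], "unparsed": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if (m := O4_RE.match(line)):
            report["run"].append(run_entry(m))
        elif (m := O23_RE.match(line)):
            report["services"].append(service_entry(m))
        else:
            report["unparsed"].append(line)
    return report


if __name__ == "__main__":
    rep = triage_hijackthis(SAMPLE_HJT_LOG)
    for e in rep["run"]:
        print(f"O4  {e['hive']}\\{e['key']} [{e['name']}] -> {e['executable']} {e['flags']}")
    for s in rep["services"]:
        print(f"O23 {s['display']} -> {s['path']} [{s['verdict']}]")
```

The redirection verdict is deliberately narrow (unknown owner plus a System32 path); a missing binary anywhere else is left for the analyst, since a Run or service entry pointing at a file that is really gone is exactly the residue a cleanup leaves behind.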

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:23 AM

Posted 13 April 2012 - 09:01 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to; you can start any of them from their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [SuiteTray] "C:\Program Files (x86)\EgisTec MyWinLockerSuite\x86\SuiteTray.exe"
      O4 - HKLM\..\Run: [EgisTecPMMUpdate] "C:\Program Files (x86)\EgisTec IPS\PmmUpdate.exe"
      O4 - HKLM\..\Run: [EgisUpdate] "C:\Program Files (x86)\EgisTec IPS\EgisUpdate.exe" -d
      O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
      O4 - HKLM\..\Run: [ArcadeMovieService] "C:\Program Files (x86)\Acer\clear.fi\Movie\clear.fiMovieService.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
      O4 - HKUS\S-1-5-18\..\RunOnce: [IsMyWinLockerReboot] msiexec.exe /qn /x{voidguid} (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\RunOnce: [IsMyWinLockerReboot] msiexec.exe /qn /x{voidguid} (User 'Default user')
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7: right click on the IE shortcut and run as admin

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo

#15 NataleAnne

NataleAnne
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Upstate New York
  • Local time:08:23 AM

Posted 13 April 2012 - 10:45 PM

Uh oh... it says there are 8 infected files still :(


C:\TDSSKiller_Quarantine\12.04.2012_04.08.36\mbr0000\tdlfs0000\tsk0000.dta Win32/Olmarik.AWO trojan
C:\TDSSKiller_Quarantine\12.04.2012_04.08.36\mbr0000\tdlfs0000\tsk0001.dta Win64/Olmarik.AD trojan
C:\TDSSKiller_Quarantine\12.04.2012_04.08.36\mbr0000\tdlfs0000\tsk0002.dta Win32/Olmarik.AYH trojan
C:\TDSSKiller_Quarantine\12.04.2012_04.08.36\mbr0000\tdlfs0000\tsk0003.dta Win64/Olmarik.AG trojan
C:\TDSSKiller_Quarantine\12.04.2012_04.08.36\mbr0000\tdlfs0000\tsk0004.dta a variant of Win32/Rootkit.Kryptik.KS trojan
C:\TDSSKiller_Quarantine\12.04.2012_04.08.36\mbr0000\tdlfs0000\tsk0005.dta Win64/Olmarik.AF trojan
C:\TDSSKiller_Quarantine\12.04.2012_04.08.36\mbr0000\tdlfs0000\tsk0009.dta Win32/Olmarik.AWO trojan
C:\TDSSKiller_Quarantine\12.04.2012_04.08.36\mbr0000\tdlfs0000\tsk0010.dta Win64/Olmarik.X trojan
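An added example, not part of the thread and not code from ESET: a Python parser for result lines in the form posted above (`<path> <detection name>`). It separates hits whose path sits inside a removal tool's quarantine folder, where the file has already been pulled out of its original location, from hits at live locations, and tallies detections by platform and family so a log with many lines can be summarised at a glance. The quarantine prefixes used here (C:\TDSSKiller_Quarantine\ for TDSSKiller, C:\Qoobox\Quarantine\ for ComboFix) are this example's assumptions; extend the list for other tools. The eight input lines are the ones posted above.

```python
import re
from collections import Counter

# Sample input: the eight ESET Online Scanner result lines posted in this
# thread, each in the form "<path> <detection name>".
SAMPLE_ESET_RESULTS = r"""
C:\TDSSKiller_Quarantine\12.04.2012_04.08.36\mbr0000\tdlfs0000\tsk0000.dta Win32/Olmarik.AWO trojan
C:\TDSSKiller_Quarantine\12.04.2012_04.08.36\mbr0000\tdlfs0000\tsk0001.dta Win64/Olmarik.AD trojan
C:\TDSSKiller_Quarantine\12.04.2012_04.08.36\mbr0000\tdlfs0000\tsk0002.dta Win32/Olmarik.AYH trojan
C:\TDSSKiller_Quarantine\12.04.2012_04.08.36\mbr0000\tdlfs0000\tsk0003.dta Win64/Olmarik.AG trojan
C:\TDSSKiller_Quarantine\12.04.2012_04.08.36\mbr0000\tdlfs0000\tsk0004.dta a variant of Win32/Rootkit.Kryptik.KS trojan
C:\TDSSKiller_Quarantine\12.04.2012_04.08.36\mbr0000\tdlfs0000\tsk0005.dta Win64/Olmarik.AF trojan
C:\TDSSKiller_Quarantine\12.04.2012_04.08.36\mbr0000\tdlfs0000\tsk0009.dta Win32/Olmarik.AWO trojan
C:\TDSSKiller_Quarantine\12.04.2012_04.08.36\mbr0000\tdlfs0000\tsk0010.dta Win64/Olmarik.X trojan
"""

# Quarantine folders assumed for this example (TDSSKiller and ComboFix);
# add the folders of whatever other tools were run on the machine.
QUARANTINE_PREFIXES = (
    "c:\\tdsskiller_quarantine\\",
    "c:\\qoobox\\quarantine\\",
)

# Detection names look like "[probably ][a variant of ]<Platform>/<Name> <type>".
PLATFORMS = r"(?:Win32|Win64|MSIL|JS|HTML|Java|Android|VBS|PDF|SWF)"
RESULT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<threat>(?:probably )?(?:a variant of )?" + PLATFORMS + r"/\S+(?:\s+[a-z ]+)?)$"
)


def family_of(threat):
    """'a variant of Win32/Rootkit.Kryptik.KS trojan' -> ('Win32', 'Rootkit.Kryptik').

    The last dotted segment is the per-sample variant suffix and is dropped so
    that variants of one family count together."""
    name = re.sub(r"^(?:probably )?(?:a variant of )?", "", threat)
    platform, _, rest = name.partition("/")
    token = rest.split()[0]
    parts = token.split(".")
    family = ".".join(parts[:-1]) if len(parts) > 1 else token
    return platform, family


def location_class(path):
    """'quarantined' if the path is inside a known quarantine folder, else 'active'."""
    low = path.lower()
    return "quarantined" if any(low.startswith(p) for p in QUARANTINE_PREFIXES) else "active"


def triage_eset(text):
    summary = {"hits": [], "unparsed": [], "quarantined": 0, "active": 0,
               "platforms": Counter(), "families": Counter()}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RESULT_RE.match(line)
        if not m:
            summary["unparsed"].append(line)   # keep, never silently drop
            continue
        path, threat = m.group("path"), m.group("threat")
        platform, family = family_of(threat)
        where = location_class(path)
        summary[where] += 1
        summary["platforms"][platform] += 1
        summary["families"][family] += 1
        summary["hits"].append({"path": path, "threat": threat, "location": where})
    return summary


if __name__ == "__main__":
    s = triage_eset(SAMPLE_ESET_RESULTS)
    print(f"{s['quarantined']} quarantined, {s['active']} at live locations")
    print("families:", dict(s["families"]), "platforms:", dict(s["platforms"]))
    for h in s["hits"]:
        if h["location"] == "active":
            print("LIVE:", h["path"], "->", h["threat"])
```

Run over the posted lines it reports eight quarantined hits and none at a live location, all but one belonging to the Olmarik family. The parser uses `\s+` as the separator so it also accepts the tab-delimited form ESET writes to its own log file, and a path that contains spaces still parses because the detection name must begin with a platform prefix.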



