Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Redirect Virus


  • This topic is locked This topic is locked
18 replies to this topic

#1 nokia16601

nokia16601

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:10:53 AM

Posted 21 April 2012 - 11:42 PM

Hello, I have a Google redirect virus that I cannot remove. I have looked on several posts, but each states not to attempt ComboFix or TDSSKiller without first talking with someone. I am fairly confident in my abilities, just uneducated on how to remove this situation. I currently use Microsoft Security Essentials and MalwareBytes, but neither have found this virus. I am using Windows 7 64bit. Thank you for any help available!

DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Chris at 21:30:26 on 2012-04-21
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3071.1776 [GMT -7:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\LSI SoftModem\agr64svc.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Apple] RunDLL32.exe C:\Users\Chris\AppData\Local\Apple\wshdiqzr.dll,CreateTzanShell
mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [Nikon Message Center 2] C:\Program Files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe -s
mRun: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
Trusted Zone: azfcu.org\www
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{6FA04024-38A6-48E3-B229-33067AE5F812}\140707C65602E4564777F627B602533603431693 : DhcpNameServer = 10.0.1.1
TCP: Interfaces\{EFB88637-4BC9-45B4-8856-C41B98A54DFB} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{EFB88637-4BC9-45B4-8856-C41B98A54DFB}\8445340205F627471626C6560284F6473707F647 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{EFB88637-4BC9-45B4-8856-C41B98A54DFB}\B496E67616E64615575656E6D27657563747 : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll"
TB-X64: {30F9B915-B755-4826-820B-08FBA6BD249D} - No File
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [Nikon Message Center 2] C:\Program Files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe -s
mRun-x64: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\r534o5yd.default\
FF - plugin: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
FF - plugin: C:\Program Files (x86)\Virtools\3D Life Player\npvirtools.dll
FF - plugin: C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\2\NP_wtapp.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Chris\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_2_202_233.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-10-13 249648]
R2 nvUpdatusService;NVIDIA Update Service Daemon;C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-11-6 2253120]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-15 381248]
R3 arusb_win7x;Service For TP-LINK Wireless N Adapter;C:\Windows\system32\DRIVERS\arusb_win7x.sys --> C:\Windows\system32\DRIVERS\arusb_win7x.sys [?]
S2 BBSvc;Bing Bar Update Service;C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-1 253088]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
S3 netr7364;Belkin Wireless 54G USB Network Adapter Driver for Vista;C:\Windows\system32\DRIVERS\netr7364.sys --> C:\Windows\system32\DRIVERS\netr7364.sys [?]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;C:\Program Files\Zune\WMZuneComm.exe [2010-9-24 306416]
.
=============== Created Last 30 ================
.
2012-04-22 04:17:20 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-22 03:11:26 69000 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D76452DD-FBF2-41F0-9DA0-E7C5B161F3D5}\offreg.dll
2012-04-22 03:04:26 8917360 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{D76452DD-FBF2-41F0-9DA0-E7C5B161F3D5}\mpengine.dll
2012-04-22 03:01:57 -------- d-sh--w- C:\$RECYCLE.BIN
2012-04-22 00:04:43 98816 ----a-w- C:\Windows\sed.exe
2012-04-22 00:04:43 518144 ----a-w- C:\Windows\SWREG.exe
2012-04-22 00:04:43 256000 ----a-w- C:\Windows\PEV.exe
2012-04-22 00:04:43 208896 ----a-w- C:\Windows\MBR.exe
2012-04-16 16:47:07 -------- d-----w- C:\Users\Chris\AppData\Local\Mozilla
2012-04-14 09:46:03 -------- d-----w- C:\ProgramData\Recovery
2012-04-14 09:04:08 8741536 ----a-w- C:\Windows\SysWow64\FlashPlayerInstaller.exe
2012-04-11 10:00:29 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-04-11 10:00:29 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-04-11 10:00:29 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-04-11 10:00:28 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-04-11 10:00:28 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-04-11 10:00:28 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-04-11 10:00:28 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-04-05 16:52:33 -------- d-----w- C:\Program Files (x86)\VideoLAN
2012-04-04 01:03:22 -------- d-----w- C:\Windows\Microsoft Antimalware
2012-04-03 23:11:55 116736 ----a-w- C:\ProgramData\Microsoft\Windows\DRM\8DFE.tmp.dat
2012-04-03 19:42:06 -------- d-----w- C:\Users\Chris\AppData\Local\Zoom_Downloader
2012-04-03 19:40:37 175616 ----a-w- C:\Windows\SysWow64\unrar.dll
2012-04-02 19:50:11 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-04-01 08:18:27 418464 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-04-01 04:38:23 -------- d-----w- C:\Program Files (x86)\BitTorrent
2012-04-01 04:37:19 -------- d-----w- C:\Users\Chris\AppData\Roaming\BitTorrent
.
==================== Find3M ====================
.
2012-04-14 10:04:28 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-04 22:56:40 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-03-06 06:53:37 5559152 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-03-06 05:59:47 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-03-06 05:59:41 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-02-28 06:56:48 2311168 ----a-w- C:\Windows\System32\jscript9.dll
2012-02-28 06:49:56 1390080 ----a-w- C:\Windows\System32\wininet.dll
2012-02-28 06:48:57 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-02-28 06:42:55 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-02-28 01:18:55 1799168 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-02-17 06:38:26 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-02-17 05:34:22 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-02-17 04:58:24 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-02-17 04:57:32 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-02-10 06:36:07 1544192 ----a-w- C:\Windows\System32\DWrite.dll
2012-02-10 05:38:43 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-02-07 18:02:40 1070352 ----a-w- C:\Windows\SysWow64\MSCOMCTL.OCX
2012-02-03 04:34:34 3145728 ----a-w- C:\Windows\System32\win32k.sys
2012-01-31 12:44:20 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-01-25 06:38:39 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-01-25 06:38:38 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-01-25 06:33:30 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
.
============= FINISH: 21:30:48.39 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:53 PM

Posted 22 April 2012 - 12:24 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of hartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.[/list]
Gringo[/b]
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 nokia16601

nokia16601
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:10:53 AM

Posted 23 April 2012 - 01:48 PM

Scan result of Farbar Recovery Scan Tool Version: 22-04-2012
Ran by SYSTEM at 23-04-2012 11:43:03
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [PC-Doctor for Windows localizer] C:\Program Files\PC-Doctor for Windows\localizer.exe [x]
HKLM\...\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe" [163568 2010-09-24] (Microsoft Corporation)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1436736 2011-06-15] (Microsoft Corporation)
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2417032 2011-08-01] (Microsoft Corporation)
HKLM-x32\...\Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM-x32\...\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript [981680 2012-04-04] (Malwarebytes Corporation)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2010-11-29] (Apple Inc.)
HKLM-x32\...\Run: [Nikon Message Center 2] C:\Program Files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe -s [619008 2010-05-25] (Nikon Corporation)
HKLM-x32\...\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe [207424 2010-10-27] (ArcSoft Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-11-01] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-01-16] (Apple Inc.)
HKLM-x32\...\Run: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe [90448 2011-09-01] (Research In Motion Limited)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [37296 2012-01-03] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKU\Administrator\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [x]
HKU\Chris\...\Run: [Apple] RunDLL32.exe C:\Users\Chris\AppData\Local\Apple\wshdiqzr.dll,CreateTzanShell [472360 2011-10-24] (CyberLink Corp.)
HKU\Default\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [x]
HKU\Default User\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [x]
HKU\UpdatusUser\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [x]
Tcpip\Parameters: [DhcpNameServer] 68.105.28.11 68.105.29.11 68.105.28.12

==================== Services (Whitelisted) ======

2 ACDaemon; C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe [113152 2010-03-18] (ArcSoft Inc.)
3 AdobeFlashPlayerUpdateSvc; C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [253088 2012-04-14] (Adobe Systems Incorporated)
2 BBUpdate; "C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE" [249648 2011-10-13] (Microsoft Corporation)
2 Bonjour Service; "C:\Program Files\Bonjour\mDNSResponder.exe" [462184 2011-08-30] (Apple Inc.)
3 GamesAppService; "C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe" [206072 2010-10-12] (WildTangent, Inc.)
3 IDriverT; "C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" [69632 2005-04-03] (Macrovision Corporation)
3 Microsoft Office Groove Audit Service; "C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe" [64856 2009-02-26] (Microsoft Corporation)
2 LightScribeService; "c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe" [x]
2 MsMpSvc; "c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe" [x]
3 NisSrv; "c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe" [x]
2 wlidsvc; "c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE" [x]
3 WMZuneComm; "c:\Program Files\Zune\WMZuneComm.exe" [x]
3 ZuneNetworkSvc; "c:\Program Files\Zune\ZuneNss.exe" [x]
3 ZuneWlanCfgSvc; c:\Windows\system32\ZuneWlanCfgSvc.exe [x]

========================== Drivers (Whitelisted) =============

3 arusb_win7x; C:\Windows\System32\Drivers\arusb_win7x.sys [769024 2010-06-01] (Atheros Communications, Inc.)
3 BridgeMP; C:\Windows\System32\DRIVERS\bridge.sys [95232 2009-07-13] (Microsoft Corporation)
3 netr7364; C:\Windows\System32\Drivers\netr7364.sys [575488 2010-05-28] (Ralink Technology, Corp.)
3 NVNET; C:\Windows\System32\DRIVERS\nvmf6264.sys [339744 2009-07-30] (NVIDIA Corporation)
0 nvstor64; C:\Windows\System32\Drivers\nvstor64.sys [241696 2009-08-04] (NVIDIA Corporation)
3 sscdbus; C:\Windows\System32\Drivers\sscdbus.sys [136264 2010-02-21] (MCCI Corporation)
3 sscdmdfl; C:\Windows\System32\Drivers\sscdmdfl.sys [19016 2010-02-21] (MCCI Corporation)
3 sscdmdm; C:\Windows\System32\Drivers\sscdmdm.sys [172104 2010-02-21] (MCCI Corporation)
3 catchme; \??\C:\ComboFix\catchme.sys [x]
3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0; \??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [x]

========================== NetSvcs (Whitelisted) ===========

============ One Month Created Files and Folders ==============

2012-04-22 21:09 - 2012-02-16 02:23 - 0004513 ____A C:\Users\Chris\Desktop\instructions.txt
2012-04-21 20:36 - 2012-04-21 20:30 - 0018574 ____A C:\Users\Chris\Desktop\DDS.txt
2012-04-21 20:36 - - 0011341 ____A C:\Users\Chris\Desktop\Attach.txt
2012-04-21 20:30 - 2012-04-21 20:36 - 0607260 ____R (Swearware) C:\Users\Chris\Desktop\dds.scr
2012-04-21 20:28 - 2012-04-21 20:36 - 0050477 ____A C:\Users\Chris\Desktop\Defogger.exe
2012-04-21 20:28 - 2012-04-21 20:28 - 0000472 ____A C:\Users\Chris\Desktop\defogger_disable.log
2012-04-21 20:28 - 2010-05-28 16:43 - 0000000 ____A C:\Users\Chris\defogger_reenable
2012-04-21 20:17 - 2012-04-21 20:17 - 0000000 ____D C:\TDSSKiller_Quarantine
2012-04-21 20:13 - 2012-04-21 14:55 - 0372834 ____A C:\TDSSKiller.2.7.31.0_21.04.2012_21.13.29_log.txt
2012-04-21 20:13 - 2012-04-02 11:57 - 0000000 ____D C:\Users\Chris\Desktop\tdsskiller
2012-04-21 20:12 - 2012-04-21 20:13 - 2053340 ____A C:\Users\Chris\Desktop\tdsskiller.zip
2012-04-21 19:01 - - 0000000 __SHD C:\$RECYCLE.BIN
2012-04-21 16:14 - 2012-04-21 19:01 - 0017033 ____A C:\ComboFix.txt
2012-04-21 16:04 - 2012-04-14 01:49 - 0000000 ____D C:\Qoobox
2012-04-21 16:04 - 2011-08-12 02:00 - 0060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-04-21 16:04 - 2011-08-02 17:27 - 0208896 ____A C:\Windows\MBR.exe
2012-04-21 16:04 - 2011-08-01 10:07 - 0518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-04-21 16:04 - 2011-08-01 09:05 - 0000000 ____D C:\Windows\ERDNT
2012-04-21 16:04 - 2009-07-13 23:50 - 0080412 ____A C:\Windows\grep.exe
2012-04-21 16:04 - 2009-07-13 21:32 - 0256000 ____A C:\Windows\PEV.exe
2012-04-21 16:04 - 2009-07-13 19:20 - 0098816 ____A C:\Windows\sed.exe
2012-04-21 16:04 - 2009-07-13 17:39 - 0068096 ____A C:\Windows\zip.exe
2012-04-21 16:04 - 2000-08-30 16:00 - 0406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-04-21 14:56 - 2010-05-28 16:43 - 0000000 ____D C:\Users\Chris\Documents\Starting Strength 3rd Edition
2012-04-20 16:12 - 2012-04-16 08:47 - 0002414 ____N C:\Users\Public\Desktop\WildTangent Games App - hp.lnk
2012-04-16 08:47 - 2012-04-20 16:12 - 0001100 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-04-16 08:47 - 2010-05-31 09:59 - 0000000 ____D C:\Users\Chris\AppData\Local\Mozilla
2012-04-16 08:46 - 2010-06-25 02:01 - 0000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-04-14 01:46 - 2012-03-07 19:09 - 0000000 ____D C:\Users\All Users\Recovery
2012-04-14 01:46 - 2012-03-07 19:09 - 0000000 ____D C:\ProgramData\Recovery
2012-04-14 01:04 - 2012-04-14 02:04 - 8741536 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-04-13 22:50 - 2012-04-22 21:09 - 0049478 ____A C:\Users\Chris\Desktop\maps.docx
2012-04-11 10:45 - 2012-04-21 20:12 - 0081708 ____A C:\Users\Chris\Desktop\USPS Consent Background Check.pdf
2012-04-11 02:02 - 2012-02-27 23:34 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-04-11 02:02 - 2012-02-27 22:56 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-04-11 02:02 - 2012-02-27 22:48 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-04-11 02:02 - 2012-02-27 22:45 - 2311168 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-04-11 02:02 - 2012-02-27 22:42 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-04-11 02:02 - 2012-02-27 17:52 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-04-11 02:02 - 2012-02-27 17:18 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-04-11 02:02 - 2012-02-27 17:09 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-04-11 02:02 - 2012-02-27 17:06 - 1799168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-04-11 02:02 - 2012-02-27 17:03 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-04-11 02:02 - 2011-08-02 17:27 - 9705984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-04-11 02:02 - 2011-08-02 17:27 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-04-11 02:02 - 2011-08-02 17:27 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-04-11 02:02 - 2011-08-02 17:27 - 17790976 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-04-11 02:02 - 2011-08-02 17:27 - 12281856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-04-11 02:02 - 2011-08-02 17:27 - 10888704 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-04-11 02:02 - 2011-08-02 17:27 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-04-11 02:02 - 2011-08-02 17:27 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-04-11 02:02 - 2011-05-02 21:29 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-04-11 02:02 - 2011-05-02 20:30 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-04-11 02:02 - 2010-11-20 05:27 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-04-11 02:02 - 2010-11-20 04:21 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-04-11 02:02 - 2009-07-13 17:41 - 5559152 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-04-11 02:02 - 2009-07-13 17:41 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-04-11 02:02 - 2009-07-13 17:38 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-04-11 02:02 - 2009-07-13 17:16 - 3968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-04-11 02:02 - 2009-07-13 17:16 - 3913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-04-11 02:02 - 2009-07-13 17:16 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-04-11 02:02 - 2009-07-13 17:14 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-04-11 02:00 - 2009-07-13 17:47 - 0023408 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fs_rec.sys
2012-04-11 02:00 - 2009-07-13 17:41 - 0220672 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-04-11 02:00 - 2009-07-13 17:38 - 0081408 ____A (Microsoft Corporation) C:\Windows\System32\imagehlp.dll
2012-04-11 02:00 - 2009-07-13 17:33 - 0005120 ____A (Microsoft Corporation) C:\Windows\System32\wmi.dll
2012-04-11 02:00 - 2009-07-13 17:16 - 0172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2012-04-11 02:00 - 2009-07-13 17:14 - 0159232 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imagehlp.dll
2012-04-11 02:00 - 2009-07-13 17:11 - 0005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wmi.dll
2012-04-08 15:01 - 2012-04-02 12:30 - 13020343 ____A C:\Users\Chris\Documents\LoaderBackup-(2012-04-08).ipd
2012-04-05 08:53 - 2011-08-21 19:45 - 0000000 ____D C:\Users\Chris\AppData\Roaming\vlc
2012-04-05 08:52 - 2009-07-13 20:57 - 0000000 ____D C:\Program Files (x86)\VideoLAN
2012-04-03 17:03 - 2009-07-13 15:06 - 0000000 ____D C:\Windows\Microsoft Antimalware
2012-04-03 11:42 - 2010-09-19 14:29 - 0000000 ____D C:\Users\Chris\AppData\Local\Zoom_Downloader
2012-04-03 11:40 - 2010-11-20 04:17 - 0175616 ____A C:\Windows\SysWOW64\unrar.dll
2012-04-02 23:53 - 2012-04-21 21:51 - 0000000 ____D C:\Users\Chris\Documents\Suzanne Collins
2012-04-02 12:30 - 2010-11-29 14:57 - 15183616 ____A C:\Users\Chris\Documents\LoaderBackup-(2012-04-02).ipd
2012-04-02 11:55 - 2012-04-13 22:50 - 0000091 ____A C:\Users\Chris\Desktop\New Text Document.txt
2012-04-02 11:50 - 2012-04-14 01:49 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-04-01 09:52 - 2012-02-20 22:25 - 0000000 ____D C:\Users\Chris\Documents\Chris
2012-04-01 00:18 - 2009-07-13 17:14 - 0418464 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-04-01 00:18 - - 0000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-03-31 20:38 - 2012-04-14 01:49 - 0000000 ____D C:\Program Files (x86)\BitTorrent
2012-03-31 20:37 - 2011-08-11 15:31 - 0000000 ____D C:\Users\Chris\AppData\Roaming\BitTorrent


============ 3 Months Modified Files and Folders =============

2012-04-23 11:43 - 2012-04-23 11:42 - 0000000 ____D C:\FRST
2012-04-23 10:38 - 2009-07-13 21:08 - 0000006 ___AH C:\Windows\Tasks\SA.DAT
2012-04-23 10:37 - 2010-01-07 18:35 - 0000000 ____D C:\Users\All Users\NVIDIA
2012-04-23 10:37 - 2010-01-07 18:35 - 0000000 ____D C:\ProgramData\NVIDIA
2012-04-23 10:37 - 2010-01-07 18:25 - 2415370240 __ASH C:\hiberfil.sys
2012-04-23 10:37 - 2009-07-13 20:51 - 0083452 ____A C:\Windows\setupact.log
2012-04-23 10:36 - 2012-03-31 20:37 - 0000000 ____D C:\Users\Chris\AppData\Roaming\BitTorrent
2012-04-23 10:36 - 2010-04-27 02:06 - 1191528 ____A C:\Windows\WindowsUpdate.log
2012-04-23 10:35 - 2009-07-13 21:13 - 0782678 ____A C:\Windows\System32\PerfStringBackup.INI
2012-04-23 10:04 - 2012-04-01 00:18 - 0000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-04-22 21:09 - 2012-04-22 21:09 - 0004513 ____A C:\Users\Chris\Desktop\instructions.txt
2012-04-22 10:43 - 2012-04-05 08:53 - 0000000 ____D C:\Users\Chris\AppData\Roaming\vlc
2012-04-21 21:51 - 2012-04-21 14:56 - 0000000 ____D C:\Users\Chris\Documents\Starting Strength 3rd Edition
2012-04-21 20:36 - 2012-04-21 20:36 - 0018574 ____A C:\Users\Chris\Desktop\DDS.txt
2012-04-21 20:36 - 2012-04-21 20:36 - 0011341 ____A C:\Users\Chris\Desktop\Attach.txt
2012-04-21 20:30 - 2012-04-21 20:30 - 0607260 ____R (Swearware) C:\Users\Chris\Desktop\dds.scr
2012-04-21 20:28 - 2012-04-21 20:28 - 0050477 ____A C:\Users\Chris\Desktop\Defogger.exe
2012-04-21 20:28 - 2012-04-21 20:28 - 0000472 ____A C:\Users\Chris\Desktop\defogger_disable.log
2012-04-21 20:28 - 2012-04-21 20:28 - 0000000 ____A C:\Users\Chris\defogger_reenable
2012-04-21 20:28 - 2010-05-28 16:43 - 0000000 ____D C:\users\Chris
2012-04-21 20:17 - 2012-04-21 20:17 - 0000000 ____D C:\TDSSKiller_Quarantine
2012-04-21 20:17 - 2012-04-21 20:13 - 0372834 ____A C:\TDSSKiller.2.7.31.0_21.04.2012_21.13.29_log.txt
2012-04-21 20:13 - 2012-04-21 20:13 - 0000000 ____D C:\Users\Chris\Desktop\tdsskiller
2012-04-21 20:12 - 2012-04-21 20:12 - 2053340 ____A C:\Users\Chris\Desktop\tdsskiller.zip
2012-04-21 20:09 - 2012-04-03 17:03 - 0000000 ____D C:\Windows\Microsoft Antimalware
2012-04-21 19:18 - 2009-07-13 20:45 - 0015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-04-21 19:18 - 2009-07-13 20:45 - 0015792 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-04-21 19:01 - 2012-04-21 19:01 - 0000000 __SHD C:\$RECYCLE.BIN
2012-04-21 16:14 - 2012-04-21 16:14 - 0017033 ____A C:\ComboFix.txt
2012-04-21 16:14 - 2012-04-21 16:04 - 0000000 ____D C:\Qoobox
2012-04-21 16:14 - 2009-07-13 19:20 - 0000000 __RHD C:\users\Default
2012-04-21 16:14 - 2009-07-13 19:20 - 0000000 ___RD C:\users\Public
2012-04-21 16:13 - 2012-04-21 16:04 - 0000000 ____D C:\Windows\ERDNT
2012-04-21 16:11 - 2009-07-13 18:34 - 0000215 ____A C:\Windows\system.ini
2012-04-21 16:11 - 2009-07-13 18:34 - 0000027 ____A C:\Windows\System32\Drivers\etc\hosts
2012-04-21 16:10 - 2010-01-07 18:28 - 0221226 ____A C:\Windows\PFRO.log
2012-04-21 15:58 - 2010-06-28 16:48 - 0000000 ____D C:\Users\Chris\Tracing
2012-04-21 14:54 - 2010-06-13 19:29 - 0000000 ____D C:\Users\Chris\AppData\Local\AOL
2012-04-20 16:12 - 2012-04-20 16:12 - 0002414 ____N C:\Users\Public\Desktop\WildTangent Games App - hp.lnk
2012-04-20 15:04 - 2012-01-27 18:35 - 0000000 ____D C:\Users\Chris\AppData\Local\Apple
2012-04-18 20:36 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\NDF
2012-04-16 08:47 - 2012-04-16 08:47 - 0001100 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-04-16 08:47 - 2012-04-16 08:47 - 0000000 ____D C:\Users\Chris\AppData\Local\Mozilla
2012-04-16 08:47 - 2011-06-14 17:14 - 0000000 ____D C:\Users\Chris\AppData\Roaming\Mozilla
2012-04-16 08:46 - 2012-04-16 08:46 - 0000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-04-15 22:59 - 2010-09-14 21:13 - 0000000 ____D C:\Users\Chris\Documents\Jessica
2012-04-14 02:04 - 2012-04-14 01:04 - 8741536 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2012-04-14 02:04 - 2012-04-01 00:18 - 0418464 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-04-14 02:04 - 2011-08-01 10:07 - 0070304 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-04-14 01:49 - 2010-12-28 19:33 - 0000000 ____D C:\users\Administrator
2012-04-14 01:49 - 2010-05-28 19:39 - 0000000 ____D C:\Program Files (x86)\Belkin
2012-04-14 01:49 - 2010-01-07 19:03 - 0000000 ____D C:\Program Files (x86)\JunoPreloader
2012-04-14 01:49 - 2010-01-07 18:59 - 0000000 ___RD C:\Program Files (x86)\Online Services
2012-04-14 01:49 - 2010-01-07 18:36 - 0000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2012-04-14 01:49 - 2009-07-13 23:44 - 0000000 ___RD C:\Users\Public\Recorded TV
2012-04-14 01:49 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\registration
2012-04-14 01:49 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\AppCompat
2012-04-14 01:46 - 2012-04-14 01:46 - 0000000 ____D C:\Users\All Users\Recovery
2012-04-14 01:46 - 2012-04-14 01:46 - 0000000 ____D C:\ProgramData\Recovery
2012-04-14 00:52 - 2011-11-06 14:51 - 0000000 ____D C:\users\UpdatusUser
2012-04-14 00:51 - 2012-04-02 11:50 - 0000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-04-14 00:50 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\System32\config\TxR
2012-04-13 22:50 - 2012-04-13 22:50 - 0049478 ____A C:\Users\Chris\Desktop\maps.docx
2012-04-12 21:14 - 2012-04-01 09:52 - 0000000 ____D C:\Users\Chris\Documents\Chris
2012-04-11 10:45 - 2012-04-11 10:45 - 0081708 ____A C:\Users\Chris\Desktop\USPS Consent Background Check.pdf
2012-04-11 09:08 - 2010-06-01 08:44 - 0000000 ____D C:\Users\Chris\AppData\Local\Deployment
2012-04-11 02:21 - 2012-03-31 20:38 - 0000000 ____D C:\Program Files (x86)\BitTorrent
2012-04-11 02:03 - 2010-05-31 09:59 - 0000000 ____D C:\Users\All Users\Microsoft Help
2012-04-11 02:03 - 2010-05-31 09:59 - 0000000 ____D C:\ProgramData\Microsoft Help
2012-04-11 02:00 - 2011-01-17 20:15 - 57249312 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-04-09 22:02 - 2012-02-20 22:23 - 0000308 ____A C:\Users\Chris\AppData\Roaming\Rim.DesktopHelper.Exception.log
2012-04-09 22:02 - 2012-02-20 22:23 - 0000308 ____A C:\Users\Chris\AppData\Roaming\Rim.Desktop.Exception.log
2012-04-08 15:01 - 2012-04-08 15:01 - 13020343 ____A C:\Users\Chris\Documents\LoaderBackup-(2012-04-08).ipd
2012-04-08 14:49 - 2012-02-20 22:26 - 0008704 ____A C:\Users\Chris\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2012-04-05 08:52 - 2012-04-05 08:52 - 0000000 ____D C:\Program Files (x86)\VideoLAN
2012-04-04 14:56 - 2010-07-07 17:40 - 0024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-04-04 02:01 - 2011-08-01 09:04 - 0776402 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-04-03 15:47 - 2010-05-28 16:43 - 0000000 ____D C:\Users\Chris\AppData\LocalLow
2012-04-03 11:42 - 2012-04-03 11:42 - 0000000 ____D C:\Users\Chris\AppData\Local\Zoom_Downloader
2012-04-02 23:53 - 2012-04-02 23:53 - 0000000 ____D C:\Users\Chris\Documents\Suzanne Collins
2012-04-02 12:30 - 2012-04-02 12:30 - 15183616 ____A C:\Users\Chris\Documents\LoaderBackup-(2012-04-02).ipd
2012-04-02 11:57 - 2012-04-02 11:55 - 0000091 ____A C:\Users\Chris\Desktop\New Text Document.txt
2012-04-01 22:31 - 2012-01-27 18:36 - 0000000 ____D C:\Users\Chris\AppData\Roaming\Apple Computer
2012-03-29 12:24 - 2010-07-03 16:04 - 0000000 ____D C:\Users\All Users\Adobe
2012-03-29 12:24 - 2010-07-03 16:04 - 0000000 ____D C:\ProgramData\Adobe
2012-03-29 12:24 - 2010-07-03 16:04 - 0000000 ____D C:\Program Files (x86)\Adobe
2012-03-29 12:23 - 2010-07-03 16:03 - 0000000 ____D C:\Users\Chris\AppData\Local\Adobe
2012-03-14 02:18 - 2009-07-13 20:45 - 0430608 ____A C:\Windows\System32\FNTCACHE.DAT
2012-03-07 19:10 - 2011-08-11 15:26 - 0000020 ____H C:\Users\All Users\PKP_DLet.DAT
2012-03-07 19:10 - 2011-08-11 15:26 - 0000020 ____H C:\ProgramData\PKP_DLet.DAT
2012-03-07 19:09 - 2011-08-11 15:26 - 0000020 ____H C:\Users\All Users\PKP_DLev.DAT
2012-03-07 19:09 - 2011-08-11 15:26 - 0000020 ____H C:\ProgramData\PKP_DLev.DAT
2012-03-05 22:53 - 2012-04-11 02:02 - 5559152 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-03-05 21:59 - 2012-04-11 02:02 - 3968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-03-05 21:59 - 2012-04-11 02:02 - 3913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-02-29 22:46 - 2012-04-11 02:00 - 0023408 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\fs_rec.sys
2012-02-29 22:38 - 2012-04-11 02:00 - 0220672 ____A (Microsoft Corporation) C:\Windows\System32\wintrust.dll
2012-02-29 22:33 - 2012-04-11 02:00 - 0081408 ____A (Microsoft Corporation) C:\Windows\System32\imagehlp.dll
2012-02-29 22:28 - 2012-04-11 02:00 - 0005120 ____A (Microsoft Corporation) C:\Windows\System32\wmi.dll
2012-02-29 21:37 - 2012-04-11 02:00 - 0172544 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wintrust.dll
2012-02-29 21:33 - 2012-04-11 02:00 - 0159232 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imagehlp.dll
2012-02-29 21:29 - 2012-04-11 02:00 - 0005120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wmi.dll
2012-02-27 23:34 - 2012-04-11 02:02 - 17790976 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-02-27 23:02 - 2012-04-11 02:02 - 10888704 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-02-27 22:56 - 2012-04-11 02:02 - 2311168 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-02-27 22:50 - 2012-04-11 02:02 - 1345536 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-02-27 22:49 - 2012-04-11 02:02 - 1390080 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-02-27 22:48 - 2012-04-11 02:02 - 1493504 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-02-27 22:48 - 2012-04-11 02:02 - 0237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-02-27 22:47 - 2012-04-11 02:02 - 0085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-02-27 22:45 - 2012-04-11 02:02 - 0818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-02-27 22:43 - 2012-04-11 02:02 - 2144256 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-02-27 22:43 - 2012-04-11 02:02 - 0096256 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-02-27 22:42 - 2012-04-11 02:02 - 2382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-02-27 22:39 - 2012-04-11 02:02 - 0248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-02-27 17:52 - 2012-04-11 02:02 - 12281856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-02-27 17:27 - 2012-04-11 02:02 - 9705984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-02-27 17:18 - 2012-04-11 02:02 - 1799168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-02-27 17:12 - 2012-04-11 02:02 - 1103360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-02-27 17:11 - 2012-04-11 02:02 - 1427456 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-02-27 17:11 - 2012-04-11 02:02 - 1127424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-02-27 17:09 - 2012-04-11 02:02 - 0231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-02-27 17:08 - 2012-04-11 02:02 - 0065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-02-27 17:06 - 2012-04-11 02:02 - 0716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-02-27 17:04 - 2012-04-11 02:02 - 1792000 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-02-27 17:03 - 2012-04-11 02:02 - 2382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-02-27 17:03 - 2012-04-11 02:02 - 0072704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-02-27 16:59 - 2012-04-11 02:02 - 0176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-02-20 23:04 - 2012-02-20 23:04 - 0000000 ____D C:\Users\Chris\AppData\Roaming\Blackberry Desktop
2012-02-20 22:28 - 2010-07-20 19:25 - 0000000 ____D C:\Users\Chris\AppData\Local\Downloaded Installations
2012-02-20 22:25 - 2012-02-20 22:25 - 0000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_RimUsb_AMD64_01007.Wdf
2012-02-20 22:25 - 2012-02-20 22:25 - 0000000 ____D C:\Users\Chris\Documents\BlackBerry
2012-02-20 22:24 - 2012-02-20 22:23 - 0000000 ____D C:\Users\Chris\AppData\Roaming\Research In Motion
2012-02-20 22:23 - 2012-02-20 22:23 - 0001153 ____A C:\Users\Chris\AppData\Roaming\Rim.Desktop.HttpServerSetup.log
2012-02-20 22:23 - 2012-02-20 22:23 - 0000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_RimSerial_AMD64_01007.Wdf
2012-02-20 22:23 - 2012-02-20 22:23 - 0000000 ____D C:\Users\Chris\AppData\Local\Research In Motion
2012-02-20 22:23 - 2009-07-13 19:20 - 0000000 ____D C:\Windows\ModemLogs
2012-02-20 22:22 - 2012-02-20 22:22 - 0000000 ____D C:\Users\All Users\Research In Motion
2012-02-20 22:22 - 2012-02-20 22:22 - 0000000 ____D C:\ProgramData\Research In Motion
2012-02-20 22:22 - 2012-02-20 22:22 - 0000000 ____D C:\Program Files (x86)\Research In Motion
2012-02-16 22:38 - 2012-03-13 15:24 - 1031680 ____A (Microsoft Corporation) C:\Windows\System32\rdpcore.dll
2012-02-16 21:34 - 2012-03-13 15:24 - 0826880 ____A (Microsoft Corporation) C:\Windows\SysWOW64\rdpcore.dll
2012-02-16 20:58 - 2012-03-13 15:24 - 0210944 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-02-16 20:57 - 2012-03-13 15:24 - 0023552 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tdtcp.sys
2012-02-16 02:23 - 2010-10-27 13:55 - 0000000 ___RD C:\Users\Chris\Podcasts
2012-02-16 02:23 - 2010-05-28 16:51 - 0000174 ___SH C:\Users\Chris\Start Menu\Programs\Startup\desktop.ini
2012-02-16 02:23 - 2010-05-28 16:51 - 0000174 ___SH C:\Users\Chris\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
2012-02-16 02:23 - 2010-01-07 19:04 - 0000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2012-02-09 22:36 - 2012-03-13 17:07 - 1544192 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-02-09 21:38 - 2012-03-13 17:07 - 1077248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\DWrite.dll
2012-02-07 10:02 - 2012-02-07 10:02 - 1070352 ____A (Microsoft Corporation) C:\Windows\SysWOW64\MSCOMCTL.OCX
2012-02-02 20:34 - 2012-03-13 17:07 - 3145728 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-01-31 04:44 - 2010-05-28 19:58 - 0279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-01-27 18:36 - 2012-01-27 18:36 - 0000000 ____D C:\Users\Chris\AppData\Local\Apple Computer
2012-01-27 18:36 - 2012-01-27 18:36 - 0000000 ____D C:\Users\All Users\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-01-27 18:36 - 2012-01-27 18:36 - 0000000 ____D C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
2012-01-27 18:36 - 2012-01-27 18:36 - 0000000 ____D C:\Program Files\iTunes
2012-01-27 18:36 - 2012-01-27 18:36 - 0000000 ____D C:\Program Files\iPod
2012-01-27 18:36 - 2012-01-27 18:36 - 0000000 ____D C:\Program Files (x86)\iTunes
2012-01-27 18:36 - 2011-08-11 15:25 - 0000000 ____D C:\Users\All Users\Apple Computer
2012-01-27 18:36 - 2011-08-11 15:25 - 0000000 ____D C:\ProgramData\Apple Computer
2012-01-27 18:35 - 2012-01-27 18:35 - 0000000 ____D C:\Program Files\Common Files\Apple
2012-01-27 18:35 - 2012-01-27 18:35 - 0000000 ____D C:\Program Files\Bonjour
2012-01-27 18:35 - 2012-01-27 18:35 - 0000000 ____D C:\Program Files (x86)\Bonjour
2012-01-27 18:35 - 2012-01-27 18:35 - 0000000 ____D C:\Program Files (x86)\Apple Software Update
2012-01-27 18:35 - 2011-08-11 15:25 - 0000000 ____D C:\Users\All Users\Apple
2012-01-27 18:35 - 2011-08-11 15:25 - 0000000 ____D C:\ProgramData\Apple

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

========================= Memory info ======================

Percentage of memory in use: 22%
Total physical RAM: 3071.3 MB
Available physical RAM: 2387.67 MB
Total Pagefile: 3069.45 MB
Available Pagefile: 2369.21 MB
Total Virtual: 8192 MB
Available Virtual: 8191.89 MB

======================= Partitions =========================

1 Drive c: (COMPAQ) (Fixed) (Total:455.79 GB) (Free:380.78 GB) NTFS
2 Drive e: (FACTORY_IMAGE) (Fixed) (Total:9.87 GB) (Free:1.48 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive g: () (Removable) (Total:3.82 GB) (Free:3.81 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.08 GB) (Free:0.07 GB) NTFS
6 Drive y: (SYSTEM) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 465 GB 0 B
Disk 1 Online 3830 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 100 MB 1024 KB
Partition 2 Primary 455 GB 101 MB
Partition 3 Primary 9 GB 455 GB

======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y SYSTEM NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C COMPAQ NTFS Partition 455 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E FACTORY_IMA NTFS Partition 9 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3919 MB 31 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT32 Removable 3919 MB Healthy

======================================================================================================

==========================================================

Last Boot: 2012-04-18 23:53

======================= End Of Log ==============

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:53 PM

Posted 23 April 2012 - 08:51 PM

Hello

Good, what I was looking for was not in that report so I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 nokia16601

nokia16601
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:10:53 AM

Posted 23 April 2012 - 10:03 PM

Gringo,

Thanks for the help thus far! After running ComboFix, I encountered the "Illegal Operation" error, but after restart, it was gone. I had no problems during ComboFix, but am still encountering redirections when using IE or Firefox. They are not as frequent(75% of the time before, now only 20% of the time), and instead of redirecting primarily to Happili.com, I get redirected to elsewhere. Also, since running Farbar, MSE has caught 3 separate viruses. Here is the ComboFix log:

ComboFix 12-04-23.03 - Chris 04/23/2012 19:43:38.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3071.2001 [GMT -7:00]
Running from: c:\users\Chris\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Chris\AppData\Local\myfcawly.exe
c:\users\Chris\AppData\Local\Temp\{43E57B7F-53D8-4E2D-A238-ED8599734C1F}\fpb.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-03-24 to 2012-04-24 )))))))))))))))))))))))))))))))
.
.
2012-04-24 02:47 . 2012-04-24 02:47 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-04-24 02:47 . 2012-04-24 02:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-24 02:47 . 2012-04-24 02:47 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-04-23 20:04 . 2012-04-13 08:46 8917360 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4CB3E064-CC03-4819-B5DB-B0897E22C379}\mpengine.dll
2012-04-23 19:42 . 2012-04-23 19:43 -------- d-----w- C:\FRST
2012-04-22 04:17 . 2012-04-22 04:17 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-16 16:47 . 2012-04-16 16:47 -------- d-----w- c:\users\Chris\AppData\Local\Mozilla
2012-04-14 09:46 . 2012-04-14 09:46 -------- d-----w- c:\programdata\Recovery
2012-04-14 09:04 . 2012-04-14 10:04 8741536 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-04-11 10:00 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-11 10:00 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-11 10:00 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-11 10:00 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-04-11 10:00 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-11 10:00 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-11 10:00 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-04-05 16:53 . 2012-04-24 02:41 -------- d-----w- c:\users\Chris\AppData\Roaming\vlc
2012-04-05 16:52 . 2012-04-05 16:52 -------- d-----w- c:\program files (x86)\VideoLAN
2012-04-04 01:03 . 2012-04-22 04:09 -------- d-----w- c:\windows\Microsoft Antimalware
2012-04-03 23:11 . 2012-04-03 23:11 116736 ----a-w- c:\programdata\Microsoft\Windows\DRM\8DFE.tmp.dat
2012-04-03 19:42 . 2012-04-03 19:42 -------- d-----w- c:\users\Chris\AppData\Local\Zoom_Downloader
2012-04-03 19:40 . 2011-03-02 11:43 175616 ----a-w- c:\windows\SysWow64\unrar.dll
2012-04-02 19:50 . 2012-04-14 08:51 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-04-01 08:18 . 2012-04-14 10:04 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-01 04:38 . 2012-04-11 10:21 -------- d-----w- c:\program files (x86)\BitTorrent
2012-04-01 04:37 . 2012-04-23 18:36 -------- d-----w- c:\users\Chris\AppData\Roaming\BitTorrent
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-14 10:04 . 2011-08-01 18:07 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-13 08:46 . 2011-08-02 17:12 8917360 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-04-04 22:56 . 2010-07-08 01:40 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-21 06:29 . 2012-02-21 06:29 53248 ----a-r- c:\users\Chris\AppData\Roaming\Microsoft\Installer\{12BAA98C-F8DD-4BC9-BBE6-1C8463114197}\ARPPRODUCTICON.exe
2012-02-17 06:38 . 2012-03-13 23:24 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-13 23:24 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-13 23:24 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-13 23:24 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-10 10:21 . 2012-02-10 10:22 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B4B1F1C9-364A-4E44-89F4-80B44F4ACE13}\gapaengine.dll
2012-02-10 06:36 . 2012-03-14 01:07 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-14 01:07 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-02-07 18:02 . 2012-02-07 18:02 1070352 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-02-03 04:34 . 2012-03-14 01:07 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44 . 2010-05-29 03:58 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-01-25 06:38 . 2012-03-13 23:24 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-01-25 06:38 . 2012-03-13 23:24 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-01-25 06:33 . 2012-03-13 23:24 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-22_00.11.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-08 02:38 . 2012-04-23 21:13 43610 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-04-23 21:13 36266 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-05-29 00:44 . 2012-04-23 21:13 12076 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1938116021-2870551134-4047077622-1000_UserData.bin
+ 2010-05-29 00:41 . 2012-04-22 00:55 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-05-29 00:41 . 2012-04-16 05:16 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-05-29 00:41 . 2012-04-22 00:55 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-05-29 00:41 . 2012-04-16 05:16 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-04-16 05:16 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-04-22 00:55 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-04-22 04:09 . 2012-04-22 04:10 24576 c:\windows\Microsoft Antimalware\Support\MpWppTracing-04212012-200946-00000003-ffffffff.bin
- 2012-04-22 00:10 . 2012-04-22 00:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-04-24 02:48 . 2012-04-24 02:48 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-04-22 00:10 . 2012-04-22 00:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-04-24 02:48 . 2012-04-24 02:48 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2012-04-22 00:02 662396 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-04-23 21:15 662396 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-04-22 00:02 122224 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2012-04-23 21:15 122224 c:\windows\system32\perfc009.dat
- 2012-04-04 01:03 . 2012-04-04 01:11 262144 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2012-04-04 01:03 . 2012-04-22 04:10 262144 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2009-07-14 05:01 . 2012-04-22 00:10 400168 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-04-24 02:48 400168 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2012-04-04 01:03 . 2012-04-04 01:03 311296 c:\windows\Microsoft Antimalware\Scans\History\CacheManager\MpScanCache-0.bin
+ 2012-04-04 01:03 . 2012-04-22 04:09 311296 c:\windows\Microsoft Antimalware\Scans\History\CacheManager\MpScanCache-0.bin
+ 2012-04-22 04:09 . 2012-03-20 11:51 8669240 c:\windows\Microsoft Antimalware\Definition Updates\{3B02B171-F9F8-42B4-8BAA-90B5B6332413}\mpengine.dll
+ 2011-08-03 02:54 . 2012-04-24 02:48 10155355 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1938116021-2870551134-4047077622-1000-8192.dat
- 2011-08-03 02:54 . 2012-04-22 00:10 44548900 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1938116021-2870551134-4047077622-1000-4096.dat
+ 2011-08-03 02:54 . 2012-04-24 02:48 44548900 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1938116021-2870551134-4047077622-1000-4096.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apple"="c:\users\Chris\AppData\Local\Apple\wshdiqzr.dll" [2011-10-24 472360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"Malwarebytes Anti-Malware (reboot)"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbam.exe" [2012-04-04 981680]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-30 421888]
"Nikon Message Center 2"="c:\program files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe" [2010-05-26 619008]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-01-17 421736]
"RIMBBLaunchAgent.exe"="c:\program files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-09-02 90448]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 253088]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 netr7364;Belkin Wireless 54G USB Network Adapter Driver for Vista;c:\windows\system32\DRIVERS\netr7364.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-28 288272]
R3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0;PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 306416]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]
S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-10-14 249648]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-15 381248]
S3 arusb_win7x;Service For TP-LINK Wireless N Adapter;c:\windows\system32\DRIVERS\arusb_win7x.sys [x]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 10:04]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC-Doctor for Windows localizer"="c:\program files\PC-Doctor for Windows\localizer.exe" [BU]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 163568]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: azfcu.org\www
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\r534o5yd.default\
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCDSRVC{F36B3A4C-F95654BD-06000000}_0]
"ImagePath"="\??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
.
**************************************************************************
.
Completion time: 2012-04-23 19:52:41 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-24 02:52
ComboFix2.txt 2012-04-22 00:14
.
Pre-Run: 408,973,344,768 bytes free
Post-Run: 408,900,734,976 bytes free
.
- - End Of File - - 5C1CB989BF554070B3B5D3D32B91123A

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:53 PM

Posted 23 April 2012 - 10:24 PM

Greetings

I need you to uninstall FireFox and if asked about user data or settings go ahead and remove those as well.

reinstall FireFox and see if it is still redirecting


I need you to go here and click on the fixit button - http://support.microsoft.com/kb/923737

check if IE is still redirecting


run these next and send me the reports


tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 nokia16601

nokia16601
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:10:53 AM

Posted 23 April 2012 - 11:47 PM

Gringo,

I do not seem to be experiencing the redirect in Firefox after the uninstall/reinstall, however, I still am experiencing it in IE.

TDSSKiller Log:

21:26:52.0072 1400 TDSS rootkit removing tool 2.7.32.0 Apr 23 2012 19:12:34
21:26:53.0083 1400 ============================================================
21:26:53.0084 1400 Current date / time: 2012/04/23 21:26:53.0083
21:26:53.0084 1400 SystemInfo:
21:26:53.0084 1400
21:26:53.0084 1400 OS Version: 6.1.7601 ServicePack: 1.0
21:26:53.0084 1400 Product type: Workstation
21:26:53.0084 1400 ComputerName: DESKTOP
21:26:53.0084 1400 UserName: Chris
21:26:53.0084 1400 Windows directory: C:\Windows
21:26:53.0084 1400 System windows directory: C:\Windows
21:26:53.0085 1400 Running under WOW64
21:26:53.0085 1400 Processor architecture: Intel x64
21:26:53.0085 1400 Number of processors: 2
21:26:53.0085 1400 Page size: 0x1000
21:26:53.0085 1400 Boot type: Normal boot
21:26:53.0085 1400 ============================================================
21:26:54.0197 1400 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
21:26:54.0200 1400 ============================================================
21:26:54.0200 1400 \Device\Harddisk0\DR0:
21:26:54.0200 1400 MBR partitions:
21:26:54.0200 1400 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
21:26:54.0200 1400 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x38F93000
21:26:54.0200 1400 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x38FC5800, BlocksNum 0x13C0000
21:26:54.0200 1400 ============================================================
21:26:54.0219 1400 C: <-> \Device\Harddisk0\DR0\Partition1
21:26:54.0250 1400 D: <-> \Device\Harddisk0\DR0\Partition2
21:26:54.0251 1400 ============================================================
21:26:54.0251 1400 Initialize success
21:26:54.0251 1400 ============================================================
21:27:09.0537 1460 ============================================================
21:27:09.0537 1460 Scan started
21:27:09.0537 1460 Mode: Manual;
21:27:09.0537 1460 ============================================================
21:27:10.0062 1460 1394ohci (a87d604aea360176311474c87a63bb88) C:\Windows\system32\drivers\1394ohci.sys
21:27:10.0065 1460 1394ohci - ok
21:27:10.0127 1460 ACDaemon (adc420616c501b45d26c0fd3ef1e54e4) C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
21:27:10.0129 1460 ACDaemon - ok
21:27:10.0158 1460 ACPI (d81d9e70b8a6dd14d42d7b4efa65d5f2) C:\Windows\system32\drivers\ACPI.sys
21:27:10.0165 1460 ACPI - ok
21:27:10.0179 1460 AcpiPmi (99f8e788246d495ce3794d7e7821d2ca) C:\Windows\system32\drivers\acpipmi.sys
21:27:10.0180 1460 AcpiPmi - ok
21:27:10.0262 1460 AdobeFlashPlayerUpdateSvc (459ac130c6ab892b1cd5d7544626efc5) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
21:27:10.0266 1460 AdobeFlashPlayerUpdateSvc - ok
21:27:10.0300 1460 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
21:27:10.0307 1460 adp94xx - ok
21:27:10.0329 1460 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
21:27:10.0334 1460 adpahci - ok
21:27:10.0354 1460 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
21:27:10.0357 1460 adpu320 - ok
21:27:10.0383 1460 AeLookupSvc (4b78b431f225fd8624c5655cb1de7b61) C:\Windows\System32\aelupsvc.dll
21:27:10.0385 1460 AeLookupSvc - ok
21:27:10.0436 1460 AFD (1c7857b62de5994a75b054a9fd4c3825) C:\Windows\system32\drivers\afd.sys
21:27:10.0442 1460 AFD - ok
21:27:10.0485 1460 AgereModemAudio (48008d4ea73c1058f36d323a644410d4) C:\Program Files\LSI SoftModem\agr64svc.exe
21:27:10.0486 1460 AgereModemAudio - ok
21:27:10.0523 1460 AgereSoftModem (ddf52c4c92d831a4cdb7788b37585e36) C:\Windows\system32\DRIVERS\agrsm64.sys
21:27:10.0551 1460 AgereSoftModem - ok
21:27:10.0580 1460 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\drivers\agp440.sys
21:27:10.0582 1460 agp440 - ok
21:27:10.0604 1460 ALG (3290d6946b5e30e70414990574883ddb) C:\Windows\System32\alg.exe
21:27:10.0606 1460 ALG - ok
21:27:10.0626 1460 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\drivers\aliide.sys
21:27:10.0627 1460 aliide - ok
21:27:10.0644 1460 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\drivers\amdide.sys
21:27:10.0645 1460 amdide - ok
21:27:10.0663 1460 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys
21:27:10.0665 1460 AmdK8 - ok
21:27:10.0801 1460 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
21:27:10.0803 1460 AmdPPM - ok
21:27:10.0879 1460 amdsata (d4121ae6d0c0e7e13aa221aa57ef2d49) C:\Windows\system32\drivers\amdsata.sys
21:27:10.0899 1460 amdsata - ok
21:27:10.0979 1460 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys
21:27:10.0984 1460 amdsbs - ok
21:27:11.0002 1460 amdxata (540daf1cea6094886d72126fd7c33048) C:\Windows\system32\drivers\amdxata.sys
21:27:11.0003 1460 amdxata - ok
21:27:11.0039 1460 AppID (89a69c3f2f319b43379399547526d952) C:\Windows\system32\drivers\appid.sys
21:27:11.0040 1460 AppID - ok
21:27:11.0052 1460 AppIDSvc (0bc381a15355a3982216f7172f545de1) C:\Windows\System32\appidsvc.dll
21:27:11.0053 1460 AppIDSvc - ok
21:27:11.0083 1460 Appinfo (3977d4a871ca0d4f2ed1e7db46829731) C:\Windows\System32\appinfo.dll
21:27:11.0084 1460 Appinfo - ok
21:27:11.0151 1460 Apple Mobile Device (3debbecf665dcdde3a95d9b902010817) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
21:27:11.0153 1460 Apple Mobile Device - ok
21:27:11.0189 1460 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys
21:27:11.0192 1460 arc - ok
21:27:11.0213 1460 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys
21:27:11.0214 1460 arcsas - ok
21:27:11.0261 1460 arusb_win7x (ff9daef5ccdb6082c30ce151b768ea28) C:\Windows\system32\DRIVERS\arusb_win7x.sys
21:27:11.0271 1460 arusb_win7x - ok
21:27:11.0327 1460 aspnet_state (9217d874131ae6ff8f642f124f00a555) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
21:27:11.0330 1460 aspnet_state - ok
21:27:11.0357 1460 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
21:27:11.0359 1460 AsyncMac - ok
21:27:11.0385 1460 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\drivers\atapi.sys
21:27:11.0387 1460 atapi - ok
21:27:11.0434 1460 AudioEndpointBuilder (f23fef6d569fce88671949894a8becf1) C:\Windows\System32\Audiosrv.dll
21:27:11.0443 1460 AudioEndpointBuilder - ok
21:27:11.0452 1460 AudioSrv (f23fef6d569fce88671949894a8becf1) C:\Windows\System32\Audiosrv.dll
21:27:11.0457 1460 AudioSrv - ok
21:27:11.0498 1460 AxInstSV (a6bf31a71b409dfa8cac83159e1e2aff) C:\Windows\System32\AxInstSV.dll
21:27:11.0500 1460 AxInstSV - ok
21:27:11.0546 1460 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys
21:27:11.0556 1460 b06bdrv - ok
21:27:11.0581 1460 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
21:27:11.0585 1460 b57nd60a - ok
21:27:11.0668 1460 BBSvc (01a24b415926bb5f772dbe12459d97de) C:\Program Files (x86)\Microsoft\BingBar\BBSvc.EXE
21:27:11.0673 1460 BBSvc - ok
21:27:11.0735 1460 BBUpdate (785de7abda13309d6065305542829e76) C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE
21:27:11.0738 1460 BBUpdate - ok
21:27:11.0754 1460 BDESVC (fde360167101b4e45a96f939f388aeb0) C:\Windows\System32\bdesvc.dll
21:27:11.0756 1460 BDESVC - ok
21:27:11.0783 1460 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
21:27:11.0784 1460 Beep - ok
21:27:11.0841 1460 BFE (82974d6a2fd19445cc5171fc378668a4) C:\Windows\System32\bfe.dll
21:27:11.0851 1460 BFE - ok
21:27:11.0887 1460 BITS (1ea7969e3271cbc59e1730697dc74682) C:\Windows\system32\qmgr.dll
21:27:11.0896 1460 BITS - ok
21:27:11.0933 1460 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
21:27:11.0934 1460 blbdrive - ok
21:27:12.0003 1460 Bonjour Service (ebbcd5dfbb1de70e8f4af8fa59e401fd) C:\Program Files\Bonjour\mDNSResponder.exe
21:27:12.0009 1460 Bonjour Service - ok
21:27:12.0037 1460 bowser (6c02a83164f5cc0a262f4199f0871cf5) C:\Windows\system32\DRIVERS\bowser.sys
21:27:12.0039 1460 bowser - ok
21:27:12.0067 1460 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys
21:27:12.0069 1460 BrFiltLo - ok
21:27:12.0080 1460 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys
21:27:12.0082 1460 BrFiltUp - ok
21:27:12.0119 1460 BridgeMP (5c2f352a4e961d72518261257aae204b) C:\Windows\system32\DRIVERS\bridge.sys
21:27:12.0121 1460 BridgeMP - ok
21:27:12.0149 1460 Browser (8ef0d5c41ec907751b8429162b1239ed) C:\Windows\System32\browser.dll
21:27:12.0153 1460 Browser - ok
21:27:12.0189 1460 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
21:27:12.0196 1460 Brserid - ok
21:27:12.0220 1460 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
21:27:12.0221 1460 BrSerWdm - ok
21:27:12.0246 1460 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
21:27:12.0247 1460 BrUsbMdm - ok
21:27:12.0260 1460 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
21:27:12.0261 1460 BrUsbSer - ok
21:27:12.0282 1460 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys
21:27:12.0283 1460 BTHMODEM - ok
21:27:12.0316 1460 bthserv (95f9c2976059462cbbf227f7aab10de9) C:\Windows\system32\bthserv.dll
21:27:12.0318 1460 bthserv - ok
21:27:12.0341 1460 catchme - ok
21:27:12.0368 1460 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
21:27:12.0370 1460 cdfs - ok
21:27:12.0406 1460 cdrom (f036ce71586e93d94dab220d7bdf4416) C:\Windows\system32\drivers\cdrom.sys
21:27:12.0408 1460 cdrom - ok
21:27:12.0448 1460 CertPropSvc (f17d1d393bbc69c5322fbfafaca28c7f) C:\Windows\System32\certprop.dll
21:27:12.0450 1460 CertPropSvc - ok
21:27:12.0470 1460 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys
21:27:12.0471 1460 circlass - ok
21:27:12.0499 1460 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
21:27:12.0504 1460 CLFS - ok
21:27:12.0558 1460 clr_optimization_v2.0.50727_32 (d88040f816fda31c3b466f0fa0918f29) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
21:27:12.0559 1460 clr_optimization_v2.0.50727_32 - ok
21:27:12.0606 1460 clr_optimization_v2.0.50727_64 (d1ceea2b47cb998321c579651ce3e4f8) C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
21:27:12.0608 1460 clr_optimization_v2.0.50727_64 - ok
21:27:12.0656 1460 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
21:27:12.0658 1460 clr_optimization_v4.0.30319_32 - ok
21:27:12.0704 1460 clr_optimization_v4.0.30319_64 (c6f9af94dcd58122a4d7e89db6bed29d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
21:27:12.0708 1460 clr_optimization_v4.0.30319_64 - ok
21:27:12.0740 1460 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
21:27:12.0741 1460 CmBatt - ok
21:27:12.0766 1460 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\drivers\cmdide.sys
21:27:12.0767 1460 cmdide - ok
21:27:12.0799 1460 CNG (c4943b6c962e4b82197542447ad599f4) C:\Windows\system32\Drivers\cng.sys
21:27:12.0804 1460 CNG - ok
21:27:12.0819 1460 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
21:27:12.0820 1460 Compbatt - ok
21:27:12.0844 1460 CompositeBus (03edb043586cceba243d689bdda370a8) C:\Windows\system32\drivers\CompositeBus.sys
21:27:12.0845 1460 CompositeBus - ok
21:27:12.0857 1460 COMSysApp - ok
21:27:12.0874 1460 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys
21:27:12.0875 1460 crcdisk - ok
21:27:12.0913 1460 CryptSvc (15597883fbe9b056f276ada3ad87d9af) C:\Windows\system32\cryptsvc.dll
21:27:12.0916 1460 CryptSvc - ok
21:27:12.0960 1460 DcomLaunch (5c627d1b1138676c0a7ab2c2c190d123) C:\Windows\system32\rpcss.dll
21:27:12.0968 1460 DcomLaunch - ok
21:27:12.0991 1460 defragsvc (3cec7631a84943677aa8fa8ee5b6b43d) C:\Windows\System32\defragsvc.dll
21:27:12.0995 1460 defragsvc - ok
21:27:13.0018 1460 DfsC (9bb2ef44eaa163b29c4a4587887a0fe4) C:\Windows\system32\Drivers\dfsc.sys
21:27:13.0020 1460 DfsC - ok
21:27:13.0042 1460 Dhcp (43d808f5d9e1a18e5eeb5ebc83969e4e) C:\Windows\system32\dhcpcore.dll
21:27:13.0045 1460 Dhcp - ok
21:27:13.0065 1460 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
21:27:13.0065 1460 discache - ok
21:27:13.0088 1460 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\DRIVERS\disk.sys
21:27:13.0088 1460 Disk - ok
21:27:13.0115 1460 Dnscache (16835866aaa693c7d7fceba8fff706e4) C:\Windows\System32\dnsrslvr.dll
21:27:13.0117 1460 Dnscache - ok
21:27:13.0149 1460 dot3svc (b1fb3ddca0fdf408750d5843591afbc6) C:\Windows\System32\dot3svc.dll
21:27:13.0156 1460 dot3svc - ok
21:27:13.0186 1460 DPS (b26f4f737e8f9df4f31af6cf31d05820) C:\Windows\system32\dps.dll
21:27:13.0191 1460 DPS - ok
21:27:13.0221 1460 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
21:27:13.0222 1460 drmkaud - ok
21:27:13.0265 1460 DXGKrnl (f5bee30450e18e6b83a5012c100616fd) C:\Windows\System32\drivers\dxgkrnl.sys
21:27:13.0273 1460 DXGKrnl - ok
21:27:13.0296 1460 EapHost (e2dda8726da9cb5b2c4000c9018a9633) C:\Windows\System32\eapsvc.dll
21:27:13.0298 1460 EapHost - ok
21:27:13.0393 1460 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\DRIVERS\evbda.sys
21:27:13.0439 1460 ebdrv - ok
21:27:13.0532 1460 EFS (c118a82cd78818c29ab228366ebf81c3) C:\Windows\System32\lsass.exe
21:27:13.0534 1460 EFS - ok
21:27:13.0602 1460 ehRecvr (c4002b6b41975f057d98c439030cea07) C:\Windows\ehome\ehRecvr.exe
21:27:13.0616 1460 ehRecvr - ok
21:27:13.0642 1460 ehSched (4705e8ef9934482c5bb488ce28afc681) C:\Windows\ehome\ehsched.exe
21:27:13.0645 1460 ehSched - ok
21:27:13.0682 1460 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\DRIVERS\elxstor.sys
21:27:13.0689 1460 elxstor - ok
21:27:13.0711 1460 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\drivers\errdev.sys
21:27:13.0711 1460 ErrDev - ok
21:27:13.0756 1460 EventSystem (4166f82be4d24938977dd1746be9b8a0) C:\Windows\system32\es.dll
21:27:13.0762 1460 EventSystem - ok
21:27:13.0792 1460 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
21:27:13.0795 1460 exfat - ok
21:27:13.0816 1460 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
21:27:13.0820 1460 fastfat - ok
21:27:13.0881 1460 Fax (dbefd454f8318a0ef691fdd2eaab44eb) C:\Windows\system32\fxssvc.exe
21:27:13.0896 1460 Fax - ok
21:27:13.0917 1460 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\DRIVERS\fdc.sys
21:27:13.0918 1460 fdc - ok
21:27:13.0947 1460 fdPHost (0438cab2e03f4fb61455a7956026fe86) C:\Windows\system32\fdPHost.dll
21:27:13.0948 1460 fdPHost - ok
21:27:13.0956 1460 FDResPub (802496cb59a30349f9a6dd22d6947644) C:\Windows\system32\fdrespub.dll
21:27:13.0957 1460 FDResPub - ok
21:27:13.0971 1460 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
21:27:13.0972 1460 FileInfo - ok
21:27:13.0986 1460 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
21:27:13.0987 1460 Filetrace - ok
21:27:14.0001 1460 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\DRIVERS\flpydisk.sys
21:27:14.0001 1460 flpydisk - ok
21:27:14.0036 1460 FltMgr (da6b67270fd9db3697b20fce94950741) C:\Windows\system32\drivers\fltmgr.sys
21:27:14.0039 1460 FltMgr - ok
21:27:14.0076 1460 FontCache (5c4cb4086fb83115b153e47add961a0c) C:\Windows\system32\FntCache.dll
21:27:14.0100 1460 FontCache - ok
21:27:14.0175 1460 FontCache3.0.0.0 (a8b7f3818ab65695e3a0bb3279f6dce6) C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
21:27:14.0177 1460 FontCache3.0.0.0 - ok
21:27:14.0325 1460 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
21:27:14.0328 1460 FsDepends - ok
21:27:14.0361 1460 Fs_Rec (6bd9295cc032dd3077c671fccf579a7b) C:\Windows\system32\drivers\Fs_Rec.sys
21:27:14.0362 1460 Fs_Rec - ok
21:27:14.0416 1460 fvevol (1f7b25b858fa27015169fe95e54108ed) C:\Windows\system32\DRIVERS\fvevol.sys
21:27:14.0421 1460 fvevol - ok
21:27:14.0441 1460 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\DRIVERS\gagp30kx.sys
21:27:14.0442 1460 gagp30kx - ok
21:27:14.0513 1460 GamesAppService (c403c5db49a0f9aaf4f2128edc0106d8) C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe
21:27:14.0518 1460 GamesAppService - ok
21:27:14.0559 1460 GEARAspiWDM (e403aacf8c7bb11375122d2464560311) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
21:27:14.0560 1460 GEARAspiWDM - ok
21:27:14.0607 1460 gpsvc (277bbc7e1aa1ee957f573a10eca7ef3a) C:\Windows\System32\gpsvc.dll
21:27:14.0618 1460 gpsvc - ok
21:27:14.0641 1460 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
21:27:14.0642 1460 hcw85cir - ok
21:27:14.0684 1460 HDAudBus (97bfed39b6b79eb12cddbfeed51f56bb) C:\Windows\system32\drivers\HDAudBus.sys
21:27:14.0687 1460 HDAudBus - ok
21:27:14.0709 1460 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\DRIVERS\HidBatt.sys
21:27:14.0711 1460 HidBatt - ok
21:27:14.0731 1460 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\DRIVERS\hidbth.sys
21:27:14.0734 1460 HidBth - ok
21:27:14.0761 1460 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\DRIVERS\hidir.sys
21:27:14.0763 1460 HidIr - ok
21:27:14.0788 1460 hidserv (bd9eb3958f213f96b97b1d897dee006d) C:\Windows\System32\hidserv.dll
21:27:14.0789 1460 hidserv - ok
21:27:14.0826 1460 HidUsb (9592090a7e2b61cd582b612b6df70536) C:\Windows\system32\DRIVERS\hidusb.sys
21:27:14.0827 1460 HidUsb - ok
21:27:14.0850 1460 hkmsvc (387e72e739e15e3d37907a86d9ff98e2) C:\Windows\system32\kmsvc.dll
21:27:14.0852 1460 hkmsvc - ok
21:27:14.0879 1460 HomeGroupListener (efdfb3dd38a4376f93e7985173813abd) C:\Windows\system32\ListSvc.dll
21:27:14.0883 1460 HomeGroupListener - ok
21:27:14.0907 1460 HomeGroupProvider (908acb1f594274965a53926b10c81e89) C:\Windows\system32\provsvc.dll
21:27:14.0911 1460 HomeGroupProvider - ok
21:27:14.0929 1460 HpSAMD (39d2abcd392f3d8a6dce7b60ae7b8efc) C:\Windows\system32\drivers\HpSAMD.sys
21:27:14.0931 1460 HpSAMD - ok
21:27:14.0977 1460 HTTP (0ea7de1acb728dd5a369fd742d6eee28) C:\Windows\system32\drivers\HTTP.sys
21:27:14.0986 1460 HTTP - ok
21:27:15.0000 1460 hwpolicy (a5462bd6884960c9dc85ed49d34ff392) C:\Windows\system32\drivers\hwpolicy.sys
21:27:15.0000 1460 hwpolicy - ok
21:27:15.0026 1460 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\drivers\i8042prt.sys
21:27:15.0028 1460 i8042prt - ok
21:27:15.0062 1460 iaStorV (aaaf44db3bd0b9d1fb6969b23ecc8366) C:\Windows\system32\drivers\iaStorV.sys
21:27:15.0068 1460 iaStorV - ok
21:27:15.0143 1460 IDriverT (1cf03c69b49acb70c722df92755c0c8c) C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
21:27:15.0145 1460 IDriverT - ok
21:27:15.0255 1460 idsvc (5988fc40f8db5b0739cd1e3a5d0d78bd) C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
21:27:15.0273 1460 idsvc - ok
21:27:15.0335 1460 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\DRIVERS\iirsp.sys
21:27:15.0337 1460 iirsp - ok
21:27:15.0392 1460 IKEEXT (fcd84c381e0140af901e58d48882d26b) C:\Windows\System32\ikeext.dll
21:27:15.0404 1460 IKEEXT - ok
21:27:15.0496 1460 IntcAzAudAddService (392d5c87f282e8e36df5154418a7bb20) C:\Windows\system32\drivers\RTKVHD64.sys
21:27:15.0510 1460 IntcAzAudAddService - ok
21:27:15.0600 1460 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\drivers\intelide.sys
21:27:15.0601 1460 intelide - ok
21:27:15.0629 1460 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys
21:27:15.0631 1460 intelppm - ok
21:27:15.0666 1460 IPBusEnum (098a91c54546a3b878dad6a7e90a455b) C:\Windows\system32\ipbusenum.dll
21:27:15.0670 1460 IPBusEnum - ok
21:27:15.0694 1460 IpFilterDriver (c9f0e1bd74365a8771590e9008d22ab6) C:\Windows\system32\DRIVERS\ipfltdrv.sys
21:27:15.0696 1460 IpFilterDriver - ok
21:27:15.0733 1460 iphlpsvc (a34a587fffd45fa649fba6d03784d257) C:\Windows\System32\iphlpsvc.dll
21:27:15.0740 1460 iphlpsvc - ok
21:27:15.0767 1460 IPMIDRV (0fc1aea580957aa8817b8f305d18ca3a) C:\Windows\system32\drivers\IPMIDrv.sys
21:27:15.0768 1460 IPMIDRV - ok
21:27:15.0793 1460 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
21:27:15.0795 1460 IPNAT - ok
21:27:15.0874 1460 iPod Service (ee4c2a137c7088911a8919effc9812e7) C:\Program Files\iPod\bin\iPodService.exe
21:27:15.0883 1460 iPod Service - ok
21:27:15.0909 1460 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
21:27:15.0910 1460 IRENUM - ok
21:27:15.0928 1460 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\drivers\isapnp.sys
21:27:15.0929 1460 isapnp - ok
21:27:15.0954 1460 iScsiPrt (d931d7309deb2317035b07c9f9e6b0bd) C:\Windows\system32\drivers\msiscsi.sys
21:27:15.0958 1460 iScsiPrt - ok
21:27:15.0997 1460 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\drivers\kbdclass.sys
21:27:15.0998 1460 kbdclass - ok
21:27:16.0015 1460 kbdhid (0705eff5b42a9db58548eec3b26bb484) C:\Windows\system32\drivers\kbdhid.sys
21:27:16.0016 1460 kbdhid - ok
21:27:16.0045 1460 KeyIso (c118a82cd78818c29ab228366ebf81c3) C:\Windows\system32\lsass.exe
21:27:16.0047 1460 KeyIso - ok
21:27:16.0061 1460 KSecDD (da1e991a61cfdd755a589e206b97644b) C:\Windows\system32\Drivers\ksecdd.sys
21:27:16.0063 1460 KSecDD - ok
21:27:16.0078 1460 KSecPkg (7e33198d956943a4f11a5474c1e9106f) C:\Windows\system32\Drivers\ksecpkg.sys
21:27:16.0080 1460 KSecPkg - ok
21:27:16.0094 1460 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
21:27:16.0095 1460 ksthunk - ok
21:27:16.0128 1460 KtmRm (6ab66e16aa859232f64deb66887a8c9c) C:\Windows\system32\msdtckrm.dll
21:27:16.0134 1460 KtmRm - ok
21:27:16.0180 1460 LanmanServer (d9f42719019740baa6d1c6d536cbdaa6) C:\Windows\System32\srvsvc.dll
21:27:16.0185 1460 LanmanServer - ok
21:27:16.0213 1460 LanmanWorkstation (851a1382eed3e3a7476db004f4ee3e1a) C:\Windows\System32\wkssvc.dll
21:27:16.0216 1460 LanmanWorkstation - ok
21:27:16.0302 1460 LightScribeService (2238b91ac1a12cc6cc4c4fed41258b2a) c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
21:27:16.0304 1460 LightScribeService - ok
21:27:16.0340 1460 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
21:27:16.0342 1460 lltdio - ok
21:27:16.0367 1460 lltdsvc (c1185803384ab3feed115f79f109427f) C:\Windows\System32\lltdsvc.dll
21:27:16.0372 1460 lltdsvc - ok
21:27:16.0383 1460 lmhosts (f993a32249b66c9d622ea5592a8b76b8) C:\Windows\System32\lmhsvc.dll
21:27:16.0386 1460 lmhosts - ok
21:27:16.0429 1460 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\DRIVERS\lsi_fc.sys
21:27:16.0432 1460 LSI_FC - ok
21:27:16.0456 1460 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\DRIVERS\lsi_sas.sys
21:27:16.0458 1460 LSI_SAS - ok
21:27:16.0476 1460 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\DRIVERS\lsi_sas2.sys
21:27:16.0478 1460 LSI_SAS2 - ok
21:27:16.0491 1460 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\DRIVERS\lsi_scsi.sys
21:27:16.0494 1460 LSI_SCSI - ok
21:27:16.0518 1460 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
21:27:16.0519 1460 luafv - ok
21:27:16.0543 1460 Mcx2Svc (0be09cd858abf9df6ed259d57a1a1663) C:\Windows\system32\Mcx2Svc.dll
21:27:16.0545 1460 Mcx2Svc - ok
21:27:16.0570 1460 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\DRIVERS\megasas.sys
21:27:16.0572 1460 megasas - ok
21:27:16.0590 1460 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\DRIVERS\MegaSR.sys
21:27:16.0593 1460 MegaSR - ok
21:27:16.0663 1460 Microsoft Office Groove Audit Service (123271bd5237ab991dc5c21fdf8835eb) C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe
21:27:16.0666 1460 Microsoft Office Groove Audit Service - ok
21:27:16.0700 1460 MMCSS (e40e80d0304a73e8d269f7141d77250b) C:\Windows\system32\mmcss.dll
21:27:16.0702 1460 MMCSS - ok
21:27:16.0716 1460 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
21:27:16.0717 1460 Modem - ok
21:27:16.0740 1460 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
21:27:16.0741 1460 monitor - ok
21:27:16.0767 1460 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys
21:27:16.0768 1460 mouclass - ok
21:27:16.0792 1460 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
21:27:16.0793 1460 mouhid - ok
21:27:16.0821 1460 mountmgr (32e7a3d591d671a6df2db515a5cbe0fa) C:\Windows\system32\drivers\mountmgr.sys
21:27:16.0823 1460 mountmgr - ok
21:27:16.0872 1460 MpFilter (c177a7ebf5e8a0b596f618870516cab8) C:\Windows\system32\DRIVERS\MpFilter.sys
21:27:16.0875 1460 MpFilter - ok
21:27:16.0901 1460 mpio (a44b420d30bd56e145d6a2bc8768ec58) C:\Windows\system32\drivers\mpio.sys
21:27:16.0905 1460 mpio - ok
21:27:16.0923 1460 MpNWMon (8fbf6b31fe8af1833d93c5913d5b4d55) C:\Windows\system32\DRIVERS\MpNWMon.sys
21:27:16.0925 1460 MpNWMon - ok
21:27:16.0952 1460 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
21:27:16.0953 1460 mpsdrv - ok
21:27:16.0993 1460 MpsSvc (54ffc9c8898113ace189d4aa7199d2c1) C:\Windows\system32\mpssvc.dll
21:27:17.0004 1460 MpsSvc - ok
21:27:17.0021 1460 MRxDAV (dc722758b8261e1abafd31a3c0a66380) C:\Windows\system32\drivers\mrxdav.sys
21:27:17.0023 1460 MRxDAV - ok
21:27:17.0052 1460 mrxsmb (a5d9106a73dc88564c825d317cac68ac) C:\Windows\system32\DRIVERS\mrxsmb.sys
21:27:17.0053 1460 mrxsmb - ok
21:27:17.0084 1460 mrxsmb10 (d711b3c1d5f42c0c2415687be09fc163) C:\Windows\system32\DRIVERS\mrxsmb10.sys
21:27:17.0086 1460 mrxsmb10 - ok
21:27:17.0094 1460 mrxsmb20 (9423e9d355c8d303e76b8cfbd8a5c30c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
21:27:17.0096 1460 mrxsmb20 - ok
21:27:17.0117 1460 msahci (c25f0bafa182cbca2dd3c851c2e75796) C:\Windows\system32\drivers\msahci.sys
21:27:17.0117 1460 msahci - ok
21:27:17.0137 1460 msdsm (db801a638d011b9633829eb6f663c900) C:\Windows\system32\drivers\msdsm.sys
21:27:17.0138 1460 msdsm - ok
21:27:17.0162 1460 MSDTC (de0ece52236cfa3ed2dbfc03f28253a8) C:\Windows\System32\msdtc.exe
21:27:17.0165 1460 MSDTC - ok
21:27:17.0191 1460 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
21:27:17.0192 1460 Msfs - ok
21:27:17.0199 1460 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
21:27:17.0200 1460 mshidkmdf - ok
21:27:17.0211 1460 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\drivers\msisadrv.sys
21:27:17.0212 1460 msisadrv - ok
21:27:17.0236 1460 MSiSCSI (808e98ff49b155c522e6400953177b08) C:\Windows\system32\iscsiexe.dll
21:27:17.0238 1460 MSiSCSI - ok
21:27:17.0241 1460 msiserver - ok
21:27:17.0266 1460 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
21:27:17.0267 1460 MSKSSRV - ok
21:27:17.0351 1460 MsMpSvc (157e9e498206a3366baa7e4697bdd947) c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
21:27:17.0352 1460 MsMpSvc - ok
21:27:17.0371 1460 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
21:27:17.0372 1460 MSPCLOCK - ok
21:27:17.0379 1460 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
21:27:17.0380 1460 MSPQM - ok
21:27:17.0416 1460 MsRPC (759a9eeb0fa9ed79da1fb7d4ef78866d) C:\Windows\system32\drivers\MsRPC.sys
21:27:17.0421 1460 MsRPC - ok
21:27:17.0454 1460 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\drivers\mssmbios.sys
21:27:17.0455 1460 mssmbios - ok
21:27:17.0460 1460 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
21:27:17.0461 1460 MSTEE - ok
21:27:17.0483 1460 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys
21:27:17.0484 1460 MTConfig - ok
21:27:17.0507 1460 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
21:27:17.0508 1460 Mup - ok
21:27:17.0530 1460 napagent (582ac6d9873e31dfa28a4547270862dd) C:\Windows\system32\qagentRT.dll
21:27:17.0537 1460 napagent - ok
21:27:17.0564 1460 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
21:27:17.0567 1460 NativeWifiP - ok
21:27:17.0602 1460 NDIS (79b47fd40d9a817e932f9d26fac0a81c) C:\Windows\system32\drivers\ndis.sys
21:27:17.0610 1460 NDIS - ok
21:27:17.0629 1460 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
21:27:17.0630 1460 NdisCap - ok
21:27:17.0647 1460 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
21:27:17.0647 1460 NdisTapi - ok
21:27:17.0674 1460 Ndisuio (136185f9fb2cc61e573e676aa5402356) C:\Windows\system32\DRIVERS\ndisuio.sys
21:27:17.0675 1460 Ndisuio - ok
21:27:17.0703 1460 NdisWan (53f7305169863f0a2bddc49e116c2e11) C:\Windows\system32\DRIVERS\ndiswan.sys
21:27:17.0705 1460 NdisWan - ok
21:27:17.0732 1460 NDProxy (015c0d8e0e0421b4cfd48cffe2825879) C:\Windows\system32\drivers\NDProxy.sys
21:27:17.0733 1460 NDProxy - ok
21:27:17.0745 1460 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
21:27:17.0746 1460 NetBIOS - ok
21:27:17.0775 1460 NetBT (09594d1089c523423b32a4229263f068) C:\Windows\system32\DRIVERS\netbt.sys
21:27:17.0778 1460 NetBT - ok
21:27:17.0802 1460 Netlogon (c118a82cd78818c29ab228366ebf81c3) C:\Windows\system32\lsass.exe
21:27:17.0803 1460 Netlogon - ok
21:27:17.0836 1460 Netman (847d3ae376c0817161a14a82c8922a9e) C:\Windows\System32\netman.dll
21:27:17.0841 1460 Netman - ok
21:27:17.0907 1460 NetMsmqActivator (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
21:27:17.0911 1460 NetMsmqActivator - ok
21:27:17.0920 1460 NetPipeActivator (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
21:27:17.0922 1460 NetPipeActivator - ok
21:27:17.0953 1460 netprofm (5f28111c648f1e24f7dbc87cdeb091b8) C:\Windows\System32\netprofm.dll
21:27:17.0960 1460 netprofm - ok
21:27:18.0012 1460 netr7364 (118e9136b5b48dd5b2cc81f78431a69e) C:\Windows\system32\DRIVERS\netr7364.sys
21:27:18.0020 1460 netr7364 - ok
21:27:18.0025 1460 NetTcpActivator (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
21:27:18.0027 1460 NetTcpActivator - ok
21:27:18.0032 1460 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
21:27:18.0034 1460 NetTcpPortSharing - ok
21:27:18.0059 1460 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys
21:27:18.0061 1460 nfrd960 - ok
21:27:18.0098 1460 NisDrv (5f7d72cbcdd025af1f38fdeee5646968) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
21:27:18.0099 1460 NisDrv - ok
21:27:18.0165 1460 NisSrv (566ddd5d82520da01d75f81428ac4c38) c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
21:27:18.0172 1460 NisSrv - ok
21:27:18.0220 1460 NlaSvc (1ee99a89cc788ada662441d1e9830529) C:\Windows\System32\nlasvc.dll
21:27:18.0225 1460 NlaSvc - ok
21:27:18.0246 1460 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
21:27:18.0247 1460 Npfs - ok
21:27:18.0265 1460 nsi (d54bfdf3e0c953f823b3d0bfe4732528) C:\Windows\system32\nsisvc.dll
21:27:18.0267 1460 nsi - ok
21:27:18.0278 1460 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
21:27:18.0278 1460 nsiproxy - ok
21:27:18.0339 1460 Ntfs (a2f74975097f52a00745f9637451fdd8) C:\Windows\system32\drivers\Ntfs.sys
21:27:18.0363 1460 Ntfs - ok
21:27:18.0431 1460 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
21:27:18.0431 1460 Null - ok
21:27:18.0703 1460 nvlddmkm (b15258b1f45f9571758ac6bb2f043b01) C:\Windows\system32\DRIVERS\nvlddmkm.sys
21:27:18.0767 1460 nvlddmkm - ok
21:27:18.0828 1460 NVNET (909eedcbd365bb81027d8e742e6b3416) C:\Windows\system32\DRIVERS\nvmf6264.sys
21:27:18.0830 1460 NVNET - ok
21:27:18.0863 1460 nvraid (0a92cb65770442ed0dc44834632f66ad) C:\Windows\system32\drivers\nvraid.sys
21:27:18.0865 1460 nvraid - ok
21:27:18.0875 1460 nvstor (dab0e87525c10052bf65f06152f37e4a) C:\Windows\system32\drivers\nvstor.sys
21:27:18.0877 1460 nvstor - ok
21:27:18.0896 1460 nvstor64 (1e45f96342429d63dc30e0d9117da3d8) C:\Windows\system32\DRIVERS\nvstor64.sys
21:27:18.0897 1460 nvstor64 - ok
21:27:18.0957 1460 nvsvc (2d7092fec9bd2aca199673bba2ba9277) C:\Windows\system32\nvvsvc.exe
21:27:18.0982 1460 nvsvc - ok
21:27:19.0107 1460 nvUpdatusService (7e22de30e222bfdfcec7e77032baf3cd) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
21:27:19.0139 1460 nvUpdatusService - ok
21:27:19.0218 1460 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\drivers\nv_agp.sys
21:27:19.0222 1460 nv_agp - ok
21:27:19.0290 1460 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
21:27:19.0296 1460 odserv - ok
21:27:19.0315 1460 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\drivers\ohci1394.sys
21:27:19.0317 1460 ohci1394 - ok
21:27:19.0368 1460 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
21:27:19.0374 1460 ose - ok
21:27:19.0429 1460 p2pimsvc (3eac4455472cc2c97107b5291e0dcafe) C:\Windows\system32\pnrpsvc.dll
21:27:19.0434 1460 p2pimsvc - ok
21:27:19.0468 1460 p2psvc (927463ecb02179f88e4b9a17568c63c3) C:\Windows\system32\p2psvc.dll
21:27:19.0475 1460 p2psvc - ok
21:27:19.0500 1460 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\DRIVERS\parport.sys
21:27:19.0503 1460 Parport - ok
21:27:19.0533 1460 partmgr (871eadac56b0a4c6512bbe32753ccf79) C:\Windows\system32\drivers\partmgr.sys
21:27:19.0534 1460 partmgr - ok
21:27:19.0548 1460 PcaSvc (3aeaa8b561e63452c655dc0584922257) C:\Windows\System32\pcasvc.dll
21:27:19.0553 1460 PcaSvc - ok
21:27:19.0592 1460 PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - ok
21:27:19.0626 1460 pci (94575c0571d1462a0f70bde6bd6ee6b3) C:\Windows\system32\drivers\pci.sys
21:27:19.0629 1460 pci - ok
21:27:19.0642 1460 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\drivers\pciide.sys
21:27:19.0643 1460 pciide - ok
21:27:19.0668 1460 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\DRIVERS\pcmcia.sys
21:27:19.0671 1460 pcmcia - ok
21:27:19.0692 1460 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
21:27:19.0692 1460 pcw - ok
21:27:19.0714 1460 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
21:27:19.0720 1460 PEAUTH - ok
21:27:19.0768 1460 PerfHost (e495e408c93141e8fc72dc0c6046ddfa) C:\Windows\SysWow64\perfhost.exe
21:27:19.0770 1460 PerfHost - ok
21:27:19.0824 1460 pla (c7cf6a6e137463219e1259e3f0f0dd6c) C:\Windows\system32\pla.dll
21:27:19.0849 1460 pla - ok
21:27:19.0885 1460 PlugPlay (25fbdef06c4d92815b353f6e792c8129) C:\Windows\system32\umpnpmgr.dll
21:27:19.0890 1460 PlugPlay - ok
21:27:19.0903 1460 PNRPAutoReg (7195581cec9bb7d12abe54036acc2e38) C:\Windows\system32\pnrpauto.dll
21:27:19.0904 1460 PNRPAutoReg - ok
21:27:19.0919 1460 PNRPsvc (3eac4455472cc2c97107b5291e0dcafe) C:\Windows\system32\pnrpsvc.dll
21:27:19.0921 1460 PNRPsvc - ok
21:27:19.0966 1460 Point64 (4f0878fd62d5f7444c5f1c4c66d9d293) C:\Windows\system32\DRIVERS\point64.sys
21:27:19.0968 1460 Point64 - ok
21:27:20.0007 1460 PolicyAgent (4f15d75adf6156bf56eced6d4a55c389) C:\Windows\System32\ipsecsvc.dll
21:27:20.0014 1460 PolicyAgent - ok
21:27:20.0040 1460 Power (6ba9d927dded70bd1a9caded45f8b184) C:\Windows\system32\umpo.dll
21:27:20.0044 1460 Power - ok
21:27:20.0083 1460 PptpMiniport (f92a2c41117a11a00be01ca01a7fcde9) C:\Windows\system32\DRIVERS\raspptp.sys
21:27:20.0085 1460 PptpMiniport - ok
21:27:20.0105 1460 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\DRIVERS\processr.sys
21:27:20.0106 1460 Processor - ok
21:27:20.0144 1460 ProfSvc (5c78838b4d166d1a27db3a8a820c799a) C:\Windows\system32\profsvc.dll
21:27:20.0148 1460 ProfSvc - ok
21:27:20.0174 1460 ProtectedStorage (c118a82cd78818c29ab228366ebf81c3) C:\Windows\system32\lsass.exe
21:27:20.0176 1460 ProtectedStorage - ok
21:27:20.0217 1460 Psched (0557cf5a2556bd58e26384169d72438d) C:\Windows\system32\DRIVERS\pacer.sys
21:27:20.0220 1460 Psched - ok
21:27:20.0285 1460 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\DRIVERS\ql2300.sys
21:27:20.0311 1460 ql2300 - ok
21:27:20.0386 1460 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\DRIVERS\ql40xx.sys
21:27:20.0390 1460 ql40xx - ok
21:27:20.0417 1460 QWAVE (906191634e99aea92c4816150bda3732) C:\Windows\system32\qwave.dll
21:27:20.0421 1460 QWAVE - ok
21:27:20.0446 1460 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
21:27:20.0448 1460 QWAVEdrv - ok
21:27:20.0458 1460 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
21:27:20.0458 1460 RasAcd - ok
21:27:20.0483 1460 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
21:27:20.0485 1460 RasAgileVpn - ok
21:27:20.0494 1460 RasAuto (8f26510c5383b8dbe976de1cd00fc8c7) C:\Windows\System32\rasauto.dll
21:27:20.0497 1460 RasAuto - ok
21:27:20.0523 1460 Rasl2tp (471815800ae33e6f1c32fb1b97c490ca) C:\Windows\system32\DRIVERS\rasl2tp.sys
21:27:20.0525 1460 Rasl2tp - ok
21:27:20.0545 1460 RasMan (ee867a0870fc9e4972ba9eaad35651e2) C:\Windows\System32\rasmans.dll
21:27:20.0551 1460 RasMan - ok
21:27:20.0567 1460 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
21:27:20.0568 1460 RasPppoe - ok
21:27:20.0577 1460 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
21:27:20.0578 1460 RasSstp - ok
21:27:20.0605 1460 rdbss (77f665941019a1594d887a74f301fa2f) C:\Windows\system32\DRIVERS\rdbss.sys
21:27:20.0608 1460 rdbss - ok
21:27:20.0629 1460 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys
21:27:20.0630 1460 rdpbus - ok
21:27:20.0651 1460 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
21:27:20.0652 1460 RDPCDD - ok
21:27:20.0661 1460 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
21:27:20.0662 1460 RDPENCDD - ok
21:27:20.0673 1460 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
21:27:20.0674 1460 RDPREFMP - ok
21:27:20.0700 1460 RDPWD (6d76e6433574b058adcb0c50df834492) C:\Windows\system32\drivers\RDPWD.sys
21:27:20.0703 1460 RDPWD - ok
21:27:20.0741 1460 rdyboost (34ed295fa0121c241bfef24764fc4520) C:\Windows\system32\drivers\rdyboost.sys
21:27:20.0745 1460 rdyboost - ok
21:27:20.0769 1460 RemoteAccess (254fb7a22d74e5511c73a3f6d802f192) C:\Windows\System32\mprdim.dll
21:27:20.0774 1460 RemoteAccess - ok
21:27:20.0815 1460 RemoteRegistry (e4d94f24081440b5fc5aa556c7c62702) C:\Windows\system32\regsvc.dll
21:27:20.0818 1460 RemoteRegistry - ok
21:27:20.0851 1460 RimUsb (ad42432d22940b4215177be113e4919c) C:\Windows\system32\Drivers\RimUsb_AMD64.sys
21:27:20.0852 1460 RimUsb - ok
21:27:20.0885 1460 RimVSerPort (4aafffa67ac4dfa3d9985d78573887e2) C:\Windows\system32\DRIVERS\RimSerial_AMD64.sys
21:27:20.0886 1460 RimVSerPort - ok
21:27:20.0898 1460 ROOTMODEM (388d3dd1a6457280f3badba9f3acd6b1) C:\Windows\system32\Drivers\RootMdm.sys
21:27:20.0898 1460 ROOTMODEM - ok
21:27:20.0921 1460 RpcEptMapper (e4dc58cf7b3ea515ae917ff0d402a7bb) C:\Windows\System32\RpcEpMap.dll
21:27:20.0924 1460 RpcEptMapper - ok
21:27:20.0941 1460 RpcLocator (d5ba242d4cf8e384db90e6a8ed850b8c) C:\Windows\system32\locator.exe
21:27:20.0942 1460 RpcLocator - ok
21:27:20.0989 1460 RpcSs (5c627d1b1138676c0a7ab2c2c190d123) C:\Windows\system32\rpcss.dll
21:27:20.0999 1460 RpcSs - ok
21:27:21.0023 1460 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
21:27:21.0024 1460 rspndr - ok
21:27:21.0049 1460 SamSs (c118a82cd78818c29ab228366ebf81c3) C:\Windows\system32\lsass.exe
21:27:21.0050 1460 SamSs - ok
21:27:21.0079 1460 sbp2port (ac03af3329579fffb455aa2daabbe22b) C:\Windows\system32\drivers\sbp2port.sys
21:27:21.0081 1460 sbp2port - ok
21:27:21.0094 1460 SCardSvr (9b7395789e3791a3b6d000fe6f8b131e) C:\Windows\System32\SCardSvr.dll
21:27:21.0098 1460 SCardSvr - ok
21:27:21.0124 1460 scfilter (253f38d0d7074c02ff8deb9836c97d2b) C:\Windows\system32\DRIVERS\scfilter.sys
21:27:21.0126 1460 scfilter - ok
21:27:21.0181 1460 Schedule (262f6592c3299c005fd6bec90fc4463a) C:\Windows\system32\schedsvc.dll
21:27:21.0203 1460 Schedule - ok
21:27:21.0230 1460 SCPolicySvc (f17d1d393bbc69c5322fbfafaca28c7f) C:\Windows\System32\certprop.dll
21:27:21.0231 1460 SCPolicySvc - ok
21:27:21.0247 1460 SDRSVC (6ea4234dc55346e0709560fe7c2c1972) C:\Windows\System32\SDRSVC.dll
21:27:21.0250 1460 SDRSVC - ok
21:27:21.0292 1460 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
21:27:21.0293 1460 secdrv - ok
21:27:21.0324 1460 seclogon (bc617a4e1b4fa8df523a061739a0bd87) C:\Windows\system32\seclogon.dll
21:27:21.0328 1460 seclogon - ok
21:27:21.0341 1460 SENS (c32ab8fa018ef34c0f113bd501436d21) C:\Windows\system32\sens.dll
21:27:21.0343 1460 SENS - ok
21:27:21.0356 1460 SensrSvc (0336cffafaab87a11541f1cf1594b2b2) C:\Windows\system32\sensrsvc.dll
21:27:21.0358 1460 SensrSvc - ok
21:27:21.0379 1460 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys
21:27:21.0380 1460 Serenum - ok
21:27:21.0400 1460 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
21:27:21.0401 1460 Serial - ok
21:27:21.0431 1460 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\DRIVERS\sermouse.sys
21:27:21.0432 1460 sermouse - ok
21:27:21.0465 1460 SessionEnv (0b6231bf38174a1628c4ac812cc75804) C:\Windows\system32\sessenv.dll
21:27:21.0468 1460 SessionEnv - ok
21:27:21.0480 1460 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\drivers\sffdisk.sys
21:27:21.0481 1460 sffdisk - ok
21:27:21.0494 1460 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\drivers\sffp_mmc.sys
21:27:21.0495 1460 sffp_mmc - ok
21:27:21.0507 1460 sffp_sd (dd85b78243a19b59f0637dcf284da63c) C:\Windows\system32\drivers\sffp_sd.sys
21:27:21.0509 1460 sffp_sd - ok
21:27:21.0522 1460 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\DRIVERS\sfloppy.sys
21:27:21.0523 1460 sfloppy - ok
21:27:21.0552 1460 SharedAccess (b95f6501a2f8b2e78c697fec401970ce) C:\Windows\System32\ipnathlp.dll
21:27:21.0557 1460 SharedAccess - ok
21:27:21.0588 1460 ShellHWDetection (aaf932b4011d14052955d4b212a4da8d) C:\Windows\System32\shsvcs.dll
21:27:21.0594 1460 ShellHWDetection - ok
21:27:21.0612 1460 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\DRIVERS\SiSRaid2.sys
21:27:21.0613 1460 SiSRaid2 - ok
21:27:21.0624 1460 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\DRIVERS\sisraid4.sys
21:27:21.0626 1460 SiSRaid4 - ok
21:27:21.0646 1460 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
21:27:21.0648 1460 Smb - ok
21:27:21.0684 1460 SNMPTRAP (6313f223e817cc09aa41811daa7f541d) C:\Windows\System32\snmptrap.exe
21:27:21.0686 1460 SNMPTRAP - ok
21:27:21.0698 1460 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
21:27:21.0699 1460 spldr - ok
21:27:21.0718 1460 Spooler (b96c17b5dc1424d56eea3a99e97428cd) C:\Windows\System32\spoolsv.exe
21:27:21.0725 1460 Spooler - ok
21:27:21.0821 1460 sppsvc (e17e0188bb90fae42d83e98707efa59c) C:\Windows\system32\sppsvc.exe
21:27:21.0869 1460 sppsvc - ok
21:27:21.0942 1460 sppuinotify (93d7d61317f3d4bc4f4e9f8a96a7de45) C:\Windows\system32\sppuinotify.dll
21:27:21.0945 1460 sppuinotify - ok
21:27:21.0984 1460 srv (441fba48bff01fdb9d5969ebc1838f0b) C:\Windows\system32\DRIVERS\srv.sys
21:27:21.0990 1460 srv - ok
21:27:22.0018 1460 srv2 (b4adebbf5e3677cce9651e0f01f7cc28) C:\Windows\system32\DRIVERS\srv2.sys
21:27:22.0023 1460 srv2 - ok
21:27:22.0038 1460 srvnet (27e461f0be5bff5fc737328f749538c3) C:\Windows\system32\DRIVERS\srvnet.sys
21:27:22.0040 1460 srvnet - ok
21:27:22.0081 1460 sscdbus (f4f1e1ff6986fe8914525af751ea3eac) C:\Windows\system32\DRIVERS\sscdbus.sys
21:27:22.0084 1460 sscdbus - ok
21:27:22.0101 1460 sscdmdfl (5447690d2cfe1bde1be3a5a5a3e2f796) C:\Windows\system32\DRIVERS\sscdmdfl.sys
21:27:22.0102 1460 sscdmdfl - ok
21:27:22.0116 1460 sscdmdm (bfda292053aeb76a0c1d63b2279d5138) C:\Windows\system32\DRIVERS\sscdmdm.sys
21:27:22.0119 1460 sscdmdm - ok
21:27:22.0156 1460 SSDPSRV (51b52fbd583cde8aa9ba62b8b4298f33) C:\Windows\System32\ssdpsrv.dll
21:27:22.0161 1460 SSDPSRV - ok
21:27:22.0170 1460 SstpSvc (ab7aebf58dad8daab7a6c45e6a8885cb) C:\Windows\system32\sstpsvc.dll
21:27:22.0173 1460 SstpSvc - ok
21:27:22.0251 1460 Stereo Service (9e1222c417291bc836210743624a8e5e) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
21:27:22.0258 1460 Stereo Service - ok
21:27:22.0274 1460 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\DRIVERS\stexstor.sys
21:27:22.0275 1460 stexstor - ok
21:27:22.0318 1460 stisvc (8dd52e8e6128f4b2da92ce27402871c1) C:\Windows\System32\wiaservc.dll
21:27:22.0327 1460 stisvc - ok
21:27:22.0360 1460 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\drivers\swenum.sys
21:27:22.0360 1460 swenum - ok
21:27:22.0390 1460 swprv (e08e46fdd841b7184194011ca1955a0b) C:\Windows\System32\swprv.dll
21:27:22.0398 1460 swprv - ok
21:27:22.0470 1460 SysMain (bf9ccc0bf39b418c8d0ae8b05cf95b7d) C:\Windows\system32\sysmain.dll
21:27:22.0502 1460 SysMain - ok
21:27:22.0576 1460 TabletInputService (e3c61fd7b7c2557e1f1b0b4cec713585) C:\Windows\System32\TabSvc.dll
21:27:22.0582 1460 TabletInputService - ok
21:27:22.0604 1460 TapiSrv (40f0849f65d13ee87b9a9ae3c1dd6823) C:\Windows\System32\tapisrv.dll
21:27:22.0610 1460 TapiSrv - ok
21:27:22.0626 1460 TBS (1be03ac720f4d302ea01d40f588162f6) C:\Windows\System32\tbssvc.dll
21:27:22.0629 1460 TBS - ok
21:27:22.0707 1460 Tcpip (fc62769e7bff2896035aeed399108162) C:\Windows\system32\drivers\tcpip.sys
21:27:22.0733 1460 Tcpip - ok
21:27:22.0829 1460 TCPIP6 (fc62769e7bff2896035aeed399108162) C:\Windows\system32\DRIVERS\tcpip.sys
21:27:22.0839 1460 TCPIP6 - ok
21:27:22.0905 1460 tcpipreg (df687e3d8836bfb04fcc0615bf15a519) C:\Windows\system32\drivers\tcpipreg.sys
21:27:22.0906 1460 tcpipreg - ok
21:27:22.0925 1460 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
21:27:22.0926 1460 TDPIPE - ok
21:27:22.0949 1460 TDTCP (51c5eceb1cdee2468a1748be550cfbc8) C:\Windows\system32\drivers\tdtcp.sys
21:27:22.0950 1460 TDTCP - ok
21:27:22.0976 1460 tdx (ddad5a7ab24d8b65f8d724f5c20fd806) C:\Windows\system32\DRIVERS\tdx.sys
21:27:22.0978 1460 tdx - ok
21:27:23.0007 1460 TermDD (561e7e1f06895d78de991e01dd0fb6e5) C:\Windows\system32\drivers\termdd.sys
21:27:23.0008 1460 TermDD - ok
21:27:23.0031 1460 TermService (2e648163254233755035b46dd7b89123) C:\Windows\System32\termsrv.dll
21:27:23.0039 1460 TermService - ok
21:27:23.0054 1460 Themes (f0344071948d1a1fa732231785a0664c) C:\Windows\system32\themeservice.dll
21:27:23.0056 1460 Themes - ok
21:27:23.0076 1460 THREADORDER (e40e80d0304a73e8d269f7141d77250b) C:\Windows\system32\mmcss.dll
21:27:23.0077 1460 THREADORDER - ok
21:27:23.0089 1460 TrkWks (7e7afd841694f6ac397e99d75cead49d) C:\Windows\System32\trkwks.dll
21:27:23.0091 1460 TrkWks - ok
21:27:23.0132 1460 TrustedInstaller (773212b2aaa24c1e31f10246b15b276c) C:\Windows\servicing\TrustedInstaller.exe
21:27:23.0133 1460 TrustedInstaller - ok
21:27:23.0165 1460 tssecsrv (ce18b2cdfc837c99e5fae9ca6cba5d30) C:\Windows\system32\DRIVERS\tssecsrv.sys
21:27:23.0166 1460 tssecsrv - ok
21:27:23.0206 1460 TsUsbFlt (d11c783e3ef9a3c52c0ebe83cc5000e9) C:\Windows\system32\drivers\tsusbflt.sys
21:27:23.0207 1460 TsUsbFlt - ok
21:27:23.0247 1460 tunnel (3566a8daafa27af944f5d705eaa64894) C:\Windows\system32\DRIVERS\tunnel.sys
21:27:23.0251 1460 tunnel - ok
21:27:23.0283 1460 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\DRIVERS\uagp35.sys
21:27:23.0286 1460 uagp35 - ok
21:27:23.0316 1460 udfs (ff4232a1a64012baa1fd97c7b67df593) C:\Windows\system32\DRIVERS\udfs.sys
21:27:23.0321 1460 udfs - ok
21:27:23.0345 1460 UI0Detect (3cbdec8d06b9968aba702eba076364a1) C:\Windows\system32\UI0Detect.exe
21:27:23.0347 1460 UI0Detect - ok
21:27:23.0371 1460 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\drivers\uliagpkx.sys
21:27:23.0372 1460 uliagpkx - ok
21:27:23.0391 1460 umbus (dc54a574663a895c8763af0fa1ff7561) C:\Windows\system32\drivers\umbus.sys
21:27:23.0392 1460 umbus - ok
21:27:23.0408 1460 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\DRIVERS\umpass.sys
21:27:23.0409 1460 UmPass - ok
21:27:23.0422 1460 upnphost (d47ec6a8e81633dd18d2436b19baf6de) C:\Windows\System32\upnphost.dll
21:27:23.0426 1460 upnphost - ok
21:27:23.0454 1460 USBAAPL64 (aa33fc47ed58c34e6e9261e4f850b7eb) C:\Windows\system32\Drivers\usbaapl64.sys
21:27:23.0455 1460 USBAAPL64 - ok
21:27:23.0466 1460 usbccgp (6f1a3157a1c89435352ceb543cdb359c) C:\Windows\system32\DRIVERS\usbccgp.sys
21:27:23.0467 1460 usbccgp - ok
21:27:23.0490 1460 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\drivers\usbcir.sys
21:27:23.0491 1460 usbcir - ok
21:27:23.0507 1460 usbehci (c025055fe7b87701eb042095df1a2d7b) C:\Windows\system32\DRIVERS\usbehci.sys
21:27:23.0508 1460 usbehci - ok
21:27:23.0521 1460 usbhub (287c6c9410b111b68b52ca298f7b8c24) C:\Windows\system32\DRIVERS\usbhub.sys
21:27:23.0525 1460 usbhub - ok
21:27:23.0531 1460 usbohci (9840fc418b4cbd632d3d0a667a725c31) C:\Windows\system32\DRIVERS\usbohci.sys
21:27:23.0531 1460 usbohci - ok
21:27:23.0553 1460 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys
21:27:23.0554 1460 usbprint - ok
21:27:23.0563 1460 USBSTOR (fed648b01349a3c8395a5169db5fb7d6) C:\Windows\system32\DRIVERS\USBSTOR.SYS
21:27:23.0564 1460 USBSTOR - ok
21:27:23.0574 1460 usbuhci (62069a34518bcf9c1fd9e74b3f6db7cd) C:\Windows\system32\drivers\usbuhci.sys
21:27:23.0575 1460 usbuhci - ok
21:27:23.0599 1460 UxSms (edbb23cbcf2cdf727d64ff9b51a6070e) C:\Windows\System32\uxsms.dll
21:27:23.0601 1460 UxSms - ok
21:27:23.0629 1460 VaultSvc (c118a82cd78818c29ab228366ebf81c3) C:\Windows\system32\lsass.exe
21:27:23.0630 1460 VaultSvc - ok
21:27:23.0640 1460 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\drivers\vdrvroot.sys
21:27:23.0641 1460 vdrvroot - ok
21:27:23.0679 1460 vds (8d6b481601d01a456e75c3210f1830be) C:\Windows\System32\vds.exe
21:27:23.0686 1460 vds - ok
21:27:23.0707 1460 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
21:27:23.0708 1460 vga - ok
21:27:23.0713 1460 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
21:27:23.0714 1460 VgaSave - ok
21:27:23.0733 1460 vhdmp (2ce2df28c83aeaf30084e1b1eb253cbb) C:\Windows\system32\drivers\vhdmp.sys
21:27:23.0735 1460 vhdmp - ok
21:27:23.0747 1460 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\drivers\viaide.sys
21:27:23.0748 1460 viaide - ok
21:27:23.0760 1460 volmgr (d2aafd421940f640b407aefaaebd91b0) C:\Windows\system32\drivers\volmgr.sys
21:27:23.0761 1460 volmgr - ok
21:27:23.0781 1460 volmgrx (a255814907c89be58b79ef2f189b843b) C:\Windows\system32\drivers\volmgrx.sys
21:27:23.0784 1460 volmgrx - ok
21:27:23.0796 1460 volsnap (0d08d2f3b3ff84e433346669b5e0f639) C:\Windows\system32\drivers\volsnap.sys
21:27:23.0798 1460 volsnap - ok
21:27:23.0825 1460 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\DRIVERS\vsmraid.sys
21:27:23.0827 1460 vsmraid - ok
21:27:23.0883 1460 VSS (b60ba0bc31b0cb414593e169f6f21cc2) C:\Windows\system32\vssvc.exe
21:27:23.0909 1460 VSS - ok
21:27:23.0977 1460 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\System32\drivers\vwifibus.sys
21:27:23.0978 1460 vwifibus - ok
21:27:24.0004 1460 vwififlt (6a3d66263414ff0d6fa754c646612f3f) C:\Windows\system32\DRIVERS\vwififlt.sys
21:27:24.0006 1460 vwififlt - ok
21:27:24.0044 1460 W32Time (1c9d80cc3849b3788048078c26486e1a) C:\Windows\system32\w32time.dll
21:27:24.0054 1460 W32Time - ok
21:27:24.0076 1460 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\DRIVERS\wacompen.sys
21:27:24.0077 1460 WacomPen - ok
21:27:24.0118 1460 WANARP (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
21:27:24.0119 1460 WANARP - ok
21:27:24.0123 1460 Wanarpv6 (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
21:27:24.0125 1460 Wanarpv6 - ok
21:27:24.0192 1460 WatAdminSvc (3cec96de223e49eaae3651fcf8faea6c) C:\Windows\system32\Wat\WatAdminSvc.exe
21:27:24.0216 1460 WatAdminSvc - ok
21:27:24.0280 1460 wbengine (78f4e7f5c56cb9716238eb57da4b6a75) C:\Windows\system32\wbengine.exe
21:27:24.0310 1460 wbengine - ok
21:27:24.0377 1460 WbioSrvc (3aa101e8edab2db4131333f4325c76a3) C:\Windows\System32\wbiosrvc.dll
21:27:24.0382 1460 WbioSrvc - ok
21:27:24.0418 1460 wcncsvc (7368a2afd46e5a4481d1de9d14848edd) C:\Windows\System32\wcncsvc.dll
21:27:24.0424 1460 wcncsvc - ok
21:27:24.0439 1460 WcsPlugInService (20f7441334b18cee52027661df4a6129) C:\Windows\System32\WcsPlugInService.dll
21:27:24.0441 1460 WcsPlugInService - ok
21:27:24.0478 1460 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\DRIVERS\wd.sys
21:27:24.0479 1460 Wd - ok
21:27:24.0508 1460 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
21:27:24.0514 1460 Wdf01000 - ok
21:27:24.0523 1460 WdiServiceHost (bf1fc3f79b863c914687a737c2f3d681) C:\Windows\system32\wdi.dll
21:27:24.0525 1460 WdiServiceHost - ok
21:27:24.0528 1460 WdiSystemHost (bf1fc3f79b863c914687a737c2f3d681) C:\Windows\system32\wdi.dll
21:27:24.0530 1460 WdiSystemHost - ok
21:27:24.0557 1460 WebClient (3db6d04e1c64272f8b14eb8bc4616280) C:\Windows\System32\webclnt.dll
21:27:24.0561 1460 WebClient - ok
21:27:24.0571 1460 Wecsvc (c749025a679c5103e575e3b48e092c43) C:\Windows\system32\wecsvc.dll
21:27:24.0574 1460 Wecsvc - ok
21:27:24.0584 1460 wercplsupport (7e591867422dc788b9e5bd337a669a08) C:\Windows\System32\wercplsupport.dll
21:27:24.0586 1460 wercplsupport - ok
21:27:24.0609 1460 WerSvc (6d137963730144698cbd10f202e9f251) C:\Windows\System32\WerSvc.dll
21:27:24.0610 1460 WerSvc - ok
21:27:24.0645 1460 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
21:27:24.0646 1460 WfpLwf - ok
21:27:24.0666 1460 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
21:27:24.0668 1460 WIMMount - ok
21:27:24.0690 1460 WinDefend - ok
21:27:24.0707 1460 WinHttpAutoProxySvc - ok
21:27:24.0764 1460 Winmgmt (19b07e7e8915d701225da41cb3877306) C:\Windows\system32\wbem\WMIsvc.dll
21:27:24.0770 1460 Winmgmt - ok
21:27:24.0865 1460 WinRM (bcb1310604aa415c4508708975b3931e) C:\Windows\system32\WsmSvc.dll
21:27:24.0902 1460 WinRM - ok
21:27:24.0999 1460 WinUsb (fe88b288356e7b47b74b13372add906d) C:\Windows\system32\DRIVERS\WinUsb.sys
21:27:25.0001 1460 WinUsb - ok
21:27:25.0048 1460 Wlansvc (4fada86e62f18a1b2f42ba18ae24e6aa) C:\Windows\System32\wlansvc.dll
21:27:25.0059 1460 Wlansvc - ok
21:27:25.0170 1460 wlidsvc (98f138897ef4246381d197cb81846d62) c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
21:27:25.0201 1460 wlidsvc - ok
21:27:25.0247 1460 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\drivers\wmiacpi.sys
21:27:25.0248 1460 WmiAcpi - ok
21:27:25.0308 1460 wmiApSrv (38b84c94c5a8af291adfea478ae54f93) C:\Windows\system32\wbem\WmiApSrv.exe
21:27:25.0314 1460 wmiApSrv - ok
21:27:25.0339 1460 WMPNetworkSvc - ok
21:27:25.0442 1460 WMZuneComm (45de51db0950a4b8595520ef0bafcff1) c:\Program Files\Zune\WMZuneComm.exe
21:27:25.0448 1460 WMZuneComm - ok
21:27:25.0477 1460 WPCSvc (96c6e7100d724c69fcf9e7bf590d1dca) C:\Windows\System32\wpcsvc.dll
21:27:25.0479 1460 WPCSvc - ok
21:27:25.0512 1460 WPDBusEnum (93221146d4ebbf314c29b23cd6cc391d) C:\Windows\system32\wpdbusenum.dll
21:27:25.0515 1460 WPDBusEnum - ok
21:27:25.0531 1460 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
21:27:25.0532 1460 ws2ifsl - ok
21:27:25.0545 1460 wscsvc (e8b1fe6669397d1772d8196df0e57a9e) C:\Windows\system32\wscsvc.dll
21:27:25.0548 1460 wscsvc - ok
21:27:25.0553 1460 WSearch - ok
21:27:25.0626 1460 wuauserv (9df12edbc698b0bc353b3ef84861e430) C:\Windows\system32\wuaueng.dll
21:27:25.0684 1460 wuauserv - ok
21:27:25.0765 1460 WudfPf (d3381dc54c34d79b22cee0d65ba91b7c) C:\Windows\system32\drivers\WudfPf.sys
21:27:25.0767 1460 WudfPf - ok
21:27:25.0790 1460 WUDFRd (cf8d590be3373029d57af80914190682) C:\Windows\system32\DRIVERS\WUDFRd.sys
21:27:25.0793 1460 WUDFRd - ok
21:27:25.0825 1460 wudfsvc (7a95c95b6c4cf292d689106bcae49543) C:\Windows\System32\WUDFSvc.dll
21:27:25.0828 1460 wudfsvc - ok
21:27:25.0857 1460 WwanSvc (9a3452b3c2a46c073166c5cf49fad1ae) C:\Windows\System32\wwansvc.dll
21:27:25.0861 1460 WwanSvc - ok
21:27:26.0121 1460 ZuneNetworkSvc (b79c2ce5340a5eca38ca1f74aa445d2b) c:\Program Files\Zune\ZuneNss.exe
21:27:26.0260 1460 ZuneNetworkSvc - ok
21:27:26.0352 1460 ZuneWlanCfgSvc (e2859aea054422fe40517179ae867c2d) c:\Windows\system32\ZuneWlanCfgSvc.exe
21:27:26.0365 1460 ZuneWlanCfgSvc - ok
21:27:26.0406 1460 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
21:27:26.0537 1460 \Device\Harddisk0\DR0 - ok
21:27:26.0541 1460 Boot (0x1200) (103d677b09f8c37bde4663badcc817c9) \Device\Harddisk0\DR0\Partition0
21:27:26.0542 1460 \Device\Harddisk0\DR0\Partition0 - ok
21:27:26.0576 1460 Boot (0x1200) (c77a69a047fc4126bd62d316db8b3d52) \Device\Harddisk0\DR0\Partition1
21:27:26.0578 1460 \Device\Harddisk0\DR0\Partition1 - ok
21:27:26.0608 1460 Boot (0x1200) (9bc3ec1739a3ca7c1f93f261b743a54e) \Device\Harddisk0\DR0\Partition2
21:27:26.0609 1460 \Device\Harddisk0\DR0\Partition2 - ok
21:27:26.0610 1460 ============================================================
21:27:26.0610 1460 Scan finished
21:27:26.0610 1460 ============================================================
21:27:26.0620 4036 Detected object count: 0
21:27:26.0620 4036 Actual detected object count: 0



MBR Log

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-23 21:30:05
-----------------------------
21:30:05.773 OS Version: Windows x64 6.1.7601 Service Pack 1
21:30:05.773 Number of processors: 2 586 0x602
21:30:05.774 ComputerName: DESKTOP UserName: Chris
21:30:08.798 Initialize success
21:32:53.602 AVAST engine defs: 12042301
21:35:09.325 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000059
21:35:09.329 Disk 0 Vendor: ST350041 HP34 Size: 476940MB BusType: 3
21:35:09.343 Disk 0 MBR read successfully
21:35:09.346 Disk 0 MBR scan
21:35:09.351 Disk 0 Windows XP default MBR code
21:35:09.358 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
21:35:09.371 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 466726 MB offset 206848
21:35:09.403 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 10112 MB offset 956061696
21:35:09.439 Disk 0 scanning C:\Windows\system32\drivers
21:35:20.044 Service scanning
21:35:37.925 Modules scanning
21:35:37.942 Disk 0 trace - called modules:
21:35:37.963 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor64.sys
21:35:37.968 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80035cf4e0]
21:35:37.973 3 CLASSPNP.SYS[fffff8800195a43f] -> nt!IofCallDriver -> [0xfffffa800338ae40]
21:35:37.977 5 ACPI.sys[fffff88000eaa7a1] -> nt!IofCallDriver -> \Device\00000059[0xfffffa8002f7a9c0]
21:35:43.015 AVAST engine scan C:\Windows
21:35:45.599 AVAST engine scan C:\Windows\system32
21:38:25.425 AVAST engine scan C:\Windows\system32\drivers
21:38:38.103 AVAST engine scan C:\Users\Chris
21:40:09.863 File: C:\Users\Chris\AppData\Roaming\Apple Computer\Apple Computer\tceskqa.dll **INFECTED** Win32:Trojan-gen
21:41:35.628 AVAST engine scan C:\ProgramData
21:42:06.633 File: C:\ProgramData\Microsoft\Windows\DRM\8DFE.tmp.dat **INFECTED** Win32:MalOb-HP [Cryp]
21:42:21.655 Scan finished successfully
21:43:37.644 Disk 0 MBR has been saved successfully to "C:\Users\Chris\Desktop\MBR.dat"
21:43:37.648 The log file has been saved successfully to "C:\Users\Chris\Desktop\aswMBR.txt"


MBR is still open on my system, as I was not sure how to proceed.

Chris

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:53 PM

Posted 23 April 2012 - 11:57 PM

Hello


Did you click on the fixit button I link to above?


:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::
KillAll::
Folder::
C:\ProgramData\Microsoft\Windows\DRM

File::
C:\Users\Chris\AppData\Roaming\Apple Computer\Apple Computer\tceskqa.dll

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 nokia16601

nokia16601
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:10:53 AM

Posted 24 April 2012 - 01:07 AM

Gringo,

I did use the FixIt link that you posted and still experienced Happili redirect in IE. I don't seem to have the problem in Firefox anymore, but even after running the CFScript you just posted, I am still experiencing the redirect in IE. Here is the ComboFix report:

ComboFix 12-04-23.03 - Chris 04/23/2012 22:08:44.3.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3071.1540 [GMT -7:00]
Running from: c:\users\Chris\Desktop\ComboFix.exe
Command switches used :: c:\users\Chris\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Chris\AppData\Roaming\Apple Computer\Apple Computer\tceskqa.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\DRM
c:\programdata\Microsoft\Windows\DRM\8DFE.tmp.dat
c:\programdata\Microsoft\Windows\DRM\blackbox.bin
c:\programdata\Microsoft\Windows\DRM\Cache\Indiv_SID_S-1-5-20\Indiv01_64.key
c:\programdata\Microsoft\Windows\DRM\Cache\Indiv_SID_S-1-5-21-1938116021-2870551134-4047077622-1000\Indiv01.key
c:\programdata\Microsoft\Windows\DRM\Cache\Indiv01.bla
c:\programdata\Microsoft\Windows\DRM\Cache\Indiv01.key
c:\programdata\Microsoft\Windows\DRM\Cache\Indiv01.tmp
c:\programdata\Microsoft\Windows\DRM\Cache\Indiv01_64.key
c:\programdata\Microsoft\Windows\DRM\drmstore.hds
c:\programdata\Microsoft\Windows\DRM\IndivBox.key
c:\programdata\Microsoft\Windows\DRM\IndivBox_64.key
c:\programdata\Microsoft\Windows\DRM\v2ksndv.bla
c:\programdata\Microsoft\Windows\DRM\v3ks.bla
c:\programdata\Microsoft\Windows\DRM\v3ks.sec
c:\users\Chris\AppData\Roaming\Apple Computer\Apple Computer\tceskqa.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-03-24 to 2012-04-24 )))))))))))))))))))))))))))))))
.
.
2012-04-24 05:12 . 2012-04-24 05:12 -------- d-----w- c:\users\UpdatusUser\AppData\Local\temp
2012-04-24 05:12 . 2012-04-24 05:12 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-24 05:12 . 2012-04-24 05:12 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2012-04-23 20:04 . 2012-04-13 08:46 8917360 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4CB3E064-CC03-4819-B5DB-B0897E22C379}\mpengine.dll
2012-04-23 19:42 . 2012-04-23 19:43 -------- d-----w- C:\FRST
2012-04-22 04:17 . 2012-04-22 04:17 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-16 16:47 . 2012-04-16 16:47 -------- d-----w- c:\users\Chris\AppData\Local\Mozilla
2012-04-14 09:46 . 2012-04-14 09:46 -------- d-----w- c:\programdata\Recovery
2012-04-14 09:04 . 2012-04-14 10:04 8741536 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-04-11 10:00 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-11 10:00 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-11 10:00 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-11 10:00 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-04-11 10:00 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-11 10:00 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-11 10:00 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-04-05 16:53 . 2012-04-24 02:41 -------- d-----w- c:\users\Chris\AppData\Roaming\vlc
2012-04-05 16:52 . 2012-04-05 16:52 -------- d-----w- c:\program files (x86)\VideoLAN
2012-04-04 01:03 . 2012-04-22 04:09 -------- d-----w- c:\windows\Microsoft Antimalware
2012-04-03 19:42 . 2012-04-03 19:42 -------- d-----w- c:\users\Chris\AppData\Local\Zoom_Downloader
2012-04-03 19:40 . 2011-03-02 11:43 175616 ----a-w- c:\windows\SysWow64\unrar.dll
2012-04-02 19:50 . 2012-04-14 08:51 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-04-01 08:18 . 2012-04-14 10:04 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-01 04:38 . 2012-04-11 10:21 -------- d-----w- c:\program files (x86)\BitTorrent
2012-04-01 04:37 . 2012-04-23 18:36 -------- d-----w- c:\users\Chris\AppData\Roaming\BitTorrent
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-14 10:04 . 2011-08-01 18:07 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-13 08:46 . 2011-08-02 17:12 8917360 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-04-04 22:56 . 2010-07-08 01:40 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-21 06:29 . 2012-02-21 06:29 53248 ----a-r- c:\users\Chris\AppData\Roaming\Microsoft\Installer\{12BAA98C-F8DD-4BC9-BBE6-1C8463114197}\ARPPRODUCTICON.exe
2012-02-17 06:38 . 2012-03-13 23:24 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 05:34 . 2012-03-13 23:24 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-02-17 04:58 . 2012-03-13 23:24 210944 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:57 . 2012-03-13 23:24 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-10 10:21 . 2012-02-10 10:22 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B4B1F1C9-364A-4E44-89F4-80B44F4ACE13}\gapaengine.dll
2012-02-10 06:36 . 2012-03-14 01:07 1544192 ----a-w- c:\windows\system32\DWrite.dll
2012-02-10 05:38 . 2012-03-14 01:07 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-02-07 18:02 . 2012-02-07 18:02 1070352 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-02-03 04:34 . 2012-03-14 01:07 3145728 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44 . 2010-05-29 03:58 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-01-25 06:38 . 2012-03-13 23:24 77312 ----a-w- c:\windows\system32\rdpwsx.dll
2012-01-25 06:38 . 2012-03-13 23:24 149504 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-01-25 06:33 . 2012-03-13 23:24 9216 ----a-w- c:\windows\system32\rdrmemptylst.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-22_00.11.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-08 02:38 . 2012-04-24 02:55 43920 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-04-24 02:55 36330 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-05-29 00:44 . 2012-04-24 02:55 12304 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1938116021-2870551134-4047077622-1000_UserData.bin
+ 2010-05-29 00:41 . 2012-04-24 04:19 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-05-29 00:41 . 2012-04-16 05:16 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-05-29 00:41 . 2012-04-24 04:19 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-05-29 00:41 . 2012-04-16 05:16 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-04-16 05:16 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-04-24 04:19 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-04-22 04:09 . 2012-04-22 04:10 24576 c:\windows\Microsoft Antimalware\Support\MpWppTracing-04212012-200946-00000003-ffffffff.bin
+ 2010-05-29 10:15 . 2012-04-24 02:53 1604 c:\windows\system32\wdi\ERCQueuedResolutions.dat
- 2012-04-22 00:10 . 2012-04-22 00:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-04-24 05:13 . 2012-04-24 05:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-04-22 00:10 . 2012-04-22 00:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-04-24 05:13 . 2012-04-24 05:13 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2012-04-22 00:02 662396 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-04-24 02:58 662396 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-04-24 02:58 122224 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-04-22 00:02 122224 c:\windows\system32\perfc009.dat
- 2012-04-04 01:03 . 2012-04-04 01:11 262144 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2012-04-04 01:03 . 2012-04-22 04:10 262144 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\UsrClass.dat
+ 2009-07-14 05:01 . 2012-04-24 05:12 400168 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-04-22 00:10 400168 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2012-04-04 01:03 . 2012-04-04 01:03 311296 c:\windows\Microsoft Antimalware\Scans\History\CacheManager\MpScanCache-0.bin
+ 2012-04-04 01:03 . 2012-04-22 04:09 311296 c:\windows\Microsoft Antimalware\Scans\History\CacheManager\MpScanCache-0.bin
+ 2012-04-22 04:09 . 2012-03-20 11:51 8669240 c:\windows\Microsoft Antimalware\Definition Updates\{3B02B171-F9F8-42B4-8BAA-90B5B6332413}\mpengine.dll
+ 2011-08-03 02:54 . 2012-04-24 05:12 10959656 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1938116021-2870551134-4047077622-1000-8192.dat
- 2011-08-03 02:54 . 2012-04-22 00:10 44548900 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1938116021-2870551134-4047077622-1000-4096.dat
+ 2011-08-03 02:54 . 2012-04-24 05:12 44548900 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1938116021-2870551134-4047077622-1000-4096.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apple"="c:\users\Chris\AppData\Local\Apple\wshdiqzr.dll" [2011-10-24 472360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-27 30040]
"Malwarebytes Anti-Malware (reboot)"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbam.exe" [2012-04-04 981680]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-30 421888]
"Nikon Message Center 2"="c:\program files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe" [2010-05-26 619008]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-01-17 421736]
"RIMBBLaunchAgent.exe"="c:\program files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe" [2011-09-02 90448]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-14 253088]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 netr7364;Belkin Wireless 54G USB Network Adapter Driver for Vista;c:\windows\system32\DRIVERS\netr7364.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-28 288272]
R3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0;PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [2010-09-24 306416]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]
S2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [2011-10-14 249648]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-10-15 381248]
S3 arusb_win7x;Service For TP-LINK Wireless N Adapter;c:\windows\system32\DRIVERS\arusb_win7x.sys [x]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 10:04]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PC-Doctor for Windows localizer"="c:\program files\PC-Doctor for Windows\localizer.exe" [BU]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-09-24 163568]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
Trusted Zone: azfcu.org\www
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\b8pbuec4.default\
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{30F9B915-B755-4826-820B-08FBA6BD249D} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCDSRVC{F36B3A4C-F95654BD-06000000}_0]
"ImagePath"="\??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
.
**************************************************************************
.
Completion time: 2012-04-23 22:16:57 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-24 05:16
ComboFix2.txt 2012-04-24 02:52
ComboFix3.txt 2012-04-22 00:14
.
Pre-Run: 408,725,422,080 bytes free
Post-Run: 408,461,447,168 bytes free
.
- - End Of File - - 422A57E1896CD9EE6A39567A9EC4F5F6

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:53 PM

Posted 24 April 2012 - 02:08 AM

Hello


I would like you to go to this page to see how to run IE without addons - http://blogs.msdn.com/b/ie/archive/2006/07/25/678113.aspx


if you do not have the redirects after doing this then continue with the instructions to find out which addon is giving the problems


let me know what you find


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 nokia16601

nokia16601
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:10:53 AM

Posted 24 April 2012 - 02:27 PM

Hi Gringo,

I'm not sure how to proceed. I have not experienced a redirect at all today with IE or Mozilla and I have tried 75+ times. I attempted to follow the instructions you posted about running IE without addons, but when I opened the program through system tools and went into "Manage Add-Ons", there were already some enabled like Adobe, Java, and Microsoft. Are these still enabled, despite IE telling me addons are disabled? Even running IE normally, I am not experiencing the redirect, but am not sure how to tell if the virus is completely removed. Thanks so much for your help so far!

Chris

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:53 PM

Posted 24 April 2012 - 09:01 PM

Hello

If it is not redirecting lets leave it alone for now


:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does allot better of a job)

Programs to remove

Adobe Reader 9.5.0
Bing Bar
BitTorrent
Java™ 6 Update 29
[/list]


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.
.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
[/list]

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 nokia16601

nokia16601
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:10:53 AM

Posted 24 April 2012 - 10:43 PM

Gringo,

Again, thanks for all of the help!

Here is the MBAM log:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.25.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Chris :: DESKTOP [administrator]

4/24/2012 8:15:38 PM
mbam-log-2012-04-24 (20-15-38).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 243695
Time elapsed: 2 minute(s), 13 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Here is the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:27:12 PM, on 4/24/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files (x86)\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files (x86)\Research In Motion\BlackBerry Desktop\Rim.Desktop.AutoUpdate.exe
C:\Program Files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/CQDSK/1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/CQDSK/1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Nikon Message Center 2] C:\Program Files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe -s
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RIMBBLaunchAgent.exe] C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKUS\S-1-5-21-1938116021-2870551134-4047077622-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-1938116021-2870551134-4047077622-1001\..\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-1938116021-2870551134-4047077622-1001\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
O4 - Global Startup: McAfee Security Scan Plus.lnk = C:\Program Files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/install/3DVIA_player_installer.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - LSI Corporation - C:\Program Files\LSI SoftModem\agr64svc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GamesAppService - WildTangent, Inc. - C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files (x86)\McAfee Security Scan\3.0.207\McCHSvc.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: Zune Wireless Configuration Service (ZuneWlanCfgSvc) - Unknown owner - c:\Windows\system32\ZuneWlanCfgSvc.exe (file missing)

--
End of file - 11775 bytes


When I tried to run Hijackthis the first time, it gave me an error about the hosts file, but went smooth after running as admin. Adobe did not give me the option to install Photoshop, but installed McAfee security scan without prompting me. I have never been a fan of McAfee, is this something I need, or am I OK to delete this program. Both IE and Firefox seem to be running well now, although IE is stalling on some sites, but I have not encountered a redirection yet. I read the articles about P2P and torrenting, and have removed BitTorrent from my system, as I am sure that is what has initiated all of this trouble.

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:53 PM

Posted 24 April 2012 - 11:15 PM

Greetings

yes the McAfee program can be removed

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
      O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [Nikon Message Center 2] C:\Program Files (x86)\Nikon\Nikon Message Center 2\NkMC2.exe -s
      O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
      O4 - HKUS\S-1-5-21-1938116021-2870551134-4047077622-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'UpdatusUser')
      O4 - HKUS\S-1-5-21-1938116021-2870551134-4047077622-1001\..\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN (User 'UpdatusUser')
      O4 - HKUS\S-1-5-21-1938116021-2870551134-4047077622-1001\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'UpdatusUser')
      O4 - Global Startup: McAfee Security Scan Plus.lnk = C:\Program Files (x86)\McAfee Security Scan\3.0.207\SSScheduler.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 nokia16601

nokia16601
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:10:53 AM

Posted 25 April 2012 - 12:46 AM

Gringo,

I'm not sure if this is what you were asking for, but these are the infected files ESET found:


C:\Program Files (x86)\Windows Live\Messenger\msimg32.dll Win32/Toolbar.MyWebSearch application
C:\Program Files (x86)\Windows Live\Messenger\riched20.dll Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\DRM\8DFE.tmp.dat.vir a variant of Win32/Kryptik.AEFD trojan
C:\Qoobox\Quarantine\C\Users\Chris\AppData\Local\myfcawly.exe.vir a variant of Win32/Kryptik.AEPW trojan
C:\TDSSKiller_Quarantine\21.04.2012_21.13.29\tdlfs0000\tsk0000.dta Win32/Olmarik.AWO trojan
C:\TDSSKiller_Quarantine\21.04.2012_21.13.29\tdlfs0000\tsk0001.dta Win64/Olmarik.AD trojan
C:\TDSSKiller_Quarantine\21.04.2012_21.13.29\tdlfs0000\tsk0002.dta Win32/Olmarik.AYH trojan
C:\TDSSKiller_Quarantine\21.04.2012_21.13.29\tdlfs0000\tsk0003.dta Win64/Olmarik.AG trojan
C:\TDSSKiller_Quarantine\21.04.2012_21.13.29\tdlfs0000\tsk0004.dta a variant of Win32/Rootkit.Kryptik.KS trojan
C:\TDSSKiller_Quarantine\21.04.2012_21.13.29\tdlfs0000\tsk0005.dta Win64/Olmarik.AF trojan
C:\TDSSKiller_Quarantine\21.04.2012_21.13.29\tdlfs0000\tsk0009.dta Win32/Olmarik.AWO trojan
C:\TDSSKiller_Quarantine\21.04.2012_21.13.29\tdlfs0000\tsk0010.dta Win64/Olmarik.X trojan
C:\Users\Chris\AppData\Local\Apple\wshdiqzr.dll a variant of Win32/Boaxxe.D trojan
C:\Users\Chris\AppData\LocalLow\FunWebProducts\Installr\Cache\3ACB1327.exe a variant of Win32/Toolbar.MyWebSearch.O application



Also, I still have the ESET window open. I did not click "finish" or "uninstall on exit".

Edited by nokia16601, 25 April 2012 - 12:47 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users