

Google Redirect virus and "Data Recovery" rogue program causing havoc!


  • This topic is locked
17 replies to this topic

#1 devincheetah

devincheetah

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:05 AM

Posted 30 April 2012 - 08:39 PM

The problem surfaced when redirected search results began occurring in regards to Google, Yahoo, and Bing searches. When I attempted to research the issue more symptoms began appearing, like blackened desktop background, hidden desktop icons, massive numbers of fake error messages, and disappearing start menu items. Then the un-exit-able "Data Recovery" program appeared and placed its files in the computer.

I went to this site, which I had used in the past to successfully fight off a virus using a self-help removal guide. This time, however, I tried the guides for both redirect and data recovery and neither resolved the problem. The RKill and Unhide programs have proven useful in treating the symptoms, but TDSSKiller and Malwarebytes' Anti-Malware have not succeeded in their respective purposes. Every time the computer reboots the virus reappears. I also ran Secunia PSI as an added measure.

I performed all the steps in the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help." DeFogger did not reboot the computer so I assume I have no CD emulation programs running, but I did leave it as having disabled them as I was instructed. Also, please note that when I ran the GMER search early on in the process my screen went blue with white text and the computer suddenly rebooted before I could read the white text. However the second time I ran GMER no such problem occurred and after a lengthy wait it succeeded. I now have all the necessary logs for this posting. Following is the DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18904
Run by Tim at 18:18:43 on 2012-04-30
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2038.1026 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Windows\System32\rundll32.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\spool\drivers\w32x86\3\EKAiO2MUI.exe
C:\Program Files\FileOpen\Services\FileOpenBroker32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Logitech\Vid HD\Vid.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\DacEasy\pvsw\W3DBSMGR.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\igfxext.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\FileOpen\Services\FileOpenManagerSvc32.exe
C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Steam\SteamService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\msfeedssync.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://mail.yahoo.com/
uSEARCH PAGE = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [????r]
uRun: [?????????] ??????????????e
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Logitech Vid] "c:\program files\logitech\vid hd\Vid.exe" -bootmode
uRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [YDdRtmhilFNORa.exe] c:\programdata\YDdRtmhilFNORa.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Acer Tour]
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup
mRun: [Acer Assist Launcher] c:\program files\acer assist\launcher.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [eRecoveryService]
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [LTCM Client] c:\program files\ltcm client\ltcmClient.exe /startup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [Conime] %windir%\system32\conime.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [EKAIO2StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKAiO2MUI.exe
mRun: [FileOpenBroker] c:\program files\fileopen\services\FileOpenBroker32.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\pervas~1.lnk - c:\daceasy\pvsw\W3DBSMGR.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{89A80452-5565-4EAD-9580-E60B064338F8} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
TCP: Interfaces\{CDBCE68A-D1A7-4462-8515-FA18B9D0EEB6} : DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20100826.001\IDSvix86.sys [2010-8-26 281648]
R2 FileOpenManagerSvc;FileOpen Manager Service;c:\program files\fileopen\services\FileOpenManagerSvc32.exe [2011-12-9 213888]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKAiOHostService.exe [2011-12-19 394672]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-4-28 654408]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-10-14 994360]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-10-14 399416]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-29 102448]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-4-28 22344]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-8-3 38448]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-29 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-6 253088]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2006-11-2 167936]
S3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\drivers\smscirda.sys [2006-12-2 31232]
S3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2010-5-29 1251720]
.
=============== Created Last 30 ================
.
2012-04-30 02:31:02 -------- d-----w- c:\users\tim\appdata\local\Secunia PSI
2012-04-30 02:30:39 -------- d-----w- c:\program files\Secunia
2012-04-30 02:16:56 221696 ----a-w- c:\programdata\yfc3An8CQAFy2N.exe
2012-04-28 23:12:44 -------- d-----w- c:\users\tim\appdata\roaming\Malwarebytes
2012-04-28 23:12:30 -------- d-----w- c:\programdata\Malwarebytes
2012-04-28 23:12:29 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-28 23:12:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-28 21:40:51 301056 ----a-w- c:\programdata\YDdRtmhilFNORa.exe
2012-04-19 18:50:17 -------- d-----w- c:\program files\iPod
2012-04-19 18:50:03 -------- d-----w- c:\program files\iTunes
2012-04-07 19:01:48 -------- d-----w- C:\DEA4
2012-04-07 18:43:53 167936 ----a-w- c:\windows\system32\osc60as.dll
2012-04-07 18:43:53 1646592 ----a-w- c:\windows\system32\og70as.dll
2012-04-07 18:43:53 1204224 ----a-w- c:\windows\system32\ot60as.dll
2012-04-07 18:43:52 146976 ----a-w- c:\windows\system32\mfcoleui.dll
2012-04-07 18:43:08 49152 ----a-w- c:\windows\system32\INETWH32.DLL
2012-04-07 18:43:08 154624 ----a-w- c:\windows\system32\HLP25632.DLL
2012-04-07 18:43:00 131072 ----a-w- c:\windows\system32\deagnt13.exe
2012-04-07 18:42:37 -------- d-----w- C:\DacEasy
2012-04-07 18:36:52 212992 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
2012-04-07 01:52:54 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
==================== Find3M ====================
.
2012-04-24 16:41:10 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-15 17:01:50 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 17:01:50 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
.
============= FINISH: 18:20:00.80 ===============


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:12:05 PM

Posted 30 April 2012 - 11:59 PM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 devincheetah

devincheetah
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:05 AM

Posted 01 May 2012 - 02:13 PM

I downloaded and ran Security Check. Nothing eventful to speak of happened. I will now perform the Combofix steps and post another reply with a more in-depth description of the computer's performance. For the moment, here are the contents of checkup.txt:

Results of screen317's Security Check version 0.99.32
Windows Vista x86 (UAC is enabled)
Out of date service pack!!
Internet Explorer 8 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Norton AntiVirus
Norton Internet Security (Symantec Corporation)
Norton Internet Security
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Secunia PSI (2.0.0.4003)
Adobe Reader 9 Adobe Reader out of date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Empowering Technology eSettings Service capuserv.exe
``````````End of Log````````````

#4 devincheetah

devincheetah
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:10:05 AM

Posted 01 May 2012 - 06:12 PM

OK, so here's the story. I went and turned off all my security programs and ran ComboFix. There were no mishaps to report, and the computer did not even reboot. After ensuring that the program was truly done and no longer running, I saved the log file and shut the computer down. I then turned the computer back on and noticed no signs of the virus at all. No sign of 'Data Recovery' or any fake error messages, and the desktop background did not turn black nor did any icons disappear. I then reactivated my security programs and went online to Google. I did not experience any search engine redirects. It's looking like the virus might really be gone this time, but I'll probably restart the computer a few more times to make sure it doesn't resurface. Here's the log from Combofix:

ComboFix 12-05-01.02 - Tim 05/01/2012 14:48:58.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2038.976 [GMT -5:00]
Running from: c:\users\Tim\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\YDdRtmhilFNORa.exe
c:\programdata\yfc3An8CQAFy2N
c:\programdata\yfc3An8CQAFy2N.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-04-01 to 2012-05-01 )))))))))))))))))))))))))))))))
.
.
2012-05-01 19:57 . 2012-05-01 19:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-30 03:32 . 2012-04-30 03:32 -------- d-----w- c:\program files\Common Files\Skype
2012-04-30 02:47 . 2012-04-30 02:47 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Adobe
2012-04-30 02:31 . 2012-04-30 02:31 -------- d-----w- c:\users\Tim\AppData\Local\Secunia PSI
2012-04-30 02:30 . 2012-04-30 02:30 -------- d-----w- c:\program files\Secunia
2012-04-28 23:12 . 2012-04-28 23:12 -------- d-----w- c:\users\Tim\AppData\Roaming\Malwarebytes
2012-04-28 23:12 . 2012-04-28 23:12 -------- d-----w- c:\programdata\Malwarebytes
2012-04-28 23:12 . 2012-04-04 20:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-28 23:12 . 2012-04-29 00:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-19 18:50 . 2012-04-19 18:50 -------- d-----w- c:\program files\iPod
2012-04-19 18:50 . 2012-04-19 18:52 -------- d-----w- c:\program files\iTunes
2012-04-09 21:44 . 2012-04-09 21:44 -------- d-----w- c:\program files\Microsoft Silverlight
2012-04-07 19:01 . 2012-04-07 19:01 -------- d-----w- C:\DEA4
2012-04-07 18:43 . 2003-07-22 00:38 1204224 ----a-w- c:\windows\system32\ot60as.dll
2012-04-07 18:43 . 2003-07-22 00:38 167936 ----a-w- c:\windows\system32\osc60as.dll
2012-04-07 18:43 . 2003-07-22 00:38 1646592 ----a-w- c:\windows\system32\og70as.dll
2012-04-07 18:43 . 2003-07-22 00:38 146976 ----a-w- c:\windows\system32\mfcoleui.dll
2012-04-07 18:43 . 2003-07-22 00:28 49152 ----a-w- c:\windows\system32\INETWH32.DLL
2012-04-07 18:43 . 2003-07-22 00:28 154624 ----a-w- c:\windows\system32\HLP25632.DLL
2012-04-07 18:43 . 2003-08-05 15:11 131072 ----a-w- c:\windows\system32\deagnt13.exe
2012-04-07 18:42 . 2012-04-07 19:15 -------- d-----w- C:\DacEasy
2012-04-07 18:36 . 2000-01-04 11:39 212992 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\ILog.dll
2012-04-07 01:52 . 2012-04-24 16:41 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-24 16:41 . 2011-05-20 14:42 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-15 17:01 . 2012-02-15 17:01 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 17:01 . 2012-02-15 17:01 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"????r"="" [?]
"?????????"="??????????????e" [?]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-06-03 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2010-10-29 5915480]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"Steam"="c:\program files\Steam\Steam.exe" [2011-08-29 1242448]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-11-22 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-22 7757824]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-22 81920]
"RtHDVCpl"="RtHDVCpl.exe" [2006-12-01 4186112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 107112]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2006-11-21 22696]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-12-08 614400]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2006-12-13 3166208]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2006-12-04 1261568]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-11-17 453120]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"LTCM Client"="c:\program files\LTCM Client\ltcmClient.exe" [2009-03-02 1583808]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Conime"="c:\windows\system32\conime.exe" [2006-11-02 68608]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"EKAIO2StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe" [2011-12-10 2756608]
"FileOpenBroker"="c:\program files\FileOpen\Services\FileOpenBroker32.exe" [2011-12-10 726912]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2006-12-2 528384]
Pervasive.SQL Workgroup Engine.lnk - c:\daceasy\pvsw\W3DBSMGR.EXE [2012-4-7 90180]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-24 253088]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 07702667
*NewlyCreated* - COMHOST
*Deregistered* - 07702667
*Deregistered* - axrdykod
*Deregistered* - FileOpenWebPublisherScreenHookDriver
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 16:41]
.
2012-04-21 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Tim.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2006-11-21 04:41]
.
2012-05-01 c:\windows\Tasks\User_Feed_Synchronization-{FFA3BA44-D6AA-44AD-B664-80E8273E9365}.job
- c:\windows\system32\msfeedssync.exe [2010-06-06 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
HKCU-Run-YDdRtmhilFNORa.exe - c:\programdata\YDdRtmhilFNORa.exe
HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)
AddRemove-Circuit Construction Kit (AC+DC) - c:\windows\system32\javaws.exe
AddRemove-Circuit Construction Kit (DC Only) - c:\windows\system32\javaws.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-01 14:58
Windows 6.0.6000 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-05-01 15:02:02
ComboFix-quarantined-files.txt 2012-05-01 20:01
.
Pre-Run: 11,756,982,272 bytes free
Post-Run: 12,969,627,648 bytes free
.
- - End Of File - - 5526C74AB2FBEA461E8217E69EF8DA85
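As an added triage example (written for this thread; it is not DDS, ComboFix or BleepingComputer code), the script below parses the uRun/mRun lines of a DDS "Pseudo HJT Report" and the REGEDIT4-style "Reg Loading Points" of a ComboFix log, like the two logs posted above, and flags the entries a responder would look at first: run-value names that print as "?", an executable launched straight from the ProgramData root, and Security Center monitoring switched off. The sample lines are constructed from entries in this thread, and the random-name heuristic is an assumption of this example, not a vendor rule.

```python
"""Triage helper for DDS 'Pseudo HJT Report' and ComboFix 'Reg Loading Points' lines.

Added example for this thread; not part of DDS, ComboFix or BleepingComputer.
The heuristics are assumptions a responder might use, not a vendor rule set.
"""
import re

# Constructed sample lines, modelled on the entries posted in this thread.
DDS_SAMPLE = """\
uRun: [Sidebar] c:\\program files\\windows sidebar\\sidebar.exe /autoRun
uRun: [????r]
uRun: [?????????] ??????????????e
uRun: [YDdRtmhilFNORa.exe] c:\\programdata\\YDdRtmhilFNORa.exe
mRun: [WMPNSCFG] c:\\program files\\windows media player\\WMPNSCFG.exe
mRun: [ccApp] "c:\\program files\\common files\\symantec shared\\ccApp.exe"
"""

COMBOFIX_SAMPLE = """\
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"????r"="" [?]
"Sidebar"="c:\\program files\\Windows Sidebar\\sidebar.exe" [2010-06-03 1232896]
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

DDS_RUN = re.compile(r'^([um])Run: \[(.*?)\](?:\s+(.*))?$')
CF_KEY = re.compile(r'^\[(HKEY_[^\]]+)\]$')
CF_VALUE = re.compile(r'^"(.*?)"=(?:"(.*?)"|dword:([0-9a-fA-F]{8}))')
# An .exe sitting directly in c:\programdata, with no vendor subfolder.
PROGRAMDATA_ROOT = re.compile(r'^"?c:\\programdata\\[^\\"]+\.exe"?', re.IGNORECASE)
CONSONANT_RUN = re.compile(r'[b-df-hj-np-tv-z]{5,}', re.IGNORECASE)


def parse_dds_run(text):
    """Yield (hive, name, command) for uRun/mRun lines; hive is 'HKCU' or 'HKLM'."""
    for line in text.splitlines():
        m = DDS_RUN.match(line.strip())
        if m:
            hive = 'HKCU' if m.group(1) == 'u' else 'HKLM'
            yield hive, m.group(2), (m.group(3) or '').strip()


def parse_combofix_reg(text):
    """Yield (key, name, value) from the REGEDIT4-style ComboFix section."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        k = CF_KEY.match(line)
        if k:
            key = k.group(1)
            continue
        v = CF_VALUE.match(line)
        if v and key:
            value = v.group(2) if v.group(2) is not None else 'dword:' + v.group(3)
            yield key, v.group(1), value


def autostart_flags(name, command):
    """Return the reasons an autostart entry deserves a closer look (may be empty)."""
    reasons = []
    if '?' in name or '?' in command:
        reasons.append('name or path not printable (unreadable registry value)')
    if PROGRAMDATA_ROOT.match(command):
        reasons.append('executable launched straight from the ProgramData root')
    if name != name.upper() and CONSONANT_RUN.search(name):
        # Mixed-case names with long consonant runs look generated; all-caps
        # acronyms such as WMPNSCFG are left alone. Heuristic, not proof.
        reasons.append('random-looking name')
    return reasons


def triage(dds_text, combofix_text):
    """Collect findings from both log formats as (source, item, reason) tuples."""
    findings = []
    for hive, name, command in parse_dds_run(dds_text):
        for reason in autostart_flags(name, command):
            findings.append(('DDS', f'{hive} Run [{name}]', reason))
    for key, name, value in parse_combofix_reg(combofix_text):
        if key.lower().endswith('\\run'):
            for reason in autostart_flags(name, value):
                findings.append(('ComboFix', f'{key} [{name}]', reason))
        if name == 'DisableMonitoring' and value.endswith('00000001'):
            findings.append(('ComboFix', key, 'Security Center monitoring disabled'))
    return findings


if __name__ == '__main__':
    for source, item, reason in triage(DDS_SAMPLE, COMBOFIX_SAMPLE):
        print(f'{source:8} {item}: {reason}')
```

Run against the real logs by reading the two files instead of the constructed samples; the "DisableMonitoring" keys are worth re-checking after cleanup, since ComboFix still listed them as set in the log above.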

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:12:05 PM

Posted 01 May 2012 - 10:30 PM

Greetings

That is good news, but let's go ahead and run a couple more checks to be sure.

I want you to run these next,

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • It will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#6 devincheetah

devincheetah
  • Topic Starter

  • Members
  • 9 posts

Posted 01 May 2012 - 11:36 PM

Thanks again for stepping me through this. It looks like TDSSKiller didn't find anything but aswMBR did. Here's the TDSSKiller report:

22:37:38.0024 5916 TDSS rootkit removing tool 2.7.33.0 Apr 24 2012 18:43:43
22:37:40.0044 5916 ============================================================
22:37:40.0044 5916 Current date / time: 2012/05/01 22:37:40.0044
22:37:40.0044 5916 SystemInfo:
22:37:40.0044 5916
22:37:40.0044 5916 OS Version: 6.0.6000 ServicePack: 0.0
22:37:40.0045 5916 Product type: Workstation
22:37:40.0045 5916 ComputerName: BENNETT-LAPTOP
22:37:40.0045 5916 UserName: Tim
22:37:40.0045 5916 Windows directory: C:\Windows
22:37:40.0045 5916 System windows directory: C:\Windows
22:37:40.0045 5916 Processor architecture: Intel x86
22:37:40.0045 5916 Number of processors: 2
22:37:40.0045 5916 Page size: 0x1000
22:37:40.0045 5916 Boot type: Normal boot
22:37:40.0045 5916 ============================================================
22:37:42.0320 5916 Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3901, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
22:37:42.0323 5916 ============================================================
22:37:42.0323 5916 \Device\Harddisk0\DR0:
22:37:42.0323 5916 MBR partitions:
22:37:42.0323 5916 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x6, StartLBA 0xDAA87C, BlocksNum 0x694CB99
22:37:42.0323 5916 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x76F7415, BlocksNum 0x689C3AC
22:37:42.0323 5916 ============================================================
22:37:42.0369 5916 C: <-> \Device\Harddisk0\DR0\Partition0
22:37:42.0415 5916 D: <-> \Device\Harddisk0\DR0\Partition1
22:37:42.0415 5916 ============================================================
22:37:42.0415 5916 Initialize success
22:37:42.0415 5916 ============================================================
22:37:57.0706 3828 ============================================================
22:37:57.0706 3828 Scan started
22:37:57.0706 3828 Mode: Manual;
22:37:57.0706 3828 ============================================================
22:37:59.0191 3828 ACPI (84fc6df81212d16be5c4f441682feccc) C:\Windows\system32\drivers\acpi.sys
22:37:59.0199 3828 ACPI - ok
22:37:59.0301 3828 AdobeFlashPlayerUpdateSvc (459ac130c6ab892b1cd5d7544626efc5) C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
22:37:59.0307 3828 AdobeFlashPlayerUpdateSvc - ok
22:37:59.0401 3828 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
22:37:59.0430 3828 adp94xx - ok
22:37:59.0487 3828 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
22:37:59.0511 3828 adpahci - ok
22:37:59.0530 3828 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
22:37:59.0550 3828 adpu160m - ok
22:37:59.0595 3828 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
22:37:59.0617 3828 adpu320 - ok
22:37:59.0660 3828 AeLookupSvc (9d1fda9e086ba64e3c93c9de32461bcf) C:\Windows\System32\aelupsvc.dll
22:37:59.0662 3828 AeLookupSvc - ok
22:37:59.0697 3828 AFD (5d24caf8efd924a875698ff28384db8b) C:\Windows\system32\drivers\afd.sys
22:37:59.0716 3828 AFD - ok
22:37:59.0754 3828 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
22:37:59.0766 3828 agp440 - ok
22:37:59.0797 3828 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
22:37:59.0816 3828 aic78xx - ok
22:37:59.0874 3828 ALG (e69fb0e3112c40fdc0ef7d21a52dc951) C:\Windows\System32\alg.exe
22:37:59.0909 3828 ALG - ok
22:37:59.0926 3828 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
22:37:59.0959 3828 aliide - ok
22:37:59.0999 3828 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
22:38:00.0024 3828 amdagp - ok
22:38:00.0048 3828 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
22:38:00.0068 3828 amdide - ok
22:38:00.0097 3828 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
22:38:00.0108 3828 AmdK7 - ok
22:38:00.0129 3828 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
22:38:00.0141 3828 AmdK8 - ok
22:38:00.0273 3828 Appinfo (cfa455816879f06f1c4e5bbf9e8aef7d) C:\Windows\System32\appinfo.dll
22:38:00.0274 3828 Appinfo - ok
22:38:00.0414 3828 Apple Mobile Device (7ef47644b74ebe721cc32211d3c35e76) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
22:38:00.0450 3828 Apple Mobile Device - ok
22:38:00.0502 3828 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
22:38:00.0513 3828 arc - ok
22:38:00.0543 3828 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
22:38:00.0556 3828 arcsas - ok
22:38:00.0588 3828 AsyncMac (e86cf7ce67d5de898f27ef884dc357d8) C:\Windows\system32\DRIVERS\asyncmac.sys
22:38:00.0604 3828 AsyncMac - ok
22:38:00.0640 3828 atapi (b35cfcef838382ab6490b321c87edf17) C:\Windows\system32\drivers\atapi.sys
22:38:00.0641 3828 atapi - ok
22:38:00.0748 3828 AudioEndpointBuilder (e760fc1bd68f7f6f1b17eb4e8d9480b0) C:\Windows\System32\Audiosrv.dll
22:38:00.0756 3828 AudioEndpointBuilder - ok
22:38:00.0766 3828 Audiosrv (e760fc1bd68f7f6f1b17eb4e8d9480b0) C:\Windows\System32\Audiosrv.dll
22:38:00.0771 3828 Audiosrv - ok
22:38:00.0876 3828 Automatic LiveUpdate Scheduler (b5d974c1fd078a68c7536c561b031d39) C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
22:38:00.0936 3828 Automatic LiveUpdate Scheduler - ok
22:38:01.0025 3828 b57nd60x (8e287eb3a52fd30c999482c576f4a61b) C:\Windows\system32\DRIVERS\b57nd60x.sys
22:38:01.0056 3828 b57nd60x - ok
22:38:01.0116 3828 bcm4sbxp (08015d34f6fdd0b355805bad978497c3) C:\Windows\system32\DRIVERS\bcm4sbxp.sys
22:38:01.0127 3828 bcm4sbxp - ok
22:38:01.0149 3828 Beep (ac3dd1708b22761ebd7cbe14dcc3b5d7) C:\Windows\system32\drivers\Beep.sys
22:38:01.0158 3828 Beep - ok
22:38:01.0223 3828 BFE (98ebdffb824a7c265337d68dd480e45c) C:\Windows\System32\bfe.dll
22:38:01.0231 3828 BFE - ok
22:38:01.0320 3828 BITS (da551697e34d2b9943c8b1c8eaffe89a) C:\Windows\system32\qmgr.dll
22:38:01.0342 3828 BITS - ok
22:38:01.0349 3828 blbdrive - ok
22:38:01.0499 3828 Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) C:\Program Files\Bonjour\mDNSResponder.exe
22:38:01.0507 3828 Bonjour Service - ok
22:38:01.0535 3828 bowser (913cd06fbe9105ce6077e90fd4418561) C:\Windows\system32\DRIVERS\bowser.sys
22:38:01.0558 3828 bowser - ok
22:38:01.0656 3828 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
22:38:01.0676 3828 BrFiltLo - ok
22:38:01.0720 3828 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
22:38:01.0763 3828 BrFiltUp - ok
22:38:01.0986 3828 Bridge (2ac8f5b88771c31c4211a11be6bffe14) C:\Windows\system32\DRIVERS\bridge.sys
22:38:02.0010 3828 Bridge - ok
22:38:02.0021 3828 BridgeMP (2ac8f5b88771c31c4211a11be6bffe14) C:\Windows\system32\DRIVERS\bridge.sys
22:38:02.0024 3828 BridgeMP - ok
22:38:02.0067 3828 Browser (beb6470532b7461d7bb426e3facb424f) C:\Windows\System32\browser.dll
22:38:02.0079 3828 Browser - ok
22:38:02.0103 3828 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
22:38:02.0115 3828 Brserid - ok
22:38:02.0132 3828 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
22:38:02.0143 3828 BrSerWdm - ok
22:38:02.0162 3828 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
22:38:02.0171 3828 BrUsbMdm - ok
22:38:02.0204 3828 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
22:38:02.0218 3828 BrUsbSer - ok
22:38:02.0252 3828 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
22:38:02.0269 3828 BTHMODEM - ok
22:38:02.0404 3828 catchme - ok
22:38:02.0527 3828 ccEvtMgr (e7aab1a32ac2eea4c4b735b8d034c802) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
22:38:02.0530 3828 ccEvtMgr - ok
22:38:02.0554 3828 ccSetMgr (e7aab1a32ac2eea4c4b735b8d034c802) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
22:38:02.0557 3828 ccSetMgr - ok
22:38:02.0593 3828 cdfs (6c3a437fc873c6f6a4fc620b6888cb86) C:\Windows\system32\DRIVERS\cdfs.sys
22:38:02.0606 3828 cdfs - ok
22:38:02.0641 3828 cdrom (8d1866e61af096ae8b582454f5e4d303) C:\Windows\system32\DRIVERS\cdrom.sys
22:38:02.0653 3828 cdrom - ok
22:38:02.0723 3828 CertPropSvc (0600e04315fe543802a379d5d23c8be0) C:\Windows\System32\certprop.dll
22:38:02.0725 3828 CertPropSvc - ok
22:38:02.0757 3828 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
22:38:02.0768 3828 circlass - ok
22:38:02.0835 3828 CLFS (1b84fd0937d3b99af9ba38ddff3daf54) C:\Windows\system32\CLFS.sys
22:38:02.0856 3828 CLFS - ok
22:38:02.0952 3828 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
22:38:03.0011 3828 clr_optimization_v2.0.50727_32 - ok
22:38:03.0032 3828 CLTNetCnService (e7aab1a32ac2eea4c4b735b8d034c802) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
22:38:03.0034 3828 CLTNetCnService - ok
22:38:03.0073 3828 CmBatt (ed97ad3df1b9005989eaf149bf06c821) C:\Windows\system32\DRIVERS\CmBatt.sys
22:38:03.0083 3828 CmBatt - ok
22:38:03.0117 3828 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
22:38:03.0131 3828 cmdide - ok
22:38:03.0182 3828 comHost (7ce352882828c12dd7632b172253a02c) C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
22:38:03.0202 3828 comHost - ok
22:38:03.0225 3828 Compbatt (722936afb75a7f509662b69b5632f48a) C:\Windows\system32\DRIVERS\compbatt.sys
22:38:03.0235 3828 Compbatt - ok
22:38:03.0241 3828 COMSysApp - ok
22:38:03.0257 3828 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
22:38:03.0271 3828 crcdisk - ok
22:38:03.0310 3828 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
22:38:03.0322 3828 Crusoe - ok
22:38:03.0373 3828 CryptSvc (1c26fb097170a2a91066d1e3a24366e3) C:\Windows\system32\cryptsvc.dll
22:38:03.0375 3828 CryptSvc - ok
22:38:03.0434 3828 DcomLaunch (7b981222a257d076885bffb66f19b7ce) C:\Windows\system32\rpcss.dll
22:38:03.0448 3828 DcomLaunch - ok
22:38:03.0561 3828 DfsC (a7179de59ae269ab70345527894ccd7c) C:\Windows\system32\Drivers\dfsc.sys
22:38:03.0574 3828 DfsC - ok
22:38:03.0832 3828 DFSR (e0d584aa76c7d845ba9f3a788260528f) C:\Windows\system32\DFSR.exe
22:38:03.0852 3828 DFSR - ok
22:38:04.0095 3828 Dhcp (dc45739bc22d528d2b3e50d3f6761750) C:\Windows\System32\dhcpcsvc.dll
22:38:04.0103 3828 Dhcp - ok
22:38:04.0156 3828 disk (841af4c4d41d3e3b2f244e976b0f7963) C:\Windows\system32\drivers\disk.sys
22:38:04.0183 3828 disk - ok
22:38:04.0209 3828 DKbFltr (73baf270d24fe726b9cd7f80bb17a23d) C:\Windows\system32\DRIVERS\DKbFltr.sys
22:38:04.0232 3828 DKbFltr - ok
22:38:04.0286 3828 Dnscache (eecba1dd142bf8693c476be8f32fe253) C:\Windows\System32\dnsrslvr.dll
22:38:04.0291 3828 Dnscache - ok
22:38:04.0322 3828 dot3svc (1f795d214820e496bf1124434a6db546) C:\Windows\System32\dot3svc.dll
22:38:04.0349 3828 dot3svc - ok
22:38:04.0411 3828 DPS (032c90ad677bf7b7a8013d6087c7a921) C:\Windows\system32\dps.dll
22:38:04.0417 3828 DPS - ok
22:38:04.0482 3828 DritekPortIO (5c918d413f5837e67a85775c9873775e) C:\PROGRA~1\LAUNCH~1\DPortIO.sys
22:38:04.0507 3828 DritekPortIO - ok
22:38:04.0518 3828 drmkaud (ee472cd2c01f6f8e8aa1fa06ffef61b6) C:\Windows\system32\drivers\drmkaud.sys
22:38:04.0539 3828 drmkaud - ok
22:38:04.0611 3828 DXGKrnl (334988883de69adb27e2cf9f9715bbdb) C:\Windows\System32\drivers\dxgkrnl.sys
22:38:04.0630 3828 DXGKrnl - ok
22:38:04.0687 3828 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
22:38:04.0701 3828 E1G60 - ok
22:38:04.0731 3828 EapHost (90a0a875642e18618010645311b4e89e) C:\Windows\System32\eapsvc.dll
22:38:04.0733 3828 EapHost - ok
22:38:04.0764 3828 Ecache (0efc7531b936ee57fdb4e837664c509f) C:\Windows\system32\drivers\ecache.sys
22:38:04.0782 3828 Ecache - ok
22:38:04.0911 3828 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
22:38:04.0945 3828 eeCtrl - ok
22:38:05.0016 3828 ehRecvr (b4580122b0a7b263b6ee9acba69c8013) C:\Windows\ehome\ehRecvr.exe
22:38:05.0098 3828 ehRecvr - ok
22:38:05.0112 3828 ehSched (ad1870c8e5d6dd340c829e6074bf3c3f) C:\Windows\ehome\ehsched.exe
22:38:05.0184 3828 ehSched - ok
22:38:05.0209 3828 ehstart (c27c4ee8926e74aa72efcab24c5242c3) C:\Windows\ehome\ehstart.dll
22:38:05.0210 3828 ehstart - ok
22:38:05.0303 3828 eLockService (18d48ef62fb4a107cab1caa1e0ca2199) C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
22:38:05.0305 3828 eLockService - ok
22:38:05.0362 3828 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
22:38:05.0380 3828 elxstor - ok
22:38:05.0446 3828 EMDMgmt (3226fda08988526e819e364e8cce4cee) C:\Windows\system32\emdmgmt.dll
22:38:05.0458 3828 EMDMgmt - ok
22:38:05.0480 3828 EMSCR (1fa3f9df8983873746fa6b72dd7e3c2c) C:\Windows\system32\DRIVERS\EMS7SK.sys
22:38:05.0493 3828 EMSCR - ok
22:38:05.0545 3828 eNet Service (69d1a5f4857fb9941bd63d776d0b1c65) C:\Acer\Empowering Technology\eNet\eNet Service.exe
22:38:05.0549 3828 eNet Service - ok
22:38:05.0649 3828 EpsonBidirectionalService (abdd5ad016affd34ad40e944ce94bf59) C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
22:38:05.0652 3828 EpsonBidirectionalService - ok
22:38:05.0721 3828 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
22:38:05.0748 3828 EraserUtilRebootDrv - ok
22:38:05.0872 3828 eRecoveryService (9a3fca575c2c3be314f4e0a96f67534c) C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
22:38:05.0874 3828 eRecoveryService - ok
22:38:05.0917 3828 ESDCR (9c7487253aad6bf61f9bc83d50e32ccc) C:\Windows\system32\DRIVERS\ESD7SK.sys
22:38:05.0938 3828 ESDCR - ok
22:38:05.0981 3828 eSettingsService (f5e4a7ad6c9b47fabcd1a8dcae0b8ed1) C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
22:38:05.0983 3828 eSettingsService - ok
22:38:06.0004 3828 ESMCR (99589d975da04f8bd31f124428fcc797) C:\Windows\system32\DRIVERS\ESM7SK.sys
22:38:06.0049 3828 ESMCR - ok
22:38:06.0117 3828 EventSystem (7b4971c3d43525175a4ea0d143e0412e) C:\Windows\system32\es.dll
22:38:06.0126 3828 EventSystem - ok
22:38:06.0173 3828 fastfat (84a317cb0b3954d3768cdcd018dbf670) C:\Windows\system32\drivers\fastfat.sys
22:38:06.0199 3828 fastfat - ok
22:38:06.0220 3828 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
22:38:06.0240 3828 fdc - ok
22:38:06.0267 3828 fdPHost (e43bce1a77d6fd4ed5f8e0482b9e7df1) C:\Windows\system32\fdPHost.dll
22:38:06.0268 3828 fdPHost - ok
22:38:06.0287 3828 FDResPub (89ed56dce8e47af40892778a5bd31fd2) C:\Windows\system32\fdrespub.dll
22:38:06.0289 3828 FDResPub - ok
22:38:06.0322 3828 FileInfo (65773d6115c037ffd7ef8280ae85eb9d) C:\Windows\system32\drivers\fileinfo.sys
22:38:06.0335 3828 FileInfo - ok
22:38:06.0434 3828 FileOpenManagerSvc (54352cbde8b4adfcd900255053de8753) C:\Program Files\FileOpen\Services\FileOpenManagerSvc32.exe
22:38:06.0436 3828 FileOpenManagerSvc - ok
22:38:06.0463 3828 Filetrace (c226dd0de060745f3e042f58dcf78402) C:\Windows\system32\drivers\filetrace.sys
22:38:06.0475 3828 Filetrace - ok
22:38:06.0492 3828 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
22:38:06.0508 3828 flpydisk - ok
22:38:06.0525 3828 FltMgr (a6a8da7ae4d53394ab22ac3ab6d3f5d3) C:\Windows\system32\drivers\fltmgr.sys
22:38:06.0549 3828 FltMgr - ok
22:38:06.0630 3828 FontCache3.0.0.0 (c9be08664611ddaf98e2331e9288b00b) C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
22:38:06.0652 3828 FontCache3.0.0.0 - ok
22:38:06.0682 3828 Fs_Rec (66a078591208baa210c7634b11eb392c) C:\Windows\system32\drivers\Fs_Rec.sys
22:38:06.0719 3828 Fs_Rec - ok
22:38:06.0761 3828 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
22:38:06.0781 3828 gagp30kx - ok
22:38:06.0833 3828 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
22:38:06.0856 3828 GEARAspiWDM - ok
22:38:06.0926 3828 gpsvc (bcf6589c42d8f6a20f33ef133ffe0524) C:\Windows\System32\gpsvc.dll
22:38:06.0938 3828 gpsvc - ok
22:38:07.0054 3828 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
22:38:07.0086 3828 HdAudAddService - ok
22:38:07.0117 3828 HDAudBus (0db613a7e427b5663563677796fd5258) C:\Windows\system32\DRIVERS\HDAudBus.sys
22:38:07.0120 3828 HDAudBus - ok
22:38:07.0138 3828 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
22:38:07.0160 3828 HidBth - ok
22:38:07.0193 3828 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
22:38:07.0203 3828 HidIr - ok
22:38:07.0223 3828 hidserv (8fa640195279ace21bea91396a0054fc) C:\Windows\System32\hidserv.dll
22:38:07.0226 3828 hidserv - ok
22:38:07.0236 3828 HidUsb (3c64042b95e583b366ba4e5d2450235e) C:\Windows\system32\DRIVERS\hidusb.sys
22:38:07.0238 3828 HidUsb - ok
22:38:07.0275 3828 hkmsvc (d40aa05e29bf6ed29b139f044b461e9b) C:\Windows\system32\kmsvc.dll
22:38:07.0277 3828 hkmsvc - ok
22:38:07.0300 3828 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
22:38:07.0313 3828 HpCISSs - ok
22:38:07.0370 3828 HSFHWAZL (46d67209550973257601a533e2ac5785) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
22:38:07.0386 3828 HSFHWAZL - ok
22:38:07.0467 3828 HSF_DPV (53229dcf431d76434816cd29251168a0) C:\Windows\system32\DRIVERS\HSX_DPV.sys
22:38:07.0516 3828 HSF_DPV - ok
22:38:07.0565 3828 HSXHWAZL (31f949d452201f2f0af0c88d7db512cd) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
22:38:07.0586 3828 HSXHWAZL - ok
22:38:07.0650 3828 HTTP (ea24fe637d974a8a31bc650f478e3533) C:\Windows\system32\drivers\HTTP.sys
22:38:07.0681 3828 HTTP - ok
22:38:07.0714 3828 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
22:38:07.0732 3828 i2omp - ok
22:38:07.0777 3828 i8042prt (1c9ee072baa3abb460b91d7ee9152660) C:\Windows\system32\DRIVERS\i8042prt.sys
22:38:07.0809 3828 i8042prt - ok
22:38:07.0977 3828 ialm (9378d57e2b96c0a185d844770ad49948) C:\Windows\system32\DRIVERS\igdkmd32.sys
22:38:08.0036 3828 ialm - ok
22:38:08.0267 3828 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
22:38:08.0296 3828 iaStorV - ok
22:38:08.0441 3828 idsvc (7b630acaed64fef0c3e1cf255cb56686) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
22:38:08.0465 3828 idsvc - ok
22:38:08.0594 3828 IDSvix86 (2eb82af0bf61f9953568d1fa4a56a097) C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20100826.001\IDSvix86.sys
22:38:08.0629 3828 IDSvix86 - ok
22:38:08.0930 3828 igfx (9378d57e2b96c0a185d844770ad49948) C:\Windows\system32\DRIVERS\igdkmd32.sys
22:38:08.0968 3828 igfx - ok
22:38:09.0172 3828 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
22:38:09.0195 3828 iirsp - ok
22:38:09.0265 3828 IKEEXT (35662fe4d8622f667aa5a5568f7f1b40) C:\Windows\System32\ikeext.dll
22:38:09.0275 3828 IKEEXT - ok
22:38:09.0347 3828 int15 (4d8d5b1c895ea0f2a721b98a7ce198f1) C:\Acer\Empowering Technology\eRecovery\int15.sys
22:38:09.0378 3828 int15 - ok
22:38:09.0547 3828 IntcAzAudAddService (04bef1c4aa990e0d5851c7532fc8642c) C:\Windows\system32\drivers\RTKVHDA.sys
22:38:09.0616 3828 IntcAzAudAddService - ok
22:38:09.0809 3828 intelide (988981c840084f480ba9e3319cebde1b) C:\Windows\system32\drivers\intelide.sys
22:38:09.0831 3828 intelide - ok
22:38:09.0869 3828 intelppm (ce44cc04262f28216dd4341e9e36a16f) C:\Windows\system32\DRIVERS\intelppm.sys
22:38:09.0871 3828 intelppm - ok
22:38:09.0903 3828 IPBusEnum (88cf5281ed9880d74dc9011cf8b5262d) C:\Windows\system32\ipbusenum.dll
22:38:09.0906 3828 IPBusEnum - ok
22:38:09.0926 3828 IpFilterDriver (880c6f86cc3f551b8fea2c11141268c0) C:\Windows\system32\DRIVERS\ipfltdrv.sys
22:38:09.0938 3828 IpFilterDriver - ok
22:38:09.0986 3828 iphlpsvc (ecc9ad72cfc4ab41cf6a9bcc11f9fef6) C:\Windows\System32\iphlpsvc.dll
22:38:09.0992 3828 iphlpsvc - ok
22:38:09.0997 3828 IpInIp - ok
22:38:10.0017 3828 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
22:38:10.0029 3828 IPMIDRV - ok
22:38:10.0048 3828 IPNAT (10077c35845101548037df04fd1a420b) C:\Windows\system32\DRIVERS\ipnat.sys
22:38:10.0064 3828 IPNAT - ok
22:38:10.0176 3828 iPod Service (57edb35ea2feca88f8b17c0c095c9a56) C:\Program Files\iPod\bin\iPodService.exe
22:38:10.0184 3828 iPod Service - ok
22:38:10.0226 3828 irda (f11a90fb3f44f37ad10a4893bb690065) C:\Windows\system32\DRIVERS\irda.sys
22:38:10.0244 3828 irda - ok
22:38:10.0260 3828 IRENUM (a82f328f4792304184642d6d397bb1e3) C:\Windows\system32\drivers\irenum.sys
22:38:10.0272 3828 IRENUM - ok
22:38:10.0295 3828 Irmon (cbb0d940221a281bcfeaea695bd1cda5) C:\Windows\System32\irmon.dll
22:38:10.0297 3828 Irmon - ok
22:38:10.0317 3828 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
22:38:10.0329 3828 isapnp - ok
22:38:10.0355 3828 iScsiPrt (4dca456d4d5723f8fa9c6760d240b0df) C:\Windows\system32\DRIVERS\msiscsi.sys
22:38:10.0359 3828 iScsiPrt - ok
22:38:10.0398 3828 ISPwdSvc (36474fde02f8422b8b1a52ead9894dbc) C:\Program Files\Norton Internet Security\isPwdSvc.exe
22:38:10.0418 3828 ISPwdSvc - ok
22:38:10.0438 3828 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
22:38:10.0449 3828 iteatapi - ok
22:38:10.0501 3828 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
22:38:10.0513 3828 iteraid - ok
22:38:10.0558 3828 kbdclass (b076b2ab806b3f696dab21375389101c) C:\Windows\system32\DRIVERS\kbdclass.sys
22:38:10.0571 3828 kbdclass - ok
22:38:10.0602 3828 kbdhid (ed61dbc6603f612b7338283edbacbc4b) C:\Windows\system32\DRIVERS\kbdhid.sys
22:38:10.0619 3828 kbdhid - ok
22:38:10.0656 3828 KeyIso (c731b1fe449d4e9cea358c9d55b69be9) C:\Windows\system32\lsass.exe
22:38:10.0659 3828 KeyIso - ok
22:38:10.0755 3828 Kodak AiO Network Discovery Service (27277a11db52fefae5b01dc8fb570b28) C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
22:38:10.0760 3828 Kodak AiO Network Discovery Service - ok
22:38:10.0811 3828 KSecDD (0a829977b078dea11641fc2af87ceade) C:\Windows\system32\Drivers\ksecdd.sys
22:38:10.0843 3828 KSecDD - ok
22:38:10.0896 3828 KtmRm (45c537fe5dde9a0146aeff76e615737d) C:\Windows\system32\msdtckrm.dll
22:38:10.0906 3828 KtmRm - ok
22:38:10.0947 3828 LanmanServer (53d1482fc1aa36ac015a85e6cf2146bd) C:\Windows\System32\srvsvc.dll
22:38:10.0954 3828 LanmanServer - ok
22:38:11.0014 3828 LanmanWorkstation (435f0f6dc87a4b5da78f1fa309884189) C:\Windows\System32\wkssvc.dll
22:38:11.0022 3828 LanmanWorkstation - ok
22:38:11.0118 3828 LightScribeService (6e5dac168d1ff9843e84a59d51d31107) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
22:38:11.0121 3828 LightScribeService - ok
22:38:11.0326 3828 LiveUpdate (a97eeb81f05bce3d7aa6c81f04ef39a4) C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
22:38:11.0353 3828 LiveUpdate - ok
22:38:11.0470 3828 LiveUpdate Notice Ex (e7aab1a32ac2eea4c4b735b8d034c802) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
22:38:11.0471 3828 LiveUpdate Notice Ex - ok
22:38:11.0560 3828 LiveUpdate Notice Service (2d1389e05a807d956829f44bd4b60389) C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
22:38:11.0642 3828 LiveUpdate Notice Service - ok
22:38:11.0810 3828 lltdio (fd015b4f95daa2b712f0e372a116fbad) C:\Windows\system32\DRIVERS\lltdio.sys
22:38:11.0834 3828 lltdio - ok
22:38:11.0875 3828 lltdsvc (7450dbcf754391dd6363fffd5ef0e789) C:\Windows\System32\lltdsvc.dll
22:38:11.0883 3828 lltdsvc - ok
22:38:11.0906 3828 lmhosts (35d40113e4a5b961b6ce5c5857702518) C:\Windows\System32\lmhsvc.dll
22:38:11.0930 3828 lmhosts - ok
22:38:11.0966 3828 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
22:38:11.0988 3828 LSI_FC - ok
22:38:12.0005 3828 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
22:38:12.0029 3828 LSI_SAS - ok
22:38:12.0151 3828 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
22:38:12.0193 3828 LSI_SCSI - ok
22:38:12.0225 3828 luafv (42885bb44b6e065b8575a8dd6c430c52) C:\Windows\system32\drivers\luafv.sys
22:38:12.0251 3828 luafv - ok
22:38:12.0290 3828 MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) C:\Windows\system32\drivers\mbam.sys
22:38:12.0292 3828 MBAMProtector - ok
22:38:12.0381 3828 MBAMService (ba400ed640bca1eae5c727ae17c10207) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
22:38:12.0398 3828 MBAMService - ok
22:38:12.0434 3828 Mcx2Svc (e93c1ad58e88a0846eaee10671c2a8f3) C:\Windows\system32\Mcx2Svc.dll
22:38:12.0440 3828 Mcx2Svc - ok
22:38:12.0481 3828 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
22:38:12.0499 3828 mdmxsdk - ok
22:38:12.0537 3828 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
22:38:12.0560 3828 megasas - ok
22:38:12.0591 3828 MMCSS (9dfa3a459af0954aa85b4f7622ad87bb) C:\Windows\system32\mmcss.dll
22:38:12.0595 3828 MMCSS - ok
22:38:12.0642 3828 MobilityService - ok
22:38:12.0654 3828 Modem (21755967298a46fb6adfec9db6012211) C:\Windows\system32\drivers\modem.sys
22:38:12.0656 3828 Modem - ok
22:38:12.0705 3828 monitor (7446e104a5fe5987ca9e4983fbac4f97) C:\Windows\system32\DRIVERS\monitor.sys
22:38:12.0708 3828 monitor - ok
22:38:12.0741 3828 mouclass (5fba13c1a1841b0885d316ed3589489d) C:\Windows\system32\DRIVERS\mouclass.sys
22:38:12.0755 3828 mouclass - ok
22:38:12.0794 3828 mouhid (b569b5c5d3bde545df3a6af512cccdba) C:\Windows\system32\DRIVERS\mouhid.sys
22:38:12.0808 3828 mouhid - ok
22:38:12.0836 3828 MountMgr (01f1e5a3e4877c931cbb31613fec16a6) C:\Windows\system32\drivers\mountmgr.sys
22:38:12.0856 3828 MountMgr - ok
22:38:12.0881 3828 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
22:38:12.0899 3828 mpio - ok
22:38:12.0931 3828 mpsdrv (6e7a7f0c1193ee5648443fe2d4b789ec) C:\Windows\system32\drivers\mpsdrv.sys
22:38:12.0947 3828 mpsdrv - ok
22:38:12.0990 3828 MpsSvc (563ed845885c6a7c09a7715d8bd0585c) C:\Windows\system32\mpssvc.dll
22:38:13.0000 3828 MpsSvc - ok
22:38:13.0033 3828 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
22:38:13.0045 3828 Mraid35x - ok
22:38:13.0086 3828 MRxDAV (1d8828b98ee309d65e006f0829e280e5) C:\Windows\system32\drivers\mrxdav.sys
22:38:13.0106 3828 MRxDAV - ok
22:38:13.0171 3828 mrxsmb (8af705ce1bb907932157fab821170f27) C:\Windows\system32\DRIVERS\mrxsmb.sys
22:38:13.0193 3828 mrxsmb - ok
22:38:13.0219 3828 mrxsmb10 (47e13ab23371be3279eef22bbfa2c1be) C:\Windows\system32\DRIVERS\mrxsmb10.sys
22:38:13.0244 3828 mrxsmb10 - ok
22:38:13.0260 3828 mrxsmb20 (90b3fc7bd6b3d7ee7635debba2187f66) C:\Windows\system32\DRIVERS\mrxsmb20.sys
22:38:13.0278 3828 mrxsmb20 - ok
22:38:13.0296 3828 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys
22:38:13.0313 3828 msahci - ok
22:38:13.0340 3828 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
22:38:13.0360 3828 msdsm - ok
22:38:13.0386 3828 MSDTC (bc64a92d821efea8bab8e8caf1b668bc) C:\Windows\System32\msdtc.exe
22:38:13.0418 3828 MSDTC - ok
22:38:13.0445 3828 Msfs (729eafefd4e7417165f353a18dbe947d) C:\Windows\system32\drivers\Msfs.sys
22:38:13.0461 3828 Msfs - ok
22:38:13.0495 3828 msisadrv (5f454a16a5146cd91a176d70f0cfa3ec) C:\Windows\system32\drivers\msisadrv.sys
22:38:13.0511 3828 msisadrv - ok
22:38:13.0543 3828 MSiSCSI (8acf956d9154e893e789881430c12632) C:\Windows\system32\iscsiexe.dll
22:38:13.0548 3828 MSiSCSI - ok
22:38:13.0555 3828 msiserver - ok
22:38:13.0580 3828 MSKSSRV (892cedefa7e0ffe7be8da651b651d047) C:\Windows\system32\drivers\MSKSSRV.sys
22:38:13.0594 3828 MSKSSRV - ok
22:38:13.0613 3828 MSPCLOCK (ae2cb1da69b2676b4cee2a501af5871c) C:\Windows\system32\drivers\MSPCLOCK.sys
22:38:13.0627 3828 MSPCLOCK - ok
22:38:13.0641 3828 MSPQM (f910da84fa90c44a3addb7cd874463fd) C:\Windows\system32\drivers\MSPQM.sys
22:38:13.0653 3828 MSPQM - ok
22:38:13.0680 3828 MsRPC (84571c0ae07647ba38d493f5f0015df7) C:\Windows\system32\drivers\MsRPC.sys
22:38:13.0698 3828 MsRPC - ok
22:38:13.0717 3828 mssmbios (4385c80ede885e25492d408cad91bd6f) C:\Windows\system32\DRIVERS\mssmbios.sys
22:38:13.0720 3828 mssmbios - ok
22:38:13.0741 3828 MSTEE (c826dd1373f38afd9ca46ec3c436a14e) C:\Windows\system32\drivers\MSTEE.sys
22:38:13.0754 3828 MSTEE - ok
22:38:13.0776 3828 Mup (fa7aa70050cf5e2d15de00941e5665e5) C:\Windows\system32\Drivers\mup.sys
22:38:13.0797 3828 Mup - ok
22:38:13.0836 3828 napagent (1cdbb5d002fe2bc5300aa20550d8a52e) C:\Windows\system32\qagentRT.dll
22:38:13.0846 3828 napagent - ok
22:38:13.0892 3828 NativeWifiP (6da4a0fc7c0e83df0cb3cfd0a514c3bc) C:\Windows\system32\DRIVERS\nwifi.sys
22:38:13.0912 3828 NativeWifiP - ok
22:38:14.0053 3828 NAVENG (0953bb24c1e70a99c315f44f15993c17) C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20100826.002\NAVENG.SYS
22:38:14.0078 3828 NAVENG - ok
22:38:14.0207 3828 NAVEX15 (3ddb0bef60b65df6b110c23e17cd67dc) C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20100826.002\NAVEX15.SYS
22:38:14.0268 3828 NAVEX15 - ok
22:38:14.0491 3828 NDIS (227c11e1e7cf6ef8afb2a238d209760c) C:\Windows\system32\drivers\ndis.sys
22:38:14.0507 3828 NDIS - ok
22:38:14.0544 3828 NdisTapi (81659cdcbd0f9a9e07e6878ad8c78d3f) C:\Windows\system32\DRIVERS\ndistapi.sys
22:38:14.0567 3828 NdisTapi - ok
22:38:14.0598 3828 Ndisuio (5de5ee546bf40838ebe0e01cb629df64) C:\Windows\system32\DRIVERS\ndisuio.sys
22:38:14.0619 3828 Ndisuio - ok
22:38:14.0650 3828 NdisWan (397402adcbb8946223a1950101f6cd94) C:\Windows\system32\DRIVERS\ndiswan.sys
22:38:14.0674 3828 NdisWan - ok
22:38:14.0710 3828 NDProxy (1b24fa907af283199a81b3bb37e5e526) C:\Windows\system32\drivers\NDProxy.sys
22:38:14.0745 3828 NDProxy - ok
22:38:14.0800 3828 Net Driver HPZ12 (51c6d8bfbd4ea5b62a1ba7f4469250d3) C:\Windows\system32\HPZinw12.dll
22:38:14.0814 3828 Net Driver HPZ12 - ok
22:38:14.0858 3828 NetBIOS (356dbb9f98e8dc1028dd3092fceeb877) C:\Windows\system32\DRIVERS\netbios.sys
22:38:14.0874 3828 NetBIOS - ok
22:38:14.0898 3828 netbt (e3a168912e7eefc3bd3b814720d68b41) C:\Windows\system32\DRIVERS\netbt.sys
22:38:14.0921 3828 netbt - ok
22:38:14.0955 3828 Netlogon (c731b1fe449d4e9cea358c9d55b69be9) C:\Windows\system32\lsass.exe
22:38:14.0958 3828 Netlogon - ok
22:38:14.0999 3828 Netman (90a4dae28b94497f83bea0f2a3b77092) C:\Windows\System32\netman.dll
22:38:15.0008 3828 Netman - ok
22:38:15.0036 3828 netprofm (7c5c3d9ceee838856b828ab6f98a2857) C:\Windows\System32\netprofm.dll
22:38:15.0044 3828 netprofm - ok
22:38:15.0137 3828 NetTcpPortSharing (0ad5876ef4e9eb77c8f93eb5b2fff386) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
22:38:15.0143 3828 NetTcpPortSharing - ok
22:38:15.0280 3828 NETw3v32 (acc6170d80c69e50145b370023b64ed3) C:\Windows\system32\DRIVERS\NETw3v32.sys
22:38:15.0331 3828 NETw3v32 - ok
22:38:15.0498 3828 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
22:38:15.0522 3828 nfrd960 - ok
22:38:15.0569 3828 NlaSvc (c424117a562f2de37a42266894c79aeb) C:\Windows\System32\nlasvc.dll
22:38:15.0578 3828 NlaSvc - ok
22:38:15.0606 3828 Npfs (4f9832beb9fafd8ceb0e541f1323b26e) C:\Windows\system32\drivers\Npfs.sys
22:38:15.0628 3828 Npfs - ok
22:38:15.0669 3828 nsi (23b8201a363de0e649fc75ee9874dee2) C:\Windows\system32\nsisvc.dll
22:38:15.0674 3828 nsi - ok
22:38:15.0696 3828 nsiproxy (b488dfec274de1fc9d653870ef2587be) C:\Windows\system32\drivers\nsiproxy.sys
22:38:15.0718 3828 nsiproxy - ok
22:38:15.0852 3828 Ntfs (37430aa7a66d7a63407adc2c0d05e9f6) C:\Windows\system32\drivers\Ntfs.sys
22:38:15.0914 3828 Ntfs - ok
22:38:15.0951 3828 NTIDrvr (7f1c1f78d709c4a54cbb46ede7e0b48d) C:\Windows\system32\DRIVERS\NTIDrvr.sys
22:38:15.0969 3828 NTIDrvr - ok
22:38:15.0995 3828 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
22:38:16.0016 3828 ntrigdigi - ok
22:38:16.0025 3828 Null (ec5efb3c60f1b624648344a328bce596) C:\Windows\system32\drivers\Null.sys
22:38:16.0042 3828 Null - ok
22:38:16.0389 3828 nvlddmkm (e8cf3a24d0d4478150a48f95ebd7771f) C:\Windows\system32\DRIVERS\nvlddmkm.sys
22:38:16.0528 3828 nvlddmkm - ok
22:38:16.0708 3828 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
22:38:16.0735 3828 nvraid - ok
22:38:16.0761 3828 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
22:38:16.0785 3828 nvstor - ok
22:38:16.0873 3828 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
22:38:16.0901 3828 nv_agp - ok
22:38:16.0909 3828 NwlnkFlt - ok
22:38:16.0929 3828 NwlnkFwd - ok
22:38:16.0970 3828 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\DRIVERS\ohci1394.sys
22:38:16.0982 3828 ohci1394 - ok
22:38:17.0093 3828 ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
22:38:17.0113 3828 ose - ok
22:38:17.0199 3828 p2pimsvc (016d01d3b8fb976a193c7434bed8dccf) C:\Windows\system32\p2psvc.dll
22:38:17.0215 3828 p2pimsvc - ok
22:38:17.0227 3828 p2psvc (016d01d3b8fb976a193c7434bed8dccf) C:\Windows\system32\p2psvc.dll
22:38:17.0237 3828 p2psvc - ok
22:38:17.0310 3828 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
22:38:17.0324 3828 Parport - ok
22:38:17.0341 3828 partmgr (555a5b2c8022983bc7467bc925b222ee) C:\Windows\system32\drivers\partmgr.sys
22:38:17.0358 3828 partmgr - ok
22:38:17.0385 3828 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
22:38:17.0398 3828 Parvdm - ok
22:38:17.0438 3828 PcaSvc (d8c5c215c932233a4f1d7f368f4e4e65) C:\Windows\System32\pcasvc.dll
22:38:17.0443 3828 PcaSvc - ok
22:38:17.0466 3828 pci (1085d75657807e0e8b32f9e19a1647c3) C:\Windows\system32\drivers\pci.sys
22:38:17.0489 3828 pci - ok
22:38:17.0505 3828 pciide (3b1901e401473e03eb8c874271e50c26) C:\Windows\system32\drivers\pciide.sys
22:38:17.0527 3828 pciide - ok
22:38:17.0565 3828 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\DRIVERS\pcmcia.sys
22:38:17.0582 3828 pcmcia - ok
22:38:17.0664 3828 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
22:38:17.0696 3828 PEAUTH - ok
22:38:17.0830 3828 pla (cd05a38d166beade18030bafc0c0a939) C:\Windows\system32\pla.dll
22:38:17.0863 3828 pla - ok
22:38:18.0036 3828 PlugPlay (747bb4c31f3b6e8d1b5ed0ad61518cb5) C:\Windows\system32\umpnpmgr.dll
22:38:18.0046 3828 PlugPlay - ok
22:38:18.0112 3828 Pml Driver HPZ12 (79834aa2fbf9fe81eebb229024f6f7fc) C:\Windows\system32\HPZipm12.dll
22:38:18.0114 3828 Pml Driver HPZ12 - ok
22:38:18.0190 3828 PNRPAutoReg (016d01d3b8fb976a193c7434bed8dccf) C:\Windows\system32\p2psvc.dll
22:38:18.0202 3828 PNRPAutoReg - ok
22:38:18.0221 3828 PNRPsvc (016d01d3b8fb976a193c7434bed8dccf) C:\Windows\system32\p2psvc.dll
22:38:18.0237 3828 PNRPsvc - ok
22:38:18.0287 3828 PolicyAgent (5ebdec613bd377ce9a85382be5c6b83b) C:\Windows\System32\ipsecsvc.dll
22:38:18.0295 3828 PolicyAgent - ok
22:38:18.0350 3828 PptpMiniport (6c359ac71d7b550a0d41f9db4563ce05) C:\Windows\system32\DRIVERS\raspptp.sys
22:38:18.0363 3828 PptpMiniport - ok
22:38:18.0385 3828 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
22:38:18.0396 3828 Processor - ok
22:38:18.0431 3828 ProfSvc (213112e152e68f0e4705e36f052a2880) C:\Windows\system32\profsvc.dll
22:38:18.0437 3828 ProfSvc - ok
22:38:18.0478 3828 ProtectedStorage (c731b1fe449d4e9cea358c9d55b69be9) C:\Windows\system32\lsass.exe
22:38:18.0480 3828 ProtectedStorage - ok
22:38:18.0518 3828 PSched (2c8bae55247c4e09352e870292e4d1ab) C:\Windows\system32\DRIVERS\pacer.sys
22:38:18.0521 3828 PSched - ok
22:38:18.0560 3828 PSDFilter (88b72d2a800300eb05c69f3c6c3180f2) C:\Windows\system32\DRIVERS\psdfilter.sys
22:38:18.0579 3828 PSDFilter - ok
22:38:18.0631 3828 PSDNServ (9649e11fc5459bf6b2c9e8e327e45c3a) C:\Windows\system32\drivers\PSDNServ.sys
22:38:18.0649 3828 PSDNServ - ok
22:38:18.0671 3828 psdvdisk (3d0be1373b9dfe9fc7b64f090e4d59e3) C:\Windows\system32\drivers\psdvdisk.sys
22:38:18.0693 3828 psdvdisk - ok
22:38:18.0745 3828 PSI (d24dfd16a1e2a76034df5aa18125c35d) C:\Windows\system32\DRIVERS\psi_mf.sys
22:38:18.0769 3828 PSI - ok
22:38:18.0866 3828 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
22:38:18.0913 3828 ql2300 - ok
22:38:18.0952 3828 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
22:38:18.0978 3828 ql40xx - ok
22:38:19.0036 3828 QWAVE (ca61bdfd3713a7ce75f2812afc431594) C:\Windows\system32\qwave.dll
22:38:19.0044 3828 QWAVE - ok
22:38:19.0063 3828 QWAVEdrv (d2b3e2b7426dc23e185fbc73c8936c12) C:\Windows\system32\drivers\qwavedrv.sys
22:38:19.0086 3828 QWAVEdrv - ok
22:38:19.0106 3828 RasAcd (bd7b30f55b3649506dd8b3d38f571d2a) C:\Windows\system32\DRIVERS\rasacd.sys
22:38:19.0125 3828 RasAcd - ok
22:38:19.0145 3828 RasAuto (f14f4aab9f54d099fe99192bdb100ac9) C:\Windows\System32\rasauto.dll
22:38:19.0188 3828 RasAuto - ok
22:38:19.0211 3828 Rasl2tp (88587dd843e2059848995b407b67f6cf) C:\Windows\system32\DRIVERS\rasl2tp.sys
22:38:19.0223 3828 Rasl2tp - ok
22:38:19.0253 3828 RasMan (11d65e29bc9d1e4114d18fe68194394c) C:\Windows\System32\rasmans.dll
22:38:19.0274 3828 RasMan - ok
22:38:19.0293 3828 RasPppoe (ccf4e9c6cbbac81437f88cb2ae0b6c96) C:\Windows\system32\DRIVERS\raspppoe.sys
22:38:19.0304 3828 RasPppoe - ok
22:38:19.0331 3828 rdbss (54129c5d9581bbec8bd1ebd3ba813f47) C:\Windows\system32\DRIVERS\rdbss.sys
22:38:19.0349 3828 rdbss - ok
22:38:19.0368 3828 RDPCDD (794585276b5d7fca9f3fc15543f9f0b9) C:\Windows\system32\DRIVERS\RDPCDD.sys
22:38:19.0378 3828 RDPCDD - ok
22:38:19.0424 3828 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
22:38:19.0442 3828 rdpdr - ok
22:38:19.0466 3828 RDPENCDD (980b56e2e273e19d3a9d72d5c420f008) C:\Windows\system32\drivers\rdpencdd.sys
22:38:19.0475 3828 RDPENCDD - ok
22:38:19.0510 3828 RDPWD (8830e790a74a96605faba74f9665bb3c) C:\Windows\system32\drivers\RDPWD.sys
22:38:19.0537 3828 RDPWD - ok
22:38:19.0599 3828 RemoteAccess (6c1a43c589ee8011a1ebfd51c01b77ce) C:\Windows\System32\mprdim.dll
22:38:19.0621 3828 RemoteAccess - ok
22:38:19.0687 3828 RemoteRegistry (9a043808667c8c1893da7275af373f0e) C:\Windows\system32\regsvc.dll
22:38:19.0717 3828 RemoteRegistry - ok
22:38:19.0845 3828 RichVideo (c1c132455200ad4704142442c89d0fa4) C:\Program Files\CyberLink\Shared Files\RichVideo.exe
22:38:19.0848 3828 RichVideo - ok
22:38:19.0889 3828 RpcLocator (5123f83cbc4349d065534eeb6bbdc42b) C:\Windows\system32\locator.exe
22:38:19.0907 3828 RpcLocator - ok
22:38:19.0967 3828 RpcSs (7b981222a257d076885bffb66f19b7ce) C:\Windows\system32\rpcss.dll
22:38:19.0974 3828 RpcSs - ok
22:38:20.0010 3828 rspndr (97e939d2128fec5d5a3e6e79b290a2f4) C:\Windows\system32\DRIVERS\rspndr.sys
22:38:20.0023 3828 rspndr - ok
22:38:20.0055 3828 SamSs (c731b1fe449d4e9cea358c9d55b69be9) C:\Windows\system32\lsass.exe
22:38:20.0057 3828 SamSs - ok
22:38:20.0082 3828 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
22:38:20.0100 3828 sbp2port - ok
22:38:20.0144 3828 SCardSvr (565b4b9e5ad2f2f18a4f8aafa6c06bbb) C:\Windows\System32\SCardSvr.dll
22:38:20.0149 3828 SCardSvr - ok
22:38:20.0230 3828 Schedule (886cec884b5be29ab9828b8ab46b11f7) C:\Windows\system32\schedsvc.dll
22:38:20.0239 3828 Schedule - ok
22:38:20.0278 3828 SCPolicySvc (0600e04315fe543802a379d5d23c8be0) C:\Windows\System32\certprop.dll
22:38:20.0279 3828 SCPolicySvc - ok
22:38:20.0312 3828 sdbus (7b3973cc28b8aa3e9e2e5d53e720e2c9) C:\Windows\system32\DRIVERS\sdbus.sys
22:38:20.0332 3828 sdbus - ok
22:38:20.0358 3828 SDRSVC (f7b6bf02240d0a764adf8c8966735552) C:\Windows\System32\SDRSVC.dll
22:38:20.0380 3828 SDRSVC - ok
22:38:20.0407 3828 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
22:38:20.0424 3828 secdrv - ok
22:38:20.0452 3828 seclogon (8388c4133ddbe62ad7bc3ec9f14271ed) C:\Windows\system32\seclogon.dll
22:38:20.0457 3828 seclogon - ok
22:38:20.0659 3828 Secunia PSI Agent (5b66db4877bbac9f7493aa8d84421e49) C:\Program Files\Secunia\PSI\PSIA.exe
22:38:20.0687 3828 Secunia PSI Agent - ok
22:38:20.0809 3828 Secunia Update Agent (0e88fdf474f2cdd370a4a6ce77d018f0) C:\Program Files\Secunia\PSI\sua.exe
22:38:20.0817 3828 Secunia Update Agent - ok
22:38:20.0986 3828 SENS (34350ae2c1d33d21c7305f861bd8dad8) C:\Windows\system32\sens.dll
22:38:20.0992 3828 SENS - ok
22:38:21.0057 3828 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
22:38:21.0080 3828 Serenum - ok
22:38:21.0100 3828 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
22:38:21.0124 3828 Serial - ok
22:38:21.0169 3828 sermouse (450accd77ec5cea720c1cdb9e26b953b) C:\Windows\system32\drivers\sermouse.sys
22:38:21.0189 3828 sermouse - ok
22:38:21.0247 3828 SessionEnv (78878235da4df0d116e86837a0a21df8) C:\Windows\system32\sessenv.dll
22:38:21.0255 3828 SessionEnv - ok
22:38:21.0276 3828 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
22:38:21.0286 3828 sffdisk - ok
22:38:21.0301 3828 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
22:38:21.0310 3828 sffp_mmc - ok
22:38:21.0329 3828 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
22:38:21.0341 3828 sffp_sd - ok
22:38:21.0357 3828 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
22:38:21.0370 3828 sfloppy - ok
22:38:21.0414 3828 SharedAccess (9a82bf4c90b00a63150a606a1e2fd82b) C:\Windows\System32\ipnathlp.dll
22:38:21.0422 3828 SharedAccess - ok
22:38:21.0466 3828 ShellHWDetection (b264dfa21677728613267fe63802b332) C:\Windows\System32\shsvcs.dll
22:38:21.0471 3828 ShellHWDetection - ok
22:38:21.0507 3828 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
22:38:21.0520 3828 sisagp - ok
22:38:21.0545 3828 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
22:38:21.0558 3828 SiSRaid2 - ok
22:38:21.0583 3828 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
22:38:21.0595 3828 SiSRaid4 - ok
22:38:21.0707 3828 SkypeUpdate (6128e98eaaed364ed1a32708d2fd22cb) C:\Program Files\Skype\Updater\Updater.exe
22:38:21.0713 3828 SkypeUpdate - ok
22:38:21.0928 3828 slsvc (a1dcd30534835cb67733ad00175125a6) C:\Windows\system32\SLsvc.exe
22:38:21.0999 3828 slsvc - ok
22:38:22.0187 3828 SLUINotify (56da296e7b376a727e7bdc5ac7fbee02) C:\Windows\system32\SLUINotify.dll
22:38:22.0219 3828 SLUINotify - ok
22:38:22.0295 3828 Smb (ac0d90738adb51a6fd12ff00874a2162) C:\Windows\system32\DRIVERS\smb.sys
22:38:22.0323 3828 Smb - ok
22:38:22.0349 3828 SMSCIRDA (ced16c76469ba00e2ab310857cd4c767) C:\Windows\system32\DRIVERS\SMSCirda.sys
22:38:22.0372 3828 SMSCIRDA - ok
22:38:22.0426 3828 SNMPTRAP (2a146a055b4401c16ee62d18b8e2a032) C:\Windows\System32\snmptrap.exe
22:38:22.0468 3828 SNMPTRAP - ok
22:38:22.0605 3828 SPBBCDrv (905782bcf15b6e5af9905b77923c7fa2) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
22:38:22.0642 3828 SPBBCDrv - ok
22:38:22.0688 3828 spldr (426f9b029aa9162ceccf65369457d046) C:\Windows\system32\drivers\spldr.sys
22:38:22.0711 3828 spldr - ok
22:38:22.0759 3828 Spooler (da612ef2556776df2630b68bf2d48935) C:\Windows\System32\spoolsv.exe
22:38:22.0768 3828 Spooler - ok
22:38:22.0825 3828 SRTSP (655773f2f1a3730c6cf20280a49f4ee1) C:\Windows\system32\Drivers\SRTSP.SYS
22:38:22.0860 3828 SRTSP - ok
22:38:22.0916 3828 SRTSPL (2a0aaf370d4c6574a34ae2f4a0709cae) C:\Windows\system32\Drivers\SRTSPL.SYS
22:38:22.0951 3828 SRTSPL - ok
22:38:22.0981 3828 SRTSPX (3104bdceace2d5710776dd05e6a286c1) C:\Windows\system32\Drivers\SRTSPX.SYS
22:38:23.0008 3828 SRTSPX - ok
22:38:23.0070 3828 srv (038579c35f7cad4a4bbf735dbf83277d) C:\Windows\system32\DRIVERS\srv.sys
22:38:23.0089 3828 srv - ok
22:38:23.0140 3828 srv2 (6971a757af8cb5e2cbcbb76cc530db6c) C:\Windows\system32\DRIVERS\srv2.sys
22:38:23.0154 3828 srv2 - ok
22:38:23.0167 3828 srvnet (9e1a4603b874eebce0298113951abefb) C:\Windows\system32\DRIVERS\srvnet.sys
22:38:23.0182 3828 srvnet - ok
22:38:23.0229 3828 sscdbus (d5dffeaa1e15d4effabb9d9a3068ac5b) C:\Windows\system32\DRIVERS\sscdbus.sys
22:38:23.0244 3828 sscdbus - ok
22:38:23.0294 3828 sscdmdfl (8a1be0c347814f482f493aea619d57f6) C:\Windows\system32\DRIVERS\sscdmdfl.sys
22:38:23.0308 3828 sscdmdfl - ok
22:38:23.0487 3828 sscdmdm (5ab0b1987f682a59b15b78f84c6ad7d0) C:\Windows\system32\DRIVERS\sscdmdm.sys
22:38:23.0567 3828 sscdmdm - ok
22:38:23.0742 3828 sscdserd (751e66eb32efa80633b80f5d7ff0a1d8) C:\Windows\system32\DRIVERS\sscdserd.sys
22:38:23.0767 3828 sscdserd - ok
22:38:23.0958 3828 SSDPSRV (8d3e4baff8b3997138c38eb1b600519a) C:\Windows\System32\ssdpsrv.dll
22:38:23.0965 3828 SSDPSRV - ok
22:38:24.0177 3828 Steam Client Service - ok
22:38:24.0211 3828 StillCam (7a95b5deb594616f1693486b8161411e) C:\Windows\system32\DRIVERS\serscan.sys
22:38:24.0231 3828 StillCam - ok
22:38:24.0365 3828 stisvc (a941e099ef46e3cc12f898cbe1c39910) C:\Windows\System32\wiaservc.dll
22:38:24.0371 3828 stisvc - ok
22:38:24.0429 3828 swenum (1379bdb336f8158c176a465e30759f57) C:\Windows\system32\DRIVERS\swenum.sys
22:38:24.0455 3828 swenum - ok
22:38:24.0704 3828 swprv (749ada8d6c18a08adfede69cbf5db2e0) C:\Windows\System32\swprv.dll
22:38:24.0715 3828 swprv - ok
22:38:25.0228 3828 Symantec Core LC (fa2f6a8849219b16460bf44f9d1f3aa7) C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
22:38:25.0244 3828 Symantec Core LC - ok
22:38:25.0352 3828 SymAppCore (2fe779b1a07747fed8074c433c3c4604) C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
22:38:25.0353 3828 SymAppCore - ok
22:38:25.0650 3828 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
22:38:25.0662 3828 Symc8xx - ok
22:38:25.0715 3828 SYMDNS (51b57cda977170ac608d839dbfa1d3ee) C:\Windows\System32\Drivers\SYMDNS.SYS
22:38:25.0762 3828 SYMDNS - ok
22:38:25.0789 3828 SymEvent (06b95820df51502099a8a15c93e87986) C:\Windows\system32\Drivers\SYMEVENT.SYS
22:38:25.0803 3828 SymEvent - ok
22:38:25.0824 3828 SYMFW (a131d8360b01044517aa44529e2137d6) C:\Windows\System32\Drivers\SYMFW.SYS
22:38:25.0848 3828 SYMFW - ok
22:38:25.0870 3828 SYMIDS (2b77868f02dae02103380b824431b798) C:\Windows\System32\Drivers\SYMIDS.SYS
22:38:25.0883 3828 SYMIDS - ok
22:38:25.0894 3828 SYMNDISV (7d3addfe63e5227bd2dbd5692bafb688) C:\Windows\System32\Drivers\SYMNDISV.SYS
22:38:25.0919 3828 SYMNDISV - ok
22:38:25.0926 3828 SYMREDRV (394b2368212114d538316812af60fddd) C:\Windows\System32\Drivers\SYMREDRV.SYS
22:38:25.0950 3828 SYMREDRV - ok
22:38:25.0964 3828 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\Windows\System32\Drivers\SYMTDI.SYS
22:38:25.0981 3828 SYMTDI - ok
22:38:26.0006 3828 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
22:38:26.0017 3828 Sym_hi - ok
22:38:26.0033 3828 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
22:38:26.0045 3828 Sym_u3 - ok
22:38:26.0085 3828 SynTP (f7a4250bb3e3afcd4af100e551509352) C:\Windows\system32\DRIVERS\SynTP.sys
22:38:26.0103 3828 SynTP - ok
22:38:26.0157 3828 SysMain (8f2b5fede18bd3c4c926cbf88e6f1264) C:\Windows\system32\sysmain.dll
22:38:26.0172 3828 SysMain - ok
22:38:26.0207 3828 TabletInputService (2dca225eae15f42c0933e998ee0231c3) C:\Windows\System32\TabSvc.dll
22:38:26.0220 3828 TabletInputService - ok
22:38:26.0246 3828 TapiSrv (ef3dd33c740fc2f82e7e4622f1c49289) C:\Windows\System32\tapisrv.dll
22:38:26.0266 3828 TapiSrv - ok
22:38:26.0298 3828 TBS (68fa52794ae9acc61bde16fe0956b414) C:\Windows\System32\tbssvc.dll
22:38:26.0317 3828 TBS - ok
22:38:26.0388 3828 Tcpip (4a82fa8f0df67aa354580c3faaf8bde3) C:\Windows\system32\drivers\tcpip.sys
22:38:26.0421 3828 Tcpip - ok
22:38:26.0434 3828 Tcpip6 (4a82fa8f0df67aa354580c3faaf8bde3) C:\Windows\system32\DRIVERS\tcpip.sys
22:38:26.0442 3828 Tcpip6 - ok
22:38:26.0473 3828 tcpipreg (5ce0c4a7b12d0067dad527d72b68c726) C:\Windows\system32\drivers\tcpipreg.sys
22:38:26.0484 3828 tcpipreg - ok
22:38:26.0508 3828 TDPIPE (964248aef49c31fa6a93201a73ffaf50) C:\Windows\system32\drivers\tdpipe.sys
22:38:26.0518 3828 TDPIPE - ok
22:38:26.0537 3828 TDTCP (7d2c1ae1648a60fce4aa0f7982e419d3) C:\Windows\system32\drivers\tdtcp.sys
22:38:26.0548 3828 TDTCP - ok
22:38:26.0560 3828 tdx (ab4fde8af4a0270a46a001c08cbce1c2) C:\Windows\system32\DRIVERS\tdx.sys
22:38:26.0573 3828 tdx - ok
22:38:26.0588 3828 TermDD (2c549bd9dd091fbfaa0a2a48e82ec2fb) C:\Windows\system32\DRIVERS\termdd.sys
22:38:26.0599 3828 TermDD - ok
22:38:26.0649 3828 TermService (fad71c1e8e4047b154e899ae31eb8caa) C:\Windows\System32\termsrv.dll
22:38:26.0658 3828 TermService - ok
22:38:26.0701 3828 Themes (b264dfa21677728613267fe63802b332) C:\Windows\system32\shsvcs.dll
22:38:26.0705 3828 Themes - ok
22:38:26.0747 3828 THREADORDER (9dfa3a459af0954aa85b4f7622ad87bb) C:\Windows\system32\mmcss.dll
22:38:26.0750 3828 THREADORDER - ok
22:38:26.0769 3828 TrkWks (6bba0582c0025d43729a1112d3b57897) C:\Windows\System32\trkwks.dll
22:38:26.0774 3828 TrkWks - ok
22:38:26.0840 3828 TrustedInstaller (34e388a395fedba1d0511ed39bbf4074) C:\Windows\servicing\TrustedInstaller.exe
22:38:26.0842 3828 TrustedInstaller - ok
22:38:26.0866 3828 tssecsrv (29f0eca726f0d51f7e048bdb0b372f29) C:\Windows\system32\DRIVERS\tssecsrv.sys
22:38:26.0883 3828 tssecsrv - ok
22:38:26.0917 3828 tunmp (65e953bc0084d44498b51f59784d2a82) C:\Windows\system32\DRIVERS\tunmp.sys
22:38:26.0937 3828 tunmp - ok
22:38:26.0959 3828 tunnel (4a39bda5e0fd30bdf4884f9d33ae6105) C:\Windows\system32\DRIVERS\tunnel.sys
22:38:26.0981 3828 tunnel - ok
22:38:27.0011 3828 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
22:38:27.0037 3828 uagp35 - ok
22:38:27.0057 3828 UBHelper (e0c67be430c6de490d6ccaecfa071f9e) C:\Windows\system32\drivers\UBHelper.sys
22:38:27.0077 3828 UBHelper - ok
22:38:27.0118 3828 udfs (6348da98707ceda8a0dfb05820e17732) C:\Windows\system32\DRIVERS\udfs.sys
22:38:27.0148 3828 udfs - ok
22:38:27.0213 3828 UI0Detect (24a333f4f14dcfb6ff6d5a1b9e5d79dd) C:\Windows\system32\UI0Detect.exe
22:38:27.0261 3828 UI0Detect - ok
22:38:27.0270 3828 UIUSys - ok
22:38:27.0301 3828 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
22:38:27.0342 3828 uliagpkx - ok
22:38:27.0378 3828 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
22:38:27.0393 3828 uliahci - ok
22:38:27.0412 3828 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
22:38:27.0425 3828 UlSata - ok
22:38:27.0453 3828 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
22:38:27.0467 3828 ulsata2 - ok
22:38:27.0502 3828 umbus (3fb78f1d1dd86d87bececd9dffa24dd9) C:\Windows\system32\DRIVERS\umbus.sys
22:38:27.0513 3828 umbus - ok
22:38:27.0536 3828 upnphost (8eb871a3deb6b3d5a85eb6ddfc390b59) C:\Windows\System32\upnphost.dll
22:38:27.0541 3828 upnphost - ok
22:38:27.0603 3828 USBAAPL (eafe1e00739afe6c51487a050e772e17) C:\Windows\system32\Drivers\usbaapl.sys
22:38:27.0615 3828 USBAAPL - ok
22:38:27.0678 3828 usbaudio (f6bf998ae33e3fb6c7d27f0560f1173f) C:\Windows\system32\drivers\usbaudio.sys
22:38:27.0690 3828 usbaudio - ok
22:38:27.0734 3828 usbccgp (8bd3ae150d97ba4e633c6c5c51b41ae1) C:\Windows\system32\DRIVERS\usbccgp.sys
22:38:27.0747 3828 usbccgp - ok
22:38:27.0771 3828 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
22:38:27.0784 3828 usbcir - ok
22:38:27.0811 3828 usbehci (63fe924d8a1113c3ba6750693fbec7d3) C:\Windows\system32\DRIVERS\usbehci.sys
22:38:27.0822 3828 usbehci - ok
22:38:27.0859 3828 usbhub (5edec5510592c905e91817707dce62a2) C:\Windows\system32\DRIVERS\usbhub.sys
22:38:27.0874 3828 usbhub - ok
22:38:28.0042 3828 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
22:38:28.0053 3828 usbohci - ok
22:38:28.0070 3828 usbprint (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\drivers\usbprint.sys
22:38:28.0082 3828 usbprint - ok
22:38:28.0128 3828 USBSTOR (7887ce56934e7f104e98c975f47353c5) C:\Windows\system32\DRIVERS\USBSTOR.SYS
22:38:28.0144 3828 USBSTOR - ok
22:38:28.0182 3828 usbuhci (325dbbacb8a36af9988ccf40eac228cc) C:\Windows\system32\DRIVERS\usbuhci.sys
22:38:28.0212 3828 usbuhci - ok
22:38:28.0299 3828 usbvideo (0a6b81f01bc86399482e27e6fda7b33b) C:\Windows\system32\Drivers\usbvideo.sys
22:38:28.0321 3828 usbvideo - ok
22:38:28.0374 3828 UxSms (f79d0d7c9004474cb42746d9b2c30a2b) C:\Windows\System32\uxsms.dll
22:38:28.0379 3828 UxSms - ok
22:38:28.0478 3828 vds (c9d0bafee0d0a2681f048ca61bc0da96) C:\Windows\System32\vds.exe
22:38:28.0552 3828 vds - ok
22:38:28.0579 3828 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
22:38:28.0597 3828 vga - ok
22:38:28.0624 3828 VgaSave (17a8f877314e4067f8c8172cc6d9101c) C:\Windows\System32\drivers\vga.sys
22:38:28.0641 3828 VgaSave - ok
22:38:28.0688 3828 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
22:38:28.0704 3828 viaagp - ok
22:38:28.0726 3828 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
22:38:28.0737 3828 ViaC7 - ok
22:38:28.0762 3828 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
22:38:28.0774 3828 viaide - ok
22:38:28.0805 3828 volmgr (103e84c95832d0ed93507997cc7b54e8) C:\Windows\system32\drivers\volmgr.sys
22:38:28.0819 3828 volmgr - ok
22:38:28.0890 3828 volmgrx (294da8d3f965f6a8db934a83c7b461ff) C:\Windows\system32\drivers\volmgrx.sys
22:38:28.0941 3828 volmgrx - ok
22:38:29.0030 3828 volsnap (80dc0c9bcb579ed9815001a4d37cbfd5) C:\Windows\system32\drivers\volsnap.sys
22:38:29.0052 3828 volsnap - ok
22:38:29.0108 3828 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
22:38:29.0126 3828 vsmraid - ok
22:38:29.0423 3828 VSS (e0e29d9ef2524abd11749c7c2fd7f607) C:\Windows\system32\vssvc.exe
22:38:29.0440 3828 VSS - ok
22:38:29.0522 3828 W32Time (62b0d0f6f5580d9d0dfa5e0b466ff2ed) C:\Windows\system32\w32time.dll
22:38:29.0528 3828 W32Time - ok
22:38:29.0565 3828 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
22:38:29.0576 3828 WacomPen - ok
22:38:29.0621 3828 Wanarp (6798c1209a53b5a0ded8d437c45145ff) C:\Windows\system32\DRIVERS\wanarp.sys
22:38:29.0637 3828 Wanarp - ok
22:38:29.0647 3828 Wanarpv6 (6798c1209a53b5a0ded8d437c45145ff) C:\Windows\system32\DRIVERS\wanarp.sys
22:38:29.0649 3828 Wanarpv6 - ok
22:38:29.0702 3828 wcncsvc (c1b19162e0509ceab4cdf664e139d956) C:\Windows\System32\wcncsvc.dll
22:38:29.0711 3828 wcncsvc - ok
22:38:29.0732 3828 WcsPlugInService (11bcb7afcdd7aadacb5746f544d3a9c7) C:\Windows\System32\WcsPlugInService.dll
22:38:29.0751 3828 WcsPlugInService - ok
22:38:29.0781 3828 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
22:38:29.0799 3828 Wd - ok
22:38:29.0880 3828 Wdf01000 (7b5f66e4a2219c7d9daf9e738480e534) C:\Windows\system32\drivers\Wdf01000.sys
22:38:29.0959 3828 Wdf01000 - ok
22:38:30.0021 3828 WdiServiceHost (2a424b89b14ef17a3d06bcb5a8f79601) C:\Windows\system32\wdi.dll
22:38:30.0029 3828 WdiServiceHost - ok
22:38:30.0059 3828 WdiSystemHost (2a424b89b14ef17a3d06bcb5a8f79601) C:\Windows\system32\wdi.dll
22:38:30.0067 3828 WdiSystemHost - ok
22:38:30.0111 3828 WebClient (01e41c264eedcb827820a1909162579f) C:\Windows\System32\webclnt.dll
22:38:30.0118 3828 WebClient - ok
22:38:30.0317 3828 Wecsvc (9cf67ff7f8d34cbf115d0c278b9f74aa) C:\Windows\system32\wecsvc.dll
22:38:30.0323 3828 Wecsvc - ok
22:38:30.0341 3828 wercplsupport (b68cab45db1dab59d92acadfad6364a8) C:\Windows\System32\wercplsupport.dll
22:38:30.0346 3828 wercplsupport - ok
22:38:30.0378 3828 WerSvc (36ba0707680ef4236fd752bee982cc25) C:\Windows\System32\WerSvc.dll
22:38:30.0383 3828 WerSvc - ok
22:38:30.0451 3828 winachsf (6d2350bb6e77e800fc4be4e5b7a2e89a) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
22:38:30.0476 3828 winachsf - ok
22:38:30.0641 3828 WinDefend (0d5ad0e71ff5ddac5dd2f443b499abd0) C:\Program Files\Windows Defender\mpsvc.dll
22:38:30.0698 3828 WinDefend - ok
22:38:30.0710 3828 WinHttpAutoProxySvc - ok
22:38:30.0785 3828 Winmgmt (38a7b89de4e3417c122317949667fdd8) C:\Windows\system32\wbem\WMIsvc.dll
22:38:30.0804 3828 Winmgmt - ok
22:38:30.0853 3828 WinRM (3f6823040030c3e4da1cf11cd40b7534) C:\Windows\system32\WsmSvc.dll
22:38:30.0859 3828 WinRM - ok
22:38:30.0926 3828 Wlansvc (7640acea41348bfef34b76e245501261) C:\Windows\System32\wlansvc.dll
22:38:30.0943 3828 Wlansvc - ok
22:38:31.0169 3828 wlidsvc (5144ae67d60ec653f97ddf3feed29e77) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
22:38:31.0421 3828 wlidsvc - ok
22:38:31.0635 3828 WmiAcpi (17eac0d023a65fa9b02114cc2baacad5) C:\Windows\system32\DRIVERS\wmiacpi.sys
22:38:31.0645 3828 WmiAcpi - ok
22:38:31.0729 3828 wmiApSrv (a279323bee5fffafda222910bce92132) C:\Windows\system32\wbem\WmiApSrv.exe
22:38:31.0777 3828 wmiApSrv - ok
22:38:31.0854 3828 WMIService (66658d1f28d113c3c189433ab9698c68) C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
22:38:31.0856 3828 WMIService - ok
22:38:31.0997 3828 WMPNetworkSvc (acb2e63d50157e3ea7140f29d9e76a48) C:\Program Files\Windows Media Player\wmpnetwk.exe
22:38:32.0012 3828 WMPNetworkSvc - ok
22:38:32.0064 3828 WPCSvc (3d3b3b80c12abe506f56930c46422c28) C:\Windows\System32\wpcsvc.dll
22:38:32.0098 3828 WPCSvc - ok
22:38:32.0139 3828 WPDBusEnum (c24844a1d0d9528b19d5bc266b8cd572) C:\Windows\system32\wpdbusenum.dll
22:38:32.0150 3828 WPDBusEnum - ok
22:38:32.0242 3828 WpdUsb (2d27171b16a577ef14c1273668753485) C:\Windows\system32\DRIVERS\wpdusb.sys
22:38:32.0267 3828 WpdUsb - ok
22:38:32.0308 3828 ws2ifsl (84620aecdcfd2a7a14e6263927d8c0ed) C:\Windows\system32\drivers\ws2ifsl.sys
22:38:32.0335 3828 ws2ifsl - ok
22:38:32.0371 3828 wscsvc (f97cbb919af6d0a6643d1a59c15014d1) C:\Windows\system32\wscsvc.dll
22:38:32.0376 3828 wscsvc - ok
22:38:32.0384 3828 WSearch - ok
22:38:32.0524 3828 wuauserv (6298277b73c77fa99106b271a7525163) C:\Windows\system32\wuaueng.dll
22:38:32.0567 3828 wuauserv - ok
22:38:32.0790 3828 WUDFRd (a2aafcc8a204736296d937c7c545b53f) C:\Windows\system32\DRIVERS\WUDFRd.sys
22:38:32.0806 3828 WUDFRd - ok
22:38:32.0829 3828 wudfsvc (db5bf5aab72b1b99b5331231d09ebb26) C:\Windows\System32\WUDFSvc.dll
22:38:32.0834 3828 wudfsvc - ok
22:38:32.0853 3828 XAudio (5a7ff9a18ff6d7e0527fe3abf9204ef8) C:\Windows\system32\DRIVERS\xaudio.sys
22:38:32.0865 3828 XAudio - ok
22:38:32.0911 3828 XAudioService (28dc5d626e036a75a572556f0a6eb1f6) C:\Windows\system32\DRIVERS\xaudio.exe
22:38:32.0920 3828 XAudioService - ok
22:38:32.0998 3828 MBR (0x1B8) (a863475757cc50891aa8458c415e4b25) \Device\Harddisk0\DR0
22:38:36.0843 3828 \Device\Harddisk0\DR0 - ok
22:38:36.0873 3828 Boot (0x1200) (e203eb6bc7bed965f09488555f9843d3) \Device\Harddisk0\DR0\Partition0
22:38:36.0874 3828 \Device\Harddisk0\DR0\Partition0 - ok
22:38:36.0894 3828 Boot (0x1200) (28ececc4849fe176818df073b0eda9e2) \Device\Harddisk0\DR0\Partition1
22:38:36.0896 3828 \Device\Harddisk0\DR0\Partition1 - ok
22:38:36.0901 3828 ============================================================
22:38:36.0901 3828 Scan finished
22:38:36.0901 3828 ============================================================
22:38:36.0923 5400 Detected object count: 0
22:38:36.0923 5400 Actual detected object count: 0



And here's the aswMBR log:


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-01 22:45:10
-----------------------------
22:45:10.687 OS Version: Windows 6.0.6000
22:45:10.687 Number of processors: 2 586 0xE08
22:45:10.690 ComputerName: BENNETT-LAPTOP UserName: Tim
22:45:32.949 Initialize success
22:53:49.735 AVAST engine defs: 12050101
22:54:00.309 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
22:54:00.316 Disk 0 Vendor: Hitachi_HTS541612J9SA00 SBDOC70P Size: 114473MB BusType: 3
22:54:00.341 Disk 0 MBR read successfully
22:54:00.347 Disk 0 MBR scan
22:54:00.410 Disk 0 unknown MBR code
22:54:00.417 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 6997 MB offset 63
22:54:00.471 Disk 0 Partition 2 80 (A) 06 FAT16 NTFS 53913 MB offset 14329980
22:54:00.513 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 53560 MB offset 124744725
22:54:00.534 Disk 0 scanning sectors +234436545
22:54:00.625 Disk 0 scanning C:\Windows\system32\drivers
22:54:20.322 Service scanning
22:55:06.305 Modules scanning
22:55:16.246 Disk 0 trace - called modules:
22:55:16.626 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
22:55:16.632 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8517aa88]
22:55:16.639 3 ntkrnlpa.exe[81cb07e2] -> nt!IofCallDriver -> [0x847de8e0]
22:55:16.647 5 acpi.sys[8066932a] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x8484cb58]
22:55:17.773 AVAST engine scan C:\Windows
22:55:25.899 AVAST engine scan C:\Windows\system32
23:00:44.877 AVAST engine scan C:\Windows\system32\drivers
23:01:08.404 AVAST engine scan C:\Users\Tim
23:04:00.772 File: C:\Users\Tim\AppData\Local\msWIclass\ClipMainSched.dll **INFECTED** Win32:MalOb-GX [Cryp]
23:16:05.184 AVAST engine scan C:\ProgramData
23:18:49.344 Scan finished successfully
23:27:12.017 Disk 0 MBR has been saved successfully to "C:\Users\Tim\Desktop\MBR.dat"
23:27:12.030 The log file has been saved successfully to "C:\Users\Tim\Desktop\aswMBR.txt"

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:05 PM

Posted 01 May 2012 - 11:49 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::
KillAll::

File::
C:\Users\Tim\AppData\Local\msWIclass\ClipMainSched.dll

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 devincheetah
  • Topic Starter
  • Members
  • 9 posts

Posted 03 May 2012 - 01:21 PM

So I deactivated my security programs and ran the script, but when I attempted to, ComboFix said it had updates available, which I allowed it to perform. Then it attempted to continue, and the computer stalled. After about an hour I killed the power. When I turned the computer back on I didn't notice any problems so I just made a new .txt file and tried again. The scan went flawlessly, but ComboFix did reboot the computer and then produced the log which I saved to the desktop. Not too long after that though the error "Illegal operation attempted on a registry key that has been marked for deletion" appeared so I restarted the computer again. I then reactivated my security programs. The computer seems to be running just fine now. Here's the log:

ComboFix 12-05-02.04 - Tim 05/02/2012 23:30:19.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2038.1160 [GMT -5:00]
Running from: c:\users\Tim\Desktop\ComboFix.exe
Command switches used :: c:\users\Tim\Desktop\CFScript.txt
.
FILE ::
"c:\users\Tim\AppData\Local\msWIclass\ClipMainSched.dll"
.
.
((((((((((((((((((((((((( Files Created from 2012-04-03 to 2012-05-03 )))))))))))))))))))))))))))))))
.
.
2012-05-03 04:37 . 2012-05-03 04:43 -------- d-----w- c:\users\Tim\AppData\Local\temp
2012-05-03 04:37 . 2012-05-03 04:37 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2012-05-03 04:37 . 2012-05-03 04:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-04-30 03:32 . 2012-04-30 03:32 -------- d-----w- c:\program files\Common Files\Skype
2012-04-30 02:47 . 2012-04-30 02:47 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Adobe
2012-04-30 02:31 . 2012-04-30 02:31 -------- d-----w- c:\users\Tim\AppData\Local\Secunia PSI
2012-04-30 02:30 . 2012-04-30 02:30 -------- d-----w- c:\program files\Secunia
2012-04-28 23:12 . 2012-04-28 23:12 -------- d-----w- c:\users\Tim\AppData\Roaming\Malwarebytes
2012-04-28 23:12 . 2012-04-28 23:12 -------- d-----w- c:\programdata\Malwarebytes
2012-04-28 23:12 . 2012-04-04 20:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-28 23:12 . 2012-04-29 00:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-19 18:50 . 2012-04-19 18:50 -------- d-----w- c:\program files\iPod
2012-04-19 18:50 . 2012-04-19 18:52 -------- d-----w- c:\program files\iTunes
2012-04-09 21:44 . 2012-04-09 21:44 -------- d-----w- c:\program files\Microsoft Silverlight
2012-04-07 19:01 . 2012-04-07 19:01 -------- d-----w- C:\DEA4
2012-04-07 18:43 . 2003-07-22 00:38 1204224 ----a-w- c:\windows\system32\ot60as.dll
2012-04-07 18:43 . 2003-07-22 00:38 167936 ----a-w- c:\windows\system32\osc60as.dll
2012-04-07 18:43 . 2003-07-22 00:38 1646592 ----a-w- c:\windows\system32\og70as.dll
2012-04-07 18:43 . 2003-07-22 00:38 146976 ----a-w- c:\windows\system32\mfcoleui.dll
2012-04-07 18:43 . 2003-07-22 00:28 49152 ----a-w- c:\windows\system32\INETWH32.DLL
2012-04-07 18:43 . 2003-07-22 00:28 154624 ----a-w- c:\windows\system32\HLP25632.DLL
2012-04-07 18:43 . 2003-08-05 15:11 131072 ----a-w- c:\windows\system32\deagnt13.exe
2012-04-07 18:42 . 2012-04-07 19:15 -------- d-----w- C:\DacEasy
2012-04-07 18:36 . 2000-01-04 11:39 212992 ----a-w- c:\program files\Common Files\InstallShield\Engine\6\Intel 32\ILog.dll
2012-04-07 01:52 . 2012-04-24 16:41 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-24 16:41 . 2011-05-20 14:42 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-15 17:01 . 2012-02-15 17:01 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 17:01 . 2012-02-15 17:01 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"????r"="" [?]
"?????????"="??????????????e" [?]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-06-03 1232896]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
"Logitech Vid"="c:\program files\Logitech\Vid HD\Vid.exe" [2010-10-29 5915480]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"Steam"="c:\program files\Steam\Steam.exe" [2011-08-29 1242448]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 201728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2006-11-22 90191]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-22 7757824]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-11-22 81920]
"RtHDVCpl"="RtHDVCpl.exe" [2006-12-01 4186112]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 107112]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2006-11-21 22696]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-12-08 614400]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2006-12-13 3166208]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2006-12-04 1261568]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2006-11-17 453120]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"LTCM Client"="c:\program files\LTCM Client\ltcmClient.exe" [2009-03-02 1583808]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2010-05-10 439568]
"Conime"="c:\windows\system32\conime.exe" [2006-11-02 68608]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"EKAIO2StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe" [2011-12-10 2756608]
"FileOpenBroker"="c:\program files\FileOpen\Services\FileOpenBroker32.exe" [2011-12-10 726912]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2006-12-2 528384]
Pervasive.SQL Workgroup Engine.lnk - c:\daceasy\pvsw\W3DBSMGR.EXE [2012-4-7 90180]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-10-14 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-24 253088]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - COMHOST
*Deregistered* - FileOpenWebPublisherScreenHookDriver
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-02 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-07 16:41]
.
2012-04-21 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Tim.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2006-11-21 04:41]
.
2012-05-03 c:\windows\Tasks\User_Feed_Synchronization-{FFA3BA44-D6AA-44AD-B664-80E8273E9365}.job
- c:\windows\system32\msfeedssync.exe [2010-06-06 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5188)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\ShowErrMsg.dll
c:\acer\Empowering Technology\EPOWER\SysHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\FileOpen\Services\FileOpenManagerSvc32.exe
c:\program files\Kodak\AiO\Center\EKAiOHostService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Secunia\PSI\PSIA.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Secunia\PSI\sua.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\windows\RtHDVCpl.exe
c:\program files\Launch Manager\LManager.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\ehome\ehmsas.exe
c:\acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
c:\windows\system32\igfxext.exe
c:\acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
c:\acer\Empowering Technology\eRecovery\ERAGENT.EXE
.
**************************************************************************
.
Completion time: 2012-05-02 23:48:15 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-03 04:48
ComboFix2.txt 2012-05-01 20:02
.
Pre-Run: 13,279,653,888 bytes free
Post-Run: 13,256,990,720 bytes free
.
- - End Of File - - 55BB39E1CE51E8199FCA0E3AF6EC6323

#9 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 03 May 2012 - 01:40 PM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in add/remove anymore; this is fine, just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does a lot better of a job)

Programs to remove

Adobe Reader 9.5.1
Bing Rewards Client Installer


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.



Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#10 devincheetah
  • Topic Starter
  • Members
  • 9 posts

Posted 03 May 2012 - 10:22 PM

I removed Adobe Reader 9.5.1, but couldn't find Bing Rewards Client Installer. I installed Java and ran CCleaner. Computer is running fine. Here's the MBAM log:

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.03.08

Windows Vista x86 NTFS
Internet Explorer 8.0.6001.18904
Tim :: BENNETT-LAPTOP [administrator]

Protection: Enabled

5/3/2012 9:48:23 PM
mbam-log-2012-05-03 (21-48-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 194577
Time elapsed: 8 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



Here's the report from Hijackthis:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:12:41 PM, on 5/3/2012
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\spool\drivers\w32x86\3\EKAiO2MUI.exe
C:\Program Files\FileOpen\Services\FileOpenBroker32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Users\Tim\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Logitech\Vid HD\Vid.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\DacEasy\pvsw\W3DBSMGR.EXE
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\igfxext.exe
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_2_202_233_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [LTCM Client] C:\Program Files\LTCM Client\ltcmClient.exe /startup
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [EKAIO2StatusMonitor] C:\Windows\system32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe
O4 - HKLM\..\Run: [FileOpenBroker] C:\Program Files\FileOpen\Services\FileOpenBroker32.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [?????????] ??????????????e
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Logitech Vid] "C:\Program Files\Logitech\Vid HD\Vid.exe" -bootmode
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\DacEasy\pvsw\W3DBSMGR.EXE
O4 - Global Startup: Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: FileOpen Manager Service (FileOpenManagerSvc) - FileOpen Systems Inc. - C:\Program Files\FileOpen\Services\FileOpenManagerSvc32.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Secunia PSI Agent - Secunia - C:\Program Files\Secunia\PSI\PSIA.exe
O23 - Service: Secunia Update Agent - Secunia - C:\Program Files\Secunia\PSI\sua.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11334 bytes
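
The HijackThis log above is reviewed by hand, line by line, with the O4 autostart entries getting most of the attention (note the HKCU entry whose name and command the log can only show as "?"). As an added example for this thread, not HijackThis code and not something from any of the posts, here is a small Python triage script for HijackThis-style O4 lines. It flags the entries a reviewer would look at first: names or commands the log could not render, commands that launch from a temp directory, and Global Startup shortcuts whose target the log does not show. The sample lines are constructed from the format of the log above; the `TmpUpdater` line is hypothetical and only there to exercise the temp-directory check.

```python
"""Triage of HijackThis-style O4 autostart lines.

Added example for this thread; it is not HijackThis code and not from the
original posts. It reads 'O4 - <hive>\\..\\Run: [Name] command' and
'O4 - Global Startup: <shortcut> = <target>' lines and reports the entries a
reviewer would look at first.
"""
import re
import string
from typing import List, NamedTuple, Tuple


class Finding(NamedTuple):
    line: str
    reasons: Tuple[str, ...]


# 'O4 - HKLM\..\Run: [Name] command' (also matches HKUS\<SID>\..\Run)
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+(?:\\[^\\]+)*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\](?P<cmd>.*)$"
)
# 'O4 - Global Startup: Something.lnk = C:\path\to\target.exe'
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<target>.*)$")
# Anything launched out of a temp directory deserves a second look.
TEMP_RE = re.compile(r"\\(?:Temp|Tmp)\\", re.IGNORECASE)


def is_unreadable(text: str) -> bool:
    """True when the field is empty or is mostly characters the log could not
    render (HijackThis prints those as '?'), so it cannot be matched to any
    known program name or path."""
    s = text.strip()
    if not s:
        return True
    placeholders = sum(c == "?" for c in s)
    non_printable = sum(c not in string.printable for c in s)
    return (placeholders + non_printable) * 2 > len(s)


def triage_o4(log_text: str) -> List[Finding]:
    """Return one Finding per O4 line that has at least one review reason."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons: List[str] = []
        m = RUN_RE.match(line)
        if m:
            if is_unreadable(m.group("name")):
                reasons.append("unreadable entry name")
            cmd = m.group("cmd")
            if is_unreadable(cmd):
                reasons.append("unreadable or empty command")
            elif TEMP_RE.search(cmd):
                reasons.append("launches from a temp directory")
        else:
            m = STARTUP_RE.match(line)
            if m:
                target = m.group("target").strip()
                if target == "?":
                    reasons.append("shortcut target not shown in the log")
                elif TEMP_RE.search(target):
                    reasons.append("launches from a temp directory")
        if reasons:
            findings.append(Finding(line, tuple(reasons)))
    return findings


# Constructed sample in the format of the HijackThis log in this thread.
# The TmpUpdater line is hypothetical; the others mirror real log lines.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKCU\..\Run: [?????????] ??????????????e
O4 - HKCU\..\Run: [TmpUpdater] C:\Users\Tim\AppData\Local\Temp\tmpupd.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

if __name__ == "__main__":
    for finding in triage_o4(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("    ->", reason)
```

Run it against a saved log with `triage_o4(open("hijackthis.log").read())`. The flags are review hints, not verdicts: a shortcut whose target is shown as "?" (the Acer launcher above) or a vendor tool that happens to live under a Temp path still needs the same manual look the thread gives every entry, but the script puts those lines at the top of the list instead of leaving them buried among forty harmless Run keys.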

#11 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 03 May 2012 - 10:45 PM

Greetings

These logs are looking very good; we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; any of these programs you can start by clicking on their icons (or from the control panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
      O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
      O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
      O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [FileOpenBroker] C:\Program Files\FileOpen\Services\FileOpenBroker32.exe
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
      O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
      O4 - HKCU\..\Run: [Logitech Vid] "C:\Program Files\Logitech\Vid HD\Vid.exe" -bootmode
      O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
      O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
      O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
      O4 - Global Startup: Empowering Technology Launcher.lnk = ?
      O4 - Global Startup: Secunia PSI Tray.lnk = C:\Program Files\Secunia\PSI\psi_tray.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - on Vista and Win 7, right-click on the IE shortcut and run as admin

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
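The list above is a wall of HijackThis O4 and O23 lines from many vendors at once, and deciding which to keep comes down to where each entry's file actually lives. As an added example for readers of this thread (it is not HijackThis's, BleepingComputer's or gringo_pr's code), the following Python script parses such lines, extracts the file each entry really loads (a quoted path, an unquoted path containing spaces, or the DLL behind RUNDLL32), and flags the ones worth a manual look: targets HijackThis could not resolve, services with no owner, and images outside the usual program folders. The trusted-folder list, the review rule and the final HKCU line in SAMPLE_LINES are my own constructed assumptions, not anything HijackThis itself reports.

```python
"""Triage HijackThis O4 (autostart) and O23 (service) lines.

Added example for this thread; it is not HijackThis's, BleepingComputer's or
any other tool's code. It pulls the on-disk image out of each line so an
analyst can see which autostarts point outside the usual program folders.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Folders where installed software normally lives on this kind of machine.
# An image elsewhere (ProgramData, a user's AppData, Temp, ...) is not
# malicious by itself, but it is where the rogue files in this thread sat,
# so it deserves a manual look. Constructed heuristic, not a HijackThis rule.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\progra~1", r"c:\windows", r"c:\acer")


@dataclass
class AutostartEntry:
    kind: str              # "O4" (Run key / Startup folder) or "O23" (service)
    location: str          # registry hive, Startup folder or "service"
    name: str              # value name in [brackets], .lnk name or service name
    image: Optional[str]   # executable or DLL that actually gets loaded
    needs_review: bool


_O4_RUN = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
_O4_LNK = re.compile(r"^O4 - (?P<loc>.+?): (?P<name>.+?\.lnk) = (?P<cmd>.*)$")
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
_RUNDLL = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(?P<dll>[^,]+)', re.IGNORECASE)
_UNQUOTED = re.compile(r"^(?P<p>.+?\.(?:exe|dll|scr|com))(?:\s|$)", re.IGNORECASE)


def image_path(cmd: str) -> Optional[str]:
    """Return the file a HijackThis command string really loads, or None."""
    cmd = cmd.strip()
    if not cmd or cmd == "?":
        return None                      # HijackThis could not resolve the target
    m = _RUNDLL.match(cmd)
    if m:                                # rundll32 is only a host: report the DLL
        return m.group("dll").strip().strip('"')
    if cmd.startswith('"'):              # quoted path, arguments may follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = _UNQUOTED.match(cmd)             # unquoted path that may contain spaces
    return m.group("p") if m else cmd.split()[0]


def needs_review(image: Optional[str], owner: str = "") -> bool:
    """Constructed review rule: unresolved, ownerless, or outside trusted folders."""
    if image is None:
        return True                      # unresolved target: nothing to vouch for
    low = image.lower()
    outside = not any(low.startswith(p) for p in TRUSTED_PREFIXES)
    return outside or owner == "Unknown owner"


def parse_line(line: str) -> Optional[AutostartEntry]:
    line = line.strip()
    for rx, kind in ((_O4_RUN, "O4"), (_O4_LNK, "O4")):
        m = rx.match(line)
        if m:
            img = image_path(m.group("cmd"))
            return AutostartEntry(kind, m.group("loc"), m.group("name"), img, needs_review(img))
    m = _O23.match(line)
    if m:
        img = image_path(m.group("cmd"))
        return AutostartEntry("O23", "service", m.group("name"), img,
                              needs_review(img, m.group("owner")))
    return None                          # not an O4/O23 line


def review_list(lines: List[str]) -> List[AutostartEntry]:
    """Entries an analyst should look at before deciding to keep or fix them."""
    entries = (parse_line(l) for l in lines)
    return [e for e in entries if e is not None and e.needs_review]


# Lines taken from the logs in this thread, plus one constructed HKCU entry
# loading a DLL from a user profile to show what the review filter catches.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart",
    r"O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime',
    r"O4 - Global Startup: Empowering Technology Launcher.lnk = ?",
    r"O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe",
    r"O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe",
    # constructed line, not from the thread's logs:
    r"O4 - HKCU\..\Run: [ClipMainSched] RUNDLL32.EXE C:\Users\Tim\AppData\Local\msWIclass\ClipMainSched.dll,Start",
]

if __name__ == "__main__":
    for e in review_list(SAMPLE_LINES):
        print(f"{e.kind} {e.name!r:38} -> {e.image}")
```

Run it as-is and it prints the three entries that fail the review rule; to use it on a real log, feed the O4/O23 section of the HijackThis text to review_list one line at a time. Every entry it flags still needs a human decision, exactly as the post above says: the rule only decides what to look at, not what to remove.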

#12 devincheetah

devincheetah
  • Topic Starter
  • Members
  • 9 posts

Posted 04 May 2012 - 11:26 PM

I decided to keep a few of the start-ups but I removed the rest of the list from your post using HijackThis. Here is the log from Eset:

C:\Qoobox\Quarantine\C\ProgramData\YDdRtmhilFNORa.exe.vir a variant of Win32/Kryptik.AEWT trojan
C:\Qoobox\Quarantine\C\ProgramData\yfc3An8CQAFy2N.exe.vir a variant of Win32/Kryptik.AEWT trojan
C:\Users\Tim\AppData\Local\msWIclass\ClipMainSched.dll probably a variant of Win32/Sefnit.CD trojan

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 May 2012 - 11:33 PM

Hello

There are some minor things in your online scan that should be removed.


delete files

  • Copy all text in the quote box (below)...to Notepad.

    @echo off
    REM /f forces deletion of read-only files, /s also checks subfolders, /q skips the confirmation prompt
    del /f /s /q "C:\Users\Tim\AppData\Local\msWIclass\ClipMainSched.dll"
    REM %0 is this batch file itself, so it removes itself last
    del %0

  • Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
    (screenshots of the save dialog for XP and Vista were attached here)
  • Double click on delfile.bat to execute it.
    A black CMD window will flash, then disappear...this is normal.
  • The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.


The rest of the online scan is only reporting backups created during the course of this fix (C:\Qoobox\Quarantine\), and/or items located in System Restore's cache (C:\System Volume Information\). Whatever is in these folders can't harm you unless you choose to perform a manual restore. The following steps will remove these backups.




Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


:Why we need to remove some of our tools:

Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful, and if used incorrectly or at the wrong time they can make the computer an expensive paperweight.
They are updated all the time, some of them more than once a day, so by the time you are ready to use them again they will already be outdated.

The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

:DeFogger:

Note** Defogger only needs to be run if it was run when we first started. If you have not already run it then skip this.

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK.
Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:

  • Turn off all active protection software
  • Push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • Please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

:Remove the rest of our tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:The programs you can keep:

Some of the programs that we have used would be a good idea to keep and use often to help keep the computer clean. I use these programs on my computer.

Revo Uninstaller Free - this is the uninstaller that I had you download; it works a lot better than Add/Remove in Windows and has saved me more than once from corrupted installs and uninstalls

CCleaner - This is a good program to clean out temp files. I would use this once a week or before any malware scan to remove unwanted temp files. It has a built-in registry cleaner, but I would leave that alone and not use any registry cleaner

Malwarebytes' Anti-Malware - The gold standard today in antimalware scanners

:Security programs:

One of the questions I am asked all the time is "What programs do you use?" I have at this time 4 computers in my home and I have this setup on all 4 of them.

  • Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
  • WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often. (I have upgraded to the paid version of MBAM and I am glad I did)


    Note** If you decide to install MSE you will need to uninstall your present antivirus

:Security awareness:

The other question I am asked all the time is "How can I prevent this from happening again?" and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must reads and should be read by everybody in your household that uses the internet.

internetsafety

Internet Safety for Kids

Here is some more reading for you from some of my colleagues

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum

COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

quoted from Tech Support Forum

Conclusion

There is no such thing as ‘perfect security’. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Gringo
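The post above applies a simple rule to the ESET output: hits under C:\Qoobox\Quarantine\ or C:\System Volume Information\ are backups that the cleanup steps remove anyway, while a hit on a live path (here the DLL in the user's AppData folder) needs an explicit delete. As an added example for this thread (not ESET's, ComboFix's or gringo_pr's code), this Python script applies that rule to scan-log lines and builds the same kind of self-deleting batch file for whatever is still live. The tab-or-space parsing fallback is my assumption about how the log text survives being pasted into a forum post.

```python
r"""Sort ESET Online Scanner findings into quarantine copies versus live files.

Added example for this thread, not ESET's, ComboFix's or BleepingComputer's
code. It applies the rule from the post above: a hit under ComboFix's
quarantine (C:\Qoobox\Quarantine) or System Restore's cache
(C:\System Volume Information) is a backup the cleanup step removes anyway,
while a hit on a live path still needs an explicit delete.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Locations that only hold copies of files already taken out of service.
BACKUP_PREFIXES = (r"c:\qoobox\quarantine", r"c:\system volume information")

# ESET writes "<path><TAB><detection>". Pasting into a forum often collapses
# the tab to a space, so fall back to splitting right before the detection
# name, which always carries a "Platform/Family" token such as Win32/Kryptik.AEWT.
# That fallback is an assumption, not ESET's documented format.
_LINE = re.compile(r"^(?P<path>.+?)\s+(?P<det>(?:probably )?(?:a variant of )?[A-Za-z0-9.]+/\S+.*)$")


@dataclass
class Finding:
    path: str
    detection: str
    is_backup: bool


def parse_finding(line: str) -> Optional[Finding]:
    """Parse one scan-log line; return None for blank or unrecognised lines."""
    line = line.strip()
    if not line:
        return None
    if "\t" in line:
        path, det = line.split("\t", 1)
    else:
        m = _LINE.match(line)
        if not m:
            return None
        path, det = m.group("path"), m.group("det")
    low = path.lower()
    return Finding(path, det.strip(), any(low.startswith(p) for p in BACKUP_PREFIXES))


def classify(log_text: str) -> Tuple[List[Finding], List[Finding]]:
    """Return (backups, live) findings from an ESET log."""
    findings = [f for f in map(parse_finding, log_text.splitlines()) if f]
    return [f for f in findings if f.is_backup], [f for f in findings if not f.is_backup]


def delete_batch(paths: List[str]) -> str:
    """Build the same self-deleting batch file the post uses for live hits."""
    body = ["@echo off"]
    body += [f'del /f /s /q "{p}"' for p in paths]   # same switches as the post
    body.append("del %0")                            # the batch removes itself
    return "\r\n".join(body) + "\r\n"


# The three findings devincheetah pasted above; the .vir suffix is the one
# the quarantine tool added when it moved the files into C:\Qoobox.
SAMPLE_LOG = r"""
C:\Qoobox\Quarantine\C\ProgramData\YDdRtmhilFNORa.exe.vir a variant of Win32/Kryptik.AEWT trojan
C:\Qoobox\Quarantine\C\ProgramData\yfc3An8CQAFy2N.exe.vir a variant of Win32/Kryptik.AEWT trojan
C:\Users\Tim\AppData\Local\msWIclass\ClipMainSched.dll probably a variant of Win32/Sefnit.CD trojan
"""

if __name__ == "__main__":
    backups, live = classify(SAMPLE_LOG)
    print(f"{len(backups)} backup copies (removed by the cleanup steps)")
    for f in live:
        print(f"LIVE: {f.path}  [{f.detection}]")
    print(delete_batch([f.path for f in live]))
```

For the three lines in this thread it reports two backup copies and one live file, and prints a batch identical in shape to the one in the "delete files" step. The classification is deliberately conservative: anything that is not under a known backup location is treated as live and shown to the analyst rather than silently ignored.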

#14 devincheetah

devincheetah
  • Topic Starter
  • Members
  • 9 posts

Posted 06 May 2012 - 12:05 AM

I finished cleaning up the computer. I do have two more questions:

1) Is it safe to reinstall Adobe Reader? I sort of need it back.
2) This article: http://www.bleepingcomputer.com/virus-removal/remove-data-recovery mentioned a program called Unhide.exe which I had used and is still on my computer. Is it safe/unsafe/useful/pointless to run it now?

And really, thanks for everything!

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 06 May 2012 - 12:23 AM

Hello


1. Yes, you can install it - sorry for not telling you before

2. Do you have any hidden files? If so, you can run it



gringo