
Possible MEDFOS trojan


This topic is locked
12 replies to this topic

#1 Blue Meerkat (Members, 6 posts)

Posted 03 May 2012 - 02:47 PM

Hi,

What a great website. Hopefully one of you kind Samaritans can help me out here.

My wife's Asus Vista laptop seems to have succumbed to some form of lurgi.

First sign was around a week ago when ESET SmartSecurity detected something and quarantined a few files:

C:\Users\Gill\AppData\Local\Temp\sexcsh.dll
- Reason: "a variant of Medfos.F trojan"
C:\Users\David\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5MQ7Q2EF\setup_lib_srl[1].exe
- Reason: "probably a variant of Win32\TrojanDownloader.Agent.GFHYNLH trojan"
C:\Users\Gill\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HT6J0WGM\AQG...very-long....AAA[1].htm
- Reason: "a variant of Medfos.F trojan"

I had to manually dig into the registry to stop it attempting to run sexcsh.dll (which couldn't be found due to quarantining).

I then ran MBAM which still found...

Memory Modules Detected: 1
C:\Users\Gill\AppData\Local\Temp\stcid.dll (Trojan.Medhos) -> Delete on reboot.

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|stcid (Trojan.Medhos) -> Data: rundll32.exe "C:\Users\Gill\AppData\Local\Temp\stcid.dll",mpegSplitClose -> Quarantined and deleted successfully.

I then reran full scans of ESET, MBAM and Windows Defender to be sure it was clean... and thought I was ok again.

HOWEVER, a few days later my wife was googling and was redirected somewhere odd... we went back to Google, where one of the links to a safe website had been redirected to pagead.googledoubleclicks.com/....

So I reran the scanners and ESET found

C:\Users\Gill\AppData\Local\Temp\raplg.dll
- Reason: "a variant of Medfos.L trojan"
C:\Users\Gill\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HT6J0WGM\AQG...very-long....AAA[2].htm
- Reason: "a variant of Medfos.L trojan"

I ran the scanners again thereafter and found nothing more.
However, a couple of days later, and I just spotted another google link, redirected to pagead.googledoubleclicks.com.
Just ran ESET and MBAM but nothing was spotted - but I suspect something is lurking!
Unfortunately (perhaps) it only seems to happen very occasionally (once or twice a night perhaps), so not easy to check if it is fixed.

So much for my ramblings and my failed attempts to resolve this... now for some logs...

Thanks,

David


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Gill at 19:33:15 on 2012-05-03
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2047.919 [GMT 1:00]
.
AV: ESET Smart Security 4.0 *Enabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
SP: ESET Smart Security 4.0 *Enabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET Personal firewall *Enabled* {F3340042-195E-BB41-42D1-CDB495BB46DE}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Macrium\Reflect\ReflectService.exe
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\StkCSrv.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\ASUS\Net4Switch\Net4Switch.exe
C:\Windows\Explorer.EXE
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\ATKOSD2\ATKOSD2.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\P4G\BatteryLife.exe
C:\Windows\System32\ACEngSvr.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\ASScrPro.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Windows\System32\spool\drivers\w32x86\3\EKAiO2MUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\ehome\ehRecvr.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskeng.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.asus.com
mDefault_Page_URL = hxxp://www.asus.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
uRun: [<NO NAME>]
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [ATKMEDIA] c:\program files\asus\atk media\DMEDIA.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ASUS Camera ScreenSaver] c:\windows\ASScrProlog.exe
mRun: [ASUS Screen Saver Protector] c:\windows\ASScrPro.exe
mRun: [WinCast] c:\hauppauge\wintv cd 4.0\cdsetup\setup.exe -leng
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [NPSStartup]
mRun: [Conime] %windir%\system32\conime.exe
mRun: [EKAIO2StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKAiO2MUI.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [KodakHomeCenter] "c:\program files\kodak\aio\center\AiOHomeCenter.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\belkin\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
LSP: c:\windows\system32\wpclsp.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{9E1FDC5F-0A26-466F-AA5E-9F6A2CB0BED3} : DhcpNameServer = 192.168.1.254
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 192.168.1.254 bthomehub
Hosts: 192.168.1.68 buffalo
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\gill\appdata\roaming\mozilla\firefox\profiles\t8cksxjc.default\
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
.
============= SERVICES / DRIVERS ===============
.
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [2011-10-31 16024]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-9-11 108792]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-9-11 735960]
R2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2009-9-11 38240]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-19 21504]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\kodak\aio\center\EKAiOHostService.exe [2011-12-19 394672]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2011-10-31 220824]
R2 StkSSrv;Syntek AVStream USB2.0 WebCam Service;c:\windows\system32\StkCSrv.exe [2007-2-7 24576]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-2-25 27632]
R3 StkCMini;Syntek AVStream USB2.0 1.3M WebCam;c:\windows\system32\drivers\StkCMini.sys [2007-2-13 1245056]
R3 WCPU;WCPU;c:\program files\p4g\WCPU.sys [2007-5-24 11120]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-7-2 36608]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-1-4 10976]
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\wintv\HCWTVS~1.EXE [2007-12-28 815104]
S3 hcw95bda;Hauppauge MOD7700 Tuner Driver;c:\windows\system32\drivers\hcw95bda.sys [2007-12-28 467456]
S3 hcw95rc;Hauppauge MOD7700 IR Driver;c:\windows\system32\drivers\hcw95rc.sys [2007-12-28 15488]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 s0017bus;Sony Ericsson Device 0017 driver (WDM);c:\windows\system32\drivers\s0017bus.sys [2009-1-4 90536]
S3 s0017mdfl;Sony Ericsson Device 0017 USB WMC Modem Filter;c:\windows\system32\drivers\s0017mdfl.sys [2009-1-4 15016]
S3 s0017mdm;Sony Ericsson Device 0017 USB WMC Modem Driver;c:\windows\system32\drivers\s0017mdm.sys [2009-1-4 122152]
S3 s0017mgmt;Sony Ericsson Device 0017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0017mgmt.sys [2009-1-4 115496]
S3 s0017nd5;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (NDIS);c:\windows\system32\drivers\s0017nd5.sys [2009-1-4 25768]
S3 s0017obex;Sony Ericsson Device 0017 USB WMC OBEX Interface;c:\windows\system32\drivers\s0017obex.sys [2009-1-4 111912]
S3 s0017unic;Sony Ericsson Device 0017 USB Ethernet Emulation SEMC0017 (WDM);c:\windows\system32\drivers\s0017unic.sys [2009-1-4 117672]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 EPGService;EPGService;c:\progra~1\wintv\epg services\system\EPGService.exe [2007-12-28 374272]
.
=============== Created Last 30 ================
.
2072-04-03 13:13:14 607296 ------w- c:\program files\microsoft games\age of empires iii\deformerdllyD.dll
2071-07-25 09:13:30 203576 ------w- c:\program files\microsoft games\age of empires iii\autopatcher2.exe
2012-05-01 05:52:24 -------- d-----w- c:\users\gill\appdata\roaming\SUPERAntiSpyware.com
2012-05-01 05:51:14 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-05-01 05:51:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-05-01 05:43:09 6734704 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{8b8b6ad8-2a9f-49b7-8d90-dd267f512861}\mpengine.dll
2012-04-22 15:55:44 -------- d-----w- c:\users\gill\appdata\roaming\Malwarebytes
2012-04-22 15:54:56 -------- d-----w- c:\programdata\Malwarebytes
2012-04-22 15:54:55 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-22 15:54:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-13 13:02:34 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-13 13:02:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-04-13 13:02:33 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-13 13:02:33 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-13 13:01:45 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-13 13:01:44 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-12 07:21:53 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-04-08 20:18:56 -------- d-----w- c:\users\gill\appdata\local\{126967B4-81B8-11E1-826D-B8AC6F996F26}
.
==================== Find3M ====================
.
2012-05-03 16:26:14 45056 ----a-w- c:\windows\system32\acovcnt.exe
2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-23 09:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-15 11:01:50 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 11:01:50 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-14 15:45:30 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-02-14 15:45:30 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-02-14 11:09:44 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-02-13 14:12:08 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-02-13 13:47:57 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-02-13 13:44:40 1068544 ----a-w- c:\windows\system32\DWrite.dll
.
============= FINISH: 19:35:10.20 ===============
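Added example (not from this thread or from any of the tools it mentions): a Python triage script that parses the autostart formats shown in the logs above (DDS uRun/mRun lines, MBAM registry detections, ComboFix REGEDIT4-style lines) and flags the persistence pattern MBAM reported, rundll32.exe loading a DLL from the user's Temp folder via a named export, as well as Run values with no target (the kind ComboFix later lists as orphans). The sample lines are constructed from entries in this thread; the DDS-style raplg line is an assumption built from the MBAM finding.

```python
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the DDS and MBAM output in this thread,
# plus one DDS-style line (raplg) assumed from the MBAM finding, and one
# ComboFix-style line for a benign startup entry.
SAMPLE_LINES = [
    r"uRun: [<NO NAME>]",
    r"uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe",
    r'mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice',
    r"mRun: [NPSStartup]",
    r'uRun: [raplg] rundll32.exe "c:\users\gill\appdata\local\temp\raplg.dll",mpegSplitClose',
    r'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|stcid (Trojan.Medhos) -> Data: rundll32.exe "C:\Users\Gill\AppData\Local\Temp\stcid.dll",mpegSplitClose -> Quarantined and deleted successfully.',
    r'"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-04-20 3905920]',
]

# DDS "Pseudo HJT Report": uRun/mRun/dRun(Once): [name] command
DDS_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\](?: (?P<cmd>.*))?$")
# MBAM: HKxx\...\Run|name (Detection) -> Data: command -> action
MBAM_RE = re.compile(
    r"^(?P<key>HK[A-Z]+\\\S+?)\|(?P<name>\S*) \([^)]*\) -> Data: (?P<cmd>.*?)(?: -> .*)?$"
)
# ComboFix "Reg Loading Points": "name"="command" [date size]
CF_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>[^"]*)"(?: \[[^\]]*\])?$')

# rundll32.exe "<dll>",<export>  (the Medfos loader pattern reported by MBAM)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S+)', re.I
)
# Directories a non-admin user can write to; a DLL loaded from here at logon
# is a strong signal, whereas system32 or Program Files is far less so.
USER_WRITABLE_RE = re.compile(r"\\(?:appdata|temp|tmp|programdata)\\", re.I)


@dataclass
class Finding:
    name: str
    command: str
    severity: str  # "high" or "info"
    reason: str


def parse_entry(line):
    """Return (value name, command) for a DDS, MBAM or ComboFix autostart line, else None."""
    for rx in (DDS_RE, MBAM_RE, CF_RE):
        m = rx.match(line.strip())
        if m:
            return m.group("name"), (m.group("cmd") or "").strip()
    return None


def assess(name, command):
    """Classify one autostart entry; None means nothing noteworthy."""
    if not command or name in ("", "<NO NAME>"):
        return Finding(name, command, "info", "Run value with no target (orphan)")
    m = RUNDLL_RE.search(command)
    if m and USER_WRITABLE_RE.search(m.group("dll")):
        return Finding(
            name, command, "high",
            f"rundll32 loads {m.group('dll')} (export {m.group('export')}) "
            "from a user-writable folder",
        )
    return None


def triage(lines):
    """Run every parseable line through assess() and collect the findings in order."""
    findings = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        finding = assess(*parsed)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:4}] {f.name!r}: {f.reason}")
```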


#2 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Location: Puerto rico)

Posted 03 May 2012 - 11:58 PM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


#3 Blue Meerkat (Topic Starter, Members, 6 posts)

Posted 04 May 2012 - 01:49 PM

Thanks gringo_pr.

Ok, I ran Security Check, disabled antivirus and ran ComboFix as requested with no problems.
However, does the ComboFix output imply I disabled ESET antivirus but failed to disable its firewall?
Is that an issue? Should I rerun?

How is the PC running... Answer: so far so good, but it was always a bit intermittent, so I'll not start dancing just yet. A night of surfing should give me a better idea.

Ok - log time...

Results of screen317's Security Check version 0.99.32
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

ESET Smart Security
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

SUPERAntiSpyware
Adobe Flash

ComboFix 12-05-04.03 - Gill 04/05/2012 19:05:19.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2047.1077 [GMT 1:00]
Running from: c:\users\Gill\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *Disabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
FW: ESET Personal firewall *Enabled* {F3340042-195E-BB41-42D1-CDB495BB46DE}
SP: ESET Smart Security 4.0 *Disabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_usnjsvc
.
.
((((((((((((((((((((((((( Files Created from 2012-04-04 to 2012-05-04 )))))))))))))))))))))))))))))))
.
.
2072-04-03 13:13 . 2008-03-21 14:46 607296 ------w- c:\program files\Microsoft Games\Age of Empires III\deformerdllyD.dll
2071-07-25 09:13 . 2006-11-21 20:48 203576 ------w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
2012-05-04 18:13 . 2012-05-04 18:20 -------- d-----w- c:\users\Gill\AppData\Local\temp
2012-05-04 18:13 . 2012-05-04 18:13 -------- d-----w- c:\users\TestABC\AppData\Local\temp
2012-05-04 17:35 . 2012-04-13 07:36 6734704 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{93FA124B-9D93-42A3-B57C-8208E72BF4DF}\mpengine.dll
2012-05-04 17:35 . 2012-05-04 17:35 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-04 17:35 . 2012-05-04 17:35 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-04 17:35 . 2012-05-04 17:35 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-05-01 05:52 . 2012-05-01 05:52 -------- d-----w- c:\users\Gill\AppData\Roaming\SUPERAntiSpyware.com
2012-05-01 05:51 . 2012-05-01 05:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-05-01 05:51 . 2012-05-01 05:51 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-04-22 15:55 . 2012-04-22 15:55 -------- d-----w- c:\users\Gill\AppData\Roaming\Malwarebytes
2012-04-22 15:54 . 2012-04-22 15:54 -------- d-----w- c:\programdata\Malwarebytes
2012-04-22 15:54 . 2012-04-22 15:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-22 15:54 . 2012-04-04 14:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-13 13:02 . 2012-02-29 15:11 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-13 13:02 . 2012-02-29 15:11 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-04-13 13:02 . 2012-02-29 15:09 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-13 13:02 . 2012-02-29 13:32 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-13 13:01 . 2012-03-06 06:39 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-13 13:01 . 2012-03-06 06:39 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-12 07:21 . 2012-03-01 11:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-04-08 20:18 . 2012-04-08 20:18 -------- d-----w- c:\users\Gill\AppData\Local\{126967B4-81B8-11E1-826D-B8AC6F996F26}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-04 18:20 . 2007-08-13 11:59 45056 ----a-w- c:\windows\system32\acovcnt.exe
2012-02-23 09:18 . 2009-10-06 21:57 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-15 11:01 . 2012-02-15 11:01 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 11:01 . 2012-02-15 11:01 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-14 15:45 . 2012-03-14 08:10 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-02-14 15:45 . 2012-03-14 08:10 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-02-14 11:09 . 2012-02-14 11:09 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-02-13 14:12 . 2012-03-14 08:10 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-02-13 13:47 . 2012-03-14 08:10 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-02-13 13:44 . 2012-03-14 08:10 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-02-11 10:56 . 2012-02-11 10:56 800824 ----a-w- c:\users\Default\AppData\Roaming\DPInst.exe
2012-02-11 10:56 . 2012-02-11 10:56 36352 ----a-w- c:\users\Default\AppData\Roaming\PnPutil.exe
2012-02-11 10:56 . 2012-02-11 10:56 106496 ----a-w- c:\users\Default\AppData\Roaming\gacutil.exe
2012-05-04 17:35 . 2011-05-02 14:15 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-04-20 3905920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-15 4390912]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 61440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-22 815104]
"ASUS Camera ScreenSaver"="c:\windows\ASScrProlog.exe" [2007-05-24 37232]
"ASUS Screen Saver Protector"="c:\windows\ASScrPro.exe" [2007-05-24 33136]
"WinCast"="c:\hauppauge\WinTV CD 4.0\CDSetup\setup.exe" [2007-08-21 110653]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-09-11 2054360]
"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]
"EKAIO2StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe" [2011-12-10 2756608]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-06 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"KodakHomeCenter"="c:\program files\Kodak\AiO\Center\AiOHomeCenter.exe" [2011-12-12 2234288]
.
c:\users\Ross\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 22:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2007-03-26 18:42 1057328 ----a-w- c:\program files\Nero\Nero 7\InCD\InCD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MFP Manager]
2008-06-05 16:20 712704 ----a-w- c:\program files\MFP Server Utilities\MFPAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-26 19:12 161328 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerForPhone]
2007-01-15 22:17 778240 ----a-w- c:\program files\PowerForPhone\PowerForPhone.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 14:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-04-11 10:04 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.asus.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
LSP: c:\windows\system32\wpclsp.dll
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Gill\AppData\Roaming\Mozilla\Firefox\Profiles\t8cksxjc.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-NPSStartup - (no file)
MSConfigStartUp-raplg - c:\users\Gill\AppData\Local\Temp\raplg.dll
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-04 19:21
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"=hex:51,66,7a,6c,4c,1d,38,12,f1,9d,97,
02,e5,86,37,08,c7,6b,3b,0b,78,35,a4,a7
"{3049C3E9-B461-4BC5-8870-4C09146192CA}"=hex:51,66,7a,6c,4c,1d,38,12,87,c0,5a,
34,53,fa,ab,0e,f7,66,0f,49,11,3f,d6,de
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:b2,ab,d9,0f,9e,f7,cc,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,ec,db,a5,6b,27,d5,42,a5,17,ef,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,ec,db,a5,6b,27,d5,42,a5,17,ef,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(2136)
c:\windows\system32\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\ATK Hotkey\ASLDRSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ESET\ESET Smart Security\ekrn.exe
c:\program files\Kodak\AiO\Center\EKAiOHostService.exe
c:\program files\Macrium\Reflect\ReflectService.exe
c:\program files\ASUS\NB Probe\SPM\spmgr.exe
c:\windows\System32\StkCSrv.exe
c:\windows\ehome\ehRecvr.exe
c:\program files\ASUS\Net4Switch\Net4Switch.exe
c:\program files\ATK Hotkey\Hcontrol.exe
c:\program files\ATKOSD2\ATKOSD2.exe
c:\program files\Wireless Console 2\wcourier.exe
c:\program files\ASUS\Splendid\ACMON.exe
c:\program files\P4G\BatteryLife.exe
c:\program files\ATK Hotkey\ATKOSD.exe
c:\windows\System32\ACEngSvr.exe
c:\windows\RtHDVCpl.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\ehome\mcupdate.EXE
.
**************************************************************************
.
Completion time: 2012-05-04 19:25:50 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-04 18:25
.
Pre-Run: 22,600,904,704 bytes free
Post-Run: 24,239,173,632 bytes free
.
- - End Of File - - 9D1B343F357BB94C3A05EFA5CA6AE4E4
Player 9 Flash Player out of date!
Adobe Flash Player 10.3.183.5 Flash Player out of Date!
Adobe Reader 8 Adobe Reader out of date!
Adobe Reader X KB403742.. Adobe Reader out of Date!
Mozilla Firefox (12.0.)
Mozilla Thunderbird (x86 en-GB..)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSASCui.exe
Windows Defender MSASCui.exe
``````````End of Log````````````

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:09 PM

Posted 04 May 2012 - 03:03 PM

Greetings

I want you to run these next,

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 Blue Meerkat
  • Topic Starter
  • Members
  • 6 posts
  • Local time:12:09 AM

Posted 05 May 2012 - 07:38 AM

Hi Gringo,

Thanks. So far so good. Had no Google links redirected last night.

TDSSKiller and aswMBR logs as requested...

08:49:19.0376 1516 TDSS rootkit removing tool 2.7.34.0 May 2 2012 09:59:18
08:49:19.0407 1516 ============================================================
08:49:19.0407 1516 Current date / time: 2012/05/05 08:49:19.0407
08:49:19.0407 1516 SystemInfo:
08:49:19.0407 1516
08:49:19.0407 1516 OS Version: 6.0.6002 ServicePack: 2.0
08:49:19.0407 1516 Product type: Workstation
08:49:19.0407 1516 ComputerName: GILL-PC
08:49:19.0407 1516 UserName: Gill
08:49:19.0407 1516 Windows directory: C:\Windows
08:49:19.0407 1516 System windows directory: C:\Windows
08:49:19.0407 1516 Processor architecture: Intel x86
08:49:19.0407 1516 Number of processors: 2
08:49:19.0407 1516 Page size: 0x1000
08:49:19.0407 1516 Boot type: Normal boot
08:49:19.0407 1516 ============================================================
08:49:20.0936 1516 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x93E52, SectorsPerTrack: 0x4, TracksPerCylinder: 0x81, Type 'K0', Flags 0x00000050
08:49:20.0936 1516 ============================================================
08:49:20.0936 1516 \Device\Harddisk0\DR0:
08:49:20.0936 1516 MBR partitions:
08:49:20.0936 1516 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0xDAC800, BlocksNum 0x950C800
08:49:20.0951 1516 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0xA2B9800, BlocksNum 0x875F800
08:49:20.0951 1516 ============================================================
08:49:20.0998 1516 C: <-> \Device\Harddisk0\DR0\Partition0
08:49:21.0092 1516 D: <-> \Device\Harddisk0\DR0\Partition1
08:49:21.0092 1516 ============================================================
08:49:21.0092 1516 Initialize success
08:49:21.0092 1516 ============================================================
08:49:45.0241 4084 ============================================================
08:49:45.0241 4084 Scan started
08:49:45.0241 4084 Mode: Manual;
08:49:45.0241 4084 ============================================================
08:49:46.0130 4084 !SASCORE (c0393eb99a6c72c6bef9bfc4a72b33a6) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
08:49:46.0130 4084 !SASCORE - ok
08:49:46.0348 4084 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
08:49:46.0348 4084 ACPI - ok
08:49:46.0411 4084 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
08:49:46.0457 4084 adp94xx - ok
08:49:46.0520 4084 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
08:49:46.0598 4084 adpahci - ok
08:49:46.0629 4084 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
08:49:46.0676 4084 adpu160m - ok
08:49:46.0691 4084 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
08:49:46.0785 4084 adpu320 - ok
08:49:46.0832 4084 AeLookupSvc (9d1fda9e086ba64e3c93c9de32461bcf) C:\Windows\System32\aelupsvc.dll
08:49:46.0832 4084 AeLookupSvc - ok
08:49:46.0894 4084 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
08:49:46.0941 4084 AFD - ok
08:49:47.0003 4084 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
08:49:47.0066 4084 agp440 - ok
08:49:47.0113 4084 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
08:49:47.0159 4084 aic78xx - ok
08:49:47.0191 4084 ALG (a1545b731579895d8cc44fc0481c1192) C:\Windows\System32\alg.exe
08:49:47.0191 4084 ALG - ok
08:49:47.0206 4084 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
08:49:47.0206 4084 aliide - ok
08:49:47.0222 4084 ALIWEHCD - ok
08:49:47.0237 4084 AliWGP - ok
08:49:47.0269 4084 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
08:49:47.0347 4084 amdagp - ok
08:49:47.0362 4084 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
08:49:47.0393 4084 amdide - ok
08:49:47.0440 4084 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
08:49:47.0518 4084 AmdK7 - ok
08:49:47.0534 4084 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
08:49:47.0581 4084 AmdK8 - ok
08:49:47.0627 4084 Appinfo (c6d704c7f0434dc791aac37cac4b6e14) C:\Windows\System32\appinfo.dll
08:49:47.0627 4084 Appinfo - ok
08:49:47.0752 4084 Apple Mobile Device (7ef47644b74ebe721cc32211d3c35e76) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
08:49:47.0752 4084 Apple Mobile Device - ok
08:49:47.0815 4084 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
08:49:47.0861 4084 arc - ok
08:49:47.0908 4084 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
08:49:47.0971 4084 arcsas - ok
08:49:48.0017 4084 ASLDRService (66597ad6098352d11239c0c42100b176) C:\Program Files\ATK Hotkey\ASLDRSrv.exe
08:49:48.0017 4084 ASLDRService - ok
08:49:48.0064 4084 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
08:49:48.0064 4084 AsyncMac - ok
08:49:48.0111 4084 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
08:49:48.0111 4084 atapi - ok
08:49:48.0189 4084 Ati External Event Utility (86fb6b8ddbcb6e025ce8a90f77af1ff1) C:\Windows\system32\Ati2evxx.exe
08:49:48.0205 4084 Ati External Event Utility - ok
08:49:48.0751 4084 atikmdag (a23efb72057fed7128eb558866055fdf) C:\Windows\system32\DRIVERS\atikmdag.sys
08:49:48.0860 4084 atikmdag - ok
08:49:49.0047 4084 AudioEndpointBuilder (68e2a1a0407a66cf50da0300852424ab) C:\Windows\System32\Audiosrv.dll
08:49:49.0047 4084 AudioEndpointBuilder - ok
08:49:49.0063 4084 Audiosrv (68e2a1a0407a66cf50da0300852424ab) C:\Windows\System32\Audiosrv.dll
08:49:49.0063 4084 Audiosrv - ok
08:49:49.0141 4084 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
08:49:49.0172 4084 Beep - ok
08:49:49.0234 4084 BFE (c789af0f724fda5852fb9a7d3a432381) C:\Windows\System32\bfe.dll
08:49:49.0234 4084 BFE - ok
08:49:49.0343 4084 BITS (93952506c6d67330367f7e7934b6a02f) C:\Windows\system32\qmgr.dll
08:49:49.0359 4084 BITS - ok
08:49:49.0359 4084 blbdrive - ok
08:49:49.0515 4084 Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) C:\Program Files\Bonjour\mDNSResponder.exe
08:49:49.0515 4084 Bonjour Service - ok
08:49:49.0546 4084 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
08:49:49.0546 4084 bowser - ok
08:49:49.0593 4084 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
08:49:49.0593 4084 BrFiltLo - ok
08:49:49.0624 4084 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
08:49:49.0624 4084 BrFiltUp - ok
08:49:49.0655 4084 Browser (a3629a0c4226f9e9c72faaeebc3ad33c) C:\Windows\System32\browser.dll
08:49:49.0655 4084 Browser - ok
08:49:49.0718 4084 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
08:49:49.0718 4084 Brserid - ok
08:49:49.0733 4084 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
08:49:49.0733 4084 BrSerWdm - ok
08:49:49.0765 4084 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
08:49:49.0765 4084 BrUsbMdm - ok
08:49:49.0780 4084 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
08:49:49.0780 4084 BrUsbSer - ok
08:49:49.0843 4084 BthEnum (6d39c954799b63ba866910234cf7d726) C:\Windows\system32\DRIVERS\BthEnum.sys
08:49:49.0874 4084 BthEnum - ok
08:49:49.0905 4084 BTHMODEM (9a966a8e86d1771911ae34a20d11bff3) C:\Windows\system32\DRIVERS\bthmodem.sys
08:49:49.0905 4084 BTHMODEM - ok
08:49:49.0952 4084 BthPan (5904efa25f829bf84ea6fb045134a1d8) C:\Windows\system32\DRIVERS\bthpan.sys
08:49:49.0952 4084 BthPan - ok
08:49:50.0014 4084 BTHPORT (611ff3f2f095c8d4a6d4cfd9dcc09793) C:\Windows\system32\Drivers\BTHport.sys
08:49:50.0030 4084 BTHPORT - ok
08:49:50.0061 4084 BthServ (a4c8377fa4a994e07075107dbe2e3dce) C:\Windows\System32\bthserv.dll
08:49:50.0061 4084 BthServ - ok
08:49:50.0092 4084 BTHUSB (d330803eab2a15caec7f011f1d4cb30e) C:\Windows\system32\Drivers\BTHUSB.sys
08:49:50.0139 4084 BTHUSB - ok
08:49:50.0201 4084 btwaudio (f064be7316889ec0a63f8a91856047a1) C:\Windows\system32\drivers\btwaudio.sys
08:49:50.0279 4084 btwaudio - ok
08:49:50.0326 4084 btwavdt (bf9256ff01b093a5d90bb7a35ec90410) C:\Windows\system32\drivers\btwavdt.sys
08:49:50.0326 4084 btwavdt - ok
08:49:50.0342 4084 btwrchid (0ab8c1ac177afb27309e1072faf34a37) C:\Windows\system32\DRIVERS\btwrchid.sys
08:49:50.0373 4084 btwrchid - ok
08:49:50.0467 4084 catchme - ok
08:49:50.0529 4084 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
08:49:50.0576 4084 cdfs - ok
08:49:50.0623 4084 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
08:49:50.0701 4084 cdrom - ok
08:49:50.0732 4084 CertPropSvc (312ec3e37a0a1f2006534913e37b4423) C:\Windows\System32\certprop.dll
08:49:50.0747 4084 CertPropSvc - ok
08:49:50.0763 4084 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
08:49:50.0841 4084 circlass - ok
08:49:50.0903 4084 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
08:49:50.0903 4084 CLFS - ok
08:49:50.0981 4084 clr_optimization_v2.0.50727_32 (8ee772032e2fe80a924f3b8dd5082194) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
08:49:50.0981 4084 clr_optimization_v2.0.50727_32 - ok
08:49:51.0075 4084 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
08:49:51.0075 4084 clr_optimization_v4.0.30319_32 - ok
08:49:51.0169 4084 CLTNetCnService - ok
08:49:51.0231 4084 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
08:49:51.0231 4084 CmBatt - ok
08:49:51.0262 4084 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
08:49:51.0293 4084 cmdide - ok
08:49:51.0309 4084 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
08:49:51.0309 4084 Compbatt - ok
08:49:51.0325 4084 COMSysApp - ok
08:49:51.0340 4084 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
08:49:51.0387 4084 crcdisk - ok
08:49:51.0403 4084 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
08:49:51.0481 4084 Crusoe - ok
08:49:51.0543 4084 CryptSvc (fb27772beaf8e1d28ccd825c09da939b) C:\Windows\system32\cryptsvc.dll
08:49:51.0543 4084 CryptSvc - ok
08:49:51.0637 4084 DcomLaunch (3b5b4d53fec14f7476ca29a20cc31ac9) C:\Windows\system32\rpcss.dll
08:49:51.0652 4084 DcomLaunch - ok
08:49:51.0683 4084 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
08:49:51.0730 4084 DfsC - ok
08:49:51.0964 4084 DFSR (2cc3dcfb533a1035b13dcab6160ab38b) C:\Windows\system32\DFSR.exe
08:49:51.0995 4084 DFSR - ok
08:49:52.0183 4084 Dhcp (9028559c132146fb75eb7acf384b086a) C:\Windows\System32\dhcpcsvc.dll
08:49:52.0183 4084 Dhcp - ok
08:49:52.0245 4084 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
08:49:52.0245 4084 disk - ok
08:49:52.0292 4084 Dnscache (57d762f6f5974af0da2be88a3349baaa) C:\Windows\System32\dnsrslvr.dll
08:49:52.0292 4084 Dnscache - ok
08:49:52.0339 4084 dot3svc (324fd74686b1ef5e7c19a8af49e748f6) C:\Windows\System32\dot3svc.dll
08:49:52.0339 4084 dot3svc - ok
08:49:52.0417 4084 DPS (a622e888f8aa2f6b49e9bc466f0e5def) C:\Windows\system32\dps.dll
08:49:52.0417 4084 DPS - ok
08:49:52.0448 4084 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
08:49:52.0448 4084 drmkaud - ok
08:49:52.0526 4084 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
08:49:52.0541 4084 DXGKrnl - ok
08:49:52.0588 4084 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
08:49:52.0588 4084 E1G60 - ok
08:49:52.0651 4084 eamon (30372bcc67d63bee538cdfeca755d81c) C:\Windows\system32\DRIVERS\eamon.sys
08:49:52.0666 4084 eamon - ok
08:49:52.0697 4084 EapHost (c0b95e40d85cd807d614e264248a45b9) C:\Windows\System32\eapsvc.dll
08:49:52.0697 4084 EapHost - ok
08:49:52.0775 4084 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
08:49:52.0775 4084 Ecache - ok
08:49:52.0838 4084 ehdrv (6504d6afb75fef830dd99e8c4235d54d) C:\Windows\system32\DRIVERS\ehdrv.sys
08:49:52.0885 4084 ehdrv - ok
08:49:52.0947 4084 ehRecvr (9be3744d295a7701eb425332014f0797) C:\Windows\ehome\ehRecvr.exe
08:49:52.0947 4084 ehRecvr - ok
08:49:52.0978 4084 ehSched (ad1870c8e5d6dd340c829e6074bf3c3f) C:\Windows\ehome\ehsched.exe
08:49:52.0978 4084 ehSched - ok
08:49:52.0994 4084 ehstart (c27c4ee8926e74aa72efcab24c5242c3) C:\Windows\ehome\ehstart.dll
08:49:52.0994 4084 ehstart - ok
08:49:53.0103 4084 EhttpSrv (7e5c9009d28fe0f2cde2b8df47472a06) C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
08:49:53.0119 4084 EhttpSrv - ok
08:49:53.0197 4084 ekrn (fddad27e9a20d0dac04facbf67afbfc1) C:\Program Files\ESET\ESET Smart Security\ekrn.exe
08:49:53.0212 4084 ekrn - ok
08:49:53.0353 4084 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
08:49:53.0431 4084 elxstor - ok
08:49:53.0509 4084 EMDMgmt (4e6b23dfc917ea39306b529b773950f4) C:\Windows\system32\emdmgmt.dll
08:49:53.0524 4084 EMDMgmt - ok
08:49:53.0587 4084 epfw (86895d4413316becc2d7944d2749586c) C:\Windows\system32\DRIVERS\epfw.sys
08:49:53.0587 4084 epfw - ok
08:49:53.0618 4084 Epfwndis (3b47010b2425b69826004767e59045ba) C:\Windows\system32\DRIVERS\Epfwndis.sys
08:49:53.0696 4084 Epfwndis - ok
08:49:53.0758 4084 epfwwfp (396ce762d1650387a2fe184e245fbba1) C:\Windows\system32\DRIVERS\epfwwfp.sys
08:49:53.0758 4084 epfwwfp - ok
08:49:53.0867 4084 EPGService (47b6679d42fb6d6ca0eda5df48abb2e5) C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
08:49:53.0867 4084 EPGService - ok
08:49:53.0914 4084 EventSystem (67058c46504bc12d821f38cf99b7b28f) C:\Windows\system32\es.dll
08:49:53.0930 4084 EventSystem - ok
08:49:53.0992 4084 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
08:49:54.0039 4084 exfat - ok
08:49:54.0070 4084 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
08:49:54.0101 4084 fastfat - ok
08:49:54.0133 4084 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
08:49:54.0179 4084 fdc - ok
08:49:54.0211 4084 fdPHost (6629b5f0e98151f4afdd87567ea32ba3) C:\Windows\system32\fdPHost.dll
08:49:54.0211 4084 fdPHost - ok
08:49:54.0242 4084 FDResPub (89ed56dce8e47af40892778a5bd31fd2) C:\Windows\system32\fdrespub.dll
08:49:54.0257 4084 FDResPub - ok
08:49:54.0304 4084 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
08:49:54.0304 4084 FileInfo - ok
08:49:54.0335 4084 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
08:49:54.0367 4084 Filetrace - ok
08:49:54.0382 4084 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
08:49:54.0382 4084 flpydisk - ok
08:49:54.0460 4084 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
08:49:54.0523 4084 FltMgr - ok
08:49:54.0632 4084 FontCache (8ce364388c8eca59b14b539179276d44) C:\Windows\system32\FntCache.dll
08:49:54.0647 4084 FontCache - ok
08:49:54.0741 4084 FontCache3.0.0.0 (c7fbdd1ed42f82bfa35167a5c9803ea3) C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
08:49:54.0741 4084 FontCache3.0.0.0 - ok
08:49:54.0803 4084 FsUsbExDisk (790a4ca68f44be35967b3df61f3e4675) C:\Windows\system32\FsUsbExDisk.SYS
08:49:54.0835 4084 FsUsbExDisk - ok
08:49:54.0850 4084 Fs_Rec (b972a66758577e0bfd1de0f91aaa27b5) C:\Windows\system32\drivers\Fs_Rec.sys
08:49:54.0881 4084 Fs_Rec - ok
08:49:54.0928 4084 FTDIBUS (a36e8beedb3aaca09bf55a1d17904bc8) C:\Windows\system32\drivers\ftdibus.sys
08:49:54.0928 4084 FTDIBUS - ok
08:49:54.0991 4084 FTSER2K (a14a1f4bb391df9c233cb5dbd05feb70) C:\Windows\system32\drivers\ftser2k.sys
08:49:54.0991 4084 FTSER2K - ok
08:49:55.0022 4084 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
08:49:55.0053 4084 gagp30kx - ok
08:49:55.0100 4084 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\Drivers\GEARAspiWDM.sys
08:49:55.0100 4084 GEARAspiWDM - ok
08:49:55.0147 4084 ggflt (9ae4cd2acdf58325fd38b416c1decf1d) C:\Windows\system32\DRIVERS\ggflt.sys
08:49:55.0147 4084 ggflt - ok
08:49:55.0193 4084 ggsemc (4b0bd44af495fc5b89477328f22f36ec) C:\Windows\system32\DRIVERS\ggsemc.sys
08:49:55.0193 4084 ggsemc - ok
08:49:55.0303 4084 ghaio (ba4a798183529fe251a3dcfa650670bf) C:\Program Files\ASUS\NB Probe\SPM\ghaio.sys
08:49:55.0334 4084 ghaio - ok
08:49:55.0412 4084 gpsvc (cd5d0aeee35dfd4e986a5aa1500a6e66) C:\Windows\System32\gpsvc.dll
08:49:55.0427 4084 gpsvc - ok
08:49:55.0537 4084 HauppaugeTVServer (fc282bdb2d558b6c3bc2d848c5ca9f13) C:\PROGRA~1\WinTV\HCWTVS~1.EXE
08:49:55.0552 4084 HauppaugeTVServer - ok
08:49:55.0739 4084 hcw95bda (6d1ea2467a49a954c95aa493382b3a6d) C:\Windows\system32\Drivers\hcw95bda.sys
08:49:55.0786 4084 hcw95bda - ok
08:49:55.0849 4084 hcw95rc (7a1fa260e31c3d3ebd061265251ef0f6) C:\Windows\system32\DRIVERS\hcw95rc.sys
08:49:55.0849 4084 hcw95rc - ok
08:49:55.0880 4084 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
08:49:55.0895 4084 HdAudAddService - ok
08:49:55.0958 4084 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
08:49:56.0005 4084 HDAudBus - ok
08:49:56.0020 4084 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
08:49:56.0020 4084 HidBth - ok
08:49:56.0036 4084 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
08:49:56.0083 4084 HidIr - ok
08:49:56.0114 4084 hidserv (84067081f3318162797385e11a8f0582) C:\Windows\System32\hidserv.dll
08:49:56.0114 4084 hidserv - ok
08:49:56.0161 4084 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
08:49:56.0161 4084 HidUsb - ok
08:49:56.0207 4084 hkmsvc (d8ad255b37da92434c26e4876db7d418) C:\Windows\system32\kmsvc.dll
08:49:56.0207 4084 hkmsvc - ok
08:49:56.0239 4084 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
08:49:56.0317 4084 HpCISSs - ok
08:49:56.0363 4084 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
08:49:56.0410 4084 HTTP - ok
08:49:56.0426 4084 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
08:49:56.0457 4084 i2omp - ok
08:49:56.0519 4084 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
08:49:56.0535 4084 i8042prt - ok
08:49:56.0566 4084 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
08:49:56.0566 4084 iaStorV - ok
08:49:56.0675 4084 IDriverT (1cf03c69b49acb70c722df92755c0c8c) C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
08:49:56.0675 4084 IDriverT - ok
08:49:56.0863 4084 idsvc (98477b08e61945f974ed9fdc4cb6bdab) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
08:49:56.0894 4084 idsvc - ok
08:49:57.0003 4084 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
08:49:57.0003 4084 iirsp - ok
08:49:57.0050 4084 IKEEXT (9908d8a397b76cd8d31d0d383c5773c9) C:\Windows\System32\ikeext.dll
08:49:57.0065 4084 IKEEXT - ok
08:49:57.0112 4084 InCDfs (aea4c9bb21c12e8be4078d836dd98f86) C:\Windows\system32\drivers\InCDFs.sys
08:49:57.0112 4084 InCDfs - ok
08:49:57.0128 4084 InCDPass (507ca5b34ccee17fe5af5b14a718775b) C:\Windows\system32\drivers\InCDPass.sys
08:49:57.0128 4084 InCDPass - ok
08:49:57.0143 4084 InCDrec (2e977f77a1d479cf12950fc1ed70b415) C:\Windows\system32\drivers\InCDrec.sys
08:49:57.0143 4084 InCDrec - ok
08:49:57.0159 4084 incdrm (3b98d9eb9e63f5affb532f977c09162f) C:\Windows\system32\drivers\InCDRm.sys
08:49:57.0159 4084 incdrm - ok
08:49:57.0284 4084 InCDsrv (219cd67ac3547b0b29b7cda0513e50ba) C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
08:49:57.0299 4084 InCDsrv - ok
08:49:57.0471 4084 IntcAzAudAddService (aef2fa29204056b81bc4cbf30260dee1) C:\Windows\system32\drivers\RTKVHDA.sys
08:49:57.0502 4084 IntcAzAudAddService - ok
08:49:57.0658 4084 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
08:49:57.0689 4084 intelide - ok
08:49:57.0705 4084 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
08:49:57.0705 4084 intelppm - ok
08:49:57.0736 4084 IPBusEnum (9ac218c6e6105477484c6fdbe7d409a4) C:\Windows\system32\ipbusenum.dll
08:49:57.0752 4084 IPBusEnum - ok
08:49:57.0783 4084 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
08:49:57.0814 4084 IpFilterDriver - ok
08:49:57.0861 4084 iphlpsvc (1998bd97f950680bb55f55a7244679c2) C:\Windows\System32\iphlpsvc.dll
08:49:57.0861 4084 iphlpsvc - ok
08:49:57.0861 4084 IpInIp - ok
08:49:57.0892 4084 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
08:49:57.0939 4084 IPMIDRV - ok
08:49:57.0970 4084 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
08:49:58.0001 4084 IPNAT - ok
08:49:58.0142 4084 iPod Service (ce004777b92dea56fe14ec900d20baa4) C:\Program Files\iPod\bin\iPodService.exe
08:49:58.0157 4084 iPod Service - ok
08:49:58.0173 4084 ipswuio - ok
08:49:58.0204 4084 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
08:49:58.0251 4084 IRENUM - ok
08:49:58.0282 4084 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
08:49:58.0329 4084 isapnp - ok
08:49:58.0360 4084 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
08:49:58.0360 4084 iScsiPrt - ok
08:49:58.0391 4084 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
08:49:58.0469 4084 iteatapi - ok
08:49:58.0516 4084 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
08:49:58.0594 4084 iteraid - ok
08:49:58.0625 4084 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
08:49:58.0625 4084 kbdclass - ok
08:49:58.0657 4084 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
08:49:58.0657 4084 kbdhid - ok
08:49:58.0703 4084 KeyIso (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
08:49:58.0703 4084 KeyIso - ok
08:49:58.0844 4084 Kodak AiO Network Discovery Service (27277a11db52fefae5b01dc8fb570b28) C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
08:49:58.0844 4084 Kodak AiO Network Discovery Service - ok
08:49:58.0891 4084 KSecDD (2b2f1638466e8cb091400c9019cc730e) C:\Windows\system32\Drivers\ksecdd.sys
08:49:58.0906 4084 KSecDD - ok
08:49:58.0969 4084 KtmRm (8078f8f8f7a79e2e6b494523a828c585) C:\Windows\system32\msdtckrm.dll
08:49:58.0984 4084 KtmRm - ok
08:49:59.0031 4084 LanmanServer (1bf5eebfd518dd7298434d8c862f825d) C:\Windows\System32\srvsvc.dll
08:49:59.0031 4084 LanmanServer - ok
08:49:59.0078 4084 LanmanWorkstation (1db69705b695b987082c8baec0c6b34f) C:\Windows\System32\wkssvc.dll
08:49:59.0078 4084 LanmanWorkstation - ok
08:49:59.0187 4084 LightScribeService (793ff718477345cd5d232c50bed1e452) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
08:49:59.0203 4084 LightScribeService - ok
08:49:59.0249 4084 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
08:49:59.0296 4084 lltdio - ok
08:49:59.0343 4084 lltdsvc (2d5a428872f1442631d0959a34abff63) C:\Windows\System32\lltdsvc.dll
08:49:59.0359 4084 lltdsvc - ok
08:49:59.0374 4084 lmhosts (35d40113e4a5b961b6ce5c5857702518) C:\Windows\System32\lmhsvc.dll
08:49:59.0374 4084 lmhosts - ok
08:49:59.0421 4084 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
08:49:59.0468 4084 LSI_FC - ok
08:49:59.0483 4084 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
08:49:59.0530 4084 LSI_SAS - ok
08:49:59.0546 4084 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
08:49:59.0593 4084 LSI_SCSI - ok
08:49:59.0624 4084 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
08:49:59.0655 4084 luafv - ok
08:49:59.0717 4084 lvupdtio (714bd14e270a78ce60b8ae878f4afde5) C:\Program Files\ASUS\ASUS Live Update\SYS64\lvupdtio.sys
08:49:59.0764 4084 lvupdtio - ok
08:49:59.0795 4084 Mcx2Svc (aef9babb8a506bc4ce0451a64aaded46) C:\Windows\system32\Mcx2Svc.dll
08:49:59.0811 4084 Mcx2Svc - ok
08:49:59.0842 4084 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
08:49:59.0842 4084 megasas - ok
08:49:59.0873 4084 MMCSS (1076ffcffaae8385fd62dfcb25ac4708) C:\Windows\system32\mmcss.dll
08:49:59.0873 4084 MMCSS - ok
08:49:59.0905 4084 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
08:49:59.0951 4084 Modem - ok
08:49:59.0983 4084 MODEMCSA (cbb59c41f19efea1a000793e08070a62) C:\Windows\system32\drivers\MODEMCSA.sys
08:50:00.0029 4084 MODEMCSA - ok
08:50:00.0061 4084 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
08:50:00.0061 4084 monitor - ok
08:50:00.0107 4084 motmodem (5023875a94b0766d98a62a72bc4cb055) C:\Windows\system32\DRIVERS\motmodem.sys
08:50:00.0139 4084 motmodem - ok
08:50:00.0170 4084 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
08:50:00.0170 4084 mouclass - ok
08:50:00.0185 4084 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
08:50:00.0232 4084 mouhid - ok
08:50:00.0263 4084 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
08:50:00.0263 4084 MountMgr - ok
08:50:00.0295 4084 MozillaMaintenance (96aa8ba23142cc8e2b30f3cae0c80254) C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
08:50:00.0295 4084 MozillaMaintenance - ok
08:50:00.0341 4084 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
08:50:00.0388 4084 mpio - ok
08:50:00.0419 4084 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
08:50:00.0419 4084 mpsdrv - ok
08:50:00.0482 4084 MpsSvc (5de62c6e9108f14f6794060a9bdecaec) C:\Windows\system32\mpssvc.dll
08:50:00.0482 4084 MpsSvc - ok
08:50:00.0513 4084 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
08:50:00.0560 4084 Mraid35x - ok
08:50:00.0591 4084 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
08:50:00.0591 4084 MRxDAV - ok
08:50:00.0638 4084 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
08:50:00.0638 4084 mrxsmb - ok
08:50:00.0669 4084 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
08:50:00.0731 4084 mrxsmb10 - ok
08:50:00.0747 4084 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
08:50:00.0794 4084 mrxsmb20 - ok
08:50:00.0825 4084 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys
08:50:00.0872 4084 msahci - ok
08:50:00.0887 4084 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
08:50:00.0965 4084 msdsm - ok
08:50:01.0012 4084 MSDTC (fd7520cc3a80c5fc8c48852bb24c6ded) C:\Windows\System32\msdtc.exe
08:50:01.0012 4084 MSDTC - ok
08:50:01.0059 4084 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
08:50:01.0075 4084 Msfs - ok
08:50:01.0121 4084 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
08:50:01.0153 4084 msisadrv - ok
08:50:01.0184 4084 MSiSCSI (85466c0757a23d9a9aecdc0755203cb2) C:\Windows\system32\iscsiexe.dll
08:50:01.0184 4084 MSiSCSI - ok
08:50:01.0199 4084 msiserver - ok
08:50:01.0246 4084 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
08:50:01.0262 4084 MSKSSRV - ok
08:50:01.0277 4084 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
08:50:01.0277 4084 MSPCLOCK - ok
08:50:01.0293 4084 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
08:50:01.0293 4084 MSPQM - ok
08:50:01.0340 4084 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
08:50:01.0340 4084 MsRPC - ok
08:50:01.0355 4084 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
08:50:01.0355 4084 mssmbios - ok
08:50:01.0371 4084 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
08:50:01.0402 4084 MSTEE - ok
08:50:01.0433 4084 MTsensor (97affa9d95ffe20eee6229bc6be166cf) C:\Windows\system32\DRIVERS\ATKACPI.sys
08:50:01.0465 4084 MTsensor - ok
08:50:01.0480 4084 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
08:50:01.0511 4084 Mup - ok
08:50:01.0558 4084 napagent (e4eaf0c5c1b41b5c83386cf212ca9584) C:\Windows\system32\qagentRT.dll
08:50:01.0558 4084 napagent - ok
08:50:01.0621 4084 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
08:50:01.0652 4084 NativeWifiP - ok
08:50:01.0761 4084 NBService (8f3357621d24ed31d98f96e18147fdaf) C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
08:50:01.0839 4084 NBService - ok
08:50:01.0917 4084 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
08:50:01.0933 4084 NDIS - ok
08:50:01.0964 4084 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
08:50:01.0964 4084 NdisTapi - ok
08:50:02.0011 4084 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
08:50:02.0057 4084 Ndisuio - ok
08:50:02.0089 4084 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
08:50:02.0151 4084 NdisWan - ok
08:50:02.0182 4084 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
08:50:02.0229 4084 NDProxy - ok
08:50:02.0245 4084 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
08:50:02.0276 4084 NetBIOS - ok
08:50:02.0323 4084 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
08:50:02.0338 4084 netbt - ok
08:50:02.0369 4084 Netlogon (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
08:50:02.0369 4084 Netlogon - ok
08:50:02.0416 4084 Netman (c8052711daecc48b982434c5116ca401) C:\Windows\System32\netman.dll
08:50:02.0432 4084 Netman - ok
08:50:02.0463 4084 netprofm (2ef3bbe22e5a5acd1428ee387a0d0172) C:\Windows\System32\netprofm.dll
08:50:02.0463 4084 netprofm - ok
08:50:02.0525 4084 NetTcpPortSharing (d6c4e4a39a36029ac0813d476fbd0248) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
08:50:02.0525 4084 NetTcpPortSharing - ok
08:50:02.0681 4084 NETw3v32 (ea30bd026a7d1b745a37516880c4ac1b) C:\Windows\system32\DRIVERS\NETw3v32.sys
08:50:02.0728 4084 NETw3v32 - ok
08:50:02.0869 4084 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
08:50:02.0915 4084 nfrd960 - ok
08:50:02.0962 4084 NlaSvc (2997b15415f9bbe05b5a4c1c85e0c6a2) C:\Windows\System32\nlasvc.dll
08:50:02.0962 4084 NlaSvc - ok
08:50:03.0087 4084 NMIndexingService (ffd209ea219a2599f2f551b80ae6b0bf) C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
08:50:03.0087 4084 NMIndexingService - ok
08:50:03.0118 4084 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
08:50:03.0165 4084 Npfs - ok
08:50:03.0181 4084 nsi (8bb86f0c7eea2bded6fe095d0b4ca9bd) C:\Windows\system32\nsisvc.dll
08:50:03.0181 4084 nsi - ok
08:50:03.0227 4084 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
08:50:03.0259 4084 nsiproxy - ok
08:50:03.0368 4084 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
08:50:03.0430 4084 Ntfs - ok
08:50:03.0461 4084 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
08:50:03.0461 4084 ntrigdigi - ok
08:50:03.0493 4084 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
08:50:03.0539 4084 Null - ok
08:50:03.0851 4084 nvlddmkm (cfddedc1151839dd71f78472645214a5) C:\Windows\system32\DRIVERS\nvlddmkm.sys
08:50:03.0945 4084 nvlddmkm - ok
08:50:04.0101 4084 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
08:50:04.0148 4084 nvraid - ok
08:50:04.0163 4084 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
08:50:04.0163 4084 nvstor - ok
08:50:04.0195 4084 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
08:50:04.0226 4084 nv_agp - ok
08:50:04.0241 4084 NwlnkFlt - ok
08:50:04.0241 4084 NwlnkFwd - ok
08:50:04.0304 4084 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
08:50:04.0304 4084 ohci1394 - ok
08:50:04.0444 4084 ose (9d10f99a6712e28f8acd5641e3a7ea6b) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
08:50:04.0460 4084 ose - ok
08:50:04.0834 4084 osppsvc (358a9cca612c68eb2f07ddad4ce1d8d7) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
08:50:04.0943 4084 osppsvc - ok
08:50:05.0115 4084 p2pimsvc (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
08:50:05.0131 4084 p2pimsvc - ok
08:50:05.0146 4084 p2psvc (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
08:50:05.0146 4084 p2psvc - ok
08:50:05.0193 4084 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
08:50:05.0209 4084 Parport - ok
08:50:05.0255 4084 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
08:50:05.0287 4084 partmgr - ok
08:50:05.0302 4084 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
08:50:05.0349 4084 Parvdm - ok
08:50:05.0380 4084 PcaSvc (c6276ad11f4bb49b58aa1ed88537f14a) C:\Windows\System32\pcasvc.dll
08:50:05.0380 4084 PcaSvc - ok
08:50:05.0427 4084 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
08:50:05.0427 4084 pci - ok
08:50:05.0443 4084 pciide (3b1901e401473e03eb8c874271e50c26) C:\Windows\system32\drivers\pciide.sys
08:50:05.0489 4084 pciide - ok
08:50:05.0521 4084 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
08:50:05.0552 4084 pcmcia - ok
08:50:05.0661 4084 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
08:50:05.0677 4084 PEAUTH - ok
08:50:05.0817 4084 pla (b1689df169143f57053f795390c99db3) C:\Windows\system32\pla.dll
08:50:05.0848 4084 pla - ok
08:50:05.0989 4084 PlugPlay (c5e7f8a996ec0a82d508fd9064a5569e) C:\Windows\system32\umpnpmgr.dll
08:50:06.0004 4084 PlugPlay - ok
08:50:06.0082 4084 PNRPAutoReg (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
08:50:06.0082 4084 PNRPAutoReg - ok
08:50:06.0098 4084 PNRPsvc (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
08:50:06.0113 4084 PNRPsvc - ok
08:50:06.0145 4084 PolicyAgent (d0494460421a03cd5225cca0059aa146) C:\Windows\System32\ipsecsvc.dll
08:50:06.0160 4084 PolicyAgent - ok
08:50:06.0207 4084 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
08:50:06.0254 4084 PptpMiniport - ok
08:50:06.0269 4084 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
08:50:06.0316 4084 Processor - ok
08:50:06.0347 4084 ProfSvc (0508faa222d28835310b7bfca7a77346) C:\Windows\system32\profsvc.dll
08:50:06.0347 4084 ProfSvc - ok
08:50:06.0379 4084 ProtectedStorage (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
08:50:06.0379 4084 ProtectedStorage - ok
08:50:06.0410 4084 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
08:50:06.0410 4084 PSched - ok
08:50:06.0441 4084 pssnap (5781359e8be73e8962e94f015a8df404) C:\Windows\system32\DRIVERS\pssnap.sys
08:50:06.0441 4084 pssnap - ok
08:50:06.0535 4084 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
08:50:06.0597 4084 ql2300 - ok
08:50:06.0613 4084 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
08:50:06.0613 4084 ql40xx - ok
08:50:06.0659 4084 QWAVE (e9ecae663f47e6cb43962d18ab18890f) C:\Windows\system32\qwave.dll
08:50:06.0675 4084 QWAVE - ok
08:50:06.0706 4084 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
08:50:06.0706 4084 QWAVEdrv - ok
08:50:07.0034 4084 R300 (a23efb72057fed7128eb558866055fdf) C:\Windows\system32\DRIVERS\atikmdag.sys
08:50:07.0065 4084 R300 - ok
08:50:07.0205 4084 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
08:50:07.0205 4084 RasAcd - ok
08:50:07.0237 4084 RasAuto (f6a452eb4ceadbb51c9e0ee6b3ecef0f) C:\Windows\System32\rasauto.dll
08:50:07.0252 4084 RasAuto - ok
08:50:07.0299 4084 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
08:50:07.0346 4084 Rasl2tp - ok
08:50:07.0393 4084 RasMan (75d47445d70ca6f9f894b032fbc64fcf) C:\Windows\System32\rasmans.dll
08:50:07.0393 4084 RasMan - ok
08:50:07.0439 4084 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
08:50:07.0439 4084 RasPppoe - ok
08:50:07.0455 4084 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
08:50:07.0486 4084 RasSstp - ok
08:50:07.0533 4084 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
08:50:07.0533 4084 rdbss - ok
08:50:07.0564 4084 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
08:50:07.0611 4084 RDPCDD - ok
08:50:07.0658 4084 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
08:50:07.0720 4084 rdpdr - ok
08:50:07.0720 4084 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
08:50:07.0720 4084 RDPENCDD - ok
08:50:07.0767 4084 RDPWD (79c6df8477250f5c54f7c5ae1d6b814e) C:\Windows\system32\drivers\RDPWD.sys
08:50:07.0798 4084 RDPWD - ok
08:50:07.0907 4084 ReflectService (d796656998df2f4aa0dc20beb410ed3c) C:\Program Files\Macrium\Reflect\ReflectService.exe
08:50:07.0907 4084 ReflectService - ok
08:50:07.0954 4084 RemoteAccess (bcdd6b4804d06b1f7ebf29e53a57ece9) C:\Windows\System32\mprdim.dll
08:50:07.0970 4084 RemoteAccess - ok
08:50:08.0001 4084 RemoteRegistry (9e6894ea18daff37b63e1005f83ae4ab) C:\Windows\system32\regsvc.dll
08:50:08.0001 4084 RemoteRegistry - ok
08:50:08.0048 4084 RFCOMM (6482707f9f4da0ecbab43b2e0398a101) C:\Windows\system32\DRIVERS\rfcomm.sys
08:50:08.0079 4084 RFCOMM - ok
08:50:08.0126 4084 rimmptsk (b39f1bd472e4992382875baf0b645c6d) C:\Windows\system32\DRIVERS\rimmptsk.sys
08:50:08.0173 4084 rimmptsk - ok
08:50:08.0188 4084 rimsptsk (a4216c71dd4f60b26418ccfd99cd0815) C:\Windows\system32\DRIVERS\rimsptsk.sys
08:50:08.0188 4084 rimsptsk - ok
08:50:08.0219 4084 RpcLocator (5123f83cbc4349d065534eeb6bbdc42b) C:\Windows\system32\locator.exe
08:50:08.0219 4084 RpcLocator - ok
08:50:08.0297 4084 RpcSs (3b5b4d53fec14f7476ca29a20cc31ac9) C:\Windows\system32\rpcss.dll
08:50:08.0297 4084 RpcSs - ok
08:50:08.0344 4084 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
08:50:08.0391 4084 rspndr - ok
08:50:08.0422 4084 RTL8169 (2d19a7469ea19993d0c12e627f4530bc) C:\Windows\system32\DRIVERS\Rtlh86.sys
08:50:08.0500 4084 RTL8169 - ok
08:50:08.0547 4084 s0017bus (6381d7fac6ce956f37aa76031939f8cc) C:\Windows\system32\DRIVERS\s0017bus.sys
08:50:08.0594 4084 s0017bus - ok
08:50:08.0641 4084 s0017mdfl (3a0b4fc02d9d79a4f7ee9c13e287c5eb) C:\Windows\system32\DRIVERS\s0017mdfl.sys
08:50:08.0672 4084 s0017mdfl - ok
08:50:08.0703 4084 s0017mdm (aa689c79d62caf565357520cae065f17) C:\Windows\system32\DRIVERS\s0017mdm.sys
08:50:08.0719 4084 s0017mdm - ok
08:50:08.0750 4084 s0017mgmt (547b1a09017a4c4ce6b535ba810523da) C:\Windows\system32\DRIVERS\s0017mgmt.sys
08:50:08.0750 4084 s0017mgmt - ok
08:50:08.0781 4084 s0017nd5 (6db4820821e819cf61546e1f991a298d) C:\Windows\system32\DRIVERS\s0017nd5.sys
08:50:08.0797 4084 s0017nd5 - ok
08:50:08.0812 4084 s0017obex (d623bf6f04f7603ee1c4b59c737b69a7) C:\Windows\system32\DRIVERS\s0017obex.sys
08:50:08.0812 4084 s0017obex - ok
08:50:08.0843 4084 s0017unic (0c970a53fc43815e948628442f8983ad) C:\Windows\system32\DRIVERS\s0017unic.sys
08:50:08.0890 4084 s0017unic - ok
08:50:08.0906 4084 SamSs (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
08:50:08.0906 4084 SamSs - ok
08:50:08.0968 4084 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
08:50:08.0999 4084 SASDIFSV - ok
08:50:09.0015 4084 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
08:50:09.0015 4084 SASKUTIL - ok
08:50:09.0046 4084 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
08:50:09.0046 4084 sbp2port - ok
08:50:09.0109 4084 SCardSvr (77b7a11a0c3d78d3386398fbbea1b632) C:\Windows\System32\SCardSvr.dll
08:50:09.0109 4084 SCardSvr - ok
08:50:09.0187 4084 Schedule (1a58069db21d05eb2ab58ee5753ebe8d) C:\Windows\system32\schedsvc.dll
08:50:09.0202 4084 Schedule - ok
08:50:09.0233 4084 SCPolicySvc (312ec3e37a0a1f2006534913e37b4423) C:\Windows\System32\certprop.dll
08:50:09.0233 4084 SCPolicySvc - ok
08:50:09.0265 4084 sdbus (8f36b54688c31eed4580129040c6a3d3) C:\Windows\system32\DRIVERS\sdbus.sys
08:50:09.0296 4084 sdbus - ok
08:50:09.0327 4084 SDRSVC (716313d9f6b0529d03f726d5aaf6f191) C:\Windows\System32\SDRSVC.dll
08:50:09.0327 4084 SDRSVC - ok
08:50:09.0358 4084 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
08:50:09.0374 4084 secdrv - ok
08:50:09.0405 4084 seclogon (fd5199d4d8a521005e4b5ee7fe00fa9b) C:\Windows\system32\seclogon.dll
08:50:09.0421 4084 seclogon - ok
08:50:09.0452 4084 seehcri (e5b56569a9f79b70314fede6c953641e) C:\Windows\system32\DRIVERS\seehcri.sys
08:50:09.0483 4084 seehcri - ok
08:50:09.0499 4084 SENS (a9bbab5759771e523f55563d6cbe140f) C:\Windows\system32\sens.dll
08:50:09.0499 4084 SENS - ok
08:50:09.0514 4084 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\DRIVERS\serenum.sys
08:50:09.0545 4084 Serenum - ok
08:50:09.0561 4084 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
08:50:09.0592 4084 Serial - ok
08:50:09.0623 4084 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
08:50:09.0623 4084 sermouse - ok
08:50:09.0686 4084 SessionEnv (d2193326f729b163125610dbf3e17d57) C:\Windows\system32\sessenv.dll
08:50:09.0686 4084 SessionEnv - ok
08:50:09.0717 4084 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\DRIVERS\sffdisk.sys
08:50:09.0748 4084 sffdisk - ok
08:50:09.0779 4084 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
08:50:09.0811 4084 sffp_mmc - ok
08:50:09.0857 4084 sffp_sd (9f66a46c55d6f1ccabc79bb7afccc545) C:\Windows\system32\DRIVERS\sffp_sd.sys
08:50:09.0889 4084 sffp_sd - ok
08:50:09.0904 4084 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\DRIVERS\sfloppy.sys
08:50:09.0904 4084 sfloppy - ok
08:50:09.0935 4084 SharedAccess (e1499bd0ff76b1b2fbbf1af339d91165) C:\Windows\System32\ipnathlp.dll
08:50:09.0951 4084 SharedAccess - ok
08:50:09.0998 4084 ShellHWDetection (c7230fbee14437716701c15be02c27b8) C:\Windows\System32\shsvcs.dll
08:50:09.0998 4084 ShellHWDetection - ok
08:50:10.0013 4084 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
08:50:10.0091 4084 sisagp - ok
08:50:10.0107 4084 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
08:50:10.0185 4084 SiSRaid2 - ok
08:50:10.0185 4084 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
08:50:10.0216 4084 SiSRaid4 - ok
08:50:10.0450 4084 slsvc (862bb4cbc05d80c5b45be430e5ef872f) C:\Windows\system32\SLsvc.exe
08:50:10.0513 4084 slsvc - ok
08:50:10.0684 4084 SLUINotify (6edc422215cd78aa8a9cde6b30abbd35) C:\Windows\system32\SLUINotify.dll
08:50:10.0684 4084 SLUINotify - ok
08:50:10.0731 4084 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
08:50:10.0762 4084 Smb - ok
08:50:10.0840 4084 smserial (859e3adc59d1c89a66aa6492c14d379e) C:\Windows\system32\DRIVERS\smserial.sys
08:50:10.0871 4084 smserial - ok
08:50:10.0903 4084 SNMPTRAP (2a146a055b4401c16ee62d18b8e2a032) C:\Windows\System32\snmptrap.exe
08:50:10.0903 4084 SNMPTRAP - ok
08:50:10.0949 4084 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
08:50:10.0981 4084 spldr - ok
08:50:11.0043 4084 spmgr (d1e30eea74ed4c65a72afde5b6fa36ee) C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
08:50:11.0059 4084 spmgr - ok
08:50:11.0090 4084 Spooler (8554097e5136c3bf9f69fe578a1b35f4) C:\Windows\System32\spoolsv.exe
08:50:11.0105 4084 Spooler - ok
08:50:11.0152 4084 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
08:50:11.0152 4084 srv - ok
08:50:11.0183 4084 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
08:50:11.0199 4084 srv2 - ok
08:50:11.0215 4084 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
08:50:11.0261 4084 srvnet - ok
08:50:11.0308 4084 SSDPSRV (03d50b37234967433a5ea5ba72bc0b62) C:\Windows\System32\ssdpsrv.dll
08:50:11.0308 4084 SSDPSRV - ok
08:50:11.0386 4084 SstpSvc (6f1a32e7b7b30f004d9a20afadb14944) C:\Windows\system32\sstpsvc.dll
08:50:11.0386 4084 SstpSvc - ok
08:50:11.0417 4084 StillCam (ef70b3d22b4bffda6ea851ecb063efaa) C:\Windows\system32\DRIVERS\serscan.sys
08:50:11.0417 4084 StillCam - ok
08:50:11.0511 4084 stisvc (5de7d67e49b88f5f07f3e53c4b92a352) C:\Windows\System32\wiaservc.dll
08:50:11.0527 4084 stisvc - ok
08:50:11.0651 4084 StkCMini (8181a2ecc2b5eccd26b05f6dad1a8736) C:\Windows\system32\Drivers\StkCMini.sys
08:50:11.0683 4084 StkCMini - ok
08:50:11.0901 4084 StkSSrv (54fb71d9645ae6754ba3390813280dbd) C:\Windows\System32\StkCSrv.exe
08:50:11.0901 4084 StkSSrv - ok
08:50:11.0979 4084 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
08:50:11.0979 4084 swenum - ok
08:50:12.0026 4084 swprv (f21fd248040681cca1fb6c9a03aaa93d) C:\Windows\System32\swprv.dll
08:50:12.0026 4084 swprv - ok
08:50:12.0057 4084 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
08:50:12.0057 4084 Symc8xx - ok
08:50:12.0073 4084 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
08:50:12.0119 4084 Sym_hi - ok
08:50:12.0135 4084 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
08:50:12.0166 4084 Sym_u3 - ok
08:50:12.0213 4084 SynTP (24b43e9a3e6cacf9afc69f48e9deb690) C:\Windows\system32\DRIVERS\SynTP.sys
08:50:12.0213 4084 SynTP - ok
08:50:12.0291 4084 SysMain (9a51b04e9886aa4ee90093586b0ba88d) C:\Windows\system32\sysmain.dll
08:50:12.0291 4084 SysMain - ok
08:50:12.0322 4084 TabletInputService (2dca225eae15f42c0933e998ee0231c3) C:\Windows\System32\TabSvc.dll
08:50:12.0338 4084 TabletInputService - ok
08:50:12.0385 4084 TapiSrv (d7673e4b38ce21ee54c59eeeb65e2483) C:\Windows\System32\tapisrv.dll
08:50:12.0400 4084 TapiSrv - ok
08:50:12.0431 4084 TBS (cb05822cd9cc6c688168e113c603dbe7) C:\Windows\System32\tbssvc.dll
08:50:12.0431 4084 TBS - ok
08:50:12.0525 4084 Tcpip (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\drivers\tcpip.sys
08:50:12.0541 4084 Tcpip - ok
08:50:12.0587 4084 Tcpip6 (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\DRIVERS\tcpip.sys
08:50:12.0587 4084 Tcpip6 - ok
08:50:12.0619 4084 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
08:50:12.0650 4084 tcpipreg - ok
08:50:12.0697 4084 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
08:50:12.0728 4084 TDPIPE - ok
08:50:12.0743 4084 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
08:50:12.0790 4084 TDTCP - ok
08:50:12.0821 4084 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
08:50:12.0853 4084 tdx - ok
08:50:12.0884 4084 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
08:50:12.0884 4084 TermDD - ok
08:50:12.0962 4084 TermService (bb95da09bef6e7a131bff3ba5032090d) C:\Windows\System32\termsrv.dll
08:50:12.0962 4084 TermService - ok
08:50:13.0009 4084 Themes (c7230fbee14437716701c15be02c27b8) C:\Windows\system32\shsvcs.dll
08:50:13.0024 4084 Themes - ok
08:50:13.0055 4084 THREADORDER (1076ffcffaae8385fd62dfcb25ac4708) C:\Windows\system32\mmcss.dll
08:50:13.0055 4084 THREADORDER - ok
08:50:13.0149 4084 TOSHIBA Bluetooth Service (76148c3159718b701252f87b067904a6) C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
08:50:13.0149 4084 TOSHIBA Bluetooth Service - ok
08:50:13.0196 4084 Tosrfcom (5ba1ca3b3cddb1ddc67df473f05d1ec2) C:\Windows\system32\Drivers\tosrfcom.sys
08:50:13.0196 4084 Tosrfcom - ok
08:50:13.0227 4084 TPM (6d9ad3534a9cf7e4b86c6eae8bc335f6) C:\Windows\system32\drivers\tpm.sys
08:50:13.0258 4084 TPM - ok
08:50:13.0274 4084 TrkWks (ec74e77d0eb004bd3a809b5f8fb8c2ce) C:\Windows\System32\trkwks.dll
08:50:13.0274 4084 TrkWks - ok
08:50:13.0336 4084 TrustedInstaller (97d9d6a04e3ad9b6c626b9931db78dba) C:\Windows\servicing\TrustedInstaller.exe
08:50:13.0336 4084 TrustedInstaller - ok
08:50:13.0383 4084 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
08:50:13.0414 4084 tssecsrv - ok
08:50:13.0445 4084 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
08:50:13.0477 4084 tunmp - ok
08:50:13.0508 4084 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
08:50:13.0508 4084 tunnel - ok
08:50:13.0539 4084 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
08:50:13.0586 4084 uagp35 - ok
08:50:13.0617 4084 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
08:50:13.0664 4084 udfs - ok
08:50:13.0695 4084 UI0Detect (ecef404f62863755951e09c802c94ad5) C:\Windows\system32\UI0Detect.exe
08:50:13.0711 4084 UI0Detect - ok
08:50:13.0726 4084 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
08:50:13.0773 4084 uliagpkx - ok
08:50:13.0804 4084 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
08:50:13.0804 4084 uliahci - ok
08:50:13.0820 4084 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
08:50:13.0835 4084 UlSata - ok
08:50:13.0851 4084 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
08:50:13.0898 4084 ulsata2 - ok
08:50:13.0929 4084 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
08:50:13.0929 4084 umbus - ok
08:50:13.0976 4084 upnphost (68308183f4ae0be7bf8ecd07cb297999) C:\Windows\System32\upnphost.dll
08:50:13.0991 4084 upnphost - ok
08:50:14.0038 4084 USBAAPL (eafe1e00739afe6c51487a050e772e17) C:\Windows\system32\Drivers\usbaapl.sys
08:50:14.0085 4084 USBAAPL - ok
08:50:14.0163 4084 usbaudio (32db9517628ff0d070682aab61e688f0) C:\Windows\system32\drivers\usbaudio.sys
08:50:14.0163 4084 usbaudio - ok
08:50:14.0210 4084 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
08:50:14.0210 4084 usbccgp - ok
08:50:14.0257 4084 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
08:50:14.0288 4084 usbcir - ok
08:50:14.0319 4084 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
08:50:14.0366 4084 usbehci - ok
08:50:14.0397 4084 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
08:50:14.0444 4084 usbhub - ok
08:50:14.0459 4084 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
08:50:14.0459 4084 usbohci - ok
08:50:14.0491 4084 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
08:50:14.0537 4084 usbprint - ok
08:50:14.0584 4084 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
08:50:14.0584 4084 usbscan - ok
08:50:14.0631 4084 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
08:50:14.0678 4084 USBSTOR - ok
08:50:14.0709 4084 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
08:50:14.0756 4084 usbuhci - ok
08:50:14.0787 4084 UxSms (1509e705f3ac1d474c92454a5c2dd81f) C:\Windows\System32\uxsms.dll
08:50:14.0787 4084 UxSms - ok
08:50:14.0865 4084 vds (cd88d1b7776dc17a119049742ec07eb4) C:\Windows\System32\vds.exe
08:50:14.0865 4084 vds - ok
08:50:14.0912 4084 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
08:50:14.0943 4084 vga - ok
08:50:14.0974 4084 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
08:50:15.0052 4084 VgaSave - ok
08:50:15.0083 4084 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
08:50:15.0115 4084 viaagp - ok
08:50:15.0146 4084 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
08:50:15.0177 4084 ViaC7 - ok
08:50:15.0193 4084 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
08:50:15.0239 4084 viaide - ok
08:50:15.0271 4084 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
08:50:15.0286 4084 volmgr - ok
08:50:15.0333 4084 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
08:50:15.0380 4084 volmgrx - ok
08:50:15.0427 4084 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
08:50:15.0473 4084 volsnap - ok
08:50:15.0505 4084 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
08:50:15.0551 4084 vsmraid - ok
08:50:15.0661 4084 VSS (db3d19f850c6eb32bdcb9bc0836acddb) C:\Windows\system32\vssvc.exe
08:50:15.0692 4084 VSS - ok
08:50:15.0739 4084 W32Time (96ea68b9eb310a69c25ebb0282b2b9de) C:\Windows\system32\w32time.dll
08:50:15.0754 4084 W32Time - ok
08:50:15.0817 4084 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
08:50:15.0817 4084 WacomPen - ok
08:50:15.0848 4084 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
08:50:15.0926 4084 Wanarp - ok
08:50:15.0926 4084 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
08:50:15.0926 4084 Wanarpv6 - ok
08:50:15.0973 4084 wcncsvc (a3cd60fd826381b49f03832590e069af) C:\Windows\System32\wcncsvc.dll
08:50:15.0988 4084 wcncsvc - ok
08:50:16.0066 4084 WCPU (50e66d10f4593962495958bce4e7386c) C:\Program Files\P4G\WCPU.sys
08:50:16.0097 4084 WCPU - ok
08:50:16.0129 4084 WcsPlugInService (11bcb7afcdd7aadacb5746f544d3a9c7) C:\Windows\System32\WcsPlugInService.dll
08:50:16.0129 4084 WcsPlugInService - ok
08:50:16.0175 4084 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
08:50:16.0207 4084 Wd - ok
08:50:16.0285 4084 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
08:50:16.0285 4084 Wdf01000 - ok
08:50:16.0331 4084 WdiServiceHost (abfc76b48bb6c96e3338d8943c5d93b5) C:\Windows\system32\wdi.dll
08:50:16.0347 4084 WdiServiceHost - ok
08:50:16.0347 4084 WdiSystemHost (abfc76b48bb6c96e3338d8943c5d93b5) C:\Windows\system32\wdi.dll
08:50:16.0363 4084 WdiSystemHost - ok
08:50:16.0409 4084 WebClient (04c37d8107320312fbae09926103d5e2) C:\Windows\System32\webclnt.dll
08:50:16.0409 4084 WebClient - ok
08:50:16.0456 4084 Wecsvc (ae3736e7e8892241c23e4ebbb7453b60) C:\Windows\system32\wecsvc.dll
08:50:16.0456 4084 Wecsvc - ok
08:50:16.0487 4084 wercplsupport (670ff720071ed741206d69bd995ea453) C:\Windows\System32\wercplsupport.dll
08:50:16.0503 4084 wercplsupport - ok
08:50:16.0534 4084 WerSvc (32b88481d3b326da6deb07b1d03481e7) C:\Windows\System32\WerSvc.dll
08:50:16.0550 4084 WerSvc - ok
08:50:16.0643 4084 WinDefend (4575aa12561c5648483403541d0d7f2b) C:\Program Files\Windows Defender\mpsvc.dll
08:50:16.0659 4084 WinDefend - ok
08:50:16.0659 4084 WinHttpAutoProxySvc - ok
08:50:16.0737 4084 Winmgmt (6b2a1d0e80110e3d04e6863c6e62fd8a) C:\Windows\system32\wbem\WMIsvc.dll
08:50:16.0753 4084 Winmgmt - ok
08:50:16.0924 4084 WinRM (7cfe68bdc065e55aa5e8421607037511) C:\Windows\system32\WsmSvc.dll
08:50:16.0971 4084 WinRM - ok
08:50:17.0049 4084 Wlansvc (c008405e4feeb069e30da1d823910234) C:\Windows\System32\wlansvc.dll
08:50:17.0065 4084 Wlansvc - ok
08:50:17.0143 4084 WLSetupSvc (94a85e956a065e23e0010a6a7826243b) C:\Program Files\Windows Live\installer\WLSetupSvc.exe
08:50:17.0158 4084 WLSetupSvc - ok
08:50:17.0221 4084 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
08:50:17.0252 4084 WmiAcpi - ok
08:50:17.0330 4084 wmiApSrv (43be3875207dcb62a85c8c49970b66cc) C:\Windows\system32\wbem\WmiApSrv.exe
08:50:17.0330 4084 wmiApSrv - ok
08:50:17.0455 4084 WMPNetworkSvc (3978704576a121a9204f8cc49a301a9b) C:\Program Files\Windows Media Player\wmpnetwk.exe
08:50:17.0470 4084 WMPNetworkSvc - ok
08:50:17.0501 4084 WPCSvc (cfc5a04558f5070cee3e3a7809f3ff52) C:\Windows\System32\wpcsvc.dll
08:50:17.0517 4084 WPCSvc - ok
08:50:17.0548 4084 WPDBusEnum (801fbdb89d472b3c467eb112a0fc9246) C:\Windows\system32\wpdbusenum.dll
08:50:17.0564 4084 WPDBusEnum - ok
08:50:17.0626 4084 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
08:50:17.0673 4084 WpdUsb - ok
08:50:17.0829 4084 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
08:50:17.0845 4084 WPFFontCache_v0400 - ok
08:50:17.0876 4084 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
08:50:17.0923 4084 ws2ifsl - ok
08:50:17.0954 4084 wscsvc (1ca6c40261ddc0425987980d0cd2aaab) C:\Windows\system32\wscsvc.dll
08:50:17.0969 4084 wscsvc - ok
08:50:17.0969 4084 WSearch - ok
08:50:18.0141 4084 wuauserv (6298277b73c77fa99106b271a7525163) C:\Windows\system32\wuaueng.dll
08:50:18.0188 4084 wuauserv - ok
08:50:18.0344 4084 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
08:50:18.0359 4084 WUDFRd - ok
08:50:18.0391 4084 wudfsvc (575a4190d989f64732119e4114045a4f) C:\Windows\System32\WUDFSvc.dll
08:50:18.0391 4084 wudfsvc - ok
08:50:18.0422 4084 WUSBVBus - ok
08:50:18.0484 4084 MBR (0x1B8) (64b1e91c5c6c2157642651010728f90f) \Device\Harddisk0\DR0
08:50:18.0531 4084 \Device\Harddisk0\DR0 - ok
08:50:18.0531 4084 Boot (0x1200) (001be4a1259ef09bcc01daf3327825e4) \Device\Harddisk0\DR0\Partition0
08:50:18.0547 4084 \Device\Harddisk0\DR0\Partition0 - ok
08:50:18.0562 4084 Boot (0x1200) (9335093c85664b235a006c51049b0a1d) \Device\Harddisk0\DR0\Partition1
08:50:18.0562 4084 \Device\Harddisk0\DR0\Partition1 - ok
08:50:18.0562 4084 ============================================================
08:50:18.0562 4084 Scan finished
08:50:18.0562 4084 ============================================================
08:50:18.0578 0900 Detected object count: 0
08:50:18.0578 0900 Actual detected object count: 0


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-05 08:57:04
-----------------------------
08:57:04.581 OS Version: Windows 6.0.6002 Service Pack 2
08:57:04.581 Number of processors: 2 586 0xF06
08:57:04.581 ComputerName: GILL-PC UserName: Gill
08:57:33.692 Initialize success
09:00:08.467 AVAST engine defs: 12050401
09:04:50.890 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
09:04:50.890 Disk 0 Vendor: Hitachi_HTS541616J9SA00 SB4OC70P Size: 152627MB BusType: 3
09:04:50.921 Disk 0 MBR read successfully
09:04:50.921 Disk 0 MBR scan
09:04:50.952 Disk 0 unknown MBR code
09:04:50.968 Disk 0 Partition 1 00 1C Hidd FAT32 LBA MSDOS5.0 7000 MB offset 2048
09:04:50.983 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 76313 MB offset 14338048
09:04:50.983 Disk 0 Partition - 00 0F Extended LBA 69312 MB offset 170627072
09:04:51.015 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 69311 MB offset 170629120
09:04:51.030 Disk 0 scanning sectors +312578048
09:04:51.108 Disk 0 scanning C:\Windows\system32\drivers
09:05:15.085 Service scanning
09:05:59.155 Modules scanning
09:06:09.420 Disk 0 trace - called modules:
09:06:09.451 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys tcpip.sys NETIO.SYS
09:06:09.467 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85209520]
09:06:09.467 3 CLASSPNP.SYS[885ad8b3] -> nt!IofCallDriver -> [0x85018918]
09:06:09.483 5 acpi.sys[806976bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x84277528]
09:06:10.200 AVAST engine scan C:\Windows
09:06:19.467 AVAST engine scan C:\Windows\system32
09:10:45.014 AVAST engine scan C:\Windows\system32\drivers
09:11:09.412 AVAST engine scan C:\Users\Gill
09:25:37.630 AVAST engine scan C:\ProgramData
09:26:55.303 Scan finished successfully
09:30:09.772 Disk 0 MBR has been saved successfully to "C:\Users\Gill\Desktop\MBR.dat"
09:30:09.788 The log file has been saved successfully to "C:\Users\Gill\Desktop\aswMBR.txt"

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 05 May 2012 - 03:00 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 Blue Meerkat

Blue Meerkat
  • Topic Starter

  • Members
  • 6 posts

Posted 05 May 2012 - 04:29 PM

Hi again,

No problems running this. Note: You didn't say this time around, but I decided to disable my antivirus again, before running combofix.
Again, laptop seems fine at the moment. Not seen anything for 28 hours now - although it was an irregular issue.

Here's the log...

ComboFix 12-05-04.03 - Gill 05/05/2012 22:03:59.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2047.1143 [GMT 1:00]
Running from: c:\users\Gill\Desktop\ComboFix.exe
Command switches used :: c:\users\Gill\Desktop\CFScript.txt
AV: ESET Smart Security 4.0 *Disabled/Updated* {CB0F8167-5331-BA19-698E-64816B6801A5}
FW: ESET Personal firewall *Enabled* {F3340042-195E-BB41-42D1-CDB495BB46DE}
SP: ESET Smart Security 4.0 *Disabled/Updated* {706E6083-750B-B597-533E-5FF310EF4B18}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-04-05 to 2012-05-05 )))))))))))))))))))))))))))))))
.
.
2072-04-03 13:13 . 2008-03-21 14:46 607296 ------w- c:\program files\Microsoft Games\Age of Empires III\deformerdllyD.dll
2071-07-25 09:13 . 2006-11-21 20:48 203576 ------w- c:\program files\Microsoft Games\Age of Empires III\autopatcher2.exe
2012-05-05 21:13 . 2012-05-05 21:13 -------- d-----w- c:\users\Gill\AppData\Local\temp
2012-05-05 21:13 . 2012-05-05 21:13 -------- d-----w- c:\users\TestABC\AppData\Local\temp
2012-05-05 21:13 . 2012-05-05 21:13 -------- d-----w- c:\users\Ross\AppData\Local\temp
2012-05-05 21:13 . 2012-05-05 21:13 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-05 21:13 . 2012-05-05 21:13 -------- d-----w- c:\users\David\AppData\Local\temp
2012-05-04 17:35 . 2012-04-13 07:36 6734704 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{93FA124B-9D93-42A3-B57C-8208E72BF4DF}\mpengine.dll
2012-05-04 17:35 . 2012-05-04 17:35 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-05-04 17:35 . 2012-05-04 17:35 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-05-04 17:35 . 2012-05-04 17:35 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
2012-05-01 05:52 . 2012-05-01 05:52 -------- d-----w- c:\users\Gill\AppData\Roaming\SUPERAntiSpyware.com
2012-05-01 05:51 . 2012-05-01 05:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-05-01 05:51 . 2012-05-01 05:51 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-04-22 15:55 . 2012-04-22 15:55 -------- d-----w- c:\users\Gill\AppData\Roaming\Malwarebytes
2012-04-22 15:54 . 2012-04-22 15:54 -------- d-----w- c:\programdata\Malwarebytes
2012-04-22 15:54 . 2012-04-22 15:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-22 15:54 . 2012-04-04 14:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-13 13:02 . 2012-02-29 15:11 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-13 13:02 . 2012-02-29 15:11 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-04-13 13:02 . 2012-02-29 15:09 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-13 13:02 . 2012-02-29 13:32 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-13 13:01 . 2012-03-06 06:39 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-13 13:01 . 2012-03-06 06:39 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-12 07:21 . 2012-03-01 11:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-04-08 20:18 . 2012-04-08 20:18 -------- d-----w- c:\users\Gill\AppData\Local\{126967B4-81B8-11E1-826D-B8AC6F996F26}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-05 09:11 . 2007-08-13 11:59 45056 ----a-w- c:\windows\system32\acovcnt.exe
2012-02-23 09:18 . 2009-10-06 21:57 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-15 11:01 . 2012-02-15 11:01 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 11:01 . 2012-02-15 11:01 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-14 15:45 . 2012-03-14 08:10 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-02-14 15:45 . 2012-03-14 08:10 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-02-14 11:09 . 2012-02-14 11:09 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-02-13 14:12 . 2012-03-14 08:10 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-02-13 13:47 . 2012-03-14 08:10 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-02-13 13:44 . 2012-03-14 08:10 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-02-11 10:56 . 2012-02-11 10:56 800824 ----a-w- c:\users\Default\AppData\Roaming\DPInst.exe
2012-02-11 10:56 . 2012-02-11 10:56 36352 ----a-w- c:\users\Default\AppData\Roaming\PnPutil.exe
2012-02-11 10:56 . 2012-02-11 10:56 106496 ----a-w- c:\users\Default\AppData\Roaming\gacutil.exe
2012-05-04 17:35 . 2011-05-02 14:15 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-04-20 3905920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-02-15 4390912]
"ATKMEDIA"="c:\program files\ASUS\ATK Media\DMEDIA.EXE" [2006-11-02 61440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-22 815104]
"ASUS Camera ScreenSaver"="c:\windows\ASScrProlog.exe" [2007-05-24 37232]
"ASUS Screen Saver Protector"="c:\windows\ASScrPro.exe" [2007-05-24 33136]
"WinCast"="c:\hauppauge\WinTV CD 4.0\CDSetup\setup.exe" [2007-08-21 110653]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-09-11 2054360]
"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]
"EKAIO2StatusMonitor"="c:\windows\system32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe" [2011-12-10 2756608]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-06 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"KodakHomeCenter"="c:\program files\Kodak\AiO\Center\AiOHomeCenter.exe" [2011-12-12 2234288]
.
c:\users\Ross\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-11 22:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2007-03-26 18:42 1057328 ----a-w- c:\program files\Nero\Nero 7\InCD\InCD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MFP Manager]
2008-06-05 16:20 712704 ----a-w- c:\program files\MFP Server Utilities\MFPAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-26 19:12 161328 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerForPhone]
2007-01-15 22:17 778240 ----a-w- c:\program files\PowerForPhone\PowerForPhone.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 14:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-04-11 10:04 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.asus.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
LSP: c:\windows\system32\wpclsp.dll
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Gill\AppData\Roaming\Mozilla\Firefox\Profiles\t8cksxjc.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-05 22:13
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"=hex:51,66,7a,6c,4c,1d,38,12,f1,9d,97,
02,e5,86,37,08,c7,6b,3b,0b,78,35,a4,a7
"{3049C3E9-B461-4BC5-8870-4C09146192CA}"=hex:51,66,7a,6c,4c,1d,38,12,87,c0,5a,
34,53,fa,ab,0e,f7,66,0f,49,11,3f,d6,de
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:b2,ab,d9,0f,9e,f7,cc,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,ec,db,a5,6b,27,d5,42,a5,17,ef,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,ec,db,a5,6b,27,d5,42,a5,17,ef,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-05-05 22:16:53
ComboFix-quarantined-files.txt 2012-05-05 21:16
ComboFix2.txt 2012-05-04 18:25
.
Pre-Run: 24,749,953,024 bytes free
Post-Run: 24,849,469,440 bytes free
.
- - End Of File - - 1CFCD512E3C9E1ACDAB331C06815D257
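The ComboFix log above lists the machine's autostart entries under "Reg Loading Points". As an added example that is not part of this thread, of ComboFix or of any tool Gringo names, here is a small Python triage script that parses that section and flags the entries a responder would review first: images in user-writable folders (Temp, AppData), DLLs started through rundll32/regsvr32, and targets ComboFix could not find ([N/A]). The sample lines are constructed in the ComboFix format; the `example_loader` and `GoneHelper` entries are invented for the demonstration.

```python
"""Triage helper for the "Reg Loading Points" section of a ComboFix log.

Added example (not ComboFix's own code): parse the [HKEY...\Run] sections
and attach review reasons to each autostart entry.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample shaped like the ComboFix output in this thread.
# "example_loader" and "GoneHelper" are invented to exercise the heuristics;
# the other lines mirror legitimate autostarts.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"example_loader"="c:\windows\system32\rundll32.exe c:\users\Gill\AppData\Local\Temp\example.dll,ExampleExport" [2012-05-01 40960]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-09-11 2054360]
"GoneHelper"="c:\users\Gill\AppData\Roaming\gonehelper.exe" [N/A]
"""

SECTION_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# "Name"="command" [YYYY-MM-DD size]   or   "Name"="command" [N/A]
ENTRY_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<value>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
META_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)$")
# Command begins with (optionally path-qualified) rundll32 or regsvr32.
LOADER_RE = re.compile(r"^(?:\S*\\)?(rundll32|regsvr32)(\.exe)?\b", re.IGNORECASE)
# Any path component under AppData\Local, AppData\Roaming or a Temp folder.
USER_WRITABLE_RE = re.compile(r"\\(appdata\\(local|roaming)|temp)\\", re.IGNORECASE)


@dataclass
class AutostartEntry:
    key: str
    name: str
    command: str
    date: Optional[str]          # None when ComboFix reported [N/A]
    size: Optional[int]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def assess(entry: AutostartEntry) -> None:
    """Attach plain-language reasons an analyst would want to look at."""
    if entry.date is None:
        entry.reasons.append("target file not present on disk ([N/A])")
    if LOADER_RE.match(entry.command):
        entry.reasons.append("DLL started via rundll32/regsvr32 loader")
    if USER_WRITABLE_RE.search(entry.command):
        entry.reasons.append("image lives in a user-writable folder")


def parse_loading_points(text: str) -> List[AutostartEntry]:
    """Walk the log, tracking the current registry key, and collect entries."""
    entries: List[AutostartEntry] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            key = sec.group("key")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # "." separators and anything else
        meta = META_RE.match(m.group("meta").strip())
        entry = AutostartEntry(
            key=key,
            name=m.group("name"),
            command=m.group("value"),
            date=meta.group("date") if meta else None,
            size=int(meta.group("size")) if meta else None,
        )
        assess(entry)
        entries.append(entry)
    return entries


def suspicious_names(text: str) -> List[str]:
    """Names of the autostart entries that collected at least one reason."""
    return [e.name for e in parse_loading_points(text) if e.suspicious]


if __name__ == "__main__":
    for e in parse_loading_points(SAMPLE_LOG):
        print(f"{'REVIEW' if e.suspicious else 'ok    '} {e.name:16} {e.command}")
        for r in e.reasons:
            print(f"         - {r}")
```

A legitimate entry can still land in AppData (updaters often do), so the reasons are a review queue, not a verdict.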

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 05 May 2012 - 08:12 PM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does a lot better job).

Programs to remove

Adobe Reader 8.1.2


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#9 Blue Meerkat

Blue Meerkat
  • Topic Starter

  • Members
  • 6 posts

Posted 06 May 2012 - 04:18 PM

Hi Gringo,

Logs are below as requested.
No issues whilst running.
And laptop seems to be running fine.

Cheers,

David


Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.03.06

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Gill :: GILL-PC [administrator]

06/05/2012 14:29:06
mbam-log-2012-05-06 (14-29-06).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 256672
Time elapsed: 8 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:04:46, on 06/05/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ASUS\Net4Switch\Net4Switch.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\ASUS\ATK Media\DMedia.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\ASScrPro.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Windows\System32\spool\drivers\w32x86\3\EKAiO2MUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ASUS Camera ScreenSaver] C:\Windows\ASScrProlog.exe
O4 - HKLM\..\Run: [ASUS Screen Saver Protector] C:\Windows\ASScrPro.exe
O4 - HKLM\..\Run: [WinCast] C:\Hauppauge\WinTV CD 4.0\CDSetup\setup.exe -leng
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM\..\Run: [EKAIO2StatusMonitor] C:\Windows\system32\spool\DRIVERS\W32X86\3\EKAiO2MUI.exe
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [KodakHomeCenter] "C:\Program Files\Kodak\AiO\Center\AiOHomeCenter.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [KodakHomeCenter] "C:\Program Files\Kodak\AiO\Center\AiOHomeCenter.exe" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak AiO Network Discovery Service - Eastman Kodak Company - C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Program Files\Macrium\Reflect\ReflectService.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: Syntek AVStream USB2.0 WebCam Service (StkSSrv) - Syntek America Inc. - C:\Windows\System32\StkCSrv.exe

--
End of file - 8195 bytes

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:09 PM

Posted 06 May 2012 - 09:32 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to. You can start any of these programs when you need it by clicking its icon (or starting it from the Control Panel). By stopping these programs from starting automatically you will boot up faster and your computer will work faster.

If you have any problems running HijackThis, see NOTE** below (hosts file not read, blank Notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [ATKMEDIA] C:\Program Files\ASUS\ATK Media\DMEDIA.EXE
      O4 - HKLM\..\Run: [ASUS Camera ScreenSaver] C:\Windows\ASScrProlog.exe
      O4 - HKLM\..\Run: [WinCast] C:\Hauppauge\WinTV CD 4.0\CDSetup\setup.exe -leng
      O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
      O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
      O4 - HKUS\S-1-5-18\..\RunOnce: [KodakHomeCenter] "C:\Program Files\Kodak\AiO\Center\AiOHomeCenter.exe" (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\RunOnce: [KodakHomeCenter] "C:\Program Files\Kodak\AiO\Center\AiOHomeCenter.exe" (User 'Default user')
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select "Run as administrator".

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Windows 7, right-click the IE shortcut and run it as administrator.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 Blue Meerkat

Blue Meerkat
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:09 AM

Posted 08 May 2012 - 12:04 PM

Hi Gringo,

Thanks again. The PC certainly boots a lot faster with that lot disabled.

I was wondering about the Java updater (jusched.exe). With that disabled I'm liable to forget to update Java regularly - is jusched.exe that bad? Or is there a better way in practice of getting things like java to update when needed? (What do you do?)

So I ran the ESET online scanner. Strangely, there was no log file as such that I can paste here. So I tried again in case I was blind. But still no log. However, the GUI window showed the following on both occasions (give or take a few seconds):
Scan results
No threats found
Scanned files: 244113
Infected files: 0
Cleaned files: 0
Total scan time: 1:49:14
Scan status: Finished

Looking good... Have not seen any symptoms of the problem since you began looking into this.

Cheers,

David

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:09 PM

Posted 08 May 2012 - 12:45 PM

Hello


I was wondering about the Java updater (jusched.exe). With that disabled I'm liable to forget to update Java regularly - is jusched.exe that bad? Or is there a better way in practice of getting things like java to update when needed? (What do you do?)

It is not bad, just not needed. If you are one who forgets to do updates, then that can be left on.

Restore HijackThis entries
The HijackThis log backup contains all entries that have been deleted...both good and bad entries.
Let's restore the deleted entries, that we need.
  • Run HijackThis.
    If using Vista, you must right-click (hijackthis.exe) and choose "Run As Administrator".
    • If you are on the "scan & fix stuff" page... press the Main Menu... button.
  • On the Main Menu, press the "View the list of backups" button.
  • Place a check in the box of the entries below.

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

  • With entries checked...press the "Restore"...button, then reply Yes at the prompt.



Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


:Why we need to remove some of our tools:

Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful; if used incorrectly or at the wrong time, they can make the computer an expensive paperweight.
They are updated all the time and some of them more than once a day so by the time you are ready to use them again they will already be outdated.

The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.
:DeFogger:

Note** Defogger only needs to be run if it was run when we first started. If you have not already run it then skip this.

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK.
Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:

  • turn off all active protection software
  • Push the "Windows key" + "R" (the Windows key is between the "Ctrl" button and the "Alt" button)
  • Please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

:Remove the rest of our tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:The programs you can keep:

Some of the programs that we have used are a good idea to keep and use often to help keep the computer clean. I use these programs on my computer.

Revo Uninstaller Free - this is the uninstaller that I had you download. It works a lot better than Add/Remove in Windows and has saved me more than once from corrupted installs and uninstalls.

CCleaner - This is a good program to clean out temp files, I would use this once a week or before any malware scan to remove unwanted temp files - It has a built in registry cleaner but I would leave that alone and not use any registry cleaner

Malwarebytes' Anti-Malware The Gold standard today in antimalware scanners

:Security programs:

One of the questions I am asked all the time is "What programs do you use?" I have at this time 4 computers in my home and I have this setup on all 4 of them.


  • Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often. (I have upgraded to the paid version of MBAM and I am glad I did.)

    Note** If you decide to install MSE you will need to uninstall your present Antivirus

:Security awareness:

The other question I am asked all the time is "How can I prevent this from happening again?" and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must-reads and should be read by everybody in your household who uses the internet.

internetsafety

Internet Safety for Kids

Here is some more reading for you from some of my colleagues

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum

COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

quoted from Tech Support Forum

Conclusion

There is no such thing as ‘perfect security’. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->Posted Image<-- Don't worry every little bit helps.

Gringo
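An added example (editor's code, not from the thread, from HijackThis or from the Malware Response Team) that does in PowerShell what posts #10 and #12 describe by hand: it lists the same Run/RunOnce entries HijackThis reports as O4 lines, flags the ones a responder would look at first, backs an entry up before removing it, and restores it from that backup later (the "Fix checked" and "View the list of backups / Restore" steps). The key list, the backup directory under the user profile and the triage heuristics are the editor's assumptions. Run it from an elevated PowerShell, since HKLM and HKEY_USERS\S-1-5-18 are not readable or writable otherwise.

```powershell
# Editor's example, not from the thread. Elevated PowerShell required for HKLM / HKU\S-1-5-18.
# Key list, backup directory and heuristics below are assumptions, not a standard.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'Registry::HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'Registry::HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Get-ItemProperty adds these provider properties to every result; they are not registry values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutorunImage {
    # Executable path from a Run value, handling the forms seen in O4 lines:
    # "C:\a b\x.exe" -flag, C:\x.exe -flag, rundll32.exe "..." and unquoted paths with spaces.
    param([string]$Command)
    $Command = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($Command -match '^"([^"]+)"') { $path = $Matches[1] }
    elseif ($Command -match '^(\S+\.exe)(\s|$)') { $path = $Matches[1] }
    else { $path = $Command -replace '\s+[-/]\S.*$', '' }     # strip trailing -flag / /flag arguments
    if ($path -notmatch '[\\/]') {                               # bare name such as rundll32.exe: resolve via PATH
        $app = Get-Command -Name $path -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($app) { $path = $app.Path }
    }
    return $path
}

function Test-SuspiciousAutorun {
    # Triage signals only: an unsigned OEM utility is common on a 2012-era laptop and is not a verdict.
    param([string]$Command, [string]$Image)
    $reasons = @()
    if ($Command -match '\\(Temp|Temporary Internet Files|\$Recycle\.Bin|RECYCLER)\\') {
        $reasons += 'runs from a temp or recycle-bin directory'
    }
    # rundll32 <dll>,<export> is only as trustworthy as the DLL it is told to load.
    if ($Command -match 'rundll32(\.exe)?\s+"?([^",]+\.dll)"?\s*,') {
        $dll = $Matches[2]
        if ($dll -notmatch '^(%SystemRoot%|C:\\Windows)\\') { $reasons += "rundll32 loads $dll from outside the Windows directory" }
    }
    if (-not (Test-Path -LiteralPath $Image)) {
        $reasons += 'image missing (orphaned entry, e.g. file already quarantined)'
    } elseif ((Get-AuthenticodeSignature -FilePath $Image).Status -ne 'Valid') {
        $reasons += 'image has no valid Authenticode signature'
    }
    return ($reasons -join '; ')
}

function Get-AutorunEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        if (-not $values) { continue }
        foreach ($prop in $values.PSObject.Properties) {
            if ($ProviderProps -contains $prop.Name) { continue }
            $cmd = [string]$prop.Value
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $cmd
                Flags   = Test-SuspiciousAutorun -Command $cmd -Image (Get-AutorunImage -Command $cmd)
            }
        }
    }
}

function Backup-AutorunEntry {
    # Save key, value name, data and value type (REG_SZ vs REG_EXPAND_SZ); this is what makes removal reversible.
    param([string]$Key, [string]$Name, [string]$BackupDir = "$env:USERPROFILE\autorun-backups")
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $regKey = Get-Item -Path $Key
    $record = [pscustomobject]@{
        Key   = $Key
        Name  = $Name
        Value = $regKey.GetValue($Name, $null, 'DoNotExpandEnvironmentNames')
        Kind  = $regKey.GetValueKind($Name).ToString()
    }
    $file = Join-Path $BackupDir ('{0}-{1:yyyyMMdd-HHmmss}.clixml' -f ($Name -replace '[^\w.-]', '_'), (Get-Date))
    $record | Export-Clixml -Path $file
    return $file
}

function Remove-AutorunEntry {
    # Equivalent of ticking one O4 line and pressing "Fix checked", but with an undo file.
    param([string]$Key, [string]$Name)
    $backup = Backup-AutorunEntry -Key $Key -Name $Name
    Remove-ItemProperty -Path $Key -Name $Name
    return $backup
}

function Restore-AutorunEntry {
    # Equivalent of HijackThis "View the list of backups" -> "Restore".
    param([string]$BackupFile)
    $b = Import-Clixml -Path $BackupFile
    New-ItemProperty -Path $b.Key -Name $b.Name -Value $b.Value -PropertyType $b.Kind -Force | Out-Null
}

# Triage first: anything with a non-empty Flags column gets looked at before it is deleted.
Get-AutorunEntry | Sort-Object { $_.Flags -eq '' } | Format-Table Name, Flags, Command -AutoSize

# Then, for example (commented out so the listing above is the script's only side effect):
# $undo = Remove-AutorunEntry -Key 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SunJavaUpdateSched'
# Restore-AutorunEntry -BackupFile $undo
```

The flags are ordered the way a responder reads an O4 list: a command that runs from a temp directory or has rundll32 load a DLL from outside %SystemRoot% is the pattern worth chasing, an entry whose file no longer exists is usually a leftover from a quarantine and is safe to delete, and "no valid signature" on its own mostly picks out old OEM utilities and should be read together with the path. Because Backup-AutorunEntry records the value type, a REG_EXPAND_SZ entry comes back as REG_EXPAND_SZ rather than silently becoming a plain string.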

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:09 PM

Posted 11 May 2012 - 01:20 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



