Infected with Zero access


  • This topic is locked
49 replies to this topic

#1 GI-John

  • Members
  • 32 posts

Posted 29 April 2012 - 09:02 PM

DDS Log. Attached Gmer Zip & DDSTEXT

Issues began when my RIP program froze/locked up. I closed and attempted to open the RIP program again and got a missing .dll error message.

Since posting the problem I have run aswbr, FSS and reported results. I was told I have ZeroAccess. After running these I can no longer get internet access. The RIP and internet (IE) still do not work, but all other programs, at least the ones I have tried, are still working.

I ran DDS & GMER. After running GMER I get a pop up that says no modifications have been found.



.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Admin at 17:01:25 on 2012-04-29
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/?PC=BNHP
uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1209&m=lx6810-01
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1209&m=lx6810-01
mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1209&m=lx6810-01
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: StartNow Toolbar Helper: {6e13d095-45c3-4271-9475-f3b48227dd9f} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
TB: StartNow Toolbar: {5911488e-9d1e-40ec-8cbb-06b231cc153f} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
uRun: [cdloader] "C:\Users\Admin\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
mRun: [LchDrvKey] LchDrvKey.exe
mRun: [LedKey] CNYHKey.exe
mRun: [eRecoveryService]
mRun: [P2Go_Menu] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
StartupFolder: C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\RIPPRO~1.LNK - C:\DTGRIPProV04\Launcher.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SMARTC~1.LNK - C:\Program Files (x86)\Northstar\SmartCopy\SmartCopy.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SMARTL~1.LNK - C:\Program Files (x86)\Northstar\SmartLauncher\SmartLauncher.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\TENDAW~1.LNK - C:\Program Files (x86)\Tenda\Common\RaUI.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~2\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\nvLsp.dll
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO-X64: StartNow Toolbar Helper: {6E13D095-45C3-4271-9475-F3B48227DD9F} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll
BHO-X64: StartNow Toolbar Helper - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~2\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
TB-X64: StartNow Toolbar: {5911488E-9D1E-40ec-8CBB-06B231CC153F} - C:\Program Files (x86)\StartNow Toolbar\Toolbar32.dll
EB-X64: {182EC0BE-5110-49C8-A062-BEB1D02A220B} - No File
mRun-x64: [LchDrvKey] LchDrvKey.exe
mRun-x64: [LedKey] CNYHKey.exe
mRun-x64: [eRecoveryService]
mRun-x64: [P2Go_Menu] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
mRun-x64: [ArcSoft Connection Service] "C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe"
mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~2\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4ktipeo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
.
============= SERVICES / DRIVERS ===============
.
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-04-25 15:09:14 -------- d-----w- C:\Program Files (x86)\Cobian Backup 11
2012-04-23 16:56:01 -------- d-----w- C:\Users\Admin\AppData\Roaming\Malwarebytes
2012-04-23 16:55:55 -------- d-----w- C:\ProgramData\Malwarebytes
2012-04-23 16:55:55 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-04-23 16:45:56 -------- d-----w- C:\Users\Admin\AppData\Local\Temp(7)
2012-04-23 14:26:27 -------- d-----w- C:\Users\Admin\AppData\Roaming\Avira
2012-04-23 14:21:04 97312 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2012-04-23 14:21:04 27760 ----a-w- C:\Windows\System32\drivers\avkmgr.sys
2012-04-23 14:21:03 -------- d-----w- C:\ProgramData\Avira
2012-04-23 14:21:03 -------- d-----w- C:\Program Files (x86)\Avira
2012-04-20 16:12:30 0 --sha-w- C:\Windows\System32\dds_trash_log.cmd
2012-04-20 16:11:47 418464 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-04-20 16:11:23 -------- d-----we C:\Windows\system64
2012-04-20 06:13:29 8917360 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{A40392A3-237A-40A0-90EE-0BB90A6C69D6}\mpengine.dll
2012-04-11 07:03:29 4699520 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-04-11 07:02:53 78848 ----a-w- C:\Windows\System32\imagehlp.dll
2012-04-11 07:02:53 5632 ----a-w- C:\Windows\System32\wmi.dll
2012-04-11 07:02:53 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-04-11 07:02:53 219136 ----a-w- C:\Windows\System32\wintrust.dll
2012-04-11 07:02:53 172032 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-04-11 07:02:53 16384 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-04-11 07:02:53 157696 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-04-10 20:33:03 2409784 ----a-w- C:\Program Files\Windows Mail\OESpamFilter.dat
2012-04-10 20:33:03 2409784 ----a-w- C:\Program Files (x86)\Windows Mail\OESpamFilter.dat
.
==================== Find3M ====================
.
2012-04-29 20:13:05 900 --sha-w- C:\ProgramData\KGyGaAvL.sys
2012-04-20 16:11:47 70304 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-28 06:56:48 2311168 ----a-w- C:\Windows\System32\jscript9.dll
2012-02-28 06:49:56 1390080 ----a-w- C:\Windows\System32\wininet.dll
2012-02-28 06:48:57 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-02-28 06:42:55 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-02-28 01:18:55 1799168 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-02-23 14:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-02-14 16:49:43 327680 ----a-w- C:\Windows\System32\d3d10_1core.dll
2012-02-14 16:49:43 196096 ----a-w- C:\Windows\System32\d3d10_1.dll
2012-02-14 16:09:44 1070352 ----a-w- C:\Windows\SysWow64\MSCOMCTL.OCX
2012-02-14 15:45:30 219648 ----a-w- C:\Windows\SysWow64\d3d10_1core.dll
2012-02-14 15:45:30 160768 ----a-w- C:\Windows\SysWow64\d3d10_1.dll
2012-02-13 14:38:31 2002944 ----a-w- C:\Windows\System32\d3d10warp.dll
2012-02-13 14:12:08 1172480 ----a-w- C:\Windows\SysWow64\d3d10warp.dll
2012-02-13 14:06:48 834048 ----a-w- C:\Windows\System32\d2d1.dll
2012-02-13 14:03:11 1555968 ----a-w- C:\Windows\System32\DWrite.dll
2012-02-13 13:47:57 683008 ----a-w- C:\Windows\SysWow64\d2d1.dll
2012-02-13 13:44:40 1068544 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-02-02 15:34:25 2765824 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 17:02:05.56 ===============
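
Added here as an editor's example, not part of this thread or of the DDS/ComboFix tools: a small Python triage script that parses file-listing lines of the kind shown in the DDS "Created Last 30" and "Find3M" sections above (and the two-timestamp variant ComboFix prints later in the thread) and lists the entries a helper would look at first. It assumes the DDS attribute letters s=system, h=hidden, a=archive, w=writable, d=directory; the path patterns it checks are the locations ComboFix removes in post #9 of this thread, and the sample lines are copied from the logs posted here.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# One file-listing line as DDS prints it ("Created Last 30" / "Find3M"),
# with an optional second ". <modified>" timestamp as ComboFix prints it.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?)"
    r"(?: \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r"\s+(?P<size>\d+|-{8})"          # byte size, or "--------" for a directory
    r"\s+(?P<attrs>[a-z-]{8})"        # attribute column, e.g. ----a-w- or --sha-w-
    r"\s+(?P<path>.+?)\s*$",
    re.IGNORECASE,
)

# Attribute letters seen on ordinary entries in this thread's logs (assumption:
# d=directory, r=read-only, s=system, h=hidden, a=archive, w=writable).
COMMON_ATTR_LETTERS: Set[str] = set("drshaw")

# Locations ComboFix removed later in this thread (post #9): a bogus "system64"
# next to System32, and Desktop.ini / "@" files under \windows\assembly\.
ZEROACCESS_PATH_RE = re.compile(
    r"\\windows\\system64(\\|$)"
    r"|\\assembly\\gac_(32|64)\\desktop\.ini$"
    r"|\\assembly\\temp\\@$",
    re.IGNORECASE,
)


@dataclass
class Entry:
    created: str
    size: Optional[int]      # None for directories
    attrs: str
    path: str
    modified: Optional[str] = None

    @property
    def flags(self) -> Set[str]:
        return {c for c in self.attrs.lower() if c != "-"}


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a file-listing line, or None for headers/separators."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["created"], size, m["attrs"], m["path"], m["modified"])


def triage(entry: Entry) -> List[str]:
    """List the reasons an entry deserves review (empty list = nothing notable)."""
    reasons: List[str] = []
    f = entry.flags
    # Hidden+system is how ZeroAccess hides its files, but licensing files such
    # as KGyGaAvL.sys carry the same attributes, so this alone is a weak signal.
    if {"h", "s"} <= f:
        reasons.append("hidden+system attributes")
    if entry.size == 0 and f & {"h", "s"}:
        reasons.append("zero-byte hidden/system file")
    unusual = sorted(f - COMMON_ATTR_LETTERS)
    if unusual:  # the letter is not decoded here; it is simply rare in the listing
        reasons.append("unusual attribute letter(s): " + ",".join(unusual))
    if ZEROACCESS_PATH_RE.search(entry.path):
        reasons.append("path matches a ZeroAccess location removed by ComboFix in this thread")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged path in a DDS/ComboFix listing to its review reasons."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            reasons = triage(entry)
            if reasons:
                findings[entry.path] = reasons
    return findings


# Constructed sample: lines copied from the DDS log above and the ComboFix log in post #9.
SAMPLE_LOG = r"""
2012-04-23 14:21:04 97312 ----a-w- C:\Windows\System32\drivers\avgntflt.sys
2012-04-20 16:12:30 0 --sha-w- C:\Windows\System32\dds_trash_log.cmd
2012-04-20 16:11:23 -------- d-----we C:\Windows\system64
2012-04-29 20:13:05 900 --sha-w- C:\ProgramData\KGyGaAvL.sys
2012-04-25 15:09 . 2012-04-25 15:10 -------- d-----w- c:\program files (x86)\Cobian Backup 11
2012-04-20 16:11 . 2012-04-20 16:11 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
"""

if __name__ == "__main__":
    for path, reasons in triage_log(SAMPLE_LOG).items():
        print(path + "\n    " + "\n    ".join(reasons))
```

Run it against a saved DDS or ComboFix log by passing the file's text to `triage_log`; everything it prints is a review list, not a verdict.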


#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 30 April 2012 - 09:46 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 03 May 2012 - 12:16 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 06 May 2012 - 03:49 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

#5 GI-John
  • Topic Starter

  • Members
  • 32 posts

Posted 06 May 2012 - 08:55 PM

Gringo
I have been out of town and away from the infected computer.

Security Check results

Results of screen317's Security Check version 0.99.32
Windows Vista x64 (UAC is enabled)
Out of date service pack!!
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Avira Free Antivirus
Adobe After Effects CS3 Presets
WMI entry may not exist for antivirus; attempting automatic update.
Avira successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 29
Java™ 6 Update 5
Java version out of date!
Adobe Flash Player 10.0.42.34 Flash Player out of Date!
Adobe Reader 8 Adobe Reader out of date!
Mozilla Firefox 10.0.2 Firefox out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````

#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 06 May 2012 - 09:18 PM

NO problem - go ahead and send me the combofix report when it is ready


gringo

#7 GI-John
  • Topic Starter

  • Members
  • 32 posts

Posted 06 May 2012 - 10:00 PM

ComboFix has completed stage 42, taking approx. 1 hour so far. I can't tell if it is still running or not; the cursor is still blinking but not much else seems to be happening. Should I be patient or restart?

#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 06 May 2012 - 10:30 PM

Hello

OK, let's try this: I want you to run ComboFix in safe mode, but it is very important that when ComboFix reboots the computer you direct it back into safe mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

After ComboFix has finished its scan, please post the report back here.

Gringo

#9 GI-John
  • Topic Starter

  • Members
  • 32 posts

Posted 07 May 2012 - 09:03 AM

Here is the ComboFix output. It was run in normal mode; it just took a while.

The antivirus software started on reboot and still detected the virus.

ComboFix 12-05-06.03 - Admin 05/06/2012 22:03:06.1.4 - x64
Running from: c:\users\Admin\Desktop\ComboFix.exe
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\StartNow Toolbar
c:\program files (x86)\StartNow Toolbar\ReactivateIE.exe
c:\program files (x86)\StartNow Toolbar\StartNowToolbarUninstall.exe
c:\program files (x86)\StartNow Toolbar\Toolbar32.dll
c:\program files (x86)\StartNow Toolbar\ToolbarBroker.exe
c:\program files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe
c:\users\Admin\g2mdlhlpx.exe
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
c:\windows\system32\dds_trash_log.cmd
c:\windows\System64
c:\windows\TEMP\{4995B6B0-BEA9-4316-8A76-97C38DAB8E4D}\{7F811A54-5A09-4579-90E1-C93498E230D9}\_IsRes.dll
c:\windows\TEMP\{4995B6B0-BEA9-4316-8A76-97C38DAB8E4D}\{7F811A54-5A09-4579-90E1-C93498E230D9}\_ISUser.dll
c:\windows\TEMP\{4995B6B0-BEA9-4316-8A76-97C38DAB8E4D}\{7F811A54-5A09-4579-90E1-C93498E230D9}\isrt.dll
c:\windows\TEMP\{4995B6B0-BEA9-4316-8A76-97C38DAB8E4D}\ISBEW64.exe
c:\windows\TEMP\{CC3273D0-1E27-48DE-82A4-7D8266C5C165}\_Setup.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_SPService
-------\Service_Updater Service for StartNow Toolbar
-------\Service_Updater Service for StartNow Toolbar
.
.
((((((((((((((((((((((((( Files Created from 2012-04-07 to 2012-05-07 )))))))))))))))))))))))))))))))
.
.
2012-04-25 15:09 . 2012-04-25 15:10 -------- d-----w- c:\program files (x86)\Cobian Backup 11
2012-04-23 16:56 . 2012-04-23 16:56 -------- d-----w- c:\users\Admin\AppData\Roaming\Malwarebytes
2012-04-23 16:55 . 2012-04-24 12:35 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-04-23 16:55 . 2012-04-23 16:55 -------- d-----w- c:\programdata\Malwarebytes
2012-04-23 16:45 . 2012-04-23 17:08 -------- d-----w- c:\users\Admin\AppData\Local\Temp(7)
2012-04-23 14:26 . 2012-04-23 14:26 -------- d-----w- c:\users\Admin\AppData\Roaming\Avira
2012-04-23 14:21 . 2012-01-31 12:57 132320 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-04-23 14:21 . 2012-01-31 12:57 97312 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-04-23 14:21 . 2011-09-16 20:09 27760 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-04-23 14:21 . 2012-04-23 14:21 -------- d-----w- c:\programdata\Avira
2012-04-23 14:21 . 2012-04-23 14:21 -------- d-----w- c:\program files (x86)\Avira
2012-04-20 16:11 . 2012-04-20 16:11 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-20 16:11 . 2012-04-20 16:11 -------- d-----w- c:\windows\system32\Macromed
2012-04-20 06:13 . 2012-04-13 08:46 8917360 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{A40392A3-237A-40A0-90EE-0BB90A6C69D6}\mpengine.dll
2012-04-11 07:03 . 2012-03-06 06:44 4699520 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 07:02 . 2012-02-29 15:37 5632 ----a-w- c:\windows\system32\wmi.dll
2012-04-11 07:02 . 2012-02-29 15:37 219136 ----a-w- c:\windows\system32\wintrust.dll
2012-04-11 07:02 . 2012-02-29 15:35 78848 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-11 07:02 . 2012-02-29 15:11 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-04-11 07:02 . 2012-02-29 15:11 172032 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-11 07:02 . 2012-02-29 15:09 157696 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-11 07:02 . 2012-02-29 13:52 16384 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-10 20:33 . 2012-03-01 11:01 2409784 ----a-w- c:\program files (x86)\Windows Mail\OESpamFilter.dat
2012-04-10 20:33 . 2012-03-01 11:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-01 13:03 . 2009-12-15 15:26 900 --sha-w- c:\programdata\KGyGaAvL.sys
2012-04-20 16:11 . 2011-07-12 12:23 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-23 14:18 . 2011-12-08 07:15 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-02-14 16:49 . 2012-03-13 19:04 327680 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-02-14 16:49 . 2012-03-13 19:04 196096 ----a-w- c:\windows\system32\d3d10_1.dll
2012-02-14 16:09 . 2012-02-14 16:09 1070352 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-02-14 15:45 . 2012-03-13 19:04 219648 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2012-02-14 15:45 . 2012-03-13 19:04 160768 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2012-02-13 14:38 . 2012-03-13 19:04 2002944 ----a-w- c:\windows\system32\d3d10warp.dll
2012-02-13 14:12 . 2012-03-13 19:04 1172480 ----a-w- c:\windows\SysWow64\d3d10warp.dll
2012-02-13 14:06 . 2012-03-13 19:04 834048 ----a-w- c:\windows\system32\d2d1.dll
2012-02-13 14:03 . 2012-03-13 19:04 1555968 ----a-w- c:\windows\system32\DWrite.dll
2012-02-13 13:47 . 2012-03-13 19:04 683008 ----a-w- c:\windows\SysWow64\d2d1.dll
2012-02-13 13:44 . 2012-03-13 19:04 1068544 ----a-w- c:\windows\SysWow64\DWrite.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\users\Admin\AppData\Roaming\mjusbsp\cdloader2.exe" [2012-02-01 50592]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
"LedKey"="CNYHKey.exe" [2008-04-24 339968]
"eRecoveryService"="" [BU]
"P2Go_Menu"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-13 210216]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2012-01-31 258512]
.
c:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-14 24246216]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
RIP Pro AutoLauncher.lnk - c:\dtgripprov04\Launcher.exe [2010-3-9 122955]
SmartCopy.lnk - c:\program files (x86)\Northstar\SmartCopy\SmartCopy.exe [2009-12-15 319488]
SmartLauncher.lnk - c:\program files (x86)\Northstar\SmartLauncher\SmartLauncher.exe [2009-12-15 335872]
Tenda Wireless Utility.lnk - c:\program files (x86)\Tenda\Common\RaUI.exe [2011-11-9 382464]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-20 253088]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-20 16:11]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2008-08-19 333344]
"Skytel"="Skytel.exe" [2008-09-18 1833504]
"RtHDVCpl"="RAVCpl64.exe" [2008-09-18 6495264]
"combofix"="c:\combofix\CF31364.3XE" [2008-01-21 363008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Subsonic
tomcatcws3
LVVI500A
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?PC=BNHP
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1209&m=lx6810-01
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105
LSP: %SYSTEMROOT%\system32\nvLsp.dll
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4ktipeo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Avira\AntiVir Desktop\sched.exe
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files\GATEWAY\Gateway Recovery Management\eRecovery\HidChk.exe
c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files (x86)\Tenda\Common\RaRegistry.exe
c:\program files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
c:\program files (x86)\InstallShield Installation Information\{7F811A54-5A09-4579-90E1-C93498E230D9}\setup.exe
c:\windows\MHotKey.exe
c:\windows\CNYHKey.exe
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\windows\SysWOW64\ping.exe
.
**************************************************************************
.
Completion time: 2012-05-07 09:18:18 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-07 13:18
ComboFix2.txt 2012-04-23 16:45
.
Pre-Run: 466,221,813,760 bytes free
Post-Run: 465,037,422,592 bytes free
.
- - End Of File - - CCECF3CF590B93E587925C455311EB3A
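
The ComboFix log above lists the autostart points the tools in this thread look at: the Run keys in both registry views, the Startup folders, the netsvcs group under Svchost and the ShellIconOverlayIdentifiers handlers loaded into Explorer. The following PowerShell script is an added example, not code from the thread or from ComboFix, that re-enumerates those same locations live, resolves each entry to a file and reports its SHA-256, Authenticode status and whether it sits in a directory a standard user can write to. It assumes PowerShell 5.1 or later in an elevated prompt; the directory patterns treated as user-writable and the sort order are my choices, and every entry it prints (including the netsvcs names seen in the log) is reported for review, not judged.

```powershell
# Added triage script, not from the thread or from ComboFix. Re-enumerates the
# autostart locations ComboFix reports, resolves each to a file on disk and
# prints hash, Authenticode status and whether the file lives somewhere a
# standard user can write. Read-only: nothing is deleted or changed.
# Requires PowerShell 5.1+ (Get-FileHash) in an elevated prompt.

$findings = New-Object System.Collections.Generic.List[object]
$wsh = New-Object -ComObject WScript.Shell

function Resolve-ImagePath {
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $s = [Environment]::ExpandEnvironmentVariables($Raw.Trim())
    # Strip quotes and trailing arguments:  "C:\x\y.exe" /arg  ->  C:\x\y.exe
    if ($s.StartsWith('"')) { $s = $s.Substring(1).Split('"')[0] }
    elseif ($s -match '^(.+?\.(exe|dll|ocx|sys))(\s|$)') { $s = $Matches[1] }
    # Bare names such as CNYHKey.exe are found through PATH; approximate that lookup
    if (-not (Test-Path -LiteralPath $s)) {
        $cmd = Get-Command $s -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($cmd -and $cmd.Path) { $s = $cmd.Path }
    }
    return $s
}

function Add-Finding {
    param([string]$Source, [string]$Name, [string]$Raw)
    $path = Resolve-ImagePath $Raw
    $exists = [bool]($path -and (Test-Path -LiteralPath $path))
    $hash = $null; $sig = $null
    if ($exists) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $sig  = (Get-AuthenticodeSignature -LiteralPath $path).Status
    }
    # Profile, ProgramData and Temp are writable without admin rights (assumed
    # pattern list); code loading from there deserves a second look.
    $userWritable = [bool]($path -and ($path -match '\\Users\\|\\ProgramData\\|\\Temp\\'))
    $findings.Add([pscustomobject]@{
        Source = $Source; Name = $Name; Path = $path; Exists = $exists
        SHA256 = $hash; Signature = $sig; UserWritable = $userWritable
    })
}

# 1. Run keys: 64-bit view, Wow6432Node view and the current user
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        Add-Finding -Source $k -Name $p.Name -Raw ([string]$p.Value)
    }
}

# 2. Startup folders (per-user and all-users): follow each .lnk to its target
foreach ($dir in @([Environment]::GetFolderPath('Startup'),
                   [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -LiteralPath $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding -Source $dir -Name $_.Name -Raw $wsh.CreateShortcut($_.FullName).TargetPath
    }
}

# 3. netsvcs group: each name here is loaded into a shared svchost.exe, so
#    resolve it to its ServiceDll; a name with no service key shows as Exists=False
$netsvcs = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost').netsvcs
foreach ($svc in $netsvcs) {
    $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
    $dll = if (Test-Path $params) { (Get-ItemProperty $params).ServiceDll } else { $null }
    Add-Finding -Source 'netsvcs' -Name $svc -Raw $dll
}

# 4. Shell icon overlay handlers: CLSID -> InprocServer32 DLL loaded by explorer.exe
$overlayKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
Get-ChildItem $overlayKey -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = (Get-ItemProperty $_.PSPath).'(default)'
    $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
    $dll = if (Test-Path $inproc) { (Get-ItemProperty $inproc).'(default)' } else { $null }
    Add-Finding -Source 'ShellIconOverlayIdentifiers' -Name $_.PSChildName -Raw $dll
}

# Missing files, unsigned files and user-writable locations sort to the top
$findings |
    Sort-Object @{Expression={$_.Exists}}, @{Expression={$_.Signature -eq 'Valid'}}, @{Expression={-not $_.UserWritable}} |
    Format-Table Source, Name, Path, Exists, Signature, UserWritable -AutoSize
```

Run it once before and once after a cleanup pass and diff the two outputs; an entry that resolves to nothing on disk, or to an unsigned file under the profile, is the kind of line a helper will ask about next.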

#10 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Location: Puerto Rico)

Posted 07 May 2012 - 09:23 AM

Greetings

I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save Log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
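
As an added illustration of the report step in the instructions above (not part of gringo_pr's post and not TDSSKiller's own code), the following PowerShell snippet locates the newest TDSSKiller log in the root of the system drive and lists every scanned object whose verdict is anything other than "ok", together with its MD5 and path, so the lines worth posting back are easy to pick out. The two line formats it parses (hash line and verdict line) are taken from the TDSSKiller log pasted later in this thread; the function names, the assumption that the log lives in $env:SystemDrive\, and the constructed sample used when no log is found (the ExampleSvc pair and its verdict text are hypothetical) are mine. PowerShell 3 or later is assumed.

```powershell
# Added example, not from the thread or from TDSSKiller. Summarises the newest
# TDSSKiller log. The log prints one line per object with hash and path:
#   15:38:51.0145 10248 ACDaemon (adc4...) C:\...\ACService.exe
# followed by a verdict line:
#   15:38:51.0145 10248 ACDaemon - ok
# Everything before the "Scan started" banner (drive geometry, partitions) is
# skipped because those lines also contain " - " but are not verdicts.

function Get-LatestTdssKillerLog {
    # The instructions place the log in the root of the system drive (assumed)
    Get-ChildItem -Path "$env:SystemDrive\" -Filter 'TDSSKiller.*_log.txt' -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
}

function ConvertFrom-TdssKillerLog {
    param([string[]]$Lines)
    $entries  = @{}
    $scanning = $false
    foreach ($line in $Lines) {
        if ($line -match 'Scan started') { $scanning = $true; continue }
        if (-not $scanning) { continue }
        # "<time> <pid> <name> (<md5>) <path>"
        if ($line -match '^\S+\s+\d+\s+(?<name>.+?)\s+\((?<md5>[0-9a-fA-F]{32})\)\s+(?<path>.+)$') {
            $entries[$Matches.name] = [pscustomobject]@{
                Name = $Matches.name; MD5 = $Matches.md5.ToLower(); Path = $Matches.path; Verdict = $null
            }
        }
        # "<time> <pid> <name> - <verdict>"
        elseif ($line -match '^\S+\s+\d+\s+(?<name>.+?) - (?<verdict>.+)$') {
            if (-not $entries.ContainsKey($Matches.name)) {
                $entries[$Matches.name] = [pscustomobject]@{ Name = $Matches.name; MD5 = $null; Path = $null; Verdict = $null }
            }
            $entries[$Matches.name].Verdict = $Matches.verdict
        }
    }
    $entries.Values
}

$log = Get-LatestTdssKillerLog
if ($log) {
    $lines = Get-Content -LiteralPath $log.FullName
} else {
    # Constructed sample in the log's format; the ExampleSvc pair is hypothetical
    $lines = @'
15:38:50.0038 10248 Scan started
15:38:51.0145 10248 ACDaemon (adc420616c501b45d26c0fd3ef1e54e4) C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
15:38:51.0145 10248 ACDaemon - ok
15:38:51.0270 10248 ACPI (1965aaffab07e3fb03c77f81beba3547) C:\Windows\system32\drivers\acpi.sys
15:38:51.0270 10248 ACPI - ok
15:38:52.0908 10248 Beep - ok
15:38:59.0000 10248 ExampleSvc (00000000000000000000000000000000) C:\Windows\system32\example.dll
15:38:59.0000 10248 ExampleSvc - detected (constructed sample verdict)
'@ -split "`r?`n"
}

$all   = @(ConvertFrom-TdssKillerLog -Lines $lines)
$notOk = @($all | Where-Object { $_.Verdict -ne 'ok' })

"{0} objects scanned, {1} with a verdict other than 'ok'" -f $all.Count, $notOk.Count
$notOk | Format-Table Name, Verdict, MD5, Path -AutoSize
```

On a clean run the table is empty; objects with no verdict line at all (Verdict shows as blank) are worth a look too, since TDSSKiller normally closes every entry with one.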

#11 GI-John (Topic Starter, Members, 32 posts)

Posted 07 May 2012 - 02:53 PM

TDSSKiller ran without issue. Avira software detects three items:
  1) consrv.dll - TR/ATRAPS.GEN2
  2) LchDrvKey.exe - TR/PATCHED.GEN
  3) Desktopini.vir - TR/ATRAPS.GEN2

Internet explorer is working again.

aswMBR to follow



15:38:47.0947 10476 TDSS rootkit removing tool 2.7.34.0 May 2 2012 09:59:18
15:38:48.0228 10476 ============================================================
15:38:48.0228 10476 Current date / time: 2012/05/07 15:38:48.0228
15:38:48.0228 10476 SystemInfo:
15:38:48.0228 10476
15:38:48.0228 10476 OS Version: 6.0.6002 ServicePack: 2.0
15:38:48.0228 10476 Product type: Workstation
15:38:48.0228 10476 ComputerName: ART-PC
15:38:48.0228 10476 UserName: Admin
15:38:48.0228 10476 Windows directory: C:\Windows
15:38:48.0228 10476 System windows directory: C:\Windows
15:38:48.0228 10476 Running under WOW64
15:38:48.0228 10476 Processor architecture: Intel x64
15:38:48.0228 10476 Number of processors: 4
15:38:48.0228 10476 Page size: 0x1000
15:38:48.0228 10476 Boot type: Normal boot
15:38:48.0228 10476 ============================================================
15:38:48.0696 10476 Drive \Device\Harddisk0\DR0 - Size: 0x950B056000 (596.17 Gb), SectorSize: 0x200, Cylinders: 0x13001, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
15:38:48.0712 10476 Drive \Device\Harddisk5\DR6 - Size: 0x3B80000 (0.06 Gb), SectorSize: 0x200, Cylinders: 0x7, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
15:38:48.0727 10476 ============================================================
15:38:48.0727 10476 \Device\Harddisk0\DR0:
15:38:48.0727 10476 MBR partitions:
15:38:48.0727 10476 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x1D4F800, BlocksNum 0x48B08000
15:38:48.0727 10476 \Device\Harddisk5\DR6:
15:38:48.0727 10476 MBR partitions:
15:38:48.0727 10476 \Device\Harddisk5\DR6\Partition0: MBR, Type 0x6, StartLBA 0x8, BlocksNum 0x1DBF8
15:38:48.0727 10476 ============================================================
15:38:48.0743 10476 C: <-> \Device\Harddisk0\DR0\Partition0
15:38:48.0743 10476 ============================================================
15:38:48.0743 10476 Initialize success
15:38:48.0743 10476 ============================================================
15:38:50.0038 10248 ============================================================
15:38:50.0038 10248 Scan started
15:38:50.0038 10248 Mode: Manual;
15:38:50.0038 10248 ============================================================
15:38:51.0145 10248 ACDaemon (adc420616c501b45d26c0fd3ef1e54e4) C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
15:38:51.0145 10248 ACDaemon - ok
15:38:51.0270 10248 ACPI (1965aaffab07e3fb03c77f81beba3547) C:\Windows\system32\drivers\acpi.sys
15:38:51.0270 10248 ACPI - ok
15:38:51.0379 10248 AdobeFlashPlayerUpdateSvc (76d5a3d2a50402a0b9b6ed13c4371e79) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
15:38:51.0395 10248 AdobeFlashPlayerUpdateSvc - ok
15:38:51.0457 10248 adp94xx (f14215e37cf124104575073f782111d2) C:\Windows\system32\drivers\adp94xx.sys
15:38:51.0473 10248 adp94xx - ok
15:38:51.0520 10248 adpahci (7d05a75e3066861a6610f7ee04ff085c) C:\Windows\system32\drivers\adpahci.sys
15:38:51.0535 10248 adpahci - ok
15:38:51.0566 10248 adpu160m (820a201fe08a0c345b3bedbc30e1a77c) C:\Windows\system32\drivers\adpu160m.sys
15:38:51.0566 10248 adpu160m - ok
15:38:51.0598 10248 adpu320 (9b4ab6854559dc168fbb4c24fc52e794) C:\Windows\system32\drivers\adpu320.sys
15:38:51.0613 10248 adpu320 - ok
15:38:51.0691 10248 AeLookupSvc (0f421175574bfe0bf2f4d8e910a253bb) C:\Windows\System32\aelupsvc.dll
15:38:51.0691 10248 AeLookupSvc - ok
15:38:51.0769 10248 AFD (c4f6ce6087760ad70960c9eb130e7943) C:\Windows\system32\drivers\afd.sys
15:38:51.0769 10248 AFD - ok
15:38:51.0832 10248 AgereModemAudio (8b0d8b5bafd4c9d57b41426bc68b32f9) C:\Windows\system32\agr64svc.exe
15:38:51.0832 10248 AgereModemAudio - ok
15:38:51.0925 10248 AgereSoftModem (a6ab6f0ace87da76b4c401813d18be95) C:\Windows\system32\DRIVERS\agrsm64.sys
15:38:51.0956 10248 AgereSoftModem - ok
15:38:52.0003 10248 agp440 (f6f6793b7f17b550ecfdbd3b229173f7) C:\Windows\system32\drivers\agp440.sys
15:38:52.0003 10248 agp440 - ok
15:38:52.0034 10248 aic78xx (222cb641b4b8a1d1126f8033f9fd6a00) C:\Windows\system32\drivers\djsvs.sys
15:38:52.0034 10248 aic78xx - ok
15:38:52.0097 10248 aksdf (bc569a6c209d94f6643ee35710aec1f6) C:\Windows\system32\DRIVERS\aksdf.sys
15:38:52.0097 10248 aksdf - ok
15:38:52.0144 10248 ALG (5922f4f59b7868f3d74bbbbeb7b825a3) C:\Windows\System32\alg.exe
15:38:52.0144 10248 ALG - ok
15:38:52.0175 10248 aliide (157d0898d4b73f075ce9fa26b482df98) C:\Windows\system32\drivers\aliide.sys
15:38:52.0190 10248 aliide - ok
15:38:52.0190 10248 amdide (970fa5059e61e30d25307b99903e991e) C:\Windows\system32\drivers\amdide.sys
15:38:52.0190 10248 amdide - ok
15:38:52.0222 10248 AmdK8 (cdc3632a3a5ea4dbb83e46076a3165a1) C:\Windows\system32\drivers\amdk8.sys
15:38:52.0237 10248 AmdK8 - ok
15:38:52.0315 10248 AntiVirSchedulerService (72709089a54bdc1c5b16bc4a4b926567) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
15:38:52.0315 10248 AntiVirSchedulerService - ok
15:38:52.0331 10248 AntiVirService (42f88bfbb76f7a63e381829479b18518) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
15:38:52.0346 10248 AntiVirService - ok
15:38:52.0409 10248 Appinfo (9c37b3fd5615477cb9a0cd116cf43f5c) C:\Windows\System32\appinfo.dll
15:38:52.0409 10248 Appinfo - ok
15:38:52.0440 10248 arc (ba8417d4765f3988ff921f30f630e303) C:\Windows\system32\drivers\arc.sys
15:38:52.0456 10248 arc - ok
15:38:52.0502 10248 arcsas (9d41c435619733b34cc16a511e644b11) C:\Windows\system32\drivers\arcsas.sys
15:38:52.0502 10248 arcsas - ok
15:38:52.0549 10248 AsyncMac (22d13ff3dafec2a80634752b1eaa2de6) C:\Windows\system32\DRIVERS\asyncmac.sys
15:38:52.0549 10248 AsyncMac - ok
15:38:52.0596 10248 atapi (1898fae8e07d97f2f6c2d5326c633fac) C:\Windows\system32\drivers\atapi.sys
15:38:52.0596 10248 atapi - ok
15:38:52.0658 10248 AudioEndpointBuilder (79318c744693ec983d20e9337a2f8196) C:\Windows\System32\Audiosrv.dll
15:38:52.0674 10248 AudioEndpointBuilder - ok
15:38:52.0674 10248 AudioSrv (79318c744693ec983d20e9337a2f8196) C:\Windows\System32\Audiosrv.dll
15:38:52.0690 10248 AudioSrv - ok
15:38:52.0752 10248 AVer88xHD (5e76debba4311ac1c44de83d59a9584e) C:\Windows\system32\drivers\AVer88xHD64.sys
15:38:52.0768 10248 AVer88xHD - ok
15:38:52.0799 10248 avgntflt (aa8f79a1bdfc03b3bc70c44ab00589b4) C:\Windows\system32\DRIVERS\avgntflt.sys
15:38:52.0814 10248 avgntflt - ok
15:38:52.0861 10248 avipbb (852e3c0a60d368c487949e55ad52a47f) C:\Windows\system32\DRIVERS\avipbb.sys
15:38:52.0861 10248 avipbb - ok
15:38:52.0877 10248 avkmgr (248db59fc86de44d2779f4c7fb1a567d) C:\Windows\system32\DRIVERS\avkmgr.sys
15:38:52.0877 10248 avkmgr - ok
15:38:52.0908 10248 Beep - ok
15:38:52.0986 10248 BFE (ffb96c2589ffa60473ead78b39fbde29) C:\Windows\System32\bfe.dll
15:38:53.0002 10248 BFE - ok
15:38:53.0126 10248 BITS (6d316f4859634071cc25c4fd4589ad2c) C:\Windows\system32\qmgr.dll
15:38:53.0142 10248 BITS - ok
15:38:53.0282 10248 blbdrive (79feeb40056683f8f61398d81dda65d2) C:\Windows\system32\drivers\blbdrive.sys
15:38:53.0282 10248 blbdrive - ok
15:38:53.0376 10248 Bonjour Service (73686fe0b2e0469f89fd2075be724704) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
15:38:53.0376 10248 Bonjour Service - ok
15:38:53.0407 10248 bowser (2348447a80920b2493a9b582a23e81e1) C:\Windows\system32\DRIVERS\bowser.sys
15:38:53.0407 10248 bowser - ok
15:38:53.0438 10248 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\drivers\brfiltlo.sys
15:38:53.0454 10248 BrFiltLo - ok
15:38:53.0454 10248 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\drivers\brfiltup.sys
15:38:53.0454 10248 BrFiltUp - ok
15:38:53.0516 10248 Browser (a1b39de453433b115b4ea69ee0343816) C:\Windows\System32\browser.dll
15:38:53.0516 10248 Browser - ok
15:38:53.0563 10248 Brserid (f0f0ba4d815be446aa6a4583ca3bca9b) C:\Windows\system32\drivers\brserid.sys
15:38:53.0563 10248 Brserid - ok
15:38:53.0610 10248 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\system32\drivers\brserwdm.sys
15:38:53.0610 10248 BrSerWdm - ok
15:38:53.0626 10248 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\system32\drivers\brusbmdm.sys
15:38:53.0626 10248 BrUsbMdm - ok
15:38:53.0641 10248 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\system32\drivers\brusbser.sys
15:38:53.0641 10248 BrUsbSer - ok
15:38:53.0672 10248 BTHMODEM (e0777b34e05f8a82a21856efc900c29f) C:\Windows\system32\drivers\bthmodem.sys
15:38:53.0672 10248 BTHMODEM - ok
15:38:53.0704 10248 catchme - ok
15:38:53.0704 10248 cdfs (b4d787db8d30793a4d4df9feed18f136) C:\Windows\system32\DRIVERS\cdfs.sys
15:38:53.0704 10248 cdfs - ok
15:38:53.0735 10248 cdrom (c025aa69be3d0d25c7a2e746ef6f94fc) C:\Windows\system32\DRIVERS\cdrom.sys
15:38:53.0750 10248 cdrom - ok
15:38:53.0782 10248 CertPropSvc (5a268127633c7ee2a7fb87f39d748d56) C:\Windows\System32\certprop.dll
15:38:53.0782 10248 CertPropSvc - ok
15:38:53.0797 10248 circlass (02ea568d498bbdd4ba55bf3fce34d456) C:\Windows\system32\DRIVERS\circlass.sys
15:38:53.0813 10248 circlass - ok
15:38:53.0844 10248 CLFS (3dca9a18b204939cfb24bea53e31eb48) C:\Windows\system32\CLFS.sys
15:38:53.0844 10248 CLFS - ok
15:38:53.0938 10248 clr_optimization_v2.0.50727_32 (8ee772032e2fe80a924f3b8dd5082194) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
15:38:53.0938 10248 clr_optimization_v2.0.50727_32 - ok
15:38:53.0984 10248 clr_optimization_v2.0.50727_64 (ce07a466201096f021cd09d631b21540) C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
15:38:53.0984 10248 clr_optimization_v2.0.50727_64 - ok
15:38:54.0094 10248 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
15:38:54.0094 10248 clr_optimization_v4.0.30319_32 - ok
15:38:54.0140 10248 clr_optimization_v4.0.30319_64 (c6f9af94dcd58122a4d7e89db6bed29d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
15:38:54.0140 10248 clr_optimization_v4.0.30319_64 - ok
15:38:54.0172 10248 cmdide (e5d5499a1c50a54b5161296b6afe6192) C:\Windows\system32\drivers\cmdide.sys
15:38:54.0172 10248 cmdide - ok
15:38:54.0172 10248 Compbatt (7fb8ad01db0eabe60c8a861531a8f431) C:\Windows\system32\drivers\compbatt.sys
15:38:54.0187 10248 Compbatt - ok
15:38:54.0187 10248 COMSysApp - ok
15:38:54.0203 10248 crcdisk (a8585b6412253803ce8efcbd6d6dc15c) C:\Windows\system32\drivers\crcdisk.sys
15:38:54.0203 10248 crcdisk - ok
15:38:54.0250 10248 CryptSvc (18918613e63f387cde4d95ca7d49dcf7) C:\Windows\system32\cryptsvc.dll
15:38:54.0250 10248 CryptSvc - ok
15:38:54.0328 10248 DcomLaunch (cf8b9a3a5e7dc57724a89d0c3e8cf9ef) C:\Windows\system32\rpcss.dll
15:38:54.0328 10248 DcomLaunch - ok
15:38:54.0374 10248 DfsC (8b722ba35205c71e7951cdc4cdbade19) C:\Windows\system32\Drivers\dfsc.sys
15:38:54.0374 10248 DfsC - ok
15:38:54.0577 10248 DFSR (c647f468f7de343df8c143655c5557d4) C:\Windows\system32\DFSR.exe
15:38:54.0624 10248 DFSR - ok
15:38:54.0780 10248 Dhcp (3ed0321127ce70acdaabbf77e157c2a7) C:\Windows\System32\dhcpcsvc.dll
15:38:54.0780 10248 Dhcp - ok
15:38:54.0827 10248 disk (b0107e40ecdb5fa692ebf832f295d905) C:\Windows\system32\drivers\disk.sys
15:38:54.0827 10248 disk - ok
15:38:54.0874 10248 Dnscache (06230f1b721494a6df8d47fd395bb1b0) C:\Windows\System32\dnsrslvr.dll
15:38:54.0874 10248 Dnscache - ok
15:38:54.0920 10248 dot3svc (1a7156dd1e850e9914e5e991e3225b94) C:\Windows\System32\dot3svc.dll
15:38:54.0920 10248 dot3svc - ok
15:38:54.0983 10248 DPS (1583b39790db3eaec7edb0cb0140c708) C:\Windows\system32\dps.dll
15:38:54.0983 10248 DPS - ok
15:38:55.0030 10248 drmkaud (f1a78a98cfc2ee02144c6bec945447e6) C:\Windows\system32\drivers\drmkaud.sys
15:38:55.0030 10248 drmkaud - ok
15:38:55.0108 10248 DXGKrnl (b8e554e502d5123bc111f99d6a2181b4) C:\Windows\System32\drivers\dxgkrnl.sys
15:38:55.0123 10248 DXGKrnl - ok
15:38:55.0170 10248 E1G60 (264cee7b031a9d6c827f3d0cb031f2fe) C:\Windows\system32\DRIVERS\E1G6032E.sys
15:38:55.0170 10248 E1G60 - ok
15:38:55.0217 10248 EapHost (c2303883fd9be49dc36a6400643002ea) C:\Windows\System32\eapsvc.dll
15:38:55.0217 10248 EapHost - ok
15:38:55.0248 10248 Ecache (5f94962be5a62db6e447ff6470c4f48a) C:\Windows\system32\drivers\ecache.sys
15:38:55.0264 10248 Ecache - ok
15:38:55.0326 10248 ehRecvr (14ce384d2e27b64c256bda4dc39c312d) C:\Windows\ehome\ehRecvr.exe
15:38:55.0326 10248 ehRecvr - ok
15:38:55.0342 10248 ehSched (b93159c1313d66fdfbbe876f5189cd52) C:\Windows\ehome\ehsched.exe
15:38:55.0342 10248 ehSched - ok
15:38:55.0388 10248 ehstart (f5ee2527d74449868e3c3227a59bcd28) C:\Windows\ehome\ehstart.dll
15:38:55.0388 10248 ehstart - ok
15:38:55.0420 10248 elxstor (c4636d6e10469404ab5308d9fd45ed07) C:\Windows\system32\drivers\elxstor.sys
15:38:55.0451 10248 elxstor - ok
15:38:55.0482 10248 EMDMgmt (a9b18b63a4fd6baab83326706d857fab) C:\Windows\system32\emdmgmt.dll
15:38:55.0498 10248 EMDMgmt - ok
15:38:55.0513 10248 ErrDev (bc3a58e938bb277e46bf4b3003b01abd) C:\Windows\system32\drivers\errdev.sys
15:38:55.0513 10248 ErrDev - ok
15:38:55.0622 10248 ETService (4d06d9a26227ac485305133916888df1) C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe
15:38:55.0638 10248 ETService - ok
15:38:55.0669 10248 EventSystem (e12f22b73f153dece721cd45ec05b4af) C:\Windows\system32\es.dll
15:38:55.0685 10248 EventSystem - ok
15:38:55.0732 10248 exfat (486844f47b6636044a42454614ed4523) C:\Windows\system32\drivers\exfat.sys
15:38:55.0747 10248 exfat - ok
15:38:55.0794 10248 fastfat (1a4bee34277784619ddaf0422c0c6e23) C:\Windows\system32\drivers\fastfat.sys
15:38:55.0794 10248 fastfat - ok
15:38:55.0825 10248 fdc (81b79b6df71fa1d2c6d688d830616e39) C:\Windows\system32\DRIVERS\fdc.sys
15:38:55.0841 10248 fdc - ok
15:38:55.0872 10248 fdPHost (bb9267acacd8b7533dd936c34a0cba5e) C:\Windows\system32\fdPHost.dll
15:38:55.0872 10248 fdPHost - ok
15:38:55.0888 10248 FDResPub (300c80931eabbe1db7591c516efe8d0f) C:\Windows\system32\fdrespub.dll
15:38:55.0888 10248 FDResPub - ok
15:38:55.0903 10248 FileInfo (457b7d1d533e4bd62a99aed9c7bb4c59) C:\Windows\system32\drivers\fileinfo.sys
15:38:55.0903 10248 FileInfo - ok
15:38:55.0934 10248 Filetrace (d421327fd6efccaf884a54c58e1b0d7f) C:\Windows\system32\drivers\filetrace.sys
15:38:55.0934 10248 Filetrace - ok
15:38:56.0012 10248 FLEXnet Licensing Service (227846995afeefa70d328bf5334a86a5) C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
15:38:56.0012 10248 FLEXnet Licensing Service - ok
15:38:56.0044 10248 flpydisk (230923ea2b80f79b0f88d90f87b87ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
15:38:56.0044 10248 flpydisk - ok
15:38:56.0075 10248 FltMgr (e3041bc26d6930d61f42aedb79c91720) C:\Windows\system32\drivers\fltmgr.sys
15:38:56.0090 10248 FltMgr - ok
15:38:56.0231 10248 FontCache (be1c5bd1ca7ed015bc6fa1ae67e592c8) C:\Windows\system32\FntCache.dll
15:38:56.0293 10248 FontCache - ok
15:38:56.0324 10248 FontCache3.0.0.0 (bc5b0be5af3510b0fd8c140ee42c6d3e) C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
15:38:56.0340 10248 FontCache3.0.0.0 - ok
15:38:56.0434 10248 ForceWare Intelligent Application Manager (IAM) (edfe4ee6513e9d9b33799c6838da7b5f) C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
15:38:56.0434 10248 ForceWare Intelligent Application Manager (IAM) - ok
15:38:56.0496 10248 Fs_Rec (5779b86cd8b32519fbecb136394d946a) C:\Windows\system32\drivers\Fs_Rec.sys
15:38:56.0496 10248 Fs_Rec - ok
15:38:56.0527 10248 gagp30kx (c8e416668d3dc2be3d4fe4c79224997f) C:\Windows\system32\drivers\gagp30kx.sys
15:38:56.0527 10248 gagp30kx - ok
15:38:56.0621 10248 GameConsoleService (617dc2877015270914ca3c03873560d5) C:\Program Files (x86)\Gateway Games\Gateway Game Console\GameConsoleService.exe
15:38:56.0636 10248 GameConsoleService - ok
15:38:56.0714 10248 gpsvc (a0e1b575ba8f504968cd40c0faeb2384) C:\Windows\System32\gpsvc.dll
15:38:56.0730 10248 gpsvc - ok
15:38:56.0792 10248 Hardlock (d8bf3c594bd17a37960362e6c6739b90) C:\Windows\system32\drivers\hardlock.sys
15:38:56.0808 10248 Hardlock - ok
15:38:56.0839 10248 HdAudAddService (df45f8142dc6df9d18c39b3effbd0409) C:\Windows\system32\drivers\HdAudio.sys
15:38:56.0855 10248 HdAudAddService - ok
15:38:56.0933 10248 HDAudBus (f942c5820205f2fb453243edfec82a3d) C:\Windows\system32\DRIVERS\HDAudBus.sys
15:38:56.0948 10248 HDAudBus - ok
15:38:56.0964 10248 HidBth (b4881c84a180e75b8c25dc1d726c375f) C:\Windows\system32\drivers\hidbth.sys
15:38:56.0964 10248 HidBth - ok
15:38:57.0011 10248 HidIr (5f47839455d01ff6403b008d481a6f5b) C:\Windows\system32\DRIVERS\hidir.sys
15:38:57.0011 10248 HidIr - ok
15:38:57.0026 10248 hidserv (59361d38a297755d46a540e450202b2a) C:\Windows\System32\hidserv.dll
15:38:57.0042 10248 hidserv - ok
15:38:57.0042 10248 HidUsb (443bdd2d30bb4f00795c797e2cf99edf) C:\Windows\system32\DRIVERS\hidusb.sys
15:38:57.0042 10248 HidUsb - ok
15:38:57.0089 10248 hkmsvc (b12f367ea39c0795fd57e31242ce1a5a) C:\Windows\system32\kmsvc.dll
15:38:57.0104 10248 hkmsvc - ok
15:38:57.0136 10248 HpCISSs (d7109a1e6bd2dfdbcba72a6bc626a13b) C:\Windows\system32\drivers\hpcisss.sys
15:38:57.0136 10248 HpCISSs - ok
15:38:57.0182 10248 HTTP (098f1e4e5c9cb5b0063a959063631610) C:\Windows\system32\drivers\HTTP.sys
15:38:57.0214 10248 HTTP - ok
15:38:57.0214 10248 i2omp (da94c854cea5fac549d4e1f6e88349e8) C:\Windows\system32\drivers\i2omp.sys
15:38:57.0229 10248 i2omp - ok
15:38:57.0260 10248 i8042prt (cbb597659a2713ce0c9cc20c88c7591f) C:\Windows\system32\DRIVERS\i8042prt.sys
15:38:57.0260 10248 i8042prt - ok
15:38:57.0292 10248 iaStorV (3e3bf3627d886736d0b4e90054f929f6) C:\Windows\system32\drivers\iastorv.sys
15:38:57.0307 10248 iaStorV - ok
15:38:57.0401 10248 idsvc (749f5f8cedca70f2a512945325fc489d) C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
15:38:57.0448 10248 idsvc - ok
15:38:57.0463 10248 iirsp (8c3951ad2fe886ef76c7b5027c3125d3) C:\Windows\system32\drivers\iirsp.sys
15:38:57.0463 10248 iirsp - ok
15:38:57.0526 10248 IKEEXT (0c9ea6e654e7b0471741e343a6c671af) C:\Windows\System32\ikeext.dll
15:38:57.0541 10248 IKEEXT - ok
15:38:57.0619 10248 int15 (8c7fa71cb1ebcd3ede8958d27b1bf0b4) C:\Windows\SysWOW64\drivers\int15_64.sys
15:38:57.0619 10248 int15 - ok
15:38:57.0744 10248 IntcAzAudAddService (6fdf709500c20362ffc5057f0d1e0c8d) C:\Windows\system32\drivers\RTKVHD64.sys
15:38:57.0760 10248 IntcAzAudAddService - ok
15:38:57.0853 10248 intelide (df797a12176f11b2d301c5b234bb200e) C:\Windows\system32\drivers\intelide.sys
15:38:57.0853 10248 intelide - ok
15:38:57.0869 10248 intelppm (bfd84af32fa1bad6231c4585cb469630) C:\Windows\system32\DRIVERS\intelppm.sys
15:38:57.0869 10248 intelppm - ok
15:38:57.0916 10248 IPBusEnum (5624bc1bc5eeb49c0ab76a8114f05ea3) C:\Windows\system32\ipbusenum.dll
15:38:57.0931 10248 IPBusEnum - ok
15:38:57.0962 10248 IpFilterDriver (d8aabc341311e4780d6fce8c73c0ad81) C:\Windows\system32\DRIVERS\ipfltdrv.sys
15:38:57.0962 10248 IpFilterDriver - ok
15:38:58.0009 10248 iphlpsvc (bf0dbfa9792c5c14fa00f61c75116c1b) C:\Windows\System32\iphlpsvc.dll
15:38:58.0025 10248 iphlpsvc - ok
15:38:58.0025 10248 IpInIp - ok
15:38:58.0040 10248 IPMIDRV (9c2ee2e6e5a7203bfae15c299475ec67) C:\Windows\system32\drivers\ipmidrv.sys
15:38:58.0056 10248 IPMIDRV - ok
15:38:58.0072 10248 IPNAT (b7e6212f581ea5f6ab0c3a6ceeeb89be) C:\Windows\system32\DRIVERS\ipnat.sys
15:38:58.0087 10248 IPNAT - ok
15:38:58.0087 10248 IRENUM (8c42ca155343a2f11d29feca67faa88d) C:\Windows\system32\drivers\irenum.sys
15:38:58.0103 10248 IRENUM - ok
15:38:58.0212 10248 isapnp (0672bfcedc6fc468a2b0500d81437f4f) C:\Windows\system32\drivers\isapnp.sys
15:38:58.0228 10248 isapnp - ok
15:38:58.0259 10248 iScsiPrt (e4fdf99599f27ec25d2cf6d754243520) C:\Windows\system32\DRIVERS\msiscsi.sys
15:38:58.0259 10248 iScsiPrt - ok
15:38:58.0290 10248 iteatapi (63c766cdc609ff8206cb447a65abba4a) C:\Windows\system32\drivers\iteatapi.sys
15:38:58.0290 10248 iteatapi - ok
15:38:58.0321 10248 iteraid (1281fe73b17664631d12f643cbea3f59) C:\Windows\system32\drivers\iteraid.sys
15:38:58.0337 10248 iteraid - ok
15:38:58.0352 10248 kbdclass (423696f3ba6472dd17699209b933bc26) C:\Windows\system32\DRIVERS\kbdclass.sys
15:38:58.0368 10248 kbdclass - ok
15:38:58.0384 10248 kbdhid (dbdf75d51464fbc47d0104ec3d572c05) C:\Windows\system32\DRIVERS\kbdhid.sys
15:38:58.0384 10248 kbdhid - ok
15:38:58.0415 10248 KeyIso (260bf9c43ee12c6898a9f5aab0fb0e5d) C:\Windows\system32\lsass.exe
15:38:58.0415 10248 KeyIso - ok
15:38:58.0462 10248 KSecDD (2758d174604f597bbc8a217ff667913d) C:\Windows\system32\Drivers\ksecdd.sys
15:38:58.0477 10248 KSecDD - ok
15:38:58.0524 10248 ksthunk (1d419cf43db29396ecd7113d129d94eb) C:\Windows\system32\drivers\ksthunk.sys
15:38:58.0524 10248 ksthunk - ok
15:38:58.0586 10248 KtmRm (1faf6926f3416d3da05c5b265491bdae) C:\Windows\system32\msdtckrm.dll
15:38:58.0602 10248 KtmRm - ok
15:38:58.0649 10248 LanmanServer (50c7a3cb427e9bb5ed0708a669956ab5) C:\Windows\System32\srvsvc.dll
15:38:58.0649 10248 LanmanServer - ok
15:38:58.0711 10248 LanmanWorkstation (caf86fc1388be1e470f1a7b43e348adb) C:\Windows\System32\wkssvc.dll
15:38:58.0727 10248 LanmanWorkstation - ok
15:38:58.0774 10248 lltdio (96ece2659b6654c10a0c310ae3a6d02c) C:\Windows\system32\DRIVERS\lltdio.sys
15:38:58.0774 10248 lltdio - ok
15:38:58.0852 10248 lltdsvc (961ccbd0b1ccb5675d64976fae37d092) C:\Windows\System32\lltdsvc.dll
15:38:58.0914 10248 lltdsvc - ok
15:38:58.0930 10248 lmhosts (a47f8080cacc23c91fe823ad19aa5612) C:\Windows\System32\lmhsvc.dll
15:38:58.0930 10248 lmhosts - ok
15:38:58.0945 10248 LSI_FC (acbe1af32d3123e330a07bfbc5ec4a9b) C:\Windows\system32\drivers\lsi_fc.sys
15:38:58.0961 10248 LSI_FC - ok
15:38:58.0976 10248 LSI_SAS (799ffb2fc4729fa46d2157c0065b3525) C:\Windows\system32\drivers\lsi_sas.sys
15:38:58.0976 10248 LSI_SAS - ok
15:38:58.0992 10248 LSI_SCSI (f445ff1daad8a226366bfaf42551226b) C:\Windows\system32\drivers\lsi_scsi.sys
15:38:59.0008 10248 LSI_SCSI - ok
15:38:59.0023 10248 luafv (52f87b9cc8932c2a7375c3b2a9be5e3e) C:\Windows\system32\drivers\luafv.sys
15:38:59.0023 10248 luafv - ok
15:38:59.0054 10248 Mcx2Svc (76a58df02bd4ea29f189b82d0bef17f8) C:\Windows\system32\Mcx2Svc.dll
15:38:59.0070 10248 Mcx2Svc - ok
15:38:59.0086 10248 megasas (5c5cd6aaced32fb26c3fb34b3dcf972f) C:\Windows\system32\drivers\megasas.sys
15:38:59.0101 10248 megasas - ok
15:38:59.0148 10248 MegaSR (859bc2436b076c77c159ed694acfe8f8) C:\Windows\system32\drivers\megasr.sys
15:38:59.0164 10248 MegaSR - ok
15:38:59.0242 10248 Microsoft SharePoint Workspace Audit Service - ok
15:38:59.0257 10248 MMCSS (3cbe4995e80e13ccfbc42e5dcf3ac81a) C:\Windows\system32\mmcss.dll
15:38:59.0257 10248 MMCSS - ok
15:38:59.0273 10248 Modem (59848d5cc74606f0ee7557983bb73c2e) C:\Windows\system32\drivers\modem.sys
15:38:59.0273 10248 Modem - ok
15:38:59.0304 10248 monitor (c247cc2a57e0a0c8c6dccf7807b3e9e5) C:\Windows\system32\DRIVERS\monitor.sys
15:38:59.0304 10248 monitor - ok
15:38:59.0320 10248 mouclass (9367304e5e412b120cf5f4ea14e4e4f1) C:\Windows\system32\DRIVERS\mouclass.sys
15:38:59.0335 10248 mouclass - ok
15:38:59.0366 10248 mouhid (c2c2bd5c5ce5aaf786ddd74b75d2ac69) C:\Windows\system32\DRIVERS\mouhid.sys
15:38:59.0366 10248 mouhid - ok
15:38:59.0366 10248 MountMgr (11bc9b1e8801b01f7f6adb9ead30019b) C:\Windows\system32\drivers\mountmgr.sys
15:38:59.0382 10248 MountMgr - ok
15:38:59.0413 10248 mpio (f8276eb8698142884498a528dfea8478) C:\Windows\system32\drivers\mpio.sys
15:38:59.0413 10248 mpio - ok
15:38:59.0444 10248 mpsdrv (c92b9abdb65a5991e00c28f13491dba2) C:\Windows\system32\drivers\mpsdrv.sys
15:38:59.0444 10248 mpsdrv - ok
15:38:59.0522 10248 MpsSvc (897e3baf68ba406a61682ae39c83900c) C:\Windows\system32\mpssvc.dll
15:38:59.0522 10248 MpsSvc - ok
15:38:59.0554 10248 Mraid35x (3c200630a89ef2c0864d515b7a75802e) C:\Windows\system32\drivers\mraid35x.sys
15:38:59.0554 10248 Mraid35x - ok
15:38:59.0569 10248 MRxDAV (7c1de4aa96dc0c071611f9e7de02a68d) C:\Windows\system32\drivers\mrxdav.sys
15:38:59.0585 10248 MRxDAV - ok
15:38:59.0616 10248 mrxsmb (1485811b320ff8c7edad1caebb1c6c2b) C:\Windows\system32\DRIVERS\mrxsmb.sys
15:38:59.0632 10248 mrxsmb - ok
15:38:59.0647 10248 mrxsmb10 (3b929a60c833fc615fd97fba82bc7632) C:\Windows\system32\DRIVERS\mrxsmb10.sys
15:38:59.0647 10248 mrxsmb10 - ok
15:38:59.0678 10248 mrxsmb20 (c64ab3e1f53b4f5b5bb6d796b2d7bec3) C:\Windows\system32\DRIVERS\mrxsmb20.sys
15:38:59.0694 10248 mrxsmb20 - ok
15:38:59.0710 10248 msahci (1ac860612b85d8e85ee257d372e39f4d) C:\Windows\system32\drivers\msahci.sys
15:38:59.0725 10248 msahci - ok
15:38:59.0741 10248 msdsm (264bbb4aaf312a485f0e44b65a6b7202) C:\Windows\system32\drivers\msdsm.sys
15:38:59.0741 10248 msdsm - ok
15:38:59.0772 10248 MSDTC (7ec02ce772f068ed0beafa3da341a9bc) C:\Windows\System32\msdtc.exe
15:38:59.0788 10248 MSDTC - ok
15:38:59.0819 10248 Msfs (704f59bfc4512d2bb0146aec31b10a7c) C:\Windows\system32\drivers\Msfs.sys
15:38:59.0819 10248 Msfs - ok
15:38:59.0850 10248 msisadrv (00ebc952961664780d43dca157e79b27) C:\Windows\system32\drivers\msisadrv.sys
15:38:59.0850 10248 msisadrv - ok
15:38:59.0881 10248 MSiSCSI (366b0c1f4478b519c181e37d43dcda32) C:\Windows\system32\iscsiexe.dll
15:38:59.0897 10248 MSiSCSI - ok
15:38:59.0912 10248 msiserver - ok
15:38:59.0928 10248 MSKSSRV (0ea73e498f53b96d83dbfca074ad4cf8) C:\Windows\system32\drivers\MSKSSRV.sys
15:38:59.0928 10248 MSKSSRV - ok
15:38:59.0944 10248 MSPCLOCK (52e59b7e992a58e740aa63f57edbae8b) C:\Windows\system32\drivers\MSPCLOCK.sys
15:38:59.0944 10248 MSPCLOCK - ok
15:38:59.0990 10248 MSPQM (49084a75bae043ae02d5b44d02991bb2) C:\Windows\system32\drivers\MSPQM.sys
15:38:59.0990 10248 MSPQM - ok
15:39:00.0022 10248 MsRPC (dc6ccf440cdede4293db41c37a5060a5) C:\Windows\system32\drivers\MsRPC.sys
15:39:00.0022 10248 MsRPC - ok
15:39:00.0037 10248 mssmbios (855796e59df77ea93af46f20155bf55b) C:\Windows\system32\DRIVERS\mssmbios.sys
15:39:00.0037 10248 mssmbios - ok
15:39:00.0068 10248 MSTEE (86d632d75d05d5b7c7c043fa3564ae86) C:\Windows\system32\drivers\MSTEE.sys
15:39:00.0068 10248 MSTEE - ok
15:39:00.0084 10248 Mup (0cc49f78d8aca0877d885f149084e543) C:\Windows\system32\Drivers\mup.sys
15:39:00.0084 10248 Mup - ok
15:39:00.0115 10248 napagent (a5b10c845e7538c60c0f5d87a57cb3f5) C:\Windows\system32\qagentRT.dll
15:39:00.0115 10248 napagent - ok
15:39:00.0162 10248 NativeWifiP (2007b826c4acd94ae32232b41f0842b9) C:\Windows\system32\DRIVERS\nwifi.sys
15:39:00.0178 10248 NativeWifiP - ok
15:39:00.0240 10248 NDIS (65950e07329fcee8e6516b17c8d0abb6) C:\Windows\system32\drivers\ndis.sys
15:39:00.0240 10248 NDIS - ok
15:39:00.0256 10248 NdisTapi (64df698a425478e321981431ac171334) C:\Windows\system32\DRIVERS\ndistapi.sys
15:39:00.0256 10248 NdisTapi - ok
15:39:00.0271 10248 Ndisuio (8baa43196d7b5bb972c9a6b2bbf61a19) C:\Windows\system32\DRIVERS\ndisuio.sys
15:39:00.0271 10248 Ndisuio - ok
15:39:00.0287 10248 NdisWan (f8158771905260982ce724076419ef19) C:\Windows\system32\DRIVERS\ndiswan.sys
15:39:00.0302 10248 NdisWan - ok
15:39:00.0318 10248 NDProxy (9cb77ed7cb72850253e973a2d6afdf49) C:\Windows\system32\drivers\NDProxy.sys
15:39:00.0318 10248 NDProxy - ok
15:39:00.0334 10248 NetBIOS (a499294f5029a7862adc115bda7371ce) C:\Windows\system32\DRIVERS\netbios.sys
15:39:00.0349 10248 NetBIOS - ok
15:39:00.0365 10248 netbt (fc2c792ebddc8e28df939d6a92c83d61) C:\Windows\system32\DRIVERS\netbt.sys
15:39:00.0380 10248 netbt - ok
15:39:00.0412 10248 Netlogon (260bf9c43ee12c6898a9f5aab0fb0e5d) C:\Windows\system32\lsass.exe
15:39:00.0412 10248 Netlogon - ok
15:39:00.0443 10248 Netman (9b63b29defc0f3115a559d2597bf5d75) C:\Windows\System32\netman.dll
15:39:00.0443 10248 Netman - ok
15:39:00.0474 10248 netprofm (7846d0136cc2b264926a73047ba7688a) C:\Windows\System32\netprofm.dll
15:39:00.0474 10248 netprofm - ok
15:39:00.0568 10248 netr28x (336a9164be14da360a7e95dba26fcc30) C:\Windows\system32\DRIVERS\netr28x.sys
15:39:00.0583 10248 netr28x - ok
15:39:00.0614 10248 NetTcpPortSharing (74751dda198165947fd7454d83f49825) C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
15:39:00.0630 10248 NetTcpPortSharing - ok
15:39:00.0646 10248 nfrd960 (4ac08bd6af2df42e0c3196d826c8aea7) C:\Windows\system32\drivers\nfrd960.sys
15:39:00.0646 10248 nfrd960 - ok
15:39:00.0677 10248 NlaSvc (f145bf4c4668e7e312069f81ef847cfc) C:\Windows\System32\nlasvc.dll
15:39:00.0677 10248 NlaSvc - ok
15:39:00.0692 10248 Npfs (b298874f8e0ea93f06ec40aa8d146478) C:\Windows\system32\drivers\Npfs.sys
15:39:00.0708 10248 Npfs - ok
15:39:00.0739 10248 nsi (acb62baa1c319b17752553df3026eeeb) C:\Windows\system32\nsisvc.dll
15:39:00.0739 10248 nsi - ok
15:39:00.0755 10248 nsiproxy (1523af19ee8b030ba682f7a53537eaeb) C:\Windows\system32\drivers\nsiproxy.sys
15:39:00.0755 10248 nsiproxy - ok
15:39:00.0848 10248 nSvcIp (0304ac408043c6cb9e88fa6c813cf841) C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
15:39:00.0864 10248 nSvcIp - ok
15:39:00.0958 10248 Ntfs (bac869dfb98e499ba4d9bb1fb43270e1) C:\Windows\system32\drivers\Ntfs.sys
15:39:00.0973 10248 Ntfs - ok
15:39:01.0036 10248 Null (dd5d684975352b85b52e3fd5347c20cb) C:\Windows\system32\drivers\Null.sys
15:39:01.0051 10248 Null - ok
15:39:01.0082 10248 nvamacpi (2b0885148f27b49365d3ad489f7d7b70) C:\Windows\system32\DRIVERS\NVAMACPI.sys
15:39:01.0082 10248 nvamacpi - ok
15:39:01.0114 10248 NVENETFD (cf2a023f422ce6e43302b139e4b87b05) C:\Windows\system32\DRIVERS\nvmfdx64.sys
15:39:01.0129 10248 NVENETFD - ok
15:39:01.0784 10248 nvlddmkm (b34e9bfbd9c61048ef6281c3e7ec210a) C:\Windows\system32\DRIVERS\nvlddmkm.sys
15:39:01.0862 10248 nvlddmkm - ok
15:39:02.0003 10248 NVNET (cf2a023f422ce6e43302b139e4b87b05) C:\Windows\system32\DRIVERS\nvmfdx64.sys
15:39:02.0003 10248 NVNET - ok
15:39:02.0050 10248 nvraid (2c040b7ada5b06f6facadac8514aa034) C:\Windows\system32\drivers\nvraid.sys
15:39:02.0065 10248 nvraid - ok
15:39:02.0096 10248 nvrd64 (90731d8a25964715b850a5b8c3dbfd22) C:\Windows\system32\drivers\nvrd64.sys
15:39:02.0112 10248 nvrd64 - ok
15:39:02.0143 10248 nvsmu (a3ac469ad99ac3fd63afccfc29a90fa9) C:\Windows\system32\DRIVERS\nvsmu.sys
15:39:02.0159 10248 nvsmu - ok
15:39:02.0159 10248 nvstor (f7ea0fe82842d05eda3efdd376dbfdba) C:\Windows\system32\drivers\nvstor.sys
15:39:02.0174 10248 nvstor - ok
15:39:02.0174 10248 nvstor64 (39d974fd0937db87b10e78ae90951fb1) C:\Windows\system32\drivers\nvstor64.sys
15:39:02.0174 10248 nvstor64 - ok
15:39:02.0268 10248 nvsvc (dfda089bb2cd0ff7e789e2ef6ba1e4ba) C:\Windows\system32\nvvsvc.exe
15:39:02.0284 10248 nvsvc - ok
15:39:02.0424 10248 nvUpdatusService (e7818cd4fb51284c948d68a7a85a69b8) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
15:39:02.0455 10248 nvUpdatusService - ok
15:39:02.0580 10248 nv_agp (19067ca93075ef4823e3938a686f532f) C:\Windows\system32\drivers\nv_agp.sys
15:39:02.0596 10248 nv_agp - ok
15:39:02.0596 10248 NwlnkFlt - ok
15:39:02.0596 10248 NwlnkFwd - ok
15:39:02.0689 10248 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
15:39:02.0720 10248 odserv - ok
15:39:02.0767 10248 ohci1394 (b5b1ce65ac15bbd11c0619e3ef7cfc28) C:\Windows\system32\DRIVERS\ohci1394.sys
15:39:02.0767 10248 ohci1394 - ok
15:39:02.0798 10248 ose (9d10f99a6712e28f8acd5641e3a7ea6b) C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
15:39:02.0830 10248 ose - ok
15:39:03.0142 10248 osppsvc (61bffb5f57ad12f83ab64b7181829b34) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
15:39:03.0235 10248 osppsvc - ok
15:39:03.0407 10248 p2pimsvc (9ae31d2e1d15c10d91318e0ec149ceac) C:\Windows\system32\p2psvc.dll
15:39:03.0422 10248 p2pimsvc - ok
15:39:03.0438 10248 p2psvc (9ae31d2e1d15c10d91318e0ec149ceac) C:\Windows\system32\p2psvc.dll
15:39:03.0438 10248 p2psvc - ok
15:39:03.0485 10248 Parport (aecd57f94c887f58919f307c35498ea0) C:\Windows\system32\drivers\parport.sys
15:39:03.0485 10248 Parport - ok
15:39:03.0516 10248 partmgr (f9b5eda4c17a2be7663f064dbf0fe254) C:\Windows\system32\drivers\partmgr.sys
15:39:03.0516 10248 partmgr - ok
15:39:03.0547 10248 PcaSvc (9ab157b374192ff276c1628fbdba2b0e) C:\Windows\System32\pcasvc.dll
15:39:03.0547 10248 PcaSvc - ok
15:39:03.0563 10248 pci (47ab1e0fc9d0e12bb53ba246e3a0906d) C:\Windows\system32\drivers\pci.sys
15:39:03.0578 10248 pci - ok
15:39:03.0578 10248 pciide (8d618c829034479985a9ed56106cc732) C:\Windows\system32\drivers\pciide.sys
15:39:03.0594 10248 pciide - ok
15:39:03.0610 10248 pcmcia (037661f3d7c507c9993b7010ceee6288) C:\Windows\system32\drivers\pcmcia.sys
15:39:03.0625 10248 pcmcia - ok
15:39:03.0672 10248 PEAUTH (58865916f53592a61549b04941bfd80d) C:\Windows\system32\drivers\peauth.sys
15:39:03.0719 10248 PEAUTH - ok
15:39:03.0797 10248 PerfHost (0ed8727ea0172860f47258456c06caea) C:\Windows\SysWow64\perfhost.exe
15:39:03.0797 10248 PerfHost - ok
15:39:03.0906 10248 pla (e9e68c1a0f25cf4a7ac966eea74ee89e) C:\Windows\system32\pla.dll
15:39:03.0937 10248 pla - ok
15:39:03.0984 10248 PlugPlay (fe6b0f59215c9fd9f9d26539c58c8b82) C:\Windows\system32\umpnpmgr.dll
15:39:04.0000 10248 PlugPlay - ok
15:39:04.0078 10248 PNRPAutoReg (9ae31d2e1d15c10d91318e0ec149ceac) C:\Windows\system32\p2psvc.dll
15:39:04.0093 10248 PNRPAutoReg - ok
15:39:04.0093 10248 PNRPsvc (9ae31d2e1d15c10d91318e0ec149ceac) C:\Windows\system32\p2psvc.dll
15:39:04.0109 10248 PNRPsvc - ok
15:39:04.0156 10248 PolicyAgent (89a5560671c2d8b4a4b51f3e1aa069d8) C:\Windows\System32\ipsecsvc.dll
15:39:04.0218 10248 PolicyAgent - ok
15:39:04.0265 10248 PptpMiniport (23386e9952025f5f21c368971e2e7301) C:\Windows\system32\DRIVERS\raspptp.sys
15:39:04.0280 10248 PptpMiniport - ok
15:39:04.0327 10248 Processor (5080e59ecee0bc923f14018803aa7a01) C:\Windows\system32\drivers\processr.sys
15:39:04.0343 10248 Processor - ok
15:39:04.0358 10248 ProfSvc (e058ce4fc2449d8bfa14739c83b7ff2a) C:\Windows\system32\profsvc.dll
15:39:04.0374 10248 ProfSvc - ok
15:39:04.0390 10248 ProtectedStorage (260bf9c43ee12c6898a9f5aab0fb0e5d) C:\Windows\system32\lsass.exe
15:39:04.0390 10248 ProtectedStorage - ok
15:39:04.0405 10248 PSched (c5ab7f0809392d0da027f4a2a81bfa31) C:\Windows\system32\DRIVERS\pacer.sys
15:39:04.0421 10248 PSched - ok
15:39:04.0514 10248 PSI_SVC_2 (a6a7ad767bf5141665f5c675f671b3e1) c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
15:39:04.0514 10248 PSI_SVC_2 - ok
15:39:04.0592 10248 ql2300 (0b83f4e681062f3839be2ec1d98fd94a) C:\Windows\system32\drivers\ql2300.sys
15:39:04.0624 10248 ql2300 - ok
15:39:04.0655 10248 ql40xx (e1c80f8d4d1e39ef9595809c1369bf2a) C:\Windows\system32\drivers\ql40xx.sys
15:39:04.0655 10248 ql40xx - ok
15:39:04.0686 10248 QWAVE (90574842c3da781e279061a3eff91f07) C:\Windows\system32\qwave.dll
15:39:04.0702 10248 QWAVE - ok
15:39:04.0717 10248 QWAVEdrv (e8d76edab77ec9c634c27b8eac33adc5) C:\Windows\system32\drivers\qwavedrv.sys
15:39:04.0717 10248 QWAVEdrv - ok
15:39:04.0795 10248 RalinkRegistryWriter (583608ee65aabf971117a61aee4bcaae) C:\Program Files (x86)\Tenda\Common\RaRegistry.exe
15:39:04.0811 10248 RalinkRegistryWriter - ok
15:39:04.0826 10248 RalinkRegistryWriter64 (2dd4830ab9543bd9067380a7e8e99258) C:\Program Files (x86)\Tenda\Common\RaRegistry64.exe
15:39:04.0826 10248 RalinkRegistryWriter64 - ok
15:39:04.0842 10248 RasAcd (1013b3b663a56d3ddd784f581c1bd005) C:\Windows\system32\DRIVERS\rasacd.sys
15:39:04.0858 10248 RasAcd - ok
15:39:04.0889 10248 RasAuto (b2ae18f847d07f0044404ddf7cb04497) C:\Windows\System32\rasauto.dll
15:39:04.0889 10248 RasAuto - ok
15:39:04.0936 10248 Rasl2tp (ac7bc4d42a7e558718dfdec599bbfc2c) C:\Windows\system32\DRIVERS\rasl2tp.sys
15:39:04.0936 10248 Rasl2tp - ok
15:39:04.0967 10248 RasMan (3ad83e4046c43be510de681588acb8af) C:\Windows\System32\rasmans.dll
15:39:04.0982 10248 RasMan - ok
15:39:04.0998 10248 RasPppoe (4517fbf8b42524afe4ede1de102aae3e) C:\Windows\system32\DRIVERS\raspppoe.sys
15:39:04.0998 10248 RasPppoe - ok
15:39:05.0029 10248 RasSstp (c6a593b51f34c33e5474539544072527) C:\Windows\system32\DRIVERS\rassstp.sys
15:39:05.0029 10248 RasSstp - ok
15:39:05.0060 10248 rdbss (322db5c6b55e8d8ee8d6f358b2aaabb1) C:\Windows\system32\DRIVERS\rdbss.sys
15:39:05.0076 10248 rdbss - ok
15:39:05.0092 10248 RDPCDD (603900cc05f6be65ccbf373800af3716) C:\Windows\system32\DRIVERS\RDPCDD.sys
15:39:05.0092 10248 RDPCDD - ok
15:39:05.0123 10248 rdpdr (c045d1fb111c28df0d1be8d4bda22c06) C:\Windows\system32\drivers\rdpdr.sys
15:39:05.0123 10248 rdpdr - ok
15:39:05.0138 10248 RDPENCDD (cab9421daf3d97b33d0d055858e2c3ab) C:\Windows\system32\drivers\rdpencdd.sys
15:39:05.0138 10248 RDPENCDD - ok
15:39:05.0185 10248 RDPWD (5c141fc457f1ac833664789235aca673) C:\Windows\system32\drivers\RDPWD.sys
15:39:05.0201 10248 RDPWD - ok
15:39:05.0232 10248 RemoteAccess (c612b9557da73f70d41f8a6fbc8e5344) C:\Windows\System32\mprdim.dll
15:39:05.0232 10248 RemoteAccess - ok
15:39:05.0263 10248 RemoteRegistry (44b9d8ec2f3ef3a0efb00857af70d861) C:\Windows\system32\regsvc.dll
15:39:05.0263 10248 RemoteRegistry - ok
15:39:05.0294 10248 RpcLocator (f46c457840d4b7a4daafee739ce04102) C:\Windows\system32\locator.exe
15:39:05.0310 10248 RpcLocator - ok
15:39:05.0357 10248 RpcSs (cf8b9a3a5e7dc57724a89d0c3e8cf9ef) C:\Windows\system32\rpcss.dll
15:39:05.0357 10248 RpcSs - ok
15:39:05.0372 10248 rspndr (22a9cb08b1a6707c1550c6bf099aae73) C:\Windows\system32\DRIVERS\rspndr.sys
15:39:05.0388 10248 rspndr - ok
15:39:05.0450 10248 RSUSBSTOR (1807ea271c9685a25571d94ae4e3a8dd) C:\Windows\system32\Drivers\RTS5121.sys
15:39:05.0466 10248 RSUSBSTOR - ok
15:39:05.0466 10248 Rts516xIR - ok
15:39:05.0497 10248 SamSs (260bf9c43ee12c6898a9f5aab0fb0e5d) C:\Windows\system32\lsass.exe
15:39:05.0497 10248 SamSs - ok
15:39:05.0513 10248 sbp2port (cd9c693589c60ad59bbbcfb0e524e01b) C:\Windows\system32\drivers\sbp2port.sys
15:39:05.0513 10248 sbp2port - ok
15:39:05.0528 10248 SCardSvr (fd1cdcf108d5ef3366f00d18b70fb89b) C:\Windows\System32\SCardSvr.dll
15:39:05.0544 10248 SCardSvr - ok
15:39:05.0606 10248 Schedule (0f838c811ad295d2a4489b9993096c63) C:\Windows\system32\schedsvc.dll
15:39:05.0606 10248 Schedule - ok
15:39:05.0638 10248 SCPolicySvc (5a268127633c7ee2a7fb87f39d748d56) C:\Windows\System32\certprop.dll
15:39:05.0638 10248 SCPolicySvc - ok
15:39:05.0638 10248 SDRSVC (4ff71b076a7760fe75ea5ae2d0ee0018) C:\Windows\System32\SDRSVC.dll
15:39:05.0653 10248 SDRSVC - ok
15:39:05.0669 10248 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
15:39:05.0669 10248 secdrv - ok
15:39:05.0684 10248 seclogon (5acdcbc67fcf894a1815b9f96d704490) C:\Windows\system32\seclogon.dll
15:39:05.0684 10248 seclogon - ok
15:39:05.0700 10248 SENS (90973a64b96cd647ff81c79443618eed) C:\Windows\system32\sens.dll
15:39:05.0700 10248 SENS - ok
15:39:05.0747 10248 Sentinel64 (255476b54c82a89416efdf09fd62f107) C:\Windows\System32\Drivers\Sentinel64.sys
15:39:05.0762 10248 Sentinel64 - ok
15:39:05.0856 10248 SentinelProtectionServer (3ee0cbb405af078f7c25fdb64e4b68f5) C:\Program Files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
15:39:05.0856 10248 SentinelProtectionServer - ok
15:39:05.0872 10248 Serenum (2449316316411d65bd2c761a6ffb2ce2) C:\Windows\system32\DRIVERS\serenum.sys
15:39:05.0872 10248 Serenum - ok
15:39:05.0887 10248 Serial (4b438170be2fc8e0bd35ee87a960f84f) C:\Windows\system32\DRIVERS\serial.sys
15:39:05.0887 10248 Serial - ok
15:39:05.0903 10248 sermouse (a842f04833684bceea7336211be478df) C:\Windows\system32\drivers\sermouse.sys
15:39:05.0918 10248 sermouse - ok
15:39:05.0934 10248 SessionEnv (a8e4a4407a09f35dccc3771af590b0c4) C:\Windows\system32\sessenv.dll
15:39:05.0950 10248 SessionEnv - ok
15:39:05.0965 10248 sffdisk (14d4b4465193a87c127933978e8c4106) C:\Windows\system32\drivers\sffdisk.sys
15:39:05.0965 10248 sffdisk - ok
15:39:05.0981 10248 sffp_mmc (7073aee3f82f3d598e3825962aa98ab2) C:\Windows\system32\drivers\sffp_mmc.sys
15:39:05.0981 10248 sffp_mmc - ok
15:39:05.0996 10248 sffp_sd (35e59ebe4a01a0532ed67975161c7b82) C:\Windows\system32\drivers\sffp_sd.sys
15:39:05.0996 10248 sffp_sd - ok
15:39:05.0996 10248 sfloppy (6b7838c94135768bd455cbdc23e39e5f) C:\Windows\system32\drivers\sfloppy.sys
15:39:06.0012 10248 sfloppy - ok
15:39:06.0059 10248 SharedAccess (4c5aee179da7e1ee9a9ccb9da289af34) C:\Windows\System32\ipnathlp.dll
15:39:06.0059 10248 SharedAccess - ok
15:39:06.0121 10248 ShellHWDetection (56793271ecdedd350c5add305603e963) C:\Windows\System32\shsvcs.dll
15:39:06.0137 10248 ShellHWDetection - ok
15:39:06.0168 10248 SiSRaid2 (7a5de502aeb719d4594c6471060a78b3) C:\Windows\system32\drivers\sisraid2.sys
15:39:06.0168 10248 SiSRaid2 - ok
15:39:06.0199 10248 SiSRaid4 (3a2f769fab9582bc720e11ea1dfb184d) C:\Windows\system32\drivers\sisraid4.sys
15:39:06.0199 10248 SiSRaid4 - ok
15:39:06.0340 10248 slsvc (a9a27a8e257b45a604fdad4f26fe7241) C:\Windows\system32\SLsvc.exe
15:39:06.0371 10248 slsvc - ok
15:39:06.0480 10248 SLUINotify (fd74b4b7c2088e390a30c85a896fc3af) C:\Windows\system32\SLUINotify.dll
15:39:06.0480 10248 SLUINotify - ok
15:39:06.0511 10248 Smb (290b6f6a0ec4fcdfc90f5cb6d7020473) C:\Windows\system32\DRIVERS\smb.sys
15:39:06.0511 10248 Smb - ok
15:39:06.0542 10248 SNMPTRAP (f8f47f38909823b1af28d60b96340cff) C:\Windows\System32\snmptrap.exe
15:39:06.0542 10248 SNMPTRAP - ok
15:39:06.0574 10248 SNTUSB64 (2d5576c01c8a34aa614870e745fe8f19) C:\Windows\system32\DRIVERS\SNTUSB64.SYS
15:39:06.0574 10248 SNTUSB64 - ok
15:39:06.0605 10248 spldr (386c3c63f00a7040c7ec5e384217e89d) C:\Windows\system32\drivers\spldr.sys
15:39:06.0605 10248 spldr - ok
15:39:06.0636 10248 Spooler (f66ff751e7efc816d266977939ef5dc3) C:\Windows\System32\spoolsv.exe
15:39:06.0636 10248 Spooler - ok
15:39:06.0667 10248 srv (880a57fccb571ebd063d4dd50e93e46d) C:\Windows\system32\DRIVERS\srv.sys
15:39:06.0698 10248 srv - ok
15:39:06.0714 10248 srv2 (a1ad14a6d7a37891fffeca35ebbb0730) C:\Windows\system32\DRIVERS\srv2.sys
15:39:06.0730 10248 srv2 - ok
15:39:06.0745 10248 srvnet (4bed62f4fa4d8300973f1151f4c4d8a7) C:\Windows\system32\DRIVERS\srvnet.sys
15:39:06.0745 10248 srvnet - ok
15:39:06.0761 10248 SSDPSRV (192c74646ec5725aef3f80d19ff75f6a) C:\Windows\System32\ssdpsrv.dll
15:39:06.0776 10248 SSDPSRV - ok
15:39:06.0808 10248 SstpSvc (2ee3fa0308e6185ba64a9a7f2e74332b) C:\Windows\system32\sstpsvc.dll
15:39:06.0823 10248 SstpSvc - ok
15:39:06.0870 10248 stisvc (15825c1fbfb8779992cb65087f316af5) C:\Windows\System32\wiaservc.dll
15:39:06.0886 10248 stisvc - ok
15:39:06.0917 10248 swenum (8a851ca908b8b974f89c50d2e18d4f0c) C:\Windows\system32\DRIVERS\swenum.sys
15:39:06.0917 10248 swenum - ok
15:39:06.0964 10248 swprv (6de37f4de19d4efd9c48c43addbc949a) C:\Windows\System32\swprv.dll
15:39:06.0964 10248 swprv - ok
15:39:06.0979 10248 Symc8xx (2f26a2c6fc96b29beff5d8ed74e6625b) C:\Windows\system32\drivers\symc8xx.sys
15:39:06.0995 10248 Symc8xx - ok
15:39:06.0995 10248 Sym_hi (a909667976d3bccd1df813fed517d837) C:\Windows\system32\drivers\sym_hi.sys
15:39:07.0010 10248 Sym_hi - ok
15:39:07.0026 10248 Sym_u3 (36887b56ec2d98b9c362f6ae4de5b7b0) C:\Windows\system32\drivers\sym_u3.sys
15:39:07.0026 10248 Sym_u3 - ok
15:39:07.0088 10248 SysMain (92d7a8b0f87b036f17d25885937897a6) C:\Windows\system32\sysmain.dll
15:39:07.0104 10248 SysMain - ok
15:39:07.0104 10248 TabletInputService (005ce42567f9113a3bccb3b20073b029) C:\Windows\System32\TabSvc.dll
15:39:07.0120 10248 TabletInputService - ok
15:39:07.0151 10248 TapiSrv (cc2562b4d55e0b6a4758c65407f63b79) C:\Windows\System32\tapisrv.dll
15:39:07.0166 10248 TapiSrv - ok
15:39:07.0182 10248 TBS (cdbe8d7c1e201b911cdc346d06617fb5) C:\Windows\System32\tbssvc.dll
15:39:07.0182 10248 TBS - ok
15:39:07.0307 10248 Tcpip (2cc45d932bd193cd4117321d469ad6b2) C:\Windows\system32\drivers\tcpip.sys
15:39:07.0322 10248 Tcpip - ok
15:39:07.0463 10248 Tcpip6 (2cc45d932bd193cd4117321d469ad6b2) C:\Windows\system32\DRIVERS\tcpip.sys
15:39:07.0463 10248 Tcpip6 - ok
15:39:07.0510 10248 tcpipreg (c7e72a4071ee0200e3c075dacfb2b334) C:\Windows\system32\drivers\tcpipreg.sys
15:39:07.0525 10248 tcpipreg - ok
15:39:07.0525 10248 TDPIPE (1d8bf4aaa5fb7a2761475781dc1195bc) C:\Windows\system32\drivers\tdpipe.sys
15:39:07.0541 10248 TDPIPE - ok
15:39:07.0556 10248 TDTCP (7f7e00cdf609df657f4cda02dd1c9bb1) C:\Windows\system32\drivers\tdtcp.sys
15:39:07.0556 10248 TDTCP - ok
15:39:07.0572 10248 tdx (458919c8c42e398dc4802178d5ffee27) C:\Windows\system32\DRIVERS\tdx.sys
15:39:07.0588 10248 tdx - ok
15:39:07.0603 10248 TermDD (8c19678d22649ec002ef2282eae92f98) C:\Windows\system32\DRIVERS\termdd.sys
15:39:07.0603 10248 TermDD - ok
15:39:07.0650 10248 TermService (5cdd30bc217082dac71a9878d9bfd566) C:\Windows\System32\termsrv.dll
15:39:07.0650 10248 TermService - ok
15:39:07.0681 10248 Themes (56793271ecdedd350c5add305603e963) C:\Windows\system32\shsvcs.dll
15:39:07.0697 10248 Themes - ok
15:39:07.0712 10248 THREADORDER (3cbe4995e80e13ccfbc42e5dcf3ac81a) C:\Windows\system32\mmcss.dll
15:39:07.0712 10248 THREADORDER - ok
15:39:07.0744 10248 tomcatcws3 (5f22132c9153639762708909f156b33d) C:\Windows\system32\freesshdservice.dll
15:39:07.0759 10248 Suspicious file (NoAccess): C:\Windows\system32\freesshdservice.dll. md5: 5f22132c9153639762708909f156b33d
15:39:07.0759 10248 tomcatcws3 ( Backdoor.Multi.ZAccess.gen ) - infected
15:39:07.0759 10248 tomcatcws3 - detected Backdoor.Multi.ZAccess.gen (0)
15:39:07.0806 10248 TrkWks (f4689f05af472a651a7b1b7b02d200e7) C:\Windows\System32\trkwks.dll
15:39:07.0822 10248 TrkWks - ok
15:39:07.0853 10248 TrustedInstaller (66328b08ef5a9305d8ede36b93930369) C:\Windows\servicing\TrustedInstaller.exe
15:39:07.0853 10248 TrustedInstaller - ok
15:39:07.0884 10248 tssecsrv (9e5409cd17c8bef193aad498f3bc2cb8) C:\Windows\system32\DRIVERS\tssecsrv.sys
15:39:07.0884 10248 tssecsrv - ok
15:39:07.0900 10248 tunmp (89ec74a9e602d16a75a4170511029b3c) C:\Windows\system32\DRIVERS\tunmp.sys
15:39:07.0900 10248 tunmp - ok
15:39:07.0915 10248 tunnel (30a9b3f45ad081bffc3bcaa9c812b609) C:\Windows\system32\DRIVERS\tunnel.sys
15:39:07.0931 10248 tunnel - ok
15:39:07.0946 10248 uagp35 (fec266ef401966311744bd0f359f7f56) C:\Windows\system32\drivers\uagp35.sys
15:39:07.0962 10248 uagp35 - ok
15:39:07.0993 10248 udfs (faf2640a2a76ed03d449e443194c4c34) C:\Windows\system32\DRIVERS\udfs.sys
15:39:07.0993 10248 udfs - ok
15:39:08.0009 10248 UI0Detect (060507c4113391394478f6953a79eedc) C:\Windows\system32\UI0Detect.exe
15:39:08.0009 10248 UI0Detect - ok
15:39:08.0040 10248 uliagpkx (4ec9447ac3ab462647f60e547208ca00) C:\Windows\system32\drivers\uliagpkx.sys
15:39:08.0040 10248 uliagpkx - ok
15:39:08.0071 10248 uliahci (697f0446134cdc8f99e69306184fbbb4) C:\Windows\system32\drivers\uliahci.sys
15:39:08.0071 10248 uliahci - ok
15:39:08.0102 10248 UlSata (31707f09846056651ea2c37858f5ddb0) C:\Windows\system32\drivers\ulsata.sys
15:39:08.0118 10248 UlSata - ok
15:39:08.0149 10248 ulsata2 (85e5e43ed5b48c8376281bab519271b7) C:\Windows\system32\drivers\ulsata2.sys
15:39:08.0165 10248 ulsata2 - ok
15:39:08.0180 10248 umbus (46e9a994c4fed537dd951f60b86ad3f4) C:\Windows\system32\DRIVERS\umbus.sys
15:39:08.0196 10248 umbus - ok
15:39:08.0227 10248 UMPass (01abe05c401e70795b43a8933b44831e) C:\Windows\system32\DRIVERS\umpass.sys
15:39:08.0227 10248 UMPass - ok
15:39:08.0258 10248 upnphost (7093799ff80e9deca0680d2e3535be60) C:\Windows\System32\upnphost.dll
15:39:08.0258 10248 upnphost - ok
15:39:08.0321 10248 usbaudio (c6ba890de6e41857fbe84175519cae7d) C:\Windows\system32\drivers\usbaudio.sys
15:39:08.0321 10248 usbaudio - ok
15:39:08.0383 10248 usbccgp (07e3498fc60834219d2356293da0fecc) C:\Windows\system32\DRIVERS\usbccgp.sys
15:39:08.0383 10248 usbccgp - ok
15:39:08.0414 10248 USBCCID (f8e1cb9b8da037219953190cd2aca358) C:\Windows\system32\DRIVERS\usbccid.sys
15:39:08.0414 10248 USBCCID - ok
15:39:08.0430 10248 usbcir (8c39d53e1a343f4c47ee8f3c052126d8) C:\Windows\system32\DRIVERS\usbcir.sys
15:39:08.0430 10248 usbcir - ok
15:39:08.0446 10248 usbehci (827e44de934a736ea31e91d353eb126f) C:\Windows\system32\DRIVERS\usbehci.sys
15:39:08.0446 10248 usbehci - ok
15:39:08.0477 10248 usbhub (bb35cd80a2ececfadc73569b3d70c7d1) C:\Windows\system32\DRIVERS\usbhub.sys
15:39:08.0492 10248 usbhub - ok
15:39:08.0539 10248 usbohci (e406b003a354776d317762694956b0fc) C:\Windows\system32\DRIVERS\usbohci.sys
15:39:08.0539 10248 usbohci - ok
15:39:08.0555 10248 usbprint (28b693b6d31e7b9332c1bdcefef228c1) C:\Windows\system32\DRIVERS\usbprint.sys
15:39:08.0570 10248 usbprint - ok
15:39:08.0602 10248 usbscan (ea0bf666868964fbe8cb10e50c97b9f1) C:\Windows\system32\DRIVERS\usbscan.sys
15:39:08.0602 10248 usbscan - ok
15:39:08.0617 10248 USBSTOR (b854c1558fca0c269a38663e8b59b581) C:\Windows\system32\DRIVERS\USBSTOR.SYS
15:39:08.0633 10248 USBSTOR - ok
15:39:08.0648 10248 usbuhci (b2872cbf9f47316abd0e0c74a1aba507) C:\Windows\system32\DRIVERS\usbuhci.sys
15:39:08.0648 10248 usbuhci - ok
15:39:08.0664 10248 UxSms (d76e231e4850bb3f88a3d9a78df191e3) C:\Windows\System32\uxsms.dll
15:39:08.0664 10248 UxSms - ok
15:39:08.0695 10248 vds (294945381dfa7ce58cecf0a9896af327) C:\Windows\System32\vds.exe
15:39:08.0711 10248 vds - ok
15:39:08.0726 10248 vga (916b94bcf1e09873fff2d5fb11767bbc) C:\Windows\system32\DRIVERS\vgapnp.sys
15:39:08.0726 10248 vga - ok
15:39:08.0742 10248 VgaSave (b83ab16b51feda65dd81b8c59d114d63) C:\Windows\System32\drivers\vga.sys
15:39:08.0742 10248 VgaSave - ok
15:39:08.0758 10248 viaide (8294b6c3fdb6c33f24e150de647ecdaa) C:\Windows\system32\drivers\viaide.sys
15:39:08.0773 10248 viaide - ok
15:39:08.0773 10248 volmgr (2b7e885ed951519a12c450d24535dfca) C:\Windows\system32\drivers\volmgr.sys
15:39:08.0789 10248 volmgr - ok
15:39:08.0820 10248 volmgrx (cec5ac15277d75d9e5dec2e1c6eaf877) C:\Windows\system32\drivers\volmgrx.sys
15:39:08.0836 10248 volmgrx - ok
15:39:08.0867 10248 volsnap (5280aada24ab36b01a84a6424c475c8d) C:\Windows\system32\drivers\volsnap.sys
15:39:08.0882 10248 volsnap - ok
15:39:08.0914 10248 vsmraid (a68f455ed2673835209318dd61bfbb0e) C:\Windows\system32\drivers\vsmraid.sys
15:39:08.0929 10248 vsmraid - ok
15:39:09.0023 10248 VSS (b75232dad33bfd95bf6f0a3e6bff51e1) C:\Windows\system32\vssvc.exe
15:39:09.0054 10248 VSS - ok
15:39:09.0163 10248 W32Time (f14a7de2ea41883e250892e1e5230a9a) C:\Windows\system32\w32time.dll
15:39:09.0163 10248 W32Time - ok
15:39:09.0194 10248 WacomPen (fef8fe5923fead2cee4dfabfce3393a7) C:\Windows\system32\drivers\wacompen.sys
15:39:09.0194 10248 WacomPen - ok
15:39:09.0241 10248 Wanarp (b8e7049622300d20ba6d8be0c47c0cfd) C:\Windows\system32\DRIVERS\wanarp.sys
15:39:09.0257 10248 Wanarp - ok
15:39:09.0257 10248 Wanarpv6 (b8e7049622300d20ba6d8be0c47c0cfd) C:\Windows\system32\DRIVERS\wanarp.sys
15:39:09.0257 10248 Wanarpv6 - ok
15:39:09.0288 10248 wcncsvc (b4e4c37d0aa6100090a53213ee2bf1c1) C:\Windows\System32\wcncsvc.dll
15:39:09.0304 10248 wcncsvc - ok
15:39:09.0335 10248 WcsPlugInService (ea4b369560e986f19d93f45a881484ac) C:\Windows\System32\WcsPlugInService.dll
15:39:09.0335 10248 WcsPlugInService - ok
15:39:09.0350 10248 Wd (0c17a0816f65b89e362e682ad5e7266e) C:\Windows\system32\drivers\wd.sys
15:39:09.0350 10248 Wd - ok
15:39:09.0413 10248 Wdf01000 (d02e7e4567da1e7582fbf6a91144b0df) C:\Windows\system32\drivers\Wdf01000.sys
15:39:09.0428 10248 Wdf01000 - ok
15:39:09.0460 10248 WdiServiceHost (c5efda73ebfca8b02a094898de0a9276) C:\Windows\system32\wdi.dll
15:39:09.0460 10248 WdiServiceHost - ok
15:39:09.0460 10248 WdiSystemHost (c5efda73ebfca8b02a094898de0a9276) C:\Windows\system32\wdi.dll
15:39:09.0475 10248 WdiSystemHost - ok
15:39:09.0491 10248 WebClient (3e6d05381cf35f75ebb055544a8ed9ac) C:\Windows\System32\webclnt.dll
15:39:09.0491 10248 WebClient - ok
15:39:09.0506 10248 Wecsvc (8d40bc587993f876658bf9fb0f7d3462) C:\Windows\system32\wecsvc.dll
15:39:09.0522 10248 Wecsvc - ok
15:39:09.0538 10248 wercplsupport (9c980351d7e96288ea0c23ae232bd065) C:\Windows\System32\wercplsupport.dll
15:39:09.0538 10248 wercplsupport - ok
15:39:09.0553 10248 WerSvc (66b9ecebc46683f47edc06333c075fef) C:\Windows\System32\WerSvc.dll
15:39:09.0553 10248 WerSvc - ok
15:39:09.0584 10248 WinDefend - ok
15:39:09.0584 10248 WinHttpAutoProxySvc - ok
15:39:09.0631 10248 Winmgmt (d2e7296ed1bd26d8db2799770c077a02) C:\Windows\system32\wbem\WMIsvc.dll
15:39:09.0647 10248 Winmgmt - ok
15:39:09.0756 10248 WinRM (6cbb0c68f13b9c2ec1b16f5fa5e7c869) C:\Windows\system32\WsmSvc.dll
15:39:09.0787 10248 WinRM - ok
15:39:09.0896 10248 Wlansvc (ec339c8115e91baed835957e9a677f16) C:\Windows\System32\wlansvc.dll
15:39:09.0912 10248 Wlansvc - ok
15:39:09.0943 10248 WmiAcpi (e18aebaaa5a773fe11aa2c70f65320f5) C:\Windows\system32\DRIVERS\wmiacpi.sys
15:39:09.0943 10248 WmiAcpi - ok
15:39:09.0990 10248 wmiApSrv (21fa389e65a852698b6a1341f36ee02d) C:\Windows\system32\wbem\WmiApSrv.exe
15:39:09.0990 10248 wmiApSrv - ok
15:39:10.0006 10248 WMPNetworkSvc - ok
15:39:10.0021 10248 WPCSvc (cbc156c913f099e6680d1df9307db7a8) C:\Windows\System32\wpcsvc.dll
15:39:10.0037 10248 WPCSvc - ok
15:39:10.0084 10248 WPDBusEnum (490a18b4e4d53dc10879deaa8e8b70d9) C:\Windows\system32\wpdbusenum.dll
15:39:10.0084 10248 WPDBusEnum - ok
15:39:10.0130 10248 WpdUsb (5e2401b3fc1089c90e081291357371a9) C:\Windows\system32\DRIVERS\wpdusb.sys
15:39:10.0130 10248 WpdUsb - ok
15:39:10.0255 10248 WPFFontCache_v0400 (991e2c2cf3bc204c2bb2ee1476149e4e) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe
15:39:10.0271 10248 WPFFontCache_v0400 - ok
15:39:10.0286 10248 ws2ifsl (8a900348370e359b6bff6a550e4649e1) C:\Windows\system32\drivers\ws2ifsl.sys
15:39:10.0286 10248 ws2ifsl - ok
15:39:10.0318 10248 wscsvc (9ea3e6d0ef7a5c2b9181961052a4b01a) C:\Windows\system32\wscsvc.dll
15:39:10.0318 10248 wscsvc - ok
15:39:10.0318 10248 WSearch - ok
15:39:10.0489 10248 wuauserv (fb3796754fe00f0bdc87a36f164a5f4d) C:\Windows\system32\wuaueng.dll
15:39:10.0520 10248 wuauserv - ok
15:39:10.0661 10248 WUDFRd (501a65252617b495c0f1832f908d54d8) C:\Windows\system32\DRIVERS\WUDFRd.sys
15:39:10.0661 10248 WUDFRd - ok
15:39:10.0676 10248 wudfsvc (6cbd51ff913c851d56ed9dc7f2a27dde) C:\Windows\System32\WUDFSvc.dll
15:39:10.0692 10248 wudfsvc - ok
15:39:10.0739 10248 MBR (0x1B8) (ef9cdc51b437d322d54016b68f003416) \Device\Harddisk0\DR0
15:39:12.0954 10248 \Device\Harddisk0\DR0 - ok
15:39:12.0954 10248 MBR (0x1B8) (671b81004fdd1588fa9ed1331c9ceca9) \Device\Harddisk5\DR6
15:39:15.0887 10248 \Device\Harddisk5\DR6 - ok
15:39:15.0902 10248 Boot (0x1200) (2d27b2a9797a08bd0a445069215d61bb) \Device\Harddisk0\DR0\Partition0
15:39:15.0902 10248 \Device\Harddisk0\DR0\Partition0 - ok
15:39:15.0918 10248 Boot (0x1200) (1d2e5018f1a38b4d83f91a1c8a48df30) \Device\Harddisk5\DR6\Partition0
15:39:15.0918 10248 \Device\Harddisk5\DR6\Partition0 - ok
15:39:15.0918 10248 ============================================================
15:39:15.0918 10248 Scan finished
15:39:15.0918 10248 ============================================================
15:39:15.0918 10412 Detected object count: 1
15:39:15.0918 10412 Actual detected object count: 1
15:40:57.0677 10412 C:\Windows\system32\freesshdservice.dll - copied to quarantine
15:40:57.0677 10412 HKLM\SYSTEM\ControlSet001\services\tomcatcws3 - will be deleted on reboot
15:40:57.0708 10412 HKLM\SYSTEM\ControlSet002\services\tomcatcws3 - will be deleted on reboot
15:40:57.0848 10412 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\svchost:netsvcs - cured
15:40:57.0926 10412 C:\Windows\system32\freesshdservice.dll - will be deleted on reboot
15:40:57.0926 10412 tomcatcws3 ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
15:41:01.0499 9808 Deinitialize success

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:19 PM

Posted 07 May 2012 - 03:00 PM

That is great.

Let me see the report from aswMBR, please.



gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#13 GI-John

GI-John
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:19 PM

Posted 08 May 2012 - 07:48 AM

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-07 15:44:09
-----------------------------
15:44:09.808 OS Version: Windows x64 6.0.6002 Service Pack 2
15:44:09.808 Number of processors: 4 586 0x1707
15:44:09.809 ComputerName: ART-PC UserName: Admin
15:44:12.277 Initialize success
15:45:57.824 AVAST engine defs: 12050701
15:49:24.537 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000005a
15:49:24.552 Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 8
15:49:24.552 Disk 0 MBR read successfully
15:49:24.568 Disk 0 MBR scan
15:49:24.568 Disk 0 unknown MBR code
15:49:24.584 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 15005 MB offset 63
15:49:24.584 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 595472 MB offset 30734336
15:49:24.599 Disk 0 scanning C:\Windows\system32\drivers
15:49:34.848 Service scanning
15:49:54.630 Modules scanning
15:49:54.630 Disk 0 trace - called modules:
15:49:54.646 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys storport.sys hal.dll nvstor64.sys
15:49:54.646 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007b62790]
15:49:55.160 3 CLASSPNP.SYS[fffffa6000a03c33] -> nt!IofCallDriver -> [0xfffffa8006ba6410]
15:49:55.160 5 acpi.sys[fffffa60008fefde] -> nt!IofCallDriver -> \Device\0000005a[0xfffffa8006ba6630]
15:49:57.360 AVAST engine scan C:\Windows
15:50:07.360 AVAST engine scan C:\Windows\system32
15:50:19.247 File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
15:52:25.808 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-FQ [Drp]
15:52:30.676 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-HO [Rtk]
15:55:12.617 AVAST engine scan C:\Windows\system32\drivers
15:56:14.658 AVAST engine scan C:\Users\Admin
16:01:41.088 AVAST engine scan C:\ProgramData
16:04:16.027 Scan finished successfully
16:39:28.330 Disk 0 MBR has been saved successfully to "C:\Users\Admin\Desktop\MBR.dat"
16:39:28.330 The log file has been saved successfully to "C:\Users\Admin\Desktop\aswMBR.txt"

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:19 PM

Posted 08 May 2012 - 08:01 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
C:\Windows\system32\consrv.dll
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
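As an added example (not code from the thread, from ComboFix or from aswMBR): a small Python helper that pulls the `**INFECTED**` lines out of an aswMBR log in the format posted above and renders them as the File:: section of a CFScript, so the path list the helper typed by hand is derived from the scan itself; it also surfaces any "unknown MBR code" warning, which matters when a bootkit family is already suspected. The sample log is constructed from the page's own entries with one duplicate line added, and the only CFScript directives used are the two from the post (ClearJavaCache:: and File::).

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the aswMBR log format used in this thread; the three
# paths are the ones the thread's own scan flagged, and the fourth File: line
# is a deliberate duplicate to exercise de-duplication.
SAMPLE_ASWMBR_LOG = r"""15:49:24.568 Disk 0 MBR scan
15:49:24.568 Disk 0 unknown MBR code
15:50:07.360 AVAST engine scan C:\Windows\system32
15:50:19.247 File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
15:52:25.808 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-FQ [Drp]
15:52:30.676 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-HO [Rtk]
15:52:30.676 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-HO [Rtk]
16:04:16.027 Scan finished successfully
"""

# One aswMBR detection line: timestamp, "File:", path, **INFECTED**, name, [tag]
INFECTED_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) File: (?P<path>.+?) "
    r"\*\*INFECTED\*\* (?P<detection>\S+) \[(?P<tag>[^\]]+)\]\s*$"
)
MBR_RE = re.compile(r"^\S+ (?P<msg>Disk \d+ unknown MBR code)\s*$")


@dataclass(frozen=True)
class Finding:
    time: str
    path: str
    detection: str
    tag: str  # engine classification tag exactly as printed, e.g. Rtk or Drp


def parse_infected(log_text: str) -> List[Finding]:
    """Return every '**INFECTED**' file line from an aswMBR log, in scan order."""
    findings = []
    for line in log_text.splitlines():
        m = INFECTED_RE.match(line)
        if m:
            findings.append(Finding(**m.groupdict()))
    return findings


def mbr_warnings(log_text: str) -> List[str]:
    """Collect 'unknown MBR code' lines; worth a second look when a
    bootkit-capable family such as Sirefef/ZeroAccess is suspected."""
    return [m.group("msg") for m in map(MBR_RE.match, log_text.splitlines()) if m]


def build_cfscript(findings: List[Finding], clear_java_cache: bool = True) -> str:
    """Render a CFScript with a File:: section listing each flagged path once."""
    seen, paths = set(), []
    for f in findings:
        key = f.path.lower()  # Windows paths are case-insensitive
        if key not in seen:
            seen.add(key)
            paths.append(f.path)
    sections = []
    if clear_java_cache:
        sections.append("ClearJavaCache::")
    if paths:
        sections.append("File::\n" + "\n".join(paths))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    found = parse_infected(SAMPLE_ASWMBR_LOG)
    for f in found:
        print(f"{f.time} {f.detection:<18} [{f.tag}] {f.path}")
    for w in mbr_warnings(SAMPLE_ASWMBR_LOG):
        print("warning:", w)
    print(build_cfscript(found))
```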

#15 GI-John

GI-John
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:03:19 PM

Posted 08 May 2012 - 01:22 PM

New ComboFix below.

Updates:

1) Prior to running this ComboFix a power loss shut down the computer. On reboot, the PC would not start up regularly and a Windows Repair startup began but was unsuccessful. It gave me an option to start from a restore point, which I did, and the PC booted successfully.
2) After startup I ran CF (log below)
3) After running CF, Avira is still detecting the following
- LchDrvKey.exe (TR/Patched.Gen)
- Desktop.ini.vir (TR/ATRAPS.Gen2)
- 80000032,@ (TR/ATRAPS.Gen2)



ComboFix 12-05-08.01 - Admin 05/08/2012 10:11:08.2.4 - x64
Running from: c:\users\Admin\Desktop\ComboFix.exe
Command switches used :: c:\users\Admin\Desktop\CFScript.txt
* Created a new restore point
.
FILE ::
"c:\windows\assembly\GAC_32\Desktop.ini"
"c:\windows\assembly\GAC_64\Desktop.ini"
"c:\windows\system32\consrv.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\TEMP
c:\programdata\TEMP\{40BF1E83-20EB-11D8-97C5-0009C5020658}\PostBuild.exe
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
c:\windows\system32\consrv.dll
c:\windows\system32\dds_trash_log.cmd
c:\windows\TEMP\{522D8CD6-1956-4C70-8137-C15BCE2329F2}\{7F811A54-5A09-4579-90E1-C93498E230D9}\_IsRes.dll
c:\windows\TEMP\{522D8CD6-1956-4C70-8137-C15BCE2329F2}\{7F811A54-5A09-4579-90E1-C93498E230D9}\_ISUser.dll
c:\windows\TEMP\{522D8CD6-1956-4C70-8137-C15BCE2329F2}\{7F811A54-5A09-4579-90E1-C93498E230D9}\isrt.dll
c:\windows\TEMP\{522D8CD6-1956-4C70-8137-C15BCE2329F2}\ISBEW64.exe
c:\windows\TEMP\{65258BAF-1B57-4E9B-BF57-F89E799B956C}\_Setup.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-04-08 to 2012-05-08 )))))))))))))))))))))))))))))))
.
.
2012-05-07 19:40 . 2012-05-07 19:40 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-25 15:09 . 2012-04-25 15:10 -------- d-----w- c:\program files (x86)\Cobian Backup 11
2012-04-23 16:55 . 2012-04-24 12:35 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-04-23 14:21 . 2012-05-08 14:22 98848 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-04-23 14:21 . 2012-05-08 14:22 132832 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-04-23 14:21 . 2011-09-16 20:09 27760 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-04-23 14:21 . 2012-04-23 14:21 -------- d-----w- c:\program files (x86)\Avira
2012-04-20 16:11 . 2012-04-20 16:11 418464 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-04-20 16:11 . 2012-04-20 16:11 -------- d-----w- c:\windows\system32\Macromed
2012-04-11 07:03 . 2012-03-06 06:44 4699520 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 07:02 . 2012-02-29 15:37 5632 ----a-w- c:\windows\system32\wmi.dll
2012-04-11 07:02 . 2012-02-29 15:37 219136 ----a-w- c:\windows\system32\wintrust.dll
2012-04-11 07:02 . 2012-02-29 15:35 78848 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-11 07:02 . 2012-02-29 15:11 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-04-11 07:02 . 2012-02-29 15:11 172032 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-11 07:02 . 2012-02-29 15:09 157696 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-11 07:02 . 2012-02-29 13:52 16384 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-10 20:33 . 2012-03-01 11:01 2409784 ----a-w- c:\program files (x86)\Windows Mail\OESpamFilter.dat
2012-04-10 20:33 . 2012-03-01 11:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-20 16:11 . 2011-07-12 12:23 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-23 14:18 . 2011-12-08 07:15 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-02-14 16:49 . 2012-03-13 19:04 327680 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-02-14 16:49 . 2012-03-13 19:04 196096 ----a-w- c:\windows\system32\d3d10_1.dll
2012-02-14 16:09 . 2012-02-14 16:09 1070352 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-02-14 15:45 . 2012-03-13 19:04 219648 ----a-w- c:\windows\SysWow64\d3d10_1core.dll
2012-02-14 15:45 . 2012-03-13 19:04 160768 ----a-w- c:\windows\SysWow64\d3d10_1.dll
2012-02-13 14:38 . 2012-03-13 19:04 2002944 ----a-w- c:\windows\system32\d3d10warp.dll
2012-02-13 14:12 . 2012-03-13 19:04 1172480 ----a-w- c:\windows\SysWow64\d3d10warp.dll
2012-02-13 14:06 . 2012-03-13 19:04 834048 ----a-w- c:\windows\system32\d2d1.dll
2012-02-13 14:03 . 2012-03-13 19:04 1555968 ----a-w- c:\windows\system32\DWrite.dll
2012-02-13 13:47 . 2012-03-13 19:04 683008 ----a-w- c:\windows\SysWow64\d2d1.dll
2012-02-13 13:44 . 2012-03-13 19:04 1068544 ----a-w- c:\windows\SysWow64\DWrite.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\users\Admin\AppData\Roaming\mjusbsp\cdloader2.exe" [2012-02-01 50592]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
"LedKey"="CNYHKey.exe" [2008-04-24 339968]
"eRecoveryService"="" [BU]
"P2Go_Menu"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-13 210216]
"ArcSoft Connection Service"="c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-27 207424]
"BCSSync"="c:\program files (x86)\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2012-05-08 348624]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-20 253088]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-20 16:11]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Admin\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="c:\windows\system32\nvraidservice.exe" [2008-08-19 333344]
"Skytel"="Skytel.exe" [2008-09-18 1833504]
"RtHDVCpl"="RAVCpl64.exe" [2008-09-18 6495264]
"combofix"="c:\combofix\CF31516.3XE" [2008-01-21 363008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Subsonic
tomcatcws3
LVVI500A
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?PC=BNHP
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1209&m=lx6810-01
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files (x86)\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office14\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Se&nd to OneNote - c:\progra~2\MICROS~2\Office14\ONBttnIE.dll/105
LSP: %SYSTEMROOT%\system32\nvLsp.dll
LSP: mswsock.dll
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n4ktipeo.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_233_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_233.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files (x86)\Tenda\Common\RaRegistry.exe
c:\program files (x86)\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\program files\GATEWAY\Gateway Recovery Management\eRecovery\HidChk.exe
c:\program files (x86)\Avira\AntiVir Desktop\sched.exe
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
c:\windows\MHotKey.exe
c:\windows\ChiFuncExt.exe
c:\dtgripprov04\Launcher.exe
c:\program files (x86)\Northstar\SmartCopy\SmartCopy.exe
c:\program files (x86)\Northstar\SmartLauncher\SmartLauncher.exe
c:\windows\CNYHKey.exe
c:\program files (x86)\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files (x86)\InstallShield Installation Information\{7F811A54-5A09-4579-90E1-C93498E230D9}\setup.exe
.
**************************************************************************
.
Completion time: 2012-05-08 10:30:58 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-08 14:30
ComboFix2.txt 2012-05-07 13:18
ComboFix3.txt 2012-04-23 16:45
.
Pre-Run: 465,644,969,984 bytes free
Post-Run: 464,877,260,800 bytes free
.
- - End Of File - - C738A8AEEE02314940AECE7A8883DCC7



