I think I'm infected with Kegotip.A


  • This topic is locked
17 replies to this topic

#1 thedictator

  • Members
  • 7 posts

Posted 10 May 2012 - 12:30 AM

MSE detects Kegotip.A and removes it, but it reappears after restarting. I think there might be a rootkit.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.0.0
Run by King at 0:44:16 on 2012-05-10
Microsoft Windows 7 Ultimate 6.1.7601.1.936.86.1033.18.1972.504 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlk.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe
C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\Windows\system32\vmnat.exe
C:\Windows\system32\vmnetdhcp.exe
C:\Program Files\Lenovo\Access Connections\AcSvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Integrated Camera Driver\RCIMGDIR.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\King\qk92f5mjv3.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Users\King\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Lenovo\Access Connections\SvcGuiHlpr.exe
C:\Program Files\Lenovo\Client Security Solution\password_manager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Users\King\AppData\Local\Temp\$hp6901.tmp
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe
C:\Windows\system32\svchost.exe -k HsfXAudioService
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\sppsvc.exe
C:\Users\King\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\King\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\King\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\King\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\King\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uDefault_Page_URL = hxxp://lenovo.msn.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: IePasswordManagerHelper Class: {bf468356-bb7e-42d7-9f15-4f3b9bcfced2} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\king\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [qk92f5mjv3] c:\users\king\qk92f5mjv3.exe
uRun: [Regedit32] c:\windows\system32\regedit.exe
mRun: [<NO NAME>]
mRun: [RotateImage] c:\program files\integrated camera driver\RCIMGDIR.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [SmartAudio] c:\program files\conexant\saii\SAIICpl.exe /t
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [LENOVO.TPKNRRES] c:\program files\lenovo\communications utility\TPKNRRES.exe
mRun: [Microsoft Pinyin IME Migration] c:\progra~1\common~1\micros~1\ime12\imesc\IMSCMIG.EXE /INSTALL
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [nwiz] nwiz.exe /installquiet
mRun: [AcWin7Hlpr] c:\program files\lenovo\access connections\AcTBenabler.exe
StartupFolder: c:\users\king\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\king\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: Send image to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: Export to Microsoft Excel(&X) - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL
IE: {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
LSP: %SystemRoot%\system32\vsocklib.dll
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0-windows-i586.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{5814E0EB-E70D-4861-88D9-2F51BD065867} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{5814E0EB-E70D-4861-88D9-2F51BD065867}\2454C4C4332393 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{5814E0EB-E70D-4861-88D9-2F51BD065867}\2454C4C4434313 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{5814E0EB-E70D-4861-88D9-2F51BD065867}\2454C4C4531363 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{5814E0EB-E70D-4861-88D9-2F51BD065867}\2454C4C4636363 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{5814E0EB-E70D-4861-88D9-2F51BD065867}\34E2023416F60276F64747160227F616D6 : DhcpNameServer = 64.71.255.198 64.71.255.253
TCP: Interfaces\{5814E0EB-E70D-4861-88D9-2F51BD065867}\34E2023416F60276F6E6E6160227F616D6 : DhcpNameServer = 64.71.255.198 64.71.255.253
TCP: Interfaces\{5814E0EB-E70D-4861-88D9-2F51BD065867}\543686F6563686F6 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{AC4DE5E3-D1C9-4C62-B593-D477512752EA} : DhcpNameServer = 132.206.85.18 132.206.85.19 132.206.85.36 132.206.44.21 132.206.25.21
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: psfus - c:\program files\thinkvantage fingerprint software\psqlpwd.dll
LSA: Notification Packages = scecli c:\program files\thinkvantage fingerprint software\psqlpwd.dll ACGina
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\king\appdata\roaming\mozilla\firefox\profiles\bk6yehc5.default\
FF - prefs.js: browser.startup.homepage - about:cehome
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\new_plugin\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\king\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\users\king\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\king\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dll
FF - plugin: d:\programs\mozilla plugins\npitunes.dll
.
============= SERVICES / DRIVERS ===============
.
R0 DozeHDD;DozeHDD;c:\windows\system32\drivers\DOZEHDD.SYS [2010-7-13 24304]
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 171064]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2009-10-9 20520]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2010-4-23 13480]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\SeaPort.EXE [2011-10-13 249648]
R2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe -k HsfXAudioService [2009-7-13 20992]
R2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\lenovo\communications utility\CamMute.exe [2010-7-13 50536]
R2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\lenovo\hotkey\micmute.exe [2010-4-23 45496]
R2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\lenovo\communications utility\TPKNRSVC.exe [2010-7-13 74088]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-5-5 654408]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-7-14 48640]
R2 smihlp;SMI Helper Driver (smihlp);c:\program files\thinkvantage fingerprint software\smihlp.sys [2009-3-13 12560]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2010-4-23 63928]
R2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\drivers\TurboB.sys [2009-9-29 13752]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2010-7-13 2320920]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2011-8-29 665200]
R3 5U877;USB Video Device;c:\windows\system32\drivers\5U877.sys [2010-7-13 127232]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-7-13 29472]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6232.sys [2010-7-14 214696]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-7-13 125696]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-5-5 22344]
R3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver (for Windows 7 32-bit);c:\windows\system32\drivers\NETw5s32.sys [2010-3-17 6758912]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-7-13 68200]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2009-10-8 38336]
S2 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-10-21 196176]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-29 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-16 253088]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 DozeSvc;Lenovo Doze Mode Service;c:\program files\thinkpad\utilities\DOZESVC.EXE [2010-7-13 132456]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2011-4-27 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 PCDSRVC{3037D694-FD904ACA-06020000}_0;PCDSRVC{3037D694-FD904ACA-06020000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc.pkms [2010-5-7 21360]
S3 pmxdrv;pmxdrv;c:\windows\system32\drivers\pmxdrv.sys [2010-7-13 816792]
S3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2010-7-13 75112]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-3-27 15872]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-3-27 52224]
S3 TurboBoost;TurboBoost;c:\program files\intel\turboboost\TurboBoost.exe [2009-9-29 99768]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-3-27 1343400]
.
=============== Created Last 30 ================
.
2012-05-10 04:43:08 -------- d-----w- c:\windows\system32\appmgmt
2012-05-09 22:48:21 936960 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
2012-05-09 22:48:20 989184 ----a-w- c:\program files\windows journal\JNTFiltr.dll
2012-05-09 22:48:20 969216 ----a-w- c:\program files\windows journal\JNWDRV.dll
2012-05-09 22:48:20 1221632 ----a-w- c:\program files\windows journal\NBDoc.DLL
2012-05-09 22:47:57 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-09 22:47:57 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-09 22:47:57 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-05-09 22:47:43 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-09 22:47:15 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-09 22:47:00 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-05-09 17:53:00 6734704 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ff0bb1ed-dd7a-40e3-9cbc-1dbe655d8427}\mpengine.dll
2012-05-08 17:36:26 -------- d-----w- c:\program files\CCleaner
2012-05-08 15:35:06 -------- d-----w- C:\found.001
2012-05-08 01:04:21 6734704 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-05-07 20:36:44 18392 ----a-w- c:\users\king\qk92f5mjv3.exe
2012-05-05 20:03:56 -------- d-----w- c:\users\king\appdata\roaming\Malwarebytes
2012-05-05 20:03:51 -------- d-----w- c:\programdata\Malwarebytes
2012-05-05 20:03:50 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-05 20:03:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-27 01:49:20 -------- d-----w- c:\program files\Maxis
2012-04-27 01:43:46 -------- d-----w- c:\program files\Elaborate Bytes
2012-04-27 01:37:35 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2012-04-27 01:37:33 -------- d-----w- c:\program files\MagicDisc
2012-04-16 04:32:36 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-16 03:16:50 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{0cdf7008-6c65-4de3-b632-2ad05e9ff266}\gapaengine.dll
2012-04-16 03:14:17 -------- d-----w- c:\program files\Microsoft Security Client
2012-04-12 17:08:52 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{5c4fbd45-168d-485b-8f07-4c2c7dd08a1f}\offreg.dll
2012-04-10 22:29:42 -------- d-----w- c:\program files\Convert AVI to MP4
2012-04-10 22:25:54 -------- d-----w- c:\users\king\appdata\roaming\Stellarium
2012-04-10 22:25:31 -------- d-----w- c:\program files\Stellarium
2012-04-10 19:29:21 6582328 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{5c4fbd45-168d-485b-8f07-4c2c7dd08a1f}\mpengine.dll
2012-04-10 19:29:01 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-04-10 19:29:00 141112 ----a-w- c:\program files\internet explorer\sqmapi.dll
2012-04-10 19:28:59 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-04-10 19:28:58 194048 ----a-w- c:\program files\internet explorer\IEShims.dll
2012-04-10 19:28:58 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-04-10 19:28:57 678912 ----a-w- c:\program files\internet explorer\iedvtool.dll
2012-04-10 19:28:56 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-04-10 19:23:11 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-10 19:23:11 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-10 19:23:11 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-04-10 19:23:11 159232 ----a-w- c:\windows\system32\imagehlp.dll
.
==================== Find3M ====================
.
2012-04-16 04:32:36 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-06 21:28:26 231760 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2012-03-27 21:09:13 409088 ----a-w- c:\windows\system32\systemcpl.dll
2012-03-27 21:09:13 13824 ----a-w- c:\windows\system32\slwga.dll
2012-03-27 21:09:12 811520 ----a-w- c:\windows\system32\user32.dll
2012-03-27 15:49:01 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-03-27 15:49:01 161792 ----a-w- c:\windows\system32\msls31.dll
2012-03-27 15:49:00 86528 ----a-w- c:\windows\system32\iesysprep.dll
2012-03-27 15:49:00 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-03-27 15:49:00 74752 ----a-w- c:\windows\system32\iesetup.dll
2012-03-27 15:49:00 63488 ----a-w- c:\windows\system32\tdc.ocx
2012-03-27 15:49:00 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-03-27 15:49:00 367104 ----a-w- c:\windows\system32\html.iec
2012-03-27 15:49:00 23552 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-27 15:49:00 152064 ----a-w- c:\windows\system32\wextract.exe
2012-03-27 15:49:00 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-03-27 15:48:57 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-03-27 15:48:57 35840 ----a-w- c:\windows\system32\imgutil.dll
2012-03-27 15:48:57 150528 ----a-w- c:\windows\system32\iexpress.exe
2012-03-27 15:48:57 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-03-27 15:48:57 11776 ----a-w- c:\windows\system32\mshta.exe
2012-03-27 15:48:57 101888 ----a-w- c:\windows\system32\admparse.dll
2012-03-27 15:25:59 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-03-21 00:44:12 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-21 00:44:12 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-03-04 07:20:35 729088 ------r- c:\program files\TMAC.exe
2012-03-04 06:08:27 192835 ----a-w- c:\program files\Installer.exe
2012-03-04 06:08:25 224016 --s---r- c:\windows\system32\TABCTL32.OCX
2012-03-04 06:08:24 152848 --s---r- c:\windows\system32\COMDLG32.OCX
2012-03-04 06:08:24 1010720 --s---r- c:\windows\system32\MSCHRT20.OCX
2012-02-17 05:34:22 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-02-17 05:34:22 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 04:14:08 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13:22 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601 Disk: HITACHI_ rev.PC3Z -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: >>UNKNOWN [0x8464A000]<< >>UNKNOWN [0x8A9A7000]<< >>UNKNOWN [0x8AA00000]<< >>UNKNOWN [0x8A282000]<< >>UNKNOWN [0x84613000]<< >>UNKNOWN [0x8A439000]<< >>UNKNOWN [0x92264000]<< >>UNKNOWN [0x92E12000]<< >>UNKNOWN [0x9378C000]<< >>UNKNOWN [0x8A9E5000]<<
_asm { DEC EBP; POP EDX; NOP ; ADD [EBX], AL; ADD [EAX], AL; ADD [EAX+EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x8468155A] -> \Device\Harddisk0\DR0[0x88EA0288]
\Driver\Disk[0x88E9FAD0] -> IRP_MJ_CREATE -> 0x8A9AB39F
3 [0x8A9AB59E] -> ntkrnlpa!IofCallDriver[0x8468155A] -> [0x87345A50]
\Driver\ACPI[0x86666ED0] -> IRP_MJ_CREATE -> 0x8A28B4CC
5 [0x8A28B3D4] -> ntkrnlpa!IofCallDriver[0x8468155A] -> \Device\Ide\IAAStorageDevice-1[0x87364028]
\Driver\iaStor[0x8733E9E0] -> IRP_MJ_CREATE -> 0x8A45FC54
kernel: MBR read successfully
_asm { JMP 0x10; }
user & kernel MBR OK
copy of MBR has been found in sector 9 !
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 0:45:32.32 ===============
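Two entries in the log above stand out on inspection: C:\Users\King\qk92f5mjv3.exe is both running and registered under the user's Run key, and a Run value named Regedit32 launches regedit.exe at logon. The following is an added example (editor's code, not part of DDS, ComboFix or the original post): a small Python triage pass over DDS "Running Processes" and Run-key lines that flags executables sitting in a profile root or a Temp folder, file names that look machine-generated, and autostart values that point at built-in tools. The sample input is constructed from lines copied out of the posted log; the scoring rules are this editor's assumptions, not logic DDS itself applies.

```python
"""Triage pass over DDS "Running Processes" and "Pseudo HJT Report" lines.

Added example for this thread; it is not part of DDS, ComboFix or the original
post. The sample below is constructed from lines quoted in the DDS log above.
The scoring rules are this editor's heuristics, not anything DDS itself does.
"""
import math
import re
from collections import Counter

# Constructed sample: lines copied from the posted log (a few benign, a few odd).
SAMPLE_LOG = r"""
C:\Windows\system32\wininit.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Users\King\qk92f5mjv3.exe
C:\Users\King\AppData\Local\Temp\$hp6901.tmp
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [qk92f5mjv3] c:\users\king\qk92f5mjv3.exe
uRun: [Regedit32] c:\windows\system32\regedit.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
""".strip()

RUN_RE = re.compile(r'^[um]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$', re.I)
# First drive-letter path ending in an executable-ish extension, quoted or not.
PATH_RE = re.compile(r'(?P<path>[a-z]:\\[^"]*?\.(?:exe|dll|tmp|scr|com|bat|cmd|vbs|js))\b', re.I)
PROFILE_ROOT_RE = re.compile(r'^[a-z]:\\users\\[^\\]+\\[^\\]+$')   # file directly under C:\Users\<name>\
TEMP_RE = re.compile(r'\\(temp|tmp)\\')
# Built-in tools that should not be a logon autostart target by themselves (assumption).
SYSTEM_TOOLS = {'regedit.exe', 'cmd.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe'}


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(stem: str) -> bool:
    """Crude 'machine-generated name' test: long, mixes letters and digits, high entropy."""
    s = stem.lower()
    return (len(s) >= 8
            and any(ch.isalpha() for ch in s)
            and any(ch.isdigit() for ch in s)
            and shannon_entropy(s) >= 3.0)


def parse_line(line: str):
    """Return {'kind', 'name', 'path'} for a Run entry or a process line, else None."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        cmd = m.group('cmd')
        pm = PATH_RE.search(cmd)
        path = pm.group('path') if pm else (cmd.split()[0].strip('"') if cmd else '')
        return {'kind': 'autostart', 'name': m.group('name'), 'path': path}
    if re.match(r'^[a-z]:\\', line, re.I):
        pm = PATH_RE.search(line)
        return {'kind': 'process', 'name': None, 'path': pm.group('path') if pm else line}
    return None


def assess(path: str, value_name=None) -> list:
    """List the reasons a path deserves a second look (empty list = nothing notable)."""
    p = path.lower()
    base = p.rsplit('\\', 1)[-1]
    stem = base.rsplit('.', 1)[0]
    reasons = []
    if PROFILE_ROOT_RE.match(p):
        reasons.append('executable sits directly in a user profile root')
    if TEMP_RE.search(p) or base.endswith('.tmp'):
        reasons.append('runs from a Temp location or with a .tmp extension')
    if looks_random(stem):
        reasons.append('file name looks machine-generated')
    if value_name is not None and base in SYSTEM_TOOLS:
        reasons.append(f'autostart value {value_name!r} launches built-in tool {base}')
    return reasons


def triage(log_text: str) -> list:
    """Return (kind, path, reasons) for every line that trips at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        reasons = assess(entry['path'], entry['name'])
        if reasons:
            findings.append((entry['kind'], entry['path'], reasons))
    return findings


if __name__ == '__main__':
    for kind, path, reasons in triage(SAMPLE_LOG):
        print(f'{kind:9} {path}\n          ' + '\n          '.join(reasons))
```

Run against the sample it reports four lines: the qk92f5mjv3.exe process, the $hp6901.tmp process, the qk92f5mjv3 Run value and the Regedit32 Run value, and stays quiet on wininit, mbamgui, Sidebar and the MSE client. The heuristics are deliberately loose; a hit is a prompt to look at the file (hash, signature, creation time), not a verdict.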

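The GMER section of the log reports that the user-mode and kernel-mode reads of the MBR agree ("user & kernel MBR OK") and that sector 9 holds a copy of the MBR. As an added example (editor's code, not GMER's and not from the original post), the Python below parses a boot sector's partition table and lists every sector that is byte-for-byte identical to sector 0, run here on a constructed 16-sector image with the copy placed at sector 9. It does not decide whether a copy is malicious; that needs a known-good MBR to compare against, and on a live machine the sectors would have to be read from the raw disk with administrative rights.

```python
"""Reproduce the 'copy of MBR found in sector N' comparison from the GMER output above.

Added example for this thread; not GMER's code and not part of the original post.
It builds a small constructed disk image, parses the boot sector's partition table
and reports every sector whose 512 bytes equal sector 0. It makes no claim about
whether such a copy is malicious; that needs comparison with a known-good MBR.
"""
import struct

SECTOR = 512
BOOT_SIG = b'\x55\xaa'


def is_valid_mbr(sector: bytes) -> bool:
    return len(sector) == SECTOR and sector[510:512] == BOOT_SIG


def parse_mbr(sector: bytes) -> dict:
    """Split a boot sector into boot code and the used partition-table entries."""
    if not is_valid_mbr(sector):
        raise ValueError('not a 512-byte sector with the 0x55AA boot signature')
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        (status, _h, _s, _c, ptype, _eh, _es, _ec,
         lba_start, lba_count) = struct.unpack('<BBBBBBBBII', sector[off:off + 16])
        if ptype != 0:
            partitions.append({'index': i, 'bootable': status == 0x80, 'type': ptype,
                               'lba_start': lba_start, 'sectors': lba_count})
    return {'boot_code': sector[:446], 'partitions': partitions}


def find_mbr_copies(image: bytes) -> list:
    """Indices of sectors (other than 0) that are byte-for-byte equal to the MBR."""
    mbr = image[:SECTOR]
    n = len(image) // SECTOR
    return [i for i in range(1, n) if image[i * SECTOR:(i + 1) * SECTOR] == mbr]


def build_image(copy_at=None, n_sectors=16) -> bytes:
    """Constructed image: a boot sector with one NTFS partition entry, optionally duplicated."""
    boot_code = bytes([0xEB, 0x0E]) + b'\x90' * 444         # short JMP + NOP padding, 446 bytes
    entry = struct.pack('<BBBBBBBBII', 0x80, 0x01, 0x01, 0x00,  # bootable, CHS start (dummy)
                        0x07, 0xFE, 0xFF, 0xFF,                 # type 0x07 (NTFS), CHS end (dummy)
                        2048, 204800)                           # LBA start, sector count
    table = entry + b'\x00' * 48                                # three empty entries
    mbr = boot_code + table + BOOT_SIG
    assert len(mbr) == SECTOR
    sectors = [mbr] + [b'\x00' * SECTOR] * (n_sectors - 1)
    if copy_at is not None:
        sectors[copy_at] = mbr
    return b''.join(sectors)


def check_disk_image(path: str) -> dict:
    """Run both checks on a raw image file (e.g. a dd of the first sectors of a disk)."""
    with open(path, 'rb') as fh:
        image = fh.read()
    return {'mbr': parse_mbr(image[:SECTOR]), 'copies': find_mbr_copies(image)}


if __name__ == '__main__':
    img = build_image(copy_at=9)
    info = parse_mbr(img[:SECTOR])
    for p in info['partitions']:
        print(f"partition {p['index']}: type 0x{p['type']:02x} start LBA {p['lba_start']} "
              f"({p['sectors']} sectors){' bootable' if p['bootable'] else ''}")
    print('sectors identical to the MBR:', find_mbr_copies(img))   # [9]
```

A match on an unused sector is only a starting point: the next step is to diff the boot code of sector 0 against the bootloader the installed OS is expected to carry, and to check the partition entries against what the disk manager reports.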

#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 May 2012 - 12:36 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 thedictator
  • Topic Starter

  • Members
  • 7 posts

Posted 10 May 2012 - 01:55 PM

My computer is running fine, although sometimes Firefox freezes up for no reason. And my C: drive just got an extra 6GB of free space.

Combofix log:

ComboFix 12-05-10.04 - King 2/05/10 Thu 14:26:01.1.4 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.936.86.1033.18.1972.641 [GMT -4:00]
Running from: d:\downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
Error: Cfiles.dat
.
((((((((((((((((((((((((((((((((((((((( Files deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\King\AppData\Local\assembly\tmp
c:\users\King\AppData\Roaming\SogouExplorer
c:\users\King\AppData\Roaming\SogouExplorer\confdll.dll
c:\users\King\qk92f5mjv3.exe
Q:\Autorun.inf
.
.
((((((((((((((((((((((((( New files from 2012-04-10 to 2012-05-10 )))))))))))))))))))))))))))))))
.
.
2012-05-10 18:32 . 2012-05-10 18:32 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-10 16:10 . 2012-05-10 16:10 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FF0BB1ED-DD7A-40E3-9CBC-1DBE655D8427}\offreg.dll
2012-05-10 16:10 . 2012-05-10 16:10 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FF0BB1ED-DD7A-40E3-9CBC-1DBE655D8427}\MpKsl78313d5d.sys
2012-05-09 22:48 . 2012-03-31 04:29 936960 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-09 22:48 . 2012-03-31 04:30 1221632 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2012-05-09 22:48 . 2012-03-31 04:29 989184 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2012-05-09 22:48 . 2012-03-31 04:29 969216 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2012-05-09 22:47 . 2012-03-31 04:39 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-09 22:47 . 2012-03-31 04:39 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-09 22:47 . 2012-03-31 02:36 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-05-09 22:47 . 2012-03-30 10:23 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-09 22:47 . 2012-03-17 07:27 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-09 22:47 . 2012-03-03 05:31 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-05-09 17:53 . 2012-04-13 07:36 6734704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FF0BB1ED-DD7A-40E3-9CBC-1DBE655D8427}\mpengine.dll
2012-05-08 17:36 . 2012-05-08 17:36 -------- d-----w- c:\program files\CCleaner
2012-05-08 15:35 . 2012-05-08 17:48 -------- d-----w- C:\found.001
2012-05-08 01:04 . 2012-04-13 07:36 6734704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-05-07 16:21 . 2012-05-07 16:21 -------- d-----w- c:\users\King\AppData\Roaming\InterVideo
2012-05-05 20:03 . 2012-05-05 20:03 -------- d-----w- c:\users\King\AppData\Roaming\Malwarebytes
2012-05-05 20:03 . 2012-05-05 20:03 -------- d-----w- c:\programdata\Malwarebytes
2012-05-05 20:03 . 2012-05-05 20:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-05 20:03 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-03 03:38 . 2012-05-03 03:38 -------- d-----w- c:\program files\Common Files\Skype
2012-04-27 01:49 . 2012-04-27 01:49 -------- d-----w- c:\program files\Maxis
2012-04-27 01:43 . 2012-04-27 01:43 -------- d-----w- c:\program files\Elaborate Bytes
2012-04-27 01:37 . 2009-02-24 22:42 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2012-04-27 01:37 . 2012-04-27 01:37 -------- d-----w- c:\program files\MagicDisc
2012-04-22 06:08 . 2012-05-10 18:19 -------- d-----w- c:\users\King\AppData\Roaming\Notepad++
2012-04-22 06:08 . 2012-04-22 06:09 -------- d-----w- c:\program files\Notepad++
2012-04-16 04:32 . 2012-04-16 04:32 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-16 03:16 . 2012-04-16 03:16 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0CDF7008-6C65-4DE3-B632-2AD05E9FF266}\gapaengine.dll
2012-04-16 03:14 . 2012-04-25 20:37 -------- d-----w- c:\program files\Microsoft Security Client
2012-04-12 17:08 . 2012-04-12 17:08 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5C4FBD45-168D-485B-8F07-4C2C7DD08A1F}\offreg.dll
2012-04-10 22:29 . 2012-04-10 22:29 -------- d-----w- c:\program files\Convert AVI to MP4
2012-04-10 22:25 . 2012-04-10 22:26 -------- d-----w- c:\users\King\AppData\Roaming\Stellarium
2012-04-10 22:25 . 2012-04-10 22:25 -------- d-----w- c:\program files\Stellarium
2012-04-10 19:29 . 2012-03-20 07:53 6582328 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5C4FBD45-168D-485B-8F07-4C2C7DD08A1F}\mpengine.dll
2012-04-10 19:29 . 2012-02-28 01:03 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-04-10 19:29 . 2012-02-28 01:58 141112 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2012-04-10 19:23 . 2012-03-01 05:46 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-10 19:23 . 2012-03-01 05:37 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-04-10 19:23 . 2012-03-01 05:33 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-10 19:23 . 2012-03-01 05:29 5120 ----a-w- c:\windows\system32\wmi.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( 在三个月内被修改的档案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-16 04:32 . 2011-11-22 20:19 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-06 21:28 . 2012-04-06 21:28 231760 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2012-03-27 21:09 . 2012-03-27 14:50 409088 ----a-w- c:\windows\system32\systemcpl.dll
2012-03-27 21:09 . 2012-03-27 14:50 13824 ----a-w- c:\windows\system32\slwga.dll
2012-03-27 21:09 . 2012-03-27 14:52 811520 ----a-w- c:\windows\system32\user32.dll
2012-03-27 15:49 . 2012-03-27 15:49 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-03-27 15:49 . 2012-03-27 15:49 161792 ----a-w- c:\windows\system32\msls31.dll
2012-03-27 15:49 . 2012-03-27 15:49 86528 ----a-w- c:\windows\system32\iesysprep.dll
2012-03-27 15:49 . 2012-03-27 15:49 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-03-27 15:49 . 2012-03-27 15:49 74752 ----a-w- c:\windows\system32\iesetup.dll
2012-03-27 15:49 . 2012-03-27 15:49 63488 ----a-w- c:\windows\system32\tdc.ocx
2012-03-27 15:49 . 2012-03-27 15:49 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-03-27 15:49 . 2012-03-27 15:49 367104 ----a-w- c:\windows\system32\html.iec
2012-03-27 15:49 . 2012-03-27 15:49 23552 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-27 15:49 . 2012-03-27 15:49 152064 ----a-w- c:\windows\system32\wextract.exe
2012-03-27 15:49 . 2012-03-27 15:49 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-03-27 15:48 . 2012-03-27 15:48 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-03-27 15:48 . 2012-03-27 15:48 35840 ----a-w- c:\windows\system32\imgutil.dll
2012-03-27 15:48 . 2012-03-27 15:48 150528 ----a-w- c:\windows\system32\iexpress.exe
2012-03-27 15:48 . 2012-03-27 15:48 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-03-27 15:48 . 2012-03-27 15:48 11776 ----a-w- c:\windows\system32\mshta.exe
2012-03-27 15:48 . 2012-03-27 15:48 101888 ----a-w- c:\windows\system32\admparse.dll
2012-03-27 15:25 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-03-21 00:44 . 2011-04-27 19:25 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-21 00:44 . 2011-04-18 17:18 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-03-04 07:20 . 2012-03-04 06:08 729088 ------r- c:\program files\TMAC.exe
2012-03-04 06:08 . 2012-03-04 06:08 192835 ----a-w- c:\program files\Installer.exe
2012-03-04 06:08 . 2012-03-04 06:08 224016 --s---r- c:\windows\system32\TABCTL32.OCX
2012-03-04 06:08 . 2012-03-04 06:08 152848 --s---r- c:\windows\system32\COMDLG32.OCX
2012-03-04 06:08 . 2012-03-04 06:08 1010720 --s---r- c:\windows\system32\MSCHRT20.OCX
2012-02-17 05:34 . 2012-03-27 13:13 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-02-17 05:34 . 2012-03-27 13:13 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 04:14 . 2012-03-27 13:13 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13 . 2012-03-27 13:13 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-15 20:13 . 2012-02-15 20:13 192768 ----a-w- c:\programdata\Microsoft\VPDExpress\10.0\1033\ResourceCache.dll
2011-11-28 08:10 . 2011-08-23 23:27 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2012-03-27 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7601.17514] . . c:\windows\System32\user32.dll
[7] 2010-11-20 . F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 . 811520 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
.
((((((((((((((((((((((((((((((((((((( 重要登入点 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白与合法缺省登录将不会被显示
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\King\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\King\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\King\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RotateImage"="c:\program files\Integrated Camera Driver\RCIMGDIR.exe" [2008-10-30 31744]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-12-21 69568]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-17 307768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-03-19 13838952]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2010-05-06 886120]
"LENOVO.TPKNRRES"="c:\program files\Lenovo\Communications Utility\TPKNRRES.exe" [2010-04-20 62312]
"Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2008-11-04 33128]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"nwiz"="nwiz.exe" [2010-03-17 1657448]
"AcWin7Hlpr"="c:\program files\Lenovo\Access Connections\AcTBenabler.exe" [2009-10-13 36864]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-22 1725736]
"TpShocks"="TpShocks.exe" [2009-12-11 337256]
.
c:\users\King\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\King\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-4 27087944]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2009-8-11 795936]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2010-7-13 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2010-03-25 04:05 100104 ----a-w- c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer4"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]
IME File REG_SZ IMSC12.IME
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0210804]
Ime File REG_SZ SOGOUPY.IME
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-12-08 06:36 421736 ----a-w- d:\programs\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Message Center Plus]
2009-05-27 14:09 49976 ----a-w- c:\program files\Lenovo\Message Center Plus\MCPLaunch.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-02-29 158856]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-16 253088]
R3 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [2010-05-06 132456]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 74112]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 214952]
R3 PCDSRVC{3037D694-FD904ACA-06020000}_0;PCDSRVC{3037D694-FD904ACA-06020000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc.pkms [2010-05-07 21360]
R3 pmxdrv;pmxdrv;c:\windows\system32\drivers\pmxdrv.sys [2010-07-13 816792]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2010-05-06 75112]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe [2009-09-29 99768]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-03-27 1343400]
S0 DozeHDD;DozeHDD;c:\windows\System32\DRIVERS\DozeHDD.sys [2010-05-06 24304]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-10-09 20520]
S0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys [2011-08-08 98928]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
S1 MpKsl78313d5d;MpKsl78313d5d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FF0BB1ED-DD7A-40E3-9CBC-1DBE655D8427}\MpKsl78313d5d.sys [2012-05-10 29904]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]
S2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [2011-10-13 249648]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2010-04-20 50536]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2010-04-07 45496]
S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2010-04-20 74088]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-17 11032]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-10-26 48640]
S2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2009-03-13 12560]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2010-04-07 63928]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [2009-09-29 13752]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-03-25 2320920]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2011-08-30 665200]
S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [2009-12-14 127232]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 29472]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2009-12-10 214696]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 125696]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-04-04 22344]
S3 NETw5s32;Intel® Wireless WiFi Link 5000 系列适配器驱动程序(适用于 Windows 7 32 位);c:\windows\system32\DRIVERS\NETw5s32.sys [2010-03-17 6758912]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-01-27 68200]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2009-09-24 38336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc Mcx2Svc
HsfXAudioService REG_MULTI_SZ HsfXAudioService
.
‘计划任务’ 文件夹 里的内容
.
2012-05-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-16 04:32]
.
2012-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2628063611-1983361895-1303246480-1000Core.job
- c:\users\King\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-09 16:02]
.
2012-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2628063611-1983361895-1303246480-1000UA.job
- c:\users\King\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-09 16:02]
.
2012-04-25 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2010-05-07 19:46]
.
2012-05-04 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\pcdrcui.exe [2010-05-08 00:50]
.
.
------- 而外的扫描 -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Send image to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
IE: 导出到 Microsoft Excel(&X) - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
LSP: %SystemRoot%\system32\vsocklib.dll
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\King\AppData\Roaming\Mozilla\Firefox\Profiles\bk6yehc5.default\
FF - prefs.js: browser.startup.homepage - about:cehome
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-qk92f5mjv3 - c:\users\King\qk92f5mjv3.exe
HKCU-Run-Regedit32 - c:\windows\system32\regedit.exe
MSConfigStartUp-qk92f5mjv3 - c:\users\King\qk92f5mjv3.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{3037D694-FD904ACA-06020000}_0]
"ImagePath"="\??\c:\program files\pc-doctor\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2628063611-1983361895-1303246480-1000\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_]
"ClientGUID"=hex:28,8c,c0,94,e2,21,ef,4d,98,db,bb,a7,86,ef,26,92
.
[HKEY_USERS\S-1-5-21-2628063611-1983361895-1303246480-1000\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_]
"ClientGUID"=hex:cb,e5,13,ef,d1,67,f9,49,b5,4b,95,ef,97,4e,9a,57
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- 运行进程下的动态链接库 ---------------------
.
- - - - - - - > 'lsass.exe'(740)
c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
.
- - - - - - - > 'Explorer.exe'(6096)
c:\program files\Lenovo\Client Security Solution\tvtpwm_windows_hook.dll
c:\users\King\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
c:\program files\ThinkPad\Bluetooth Software\btncopy.dll
c:\program files\WinSCP\DragExt.dll
c:\program files\Lenovo\Client Security Solution\tvtpwm_keyboard_hook.dll
c:\program files\Lenovo\Client Security Solution\tvtpwm_interface.dll
c:\progra~1\Lenovo\HOTKEY\tpnumlkd.dll
.
------------------------ 其他运行进程 ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\AUDIODG.EXE
c:\windows\system32\WUDFHost.exe
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\windows\system32\nvvsvc.exe
c:\progra~1\SOGOUI~1\600~1.623\SGTool.exe
c:\program files\Lenovo\Access Connections\AcPrfMgrSvc.exe
c:\progra~1\Lenovo\HOTKEY\tpnumlk.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\ThinkVantage Fingerprint Software\upeksvr.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\vmnat.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\Lenovo\Access Connections\AcSvc.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\windows\system32\wbem\unsecapp.exe
c:\progra~1\Lenovo\HOTKEY\tpnumlkd.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\program files\ThinkPad\Bluetooth Software\btwdins.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Lenovo\Client Security Solution\cssauth.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\program files\Lenovo\Client Security Solution\password_manager.exe
.
**************************************************************************
.
完成时间: 2012-05-10 14:38:56 - 电脑已重新启动
ComboFix-quarantined-files.txt 2012-05-10 18:38
.
Pre-Run: 20,004,683,776 bytes free
Post-Run: 26,155,458,560 bytes free
.
- - End Of File - - 7E1AA683246B23332DB39AD3190A46E1


Checkup.txt:

Results of screen317's Security Check version 0.99.32
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Microsoft Security Essentials
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

CCleaner
Java™ 7
Java™ SE Development Kit 7
Adobe Flash Player 11.2.202.233
Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox (8.0.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Microsoft Security Essentials msseces.exe
``````````End of Log````````````

#4 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:37 PM

Posted 10 May 2012 - 03:04 PM

Greetings

I want you to run these next:

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • It will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 thedictator (Topic Starter)

  • Members
  • 7 posts
  • Local time:11:37 AM

Posted 10 May 2012 - 04:31 PM

ASW:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-10 17:10:59
-----------------------------
17:10:59.932 OS Version: Windows 6.1.7601 Service Pack 1
17:10:59.932 Number of processors: 4 586 0x2502
17:10:59.935 ComputerName: ACE UserName:
17:11:11.366 Initialize success
17:17:08.357 AVAST engine defs: 12051000
17:17:58.237 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
17:17:58.241 Disk 0 Vendor: HITACHI_ PC3Z Size: 305245MB BusType: 3
17:17:58.255 Disk 0 MBR read successfully
17:17:58.259 Disk 0 MBR scan
17:17:58.289 Disk 0 unknown MBR code
17:17:58.306 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 1200 MB offset 2048
17:17:58.375 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 61442 MB offset 2459648
17:17:58.436 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 10000 MB offset 604659712
17:17:58.451 Disk 0 Partition - 00 0F Extended LBA 232595 MB offset 128293200
17:17:58.483 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 116294 MB offset 128293263
17:17:58.491 Disk 0 Partition - 00 05 Extended 116301 MB offset 366463440
17:17:58.512 Disk 0 Partition 5 00 07 HPFS/NTFS NTFS 116301 MB offset 366463503
17:17:58.523 Disk 0 scanning sectors +625139712
17:17:58.890 Disk 0 scanning C:\Windows\system32\drivers
17:18:15.971 Service scanning
17:18:33.578 Service MpKsl7f278d3b C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{299563D8-488F-41FC-9A58-3DE83BF40233}\MpKsl7f278d3b.sys **LOCKED** 32
17:18:59.537 Modules scanning
17:19:10.569 Module: C:\Windows\System32\user32.dll **SUSPICIOUS**
17:19:15.371 Disk 0 trace - called modules:
17:19:15.392 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll iaStor.sys
17:19:15.403 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x88ea1030]
17:19:15.410 3 CLASSPNP.SYS[8a9b659e] -> nt!IofCallDriver -> [0x8733c998]
17:19:15.416 5 ACPI.sys[8a28b3d4] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8734b028]
17:19:15.928 AVAST engine scan C:\Windows
17:19:19.600 AVAST engine scan C:\Windows\system32
17:23:48.047 AVAST engine scan C:\Windows\system32\drivers
17:24:10.089 AVAST engine scan C:\Users\King
17:28:43.836 AVAST engine scan C:\ProgramData
17:29:40.844 Scan finished successfully
17:30:46.125 Disk 0 MBR has been saved successfully to "C:\Users\King\Desktop\MBR.dat"
17:30:46.131 The log file has been saved successfully to "C:\Users\King\Desktop\aswMBR.txt"



TDSSkiller:

17:06:20.0333 5760 TDSS rootkit removing tool 2.7.34.0 May 2 2012 09:59:18
17:06:20.0949 5760 ============================================================
17:06:20.0950 5760 Current date / time: 2012/05/10 17:06:20.0949
17:06:20.0950 5760 SystemInfo:
17:06:20.0950 5760
17:06:20.0950 5760 OS Version: 6.1.7601 ServicePack: 1.0
17:06:20.0950 5760 Product type: Workstation
17:06:20.0950 5760 ComputerName: ACE
17:06:20.0951 5760 UserName: King
17:06:20.0951 5760 Windows directory: C:\Windows
17:06:20.0951 5760 System windows directory: C:\Windows
17:06:20.0951 5760 Processor architecture: Intel x86
17:06:20.0951 5760 Number of processors: 4
17:06:20.0951 5760 Page size: 0x1000
17:06:20.0951 5760 Boot type: Normal boot
17:06:20.0951 5760 ============================================================
17:06:21.0942 5760 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0xA181, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000050
17:06:21.0946 5760 ============================================================
17:06:21.0946 5760 \Device\Harddisk0\DR0:
17:06:21.0946 5760 MBR partitions:
17:06:21.0946 5760 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x258000
17:06:21.0946 5760 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x258800, BlocksNum 0x7801150
17:06:21.0946 5760 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x240A6000, BlocksNum 0x1388000
17:06:21.0962 5760 \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0x7A5998F, BlocksNum 0xE323041
17:06:21.0991 5760 \Device\Harddisk0\DR0\Partition4: MBR, Type 0x7, StartLBA 0x15D7CA0F, BlocksNum 0xE326B51
17:06:21.0991 5760 ============================================================
17:06:22.0051 5760 C: <-> \Device\Harddisk0\DR0\Partition1
17:06:22.0078 5760 E: <-> \Device\Harddisk0\DR0\Partition4
17:06:22.0116 5760 Q: <-> \Device\Harddisk0\DR0\Partition2
17:06:22.0150 5760 D: <-> \Device\Harddisk0\DR0\Partition3
17:06:22.0151 5760 ============================================================
17:06:22.0151 5760 Initialize success
17:06:22.0151 5760 ============================================================
17:06:23.0520 4292 ============================================================
17:06:23.0520 4292 Scan started
17:06:23.0520 4292 Mode: Manual;
17:06:23.0520 4292 ============================================================
17:06:23.0923 4292 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\drivers\1394ohci.sys
17:06:23.0925 4292 1394ohci - ok
17:06:23.0976 4292 5U877 (5e67a474cbc887daf0ddd343f6f7fea0) C:\Windows\system32\DRIVERS\5U877.sys
17:06:23.0978 4292 5U877 - ok
17:06:24.0036 4292 ACPI (cea80c80bed809aa0da6febc04733349) C:\Windows\system32\drivers\ACPI.sys
17:06:24.0038 4292 ACPI - ok
17:06:24.0080 4292 AcpiPmi (1efbc664abff416d1d07db115dcb264f) C:\Windows\system32\drivers\acpipmi.sys
17:06:24.0081 4292 AcpiPmi - ok
17:06:24.0210 4292 AcPrfMgrSvc (c8b90210aad4c319916598d0312d8fca) C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe
17:06:40.0477 4292 pci - ok
17:06:40.0523 4292 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\drivers\pciide.sys
17:06:40.0525 4292 pciide - ok
17:06:40.0552 4292 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
17:06:40.0556 4292 pcmcia - ok
17:06:40.0575 4292 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
17:06:40.0577 4292 pcw - ok
17:06:40.0625 4292 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
17:06:40.0634 4292 PEAUTH - ok
17:06:40.0719 4292 PeerDistSvc (af4d64d2a57b9772cf3801950b8058a6) C:\Windows\system32\peerdistsvc.dll
17:06:40.0732 4292 PeerDistSvc - ok
17:06:40.0888 4292 pla (414bba67a3ded1d28437eb66aeb8a720) C:\Windows\system32\pla.dll
17:06:40.0914 4292 pla - ok
17:06:41.0107 4292 PlugPlay (ec7bc28d207da09e79b3e9faf8b232ca) C:\Windows\system32\umpnpmgr.dll
17:06:41.0114 4292 PlugPlay - ok
17:06:41.0207 4292 pmxdrv (b4079d61b5c6b4919bde17c38202e236) C:\Windows\system32\drivers\pmxdrv.sys
17:06:41.0281 4292 pmxdrv - ok
17:06:41.0326 4292 PNRPAutoReg (63ff8572611249931eb16bb8eed6afc8) C:\Windows\system32\pnrpauto.dll
17:06:41.0328 4292 PNRPAutoReg - ok
17:06:41.0357 4292 PNRPsvc (82a8521ddc60710c3d3d3e7325209bec) C:\Windows\system32\pnrpsvc.dll
17:06:41.0360 4292 PNRPsvc - ok
17:06:41.0418 4292 PolicyAgent (53946b69ba0836bd95b03759530c81ec) C:\Windows\System32\ipsecsvc.dll
17:06:41.0424 4292 PolicyAgent - ok
17:06:41.0464 4292 Power (f87d30e72e03d579a5199ccb3831d6ea) C:\Windows\system32\umpo.dll
17:06:41.0468 4292 Power - ok
17:06:41.0587 4292 Power Manager DBC Service (61f79e1bc440323138c7701c761d2525) C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
17:06:41.0589 4292 Power Manager DBC Service - ok
17:06:41.0669 4292 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
17:06:41.0671 4292 PptpMiniport - ok
17:06:41.0684 4292 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
17:06:41.0686 4292 Processor - ok
17:06:41.0724 4292 ProfSvc (43ca4ccc22d52fb58e8988f0198851d0) C:\Windows\system32\profsvc.dll
17:06:41.0728 4292 ProfSvc - ok
17:06:41.0759 4292 ProtectedStorage (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
17:06:41.0762 4292 ProtectedStorage - ok
17:06:41.0782 4292 psadd (72de205cd4006dc45b1401859c506679) C:\Windows\system32\DRIVERS\psadd.sys
17:06:41.0784 4292 psadd - ok
17:06:41.0817 4292 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
17:06:41.0819 4292 Psched - ok
17:06:41.0926 4292 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
17:06:41.0946 4292 ql2300 - ok
17:06:42.0089 4292 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
17:06:42.0092 4292 ql40xx - ok
17:06:42.0128 4292 QWAVE (31ac809e7707eb580b2bdb760390765a) C:\Windows\system32\qwave.dll
17:06:42.0135 4292 QWAVE - ok
17:06:42.0153 4292 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
17:06:42.0155 4292 QWAVEdrv - ok
17:06:42.0162 4292 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
17:06:42.0163 4292 RasAcd - ok
17:06:42.0193 4292 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
17:06:42.0194 4292 RasAgileVpn - ok
17:06:42.0210 4292 RasAuto (a60f1839849c0c00739787fd5ec03f13) C:\Windows\System32\rasauto.dll
17:06:42.0213 4292 RasAuto - ok
17:06:42.0226 4292 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
17:06:42.0228 4292 Rasl2tp - ok
17:06:42.0289 4292 RasMan (cb9e04dc05eacf5b9a36ca276d475006) C:\Windows\System32\rasmans.dll
17:06:42.0295 4292 RasMan - ok
17:06:42.0315 4292 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
17:06:42.0317 4292 RasPppoe - ok
17:06:42.0341 4292 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
17:06:42.0343 4292 RasSstp - ok
17:06:42.0388 4292 rdbss (d528bc58a489409ba40334ebf96a311b) C:\Windows\system32\DRIVERS\rdbss.sys
17:06:42.0392 4292 rdbss - ok
17:06:42.0413 4292 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
17:06:42.0415 4292 rdpbus - ok
17:06:42.0449 4292 RDPCDD (23dae03f29d253ae74c44f99e515f9a1) C:\Windows\system32\DRIVERS\RDPCDD.sys
17:06:42.0451 4292 RDPCDD - ok
17:06:42.0479 4292 RDPDR (b973fcfc50dc1434e1970a146f7e3885) C:\Windows\system32\drivers\rdpdr.sys
17:06:42.0481 4292 RDPDR - ok
17:06:42.0499 4292 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
17:06:42.0500 4292 RDPENCDD - ok
17:06:42.0515 4292 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
17:06:42.0516 4292 RDPREFMP - ok
17:06:42.0565 4292 RdpVideoMiniport (68a0387f58e226deee23d9715955572a) C:\Windows\system32\drivers\rdpvideominiport.sys
17:06:42.0566 4292 RdpVideoMiniport - ok
17:06:42.0591 4292 RDPWD (244c83332f44589ae98fc347f11b2693) C:\Windows\system32\drivers\RDPWD.sys
17:06:42.0593 4292 RDPWD - ok
17:06:42.0643 4292 rdyboost (518395321dc96fe2c9f0e96ac743b656) C:\Windows\system32\drivers\rdyboost.sys
17:06:42.0646 4292 rdyboost - ok
17:06:42.0658 4292 regi (001b4278407f4303efc902a2b16f2453) C:\Windows\system32\drivers\regi.sys
17:06:42.0659 4292 regi - ok
17:06:42.0755 4292 RegSrvc (7afcbe32616e08d45e4eaadb0a1dd5cf) C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
17:06:42.0759 4292 RegSrvc - ok
17:06:42.0820 4292 RemoteAccess (7b5e1419717fac363a31cc302895217a) C:\Windows\System32\mprdim.dll
17:06:42.0824 4292 RemoteAccess - ok
17:06:42.0874 4292 RemoteRegistry (cb9a8683f4ef2bf99e123d79950d7935) C:\Windows\system32\regsvc.dll
17:06:42.0879 4292 RemoteRegistry - ok
17:06:42.0911 4292 RFCOMM (cb928d9e6daf51879dd6ba8d02f01321) C:\Windows\system32\DRIVERS\rfcomm.sys
17:06:42.0914 4292 RFCOMM - ok
17:06:43.0000 4292 rimspci (e891f07815af88075705ef6a248711f6) C:\Windows\system32\DRIVERS\rimspe86.sys
17:06:43.0002 4292 rimspci - ok
17:06:43.0057 4292 rpcapd (b60f58f175de20a6739194e85b035178) C:\Program Files\WinPcap\rpcapd.exe
17:06:43.0062 4292 rpcapd - ok
17:06:43.0081 4292 RpcEptMapper (78d072f35bc45d9e4e1b61895c152234) C:\Windows\System32\RpcEpMap.dll
17:06:43.0085 4292 RpcEptMapper - ok
17:06:43.0099 4292 RpcLocator (94d36c0e44677dd26981d2bfeef2a29d) C:\Windows\system32\locator.exe
17:06:43.0102 4292 RpcLocator - ok
17:06:43.0156 4292 RpcSs (7660f01d3b38aca1747e397d21d790af) C:\Windows\system32\rpcss.dll
17:06:43.0162 4292 RpcSs - ok
17:06:43.0200 4292 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
17:06:43.0202 4292 rspndr - ok
17:06:43.0255 4292 SamSs (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
17:06:43.0257 4292 SamSs - ok
17:06:43.0316 4292 sbp2port (05d860da1040f111503ac416ccef2bca) C:\Windows\system32\drivers\sbp2port.sys
17:06:43.0319 4292 sbp2port - ok
17:06:43.0347 4292 SCardSvr (8fc518ffe9519c2631d37515a68009c4) C:\Windows\System32\SCardSvr.dll
17:06:43.0353 4292 SCardSvr - ok
17:06:43.0386 4292 scfilter (0693b5ec673e34dc147e195779a4dcf6) C:\Windows\system32\DRIVERS\scfilter.sys
17:06:43.0388 4292 scfilter - ok
17:06:43.0470 4292 Schedule (a04bb13f8a72f8b6e8b4071723e4e336) C:\Windows\system32\schedsvc.dll
17:06:43.0490 4292 Schedule - ok
17:06:43.0528 4292 SCPolicySvc (319c6b309773d063541d01df8ac6f55f) C:\Windows\System32\certprop.dll
17:06:43.0529 4292 SCPolicySvc - ok
17:06:43.0573 4292 sdbus (0328be1c7f1cba23848179f8762e391c) C:\Windows\system32\drivers\sdbus.sys
17:06:43.0575 4292 sdbus - ok
17:06:43.0597 4292 SDRSVC (08236c4bce5edd0a0318a438af28e0f7) C:\Windows\System32\SDRSVC.dll
17:06:43.0603 4292 SDRSVC - ok
17:06:43.0635 4292 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
17:06:43.0637 4292 secdrv - ok
17:06:43.0658 4292 seclogon (a59b3a4442c52060cc7a85293aa3546f) C:\Windows\system32\seclogon.dll
17:06:43.0662 4292 seclogon - ok
17:06:43.0685 4292 SENS (dcb7fcdcc97f87360f75d77425b81737) C:\Windows\system32\sens.dll
17:06:43.0689 4292 SENS - ok
17:06:43.0715 4292 SensrSvc (50087fe1ee447009c9cc2997b90de53f) C:\Windows\system32\sensrsvc.dll
17:06:43.0718 4292 SensrSvc - ok
17:06:43.0747 4292 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
17:06:43.0748 4292 Serenum - ok
17:06:43.0771 4292 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys
17:06:43.0773 4292 Serial - ok
17:06:43.0787 4292 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
17:06:43.0789 4292 sermouse - ok
17:06:43.0833 4292 SessionEnv (4ae380f39a0032eab7dd953030b26d28) C:\Windows\system32\sessenv.dll
17:06:43.0836 4292 SessionEnv - ok
17:06:43.0869 4292 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\drivers\sffdisk.sys
17:06:43.0871 4292 sffdisk - ok
17:06:43.0882 4292 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\drivers\sffp_mmc.sys
17:06:43.0884 4292 sffp_mmc - ok
17:06:43.0893 4292 sffp_sd (6d4ccaedc018f1cf52866bbbaa235982) C:\Windows\system32\drivers\sffp_sd.sys
17:06:43.0895 4292 sffp_sd - ok
17:06:43.0916 4292 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
17:06:43.0917 4292 sfloppy - ok
17:06:43.0965 4292 SharedAccess (d1a079a0de2ea524513b6930c24527a2) C:\Windows\System32\ipnathlp.dll
17:06:43.0970 4292 SharedAccess - ok
17:06:44.0032 4292 ShellHWDetection (414da952a35bf5d50192e28263b40577) C:\Windows\System32\shsvcs.dll
17:06:44.0040 4292 ShellHWDetection - ok
17:06:44.0094 4292 Shockprf (486a1bd22dd66d0a8542ebb0cd792bdb) C:\Windows\system32\DRIVERS\Apsx86.sys
17:06:44.0096 4292 Shockprf - ok
17:06:44.0111 4292 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\drivers\sisagp.sys
17:06:44.0113 4292 sisagp - ok
17:06:44.0131 4292 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys
17:06:44.0133 4292 SiSRaid2 - ok
17:06:44.0148 4292 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys
17:06:44.0151 4292 SiSRaid4 - ok
17:06:44.0236 4292 SkypeUpdate (6128e98eaaed364ed1a32708d2fd22cb) C:\Program Files\Skype\Updater\Updater.exe
17:06:44.0239 4292 SkypeUpdate - ok
17:06:44.0265 4292 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
17:06:44.0267 4292 Smb - ok
17:06:44.0308 4292 smihlp (0b9c01236d25bdcb37aa79dc59dfb7d3) C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys
17:06:44.0309 4292 smihlp - ok
17:06:44.0370 4292 SNMPTRAP (6a984831644eca1a33ffeae4126f4f37) C:\Windows\System32\snmptrap.exe
17:06:44.0373 4292 SNMPTRAP - ok
17:06:44.0401 4292 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
17:06:44.0403 4292 spldr - ok
17:06:44.0464 4292 Spooler (866a43013535dc8587c258e43579c764) C:\Windows\System32\spoolsv.exe
17:06:44.0470 4292 Spooler - ok
17:06:44.0747 4292 sppsvc (cf87a1de791347e75b98885214ced2b8) C:\Windows\system32\sppsvc.exe
17:06:44.0786 4292 sppsvc - ok
17:06:44.0906 4292 sppuinotify (b0180b20b065d89232a78a40fe56eaa6) C:\Windows\system32\sppuinotify.dll
17:06:44.0910 4292 sppuinotify - ok
17:06:44.0977 4292 srv (e4c2764065d66ea1d2d3ebc28fe99c46) C:\Windows\system32\DRIVERS\srv.sys
17:06:44.0983 4292 srv - ok
17:06:45.0018 4292 srv2 (03f0545bd8d4c77fa0ae1ceedfcc71ab) C:\Windows\system32\DRIVERS\srv2.sys
17:06:45.0023 4292 srv2 - ok
17:06:45.0072 4292 SrvHsfHDA (e00fdfaff025e94f9821153750c35a6d) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
17:06:45.0076 4292 SrvHsfHDA - ok
17:06:45.0186 4292 SrvHsfV92 (ceb4e3b6890e1e42dca6694d9e59e1a0) C:\Windows\system32\DRIVERS\VSTDPV3.SYS
17:06:45.0203 4292 SrvHsfV92 - ok
17:06:45.0260 4292 SrvHsfWinac (bc0c7ea89194c299f051c24119000e17) C:\Windows\system32\DRIVERS\VSTCNXT3.SYS
17:06:45.0270 4292 SrvHsfWinac - ok
17:06:45.0311 4292 srvnet (be6bd660caa6f291ae06a718a4fa8abc) C:\Windows\system32\DRIVERS\srvnet.sys
17:06:45.0313 4292 srvnet - ok
17:06:45.0348 4292 SSDPSRV (d887c9fd02ac9fa880f6e5027a43e118) C:\Windows\System32\ssdpsrv.dll
17:06:45.0354 4292 SSDPSRV - ok
17:06:45.0376 4292 SstpSvc (d318f23be45d5e3a107469eb64815b50) C:\Windows\system32\sstpsvc.dll
17:06:45.0380 4292 SstpSvc - ok
17:06:45.0403 4292 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys
17:06:45.0405 4292 stexstor - ok
17:06:45.0465 4292 StiSvc (e1fb3706030fb4578a0d72c2fc3689e4) C:\Windows\System32\wiaservc.dll
17:06:45.0472 4292 StiSvc - ok
17:06:45.0532 4292 SUService (f3c73e650f1cd3289f38e62ccc325a66) c:\Program Files\Lenovo\System Update\SUService.exe
17:06:45.0532 4292 SUService - ok
17:06:45.0580 4292 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\drivers\swenum.sys
17:06:45.0581 4292 swenum - ok
17:06:45.0616 4292 swprv (a28bd92df340e57b024ba433165d34d7) C:\Windows\System32\swprv.dll
17:06:45.0623 4292 swprv - ok
17:06:45.0627 4292 Synth3dVsc - ok
17:06:45.0669 4292 SynTP (d7dc30b8b41e7a913c3fccc0631e72ec) C:\Windows\system32\DRIVERS\SynTP.sys
17:06:45.0672 4292 SynTP - ok
17:06:45.0781 4292 SysMain (36650d618ca34c9d357dfd3d89b2c56f) C:\Windows\system32\sysmain.dll
17:06:45.0792 4292 SysMain - ok
17:06:45.0830 4292 TabletInputService (763fecdc3d30c815fe72dd57936c6cd1) C:\Windows\System32\TabSvc.dll
17:06:45.0836 4292 TabletInputService - ok
17:06:45.0884 4292 TapiSrv (613bf4820361543956909043a265c6ac) C:\Windows\System32\tapisrv.dll
17:06:45.0890 4292 TapiSrv - ok
17:06:45.0912 4292 TBS (b799d9fdb26111737f58288d8dc172d9) C:\Windows\System32\tbssvc.dll
17:06:45.0919 4292 TBS - ok
17:06:46.0085 4292 Tcpip (7fa2e0f8b072bd04b77b421480b6cc22) C:\Windows\system32\drivers\tcpip.sys
17:06:46.0104 4292 Tcpip - ok
17:06:46.0296 4292 TCPIP6 (7fa2e0f8b072bd04b77b421480b6cc22) C:\Windows\system32\DRIVERS\tcpip.sys
17:06:46.0307 4292 TCPIP6 - ok
17:06:46.0412 4292 tcpipreg (cca24162e055c3714ce5a88b100c64ed) C:\Windows\system32\drivers\tcpipreg.sys
17:06:46.0413 4292 tcpipreg - ok
17:06:46.0452 4292 TDPIPE (1cb91b2bd8f6dd367dfc2ef26fd751b2) C:\Windows\system32\drivers\tdpipe.sys
17:06:46.0453 4292 TDPIPE - ok
17:06:46.0469 4292 TDTCP (2c2c5afe7ee4f620d69c23c0617651a8) C:\Windows\system32\drivers\tdtcp.sys
17:06:46.0470 4292 TDTCP - ok
17:06:46.0509 4292 tdx (b459575348c20e8121d6039da063c704) C:\Windows\system32\DRIVERS\tdx.sys
17:06:46.0511 4292 tdx - ok
17:06:46.0547 4292 TermDD (04dbf4b01ea4bf25a9a3e84affac9b20) C:\Windows\system32\drivers\termdd.sys
17:06:46.0549 4292 TermDD - ok
17:06:46.0620 4292 TermService (382c804c92811be57829d8e550a900e2) C:\Windows\System32\termsrv.dll
17:06:46.0627 4292 TermService - ok
17:06:46.0650 4292 Themes (42fb6afd6b79d9fe07381609172e7ca4) C:\Windows\system32\themeservice.dll
17:06:46.0653 4292 Themes - ok
17:06:46.0799 4292 ThinkVantage Registry Monitor Service (82c4830ab23a7ab125f38da9a46b6a6d) C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
17:06:46.0812 4292 ThinkVantage Registry Monitor Service - ok
17:06:46.0853 4292 THREADORDER (146b6f43a673379a3c670e86d89be5ea) C:\Windows\system32\mmcss.dll
17:06:46.0857 4292 THREADORDER - ok
17:06:46.0904 4292 TPDIGIMN (20a439d6475d6fe1909159c0143d0466) C:\Windows\system32\DRIVERS\ApsHM86.sys
17:06:46.0906 4292 TPDIGIMN - ok
17:06:46.0922 4292 TPHDEXLGSVC (3775e4aa5f72264dbab7a578dd913ecf) C:\Windows\system32\TPHDEXLG.exe
17:06:46.0927 4292 TPHDEXLGSVC - ok
17:06:46.0992 4292 TPHKSVC (2cf225e19490f499528b926263fe4554) C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
17:06:46.0993 4292 TPHKSVC - ok
17:06:47.0023 4292 TPM (5ad05191dc8b444a7ba4d79b76c42a30) C:\Windows\system32\drivers\tpm.sys
17:06:47.0025 4292 TPM - ok
17:06:47.0056 4292 TPPWRIF (6412da2b8d079d821b99b3a99943284e) C:\Windows\system32\drivers\Tppwr32v.sys
17:06:47.0058 4292 TPPWRIF - ok
17:06:47.0094 4292 TrkWks (4792c0378db99a9bc2ae2de6cfff0c3a) C:\Windows\System32\trkwks.dll
17:06:47.0097 4292 TrkWks - ok
17:06:47.0162 4292 truecrypt (ed5e4ce36c54f55e7698642e94d32ec7) C:\Windows\system32\drivers\truecrypt.sys
17:06:47.0165 4292 truecrypt - ok
17:06:47.0257 4292 TrustedInstaller (2c49b175aee1d4364b91b531417fe583) C:\Windows\servicing\TrustedInstaller.exe
17:06:47.0260 4292 TrustedInstaller - ok
17:06:47.0277 4292 tssecsrv (254bb140eee3c59d6114c1a86b636877) C:\Windows\system32\DRIVERS\tssecsrv.sys
17:06:47.0279 4292 tssecsrv - ok
17:06:47.0304 4292 TsUsbFlt (fd1d6c73e6333be727cbcc6054247654) C:\Windows\system32\drivers\tsusbflt.sys
17:06:47.0305 4292 TsUsbFlt - ok
17:06:47.0309 4292 tsusbhub - ok
17:06:47.0349 4292 tunnel (b2fa25d9b17a68bb93d58b0556e8c90d) C:\Windows\system32\DRIVERS\tunnel.sys
17:06:47.0351 4292 tunnel - ok
17:06:47.0374 4292 TurboB (c0847edcccef8d4f5354e82ec9e90159) C:\Windows\system32\DRIVERS\TurboB.sys
17:06:47.0388 4292 TurboB - ok
17:06:47.0423 4292 TurboBoost (8629f69817902d9d0f00eb3247aaba51) C:\Program Files\Intel\TurboBoost\TurboBoost.exe
17:06:47.0480 4292 TurboBoost - ok
17:06:47.0611 4292 TVT Backup Service (b56da1aa776c15043d10f82b32aa000d) C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
17:06:47.0688 4292 TVT Backup Service - ok
17:06:47.0837 4292 TVTI2C (3078906e991f29305e8066911153717e) C:\Windows\system32\DRIVERS\Tvti2c.sys
17:06:47.0839 4292 TVTI2C - ok
17:06:47.0864 4292 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
17:06:47.0866 4292 uagp35 - ok
17:06:47.0911 4292 udfs (ee43346c7e4b5e63e54f927babbb32ff) C:\Windows\system32\DRIVERS\udfs.sys
17:06:47.0915 4292 udfs - ok
17:06:47.0948 4292 UI0Detect (8344fd4fce927880aa1aa7681d4927e5) C:\Windows\system32\UI0Detect.exe
17:06:47.0952 4292 UI0Detect - ok
17:06:48.0017 4292 UleadBurningHelper (be788a747457e6916586c410ec0111e7) C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
17:06:48.0018 4292 UleadBurningHelper - ok
17:06:48.0056 4292 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\drivers\uliagpkx.sys
17:06:48.0057 4292 uliagpkx - ok
17:06:48.0071 4292 umbus (d295bed4b898f0fd999fcfa9b32b071b) C:\Windows\system32\drivers\umbus.sys
17:06:48.0073 4292 umbus - ok
17:06:48.0083 4292 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
17:06:48.0085 4292 UmPass - ok
17:06:48.0128 4292 UmRdpService (409994a8eaceee4e328749c0353527a0) C:\Windows\System32\umrdp.dll
17:06:48.0133 4292 UmRdpService - ok
17:06:48.0379 4292 UNS (368d1e624510885e552a1de490c606ef) C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
17:06:48.0410 4292 UNS - ok
17:06:48.0540 4292 upnphost (833fbb672460efce8011d262175fad33) C:\Windows\System32\upnphost.dll
17:06:48.0547 4292 upnphost - ok
17:06:48.0607 4292 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\Windows\system32\Drivers\usbaapl.sys
17:06:48.0609 4292 USBAAPL - ok
17:06:48.0650 4292 usbccgp (7e72e7d7e0757d59481d530fd2b0bfae) C:\Windows\system32\drivers\usbccgp.sys
17:06:48.0652 4292 usbccgp - ok
17:06:48.0665 4292 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\drivers\usbcir.sys
17:06:48.0668 4292 usbcir - ok
17:06:48.0689 4292 usbehci (cfbce999c057d78979a181c9c60f208e) C:\Windows\system32\drivers\usbehci.sys
17:06:48.0691 4292 usbehci - ok
17:06:48.0729 4292 usbhub (9d22aad9ac6a07c691a1113e5f860868) C:\Windows\system32\drivers\usbhub.sys
17:06:48.0734 4292 usbhub - ok
17:06:48.0750 4292 usbohci (a6fb7957ea7afb1165991e54ce934b74) C:\Windows\system32\drivers\usbohci.sys
17:06:48.0751 4292 usbohci - ok
17:06:48.0772 4292 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
17:06:48.0774 4292 usbprint - ok
17:06:48.0793 4292 USBSTOR (bf63ebfc6979fefb2bc03df7989a0c1a) C:\Windows\system32\drivers\USBSTOR.SYS
17:06:48.0795 4292 USBSTOR - ok
17:06:48.0812 4292 usbuhci (78780c3ebce17405b1ccd07a3a8a7d72) C:\Windows\system32\drivers\usbuhci.sys
17:06:48.0814 4292 usbuhci - ok
17:06:48.0870 4292 usbvideo (45f4e7bf43db40a6c6b4d92c76cbc3f2) C:\Windows\System32\Drivers\usbvideo.sys
17:06:48.0876 4292 usbvideo - ok
17:06:48.0894 4292 UxSms (081e6e1c91aec36758902a9f727cd23c) C:\Windows\System32\uxsms.dll
17:06:48.0899 4292 UxSms - ok
17:06:48.0926 4292 VaultSvc (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
17:06:48.0928 4292 VaultSvc - ok
17:06:48.0973 4292 VClone (fce98c43b5c5db8e0da8ea0e2b45e044) C:\Windows\system32\DRIVERS\VClone.sys
17:06:48.0975 4292 VClone - ok
17:06:49.0023 4292 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\drivers\vdrvroot.sys
17:06:49.0025 4292 vdrvroot - ok
17:06:49.0084 4292 vds (c3cd30495687c2a2f66a65ca6fd89be9) C:\Windows\System32\vds.exe
17:06:49.0093 4292 vds - ok
17:06:49.0115 4292 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
17:06:49.0117 4292 vga - ok
17:06:49.0126 4292 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
17:06:49.0128 4292 VgaSave - ok
17:06:49.0143 4292 VGPU - ok
17:06:49.0165 4292 vhdmp (5461686cca2fda57b024547733ab42e3) C:\Windows\system32\drivers\vhdmp.sys
17:06:49.0168 4292 vhdmp - ok
17:06:49.0190 4292 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\drivers\viaagp.sys
17:06:49.0191 4292 viaagp - ok
17:06:49.0204 4292 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
17:06:49.0206 4292 ViaC7 - ok
17:06:49.0219 4292 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\drivers\viaide.sys
17:06:49.0220 4292 viaide - ok
17:06:49.0313 4292 VMAuthdService (3accf0c817a2bb34efbfb72b57b00252) C:\Program Files\VMware\VMware Player\vmware-authd.exe
17:06:49.0315 4292 VMAuthdService - ok
17:06:49.0360 4292 vmci (15759158f7531853616b2b43af962fcb) C:\Windows\system32\DRIVERS\vmci.sys
17:06:49.0363 4292 vmci - ok
17:06:49.0380 4292 vmkbd (e5fa574436b840d071dbfe74300741ce) C:\Windows\system32\drivers\VMkbd.sys
17:06:49.0382 4292 vmkbd - ok
17:06:49.0454 4292 vmm (c01604eaea9c89035cff58cdb322476c) C:\Windows\system32\Drivers\vmm.sys
17:06:49.0457 4292 vmm - ok
17:06:49.0482 4292 VMnetAdapter (1afa4af55cbea579a4bbe4f90967f720) C:\Windows\system32\DRIVERS\vmnetadapter.sys
17:06:49.0483 4292 VMnetAdapter - ok
17:06:49.0509 4292 VMnetBridge (392964a7bf46986fbd44b24a3bec2088) C:\Windows\system32\DRIVERS\vmnetbridge.sys
17:06:49.0510 4292 VMnetBridge - ok
17:06:49.0570 4292 VMnetDHCP (6f5fe74a4713290e6309b45904403798) C:\Windows\system32\vmnetdhcp.exe
17:06:49.0577 4292 VMnetDHCP - ok
17:06:49.0603 4292 VMnetuserif (c88e5f414c567ff10343df18f8c3e3f0) C:\Windows\system32\drivers\vmnetuserif.sys
17:06:49.0604 4292 VMnetuserif - ok
17:06:49.0648 4292 vmusb (afb10ad9aa91d2f70c9f0e6bda0d119b) C:\Windows\system32\Drivers\vmusb.sys
17:06:49.0650 4292 vmusb - ok
17:06:49.0766 4292 VMUSBArbService (af76c6d3f5053459e18e4c519fb496c8) C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
17:06:49.0771 4292 VMUSBArbService - ok
17:06:49.0837 4292 VMware NAT Service (5cc206036b6648cd3990d77e5117e1d9) C:\Windows\system32\vmnat.exe
17:06:49.0846 4292 VMware NAT Service - ok
17:06:49.0862 4292 vmx86 (847909a1fc0c8eb46ff975747d673a7f) C:\Windows\system32\Drivers\vmx86.sys
17:06:49.0865 4292 vmx86 - ok
17:06:49.0903 4292 volmgr (4c63e00f2f4b5f86ab48a58cd990f212) C:\Windows\system32\drivers\volmgr.sys
17:06:49.0905 4292 volmgr - ok
17:06:49.0944 4292 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
17:06:49.0948 4292 volmgrx - ok
17:06:49.0978 4292 volsnap (f497f67932c6fa693d7de2780631cfe7) C:\Windows\system32\drivers\volsnap.sys
17:06:49.0982 4292 volsnap - ok
17:06:50.0010 4292 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
17:06:50.0014 4292 vsmraid - ok
17:06:50.0122 4292 VSS (209a3b1901b83aeb8527ed211cce9e4c) C:\Windows\system32\vssvc.exe
17:06:50.0140 4292 VSS - ok
17:06:50.0152 4292 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\system32\DRIVERS\vwifibus.sys
17:06:50.0154 4292 vwifibus - ok
17:06:50.0178 4292 vwififlt (7090d3436eeb4e7da3373090a23448f7) C:\Windows\system32\DRIVERS\vwififlt.sys
17:06:50.0180 4292 vwififlt - ok
17:06:50.0223 4292 W32Time (55187fd710e27d5095d10a472c8baf1c) C:\Windows\system32\w32time.dll
17:06:50.0226 4292 W32Time - ok
17:06:50.0242 4292 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
17:06:50.0243 4292 WacomPen - ok
17:06:50.0285 4292 WANARP (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
17:06:50.0287 4292 WANARP - ok
17:06:50.0290 4292 Wanarpv6 (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
17:06:50.0291 4292 Wanarpv6 - ok
17:06:50.0446 4292 WatAdminSvc (353a04c273ec58475d8633e75ccd5604) C:\Windows\system32\Wat\WatAdminSvc.exe
17:06:50.0481 4292 WatAdminSvc - ok
17:06:50.0698 4292 wbengine (691e3285e53dca558e1a84667f13e15a) C:\Windows\system32\wbengine.exe
17:06:50.0721 4292 wbengine - ok
17:06:50.0751 4292 WbioSrvc (9614b5d29dc76ac3c29f6d2d3aa70e67) C:\Windows\System32\wbiosrvc.dll
17:06:50.0755 4292 WbioSrvc - ok
17:06:50.0800 4292 wcncsvc (34eee0dfaadb4f691d6d5308a51315dc) C:\Windows\System32\wcncsvc.dll
17:06:50.0806 4292 wcncsvc - ok
17:06:50.0817 4292 WcsPlugInService (5d930b6357a6d2af4d7653bdabbf352f) C:\Windows\System32\WcsPlugInService.dll
17:06:50.0820 4292 WcsPlugInService - ok
17:06:50.0878 4292 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
17:06:50.0879 4292 Wd - ok
17:06:50.0923 4292 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
17:06:50.0929 4292 Wdf01000 - ok
17:06:50.0942 4292 WdiServiceHost (46ef9dc96265fd0b423db72e7c38c2a5) C:\Windows\system32\wdi.dll
17:06:50.0947 4292 WdiServiceHost - ok
17:06:50.0951 4292 WdiSystemHost (46ef9dc96265fd0b423db72e7c38c2a5) C:\Windows\system32\wdi.dll
17:06:50.0954 4292 WdiSystemHost - ok
17:06:51.0010 4292 WebClient (a9d880f97530d5b8fee278923349929d) C:\Windows\System32\webclnt.dll
17:06:51.0015 4292 WebClient - ok
17:06:51.0043 4292 Wecsvc (760f0afe937a77cff27153206534f275) C:\Windows\system32\wecsvc.dll
17:06:51.0049 4292 Wecsvc - ok
17:06:51.0061 4292 wercplsupport (ac804569bb2364fb6017370258a4091b) C:\Windows\System32\wercplsupport.dll
17:06:51.0065 4292 wercplsupport - ok
17:06:51.0094 4292 WerSvc (08e420d873e4fd85241ee2421b02c4a4) C:\Windows\System32\WerSvc.dll
17:06:51.0097 4292 WerSvc - ok
17:06:51.0113 4292 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
17:06:51.0114 4292 WfpLwf - ok
17:06:51.0129 4292 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
17:06:51.0130 4292 WIMMount - ok
17:06:51.0211 4292 winachsf (253a9c2df9a2a7b3b23146014959f2cd) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
17:06:51.0221 4292 winachsf - ok
17:06:51.0315 4292 WinDefend (3fae8f94296001c32eab62cd7d82e0fd) C:\Program Files\Windows Defender\mpsvc.dll
17:06:51.0326 4292 WinDefend - ok
17:06:51.0340 4292 WinHttpAutoProxySvc - ok
17:06:51.0507 4292 Winmgmt (f62e510b6ad4c21eb9fe8668ed251826) C:\Windows\system32\wbem\WMIsvc.dll
17:06:51.0509 4292 Winmgmt - ok
17:06:51.0622 4292 WinRM (1b91cd34ea3a90ab6a4ef0550174f4cc) C:\Windows\system32\WsmSvc.dll
17:06:51.0638 4292 WinRM - ok
17:06:51.0690 4292 WinUsb (a67e5f9a400f3bd1be3d80613b45f708) C:\Windows\system32\DRIVERS\WinUSB.sys
17:06:51.0692 4292 WinUsb - ok
17:06:51.0796 4292 Wlansvc (16935c98ff639d185086a3529b1f2067) C:\Windows\System32\wlansvc.dll
17:06:51.0824 4292 Wlansvc - ok
17:06:51.0851 4292 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\drivers\wmiacpi.sys
17:06:51.0852 4292 WmiAcpi - ok
17:06:51.0915 4292 wmiApSrv (6eb6b66517b048d87dc1856ddf1f4c3f) C:\Windows\system32\wbem\WmiApSrv.exe
17:06:51.0917 4292 wmiApSrv - ok
17:06:52.0122 4292 WMPNetworkSvc (3b40d3a61aa8c21b88ae57c58ab3122e) C:\Program Files\Windows Media Player\wmpnetwk.exe
17:06:52.0138 4292 WMPNetworkSvc - ok
17:06:52.0250 4292 WPCSvc (a2f0ec770a92f2b3f9de6d518e11409c) C:\Windows\System32\wpcsvc.dll
17:06:52.0256 4292 WPCSvc - ok
17:06:52.0299 4292 WPDBusEnum (aa53356d60af47eacc85bc617a4f3f66) C:\Windows\system32\wpdbusenum.dll
17:06:52.0305 4292 WPDBusEnum - ok
17:06:52.0333 4292 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
17:06:52.0334 4292 ws2ifsl - ok
17:06:52.0354 4292 wscsvc (6f5d49efe0e7164e03ae773a3fe25340) C:\Windows\system32\wscsvc.dll
17:06:52.0359 4292 wscsvc - ok
17:06:52.0366 4292 WSearch - ok
17:06:52.0556 4292 wuauserv (3026418a50c5b4761befa632cedb7406) C:\Windows\system32\wuaueng.dll
17:06:52.0583 4292 wuauserv - ok
17:06:52.0732 4292 WudfPf (e714a1c0354636837e20ccbf00888ee7) C:\Windows\system32\drivers\WudfPf.sys
17:06:52.0735 4292 WudfPf - ok
17:06:52.0767 4292 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\Windows\system32\DRIVERS\WUDFRd.sys
17:06:52.0770 4292 WUDFRd - ok
17:06:52.0822 4292 wudfsvc (8d1e1e529a2c9e9b6a85b55a345f7629) C:\Windows\System32\WUDFSvc.dll
17:06:52.0827 4292 wudfsvc - ok
17:06:52.0859 4292 WwanSvc (ff2d745b560f7c71b31f30f4d49f73d2) C:\Windows\System32\wwansvc.dll
17:06:52.0866 4292 WwanSvc - ok
17:06:52.0894 4292 XAudio (894f963be999ba9db5aac3aed55b115d) C:\Windows\system32\DRIVERS\XAudio32.sys
17:06:52.0896 4292 XAudio - ok
17:06:52.0944 4292 MBR (0x1B8) (80540458900a2ef6163b50d3d3b7ac3a) \Device\Harddisk0\DR0
17:06:52.0975 4292 \Device\Harddisk0\DR0 - ok
17:06:53.0005 4292 Boot (0x1200) (e1cb813f5ed4201df8297540cd2669a0) \Device\Harddisk0\DR0\Partition0
17:06:53.0007 4292 \Device\Harddisk0\DR0\Partition0 - ok
17:06:53.0023 4292 Boot (0x1200) (cb2a886f08a61c27d756c556ca522ac3) \Device\Harddisk0\DR0\Partition1
17:06:53.0025 4292 \Device\Harddisk0\DR0\Partition1 - ok
17:06:53.0051 4292 Boot (0x1200) (bec073281e44c78e4ea18afcfa8ddcf4) \Device\Harddisk0\DR0\Partition2
17:06:53.0053 4292 \Device\Harddisk0\DR0\Partition2 - ok
17:06:53.0081 4292 Boot (0x1200) (3e76392d3741d52d34afd77069d8e6be) \Device\Harddisk0\DR0\Partition3
17:06:53.0083 4292 \Device\Harddisk0\DR0\Partition3 - ok
17:06:53.0102 4292 Boot (0x1200) (59e906e9af6f3be96729b2d1902b34d9) \Device\Harddisk0\DR0\Partition4
17:06:53.0104 4292 \Device\Harddisk0\DR0\Partition4 - ok
17:06:53.0105 4292 ============================================================
17:06:53.0105 4292 Scan finished
17:06:53.0105 4292 ============================================================
17:06:53.0121 5160 Detected object count: 0
17:06:53.0122 5160 Actual detected object count: 0

#6 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 10 May 2012 - 05:57 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 thedictator (Topic Starter, Members, 7 posts)

Posted 10 May 2012 - 08:19 PM

Seems to me the computer is fine.

ComboFix 12-05-10.04 - King 2/05/10 Thu 21:00:01.2.4 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.936.86.1033.18.1972.968 [GMT -4:00]
Running from: d:\downloads\ComboFix.exe
Command switches used :: c:\users\King\Desktop\CFScript.txt.txt
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
Error: Cfiles.dat
.
((((((((((((((((((((((((( Files Created from 2012-04-11 to 2012-05-11 )))))))))))))))))))))))))))))))
.
.
2012-05-11 01:06 . 2012-05-11 01:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-10 19:27 . 2012-05-10 19:27 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{299563D8-488F-41FC-9A58-3DE83BF40233}\offreg.dll
2012-05-10 19:27 . 2012-05-10 19:27 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{299563D8-488F-41FC-9A58-3DE83BF40233}\MpKsl7f278d3b.sys
2012-05-10 18:58 . 2012-04-13 07:36 6734704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{299563D8-488F-41FC-9A58-3DE83BF40233}\mpengine.dll
2012-05-09 22:48 . 2012-03-31 04:29 936960 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-09 22:48 . 2012-03-31 04:30 1221632 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2012-05-09 22:48 . 2012-03-31 04:29 989184 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2012-05-09 22:48 . 2012-03-31 04:29 969216 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2012-05-09 22:47 . 2012-03-31 04:39 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-09 22:47 . 2012-03-31 04:39 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-09 22:47 . 2012-03-31 02:36 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-05-09 22:47 . 2012-03-30 10:23 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-09 22:47 . 2012-03-17 07:27 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-09 22:47 . 2012-03-03 05:31 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-05-09 17:53 . 2012-04-13 07:36 6734704 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-05-08 17:36 . 2012-05-08 17:36 -------- d-----w- c:\program files\CCleaner
2012-05-08 15:35 . 2012-05-08 17:48 -------- d-----w- C:\found.001
2012-05-07 16:21 . 2012-05-07 16:21 -------- d-----w- c:\users\King\AppData\Roaming\InterVideo
2012-05-05 20:03 . 2012-05-05 20:03 -------- d-----w- c:\users\King\AppData\Roaming\Malwarebytes
2012-05-05 20:03 . 2012-05-05 20:03 -------- d-----w- c:\programdata\Malwarebytes
2012-05-05 20:03 . 2012-05-05 20:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-05 20:03 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-03 03:38 . 2012-05-03 03:38 -------- d-----w- c:\program files\Common Files\Skype
2012-04-27 01:49 . 2012-04-27 01:49 -------- d-----w- c:\program files\Maxis
2012-04-27 01:43 . 2012-04-27 01:43 -------- d-----w- c:\program files\Elaborate Bytes
2012-04-27 01:37 . 2009-02-24 22:42 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2012-04-27 01:37 . 2012-04-27 01:37 -------- d-----w- c:\program files\MagicDisc
2012-04-22 06:08 . 2012-05-10 18:19 -------- d-----w- c:\users\King\AppData\Roaming\Notepad++
2012-04-22 06:08 . 2012-04-22 06:09 -------- d-----w- c:\program files\Notepad++
2012-04-16 04:32 . 2012-04-16 04:32 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-16 03:16 . 2012-04-16 03:16 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{0CDF7008-6C65-4DE3-B632-2AD05E9FF266}\gapaengine.dll
2012-04-16 03:14 . 2012-04-25 20:37 -------- d-----w- c:\program files\Microsoft Security Client
2012-04-12 17:08 . 2012-04-12 17:08 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5C4FBD45-168D-485B-8F07-4C2C7DD08A1F}\offreg.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Files Modified Within the Last Three Months ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-16 04:32 . 2011-11-22 20:19 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-06 21:28 . 2012-04-06 21:28 231760 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2012-03-27 21:09 . 2012-03-27 14:50 409088 ----a-w- c:\windows\system32\systemcpl.dll
2012-03-27 21:09 . 2012-03-27 14:50 13824 ----a-w- c:\windows\system32\slwga.dll
2012-03-27 21:09 . 2012-03-27 14:52 811520 ----a-w- c:\windows\system32\user32.dll
2012-03-27 15:49 . 2012-03-27 15:49 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-03-27 15:49 . 2012-03-27 15:49 161792 ----a-w- c:\windows\system32\msls31.dll
2012-03-27 15:49 . 2012-03-27 15:49 86528 ----a-w- c:\windows\system32\iesysprep.dll
2012-03-27 15:49 . 2012-03-27 15:49 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-03-27 15:49 . 2012-03-27 15:49 74752 ----a-w- c:\windows\system32\iesetup.dll
2012-03-27 15:49 . 2012-03-27 15:49 63488 ----a-w- c:\windows\system32\tdc.ocx
2012-03-27 15:49 . 2012-03-27 15:49 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-03-27 15:49 . 2012-03-27 15:49 367104 ----a-w- c:\windows\system32\html.iec
2012-03-27 15:49 . 2012-03-27 15:49 23552 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-27 15:49 . 2012-03-27 15:49 152064 ----a-w- c:\windows\system32\wextract.exe
2012-03-27 15:49 . 2012-03-27 15:49 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-03-27 15:48 . 2012-03-27 15:48 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-03-27 15:48 . 2012-03-27 15:48 35840 ----a-w- c:\windows\system32\imgutil.dll
2012-03-27 15:48 . 2012-03-27 15:48 150528 ----a-w- c:\windows\system32\iexpress.exe
2012-03-27 15:48 . 2012-03-27 15:48 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-03-27 15:48 . 2012-03-27 15:48 11776 ----a-w- c:\windows\system32\mshta.exe
2012-03-27 15:48 . 2012-03-27 15:48 101888 ----a-w- c:\windows\system32\admparse.dll
2012-03-27 15:25 . 2009-07-14 02:05 152576 ----a-w- c:\windows\system32\msclmd.dll
2012-03-21 00:44 . 2011-04-27 19:25 74112 ----a-w- c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-21 00:44 . 2011-04-18 17:18 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-03-20 07:53 . 2012-04-10 19:29 6582328 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5C4FBD45-168D-485B-8F07-4C2C7DD08A1F}\mpengine.dll
2012-03-04 07:20 . 2012-03-04 06:08 729088 ------r- c:\program files\TMAC.exe
2012-03-04 06:08 . 2012-03-04 06:08 192835 ----a-w- c:\program files\Installer.exe
2012-03-04 06:08 . 2012-03-04 06:08 224016 --s---r- c:\windows\system32\TABCTL32.OCX
2012-03-04 06:08 . 2012-03-04 06:08 152848 --s---r- c:\windows\system32\COMDLG32.OCX
2012-03-04 06:08 . 2012-03-04 06:08 1010720 --s---r- c:\windows\system32\MSCHRT20.OCX
2012-03-01 05:46 . 2012-04-10 19:23 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-03-01 05:37 . 2012-04-10 19:23 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-03-01 05:33 . 2012-04-10 19:23 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-03-01 05:29 . 2012-04-10 19:23 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-28 01:18 . 2012-04-10 19:28 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11 . 2012-04-10 19:28 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11 . 2012-04-10 19:28 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03 . 2012-04-10 19:29 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-17 05:34 . 2012-03-27 13:13 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-02-17 05:34 . 2012-03-27 13:13 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 04:14 . 2012-03-27 13:13 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13 . 2012-03-27 13:13 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-15 20:13 . 2012-02-15 20:13 192768 ----a-w- c:\programdata\Microsoft\VPDExpress\10.0\1033\ResourceCache.dll
2011-11-28 08:10 . 2011-08-23 23:27 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2012-03-27 . 7BD7F45FF37FA0669CD32CA0EF46E22C . 811520 . . [6.1.7601.17514] . . c:\windows\System32\user32.dll
[7] 2010-11-20 . F1DD3ACAEE5E6B4BBC69BC6DF75CEF66 . 811520 . . [6.1.7601.17514] . . c:\windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\King\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\King\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\King\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RotateImage"="c:\program files\Integrated Camera Driver\RCIMGDIR.exe" [2008-10-30 31744]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2009-12-21 69568]
"SmartAudio"="c:\program files\CONEXANT\SAII\SAIICpl.exe" [2009-11-17 307768]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-03-19 13838952]
"PWMTRV"="c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL" [2010-05-06 886120]
"LENOVO.TPKNRRES"="c:\program files\Lenovo\Communications Utility\TPKNRRES.exe" [2010-04-20 62312]
"Microsoft Pinyin IME Migration"="c:\progra~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2008-11-04 33128]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2011-03-07 89456]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"nwiz"="nwiz.exe" [2010-03-17 1657448]
"AcWin7Hlpr"="c:\program files\Lenovo\Access Connections\AcTBenabler.exe" [2009-10-13 36864]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-04-22 1725736]
"TpShocks"="TpShocks.exe" [2009-12-11 337256]
.
c:\users\King\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\King\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-4 27087944]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2009-8-11 795936]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2010-7-13 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2010-03-25 04:05 100104 ----a-w- c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer4"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0200804]
IME File REG_SZ IMSC12.IME
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\keyboard layouts\e0210804]
Ime File REG_SZ SOGOUPY.IME
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-12-08 06:36 421736 ----a-w- d:\programs\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Message Center Plus]
2009-05-27 14:09 49976 ----a-w- c:\program files\Lenovo\Message Center Plus\MCPLaunch.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-02-29 158856]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-16 253088]
R3 DozeSvc;Lenovo Doze Mode Service;c:\program files\ThinkPad\Utilities\DOZESVC.EXE [2010-05-06 132456]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 74112]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 214952]
R3 PCDSRVC{3037D694-FD904ACA-06020000}_0;PCDSRVC{3037D694-FD904ACA-06020000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor\pcdsrvc.pkms [2010-05-07 21360]
R3 pmxdrv;pmxdrv;c:\windows\system32\drivers\pmxdrv.sys [2010-07-13 816792]
R3 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2010-05-06 75112]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [2009-07-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2009-07-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [2009-07-13 661504]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe [2009-09-29 99768]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-03-27 1343400]
S0 DozeHDD;DozeHDD;c:\windows\System32\DRIVERS\DozeHDD.sys [2010-05-06 24304]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2009-10-09 20520]
S0 vmci;VMware VMCI Bus Driver;c:\windows\system32\DRIVERS\vmci.sys [2011-08-08 98928]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
S1 MpKsl7f278d3b;MpKsl7f278d3b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{299563D8-488F-41FC-9A58-3DE83BF40233}\MpKsl7f278d3b.sys [2012-05-10 29904]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-10-21 196176]
S2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [2011-10-13 249648]
S2 HsfXAudioService;HsfXAudioService;c:\windows\system32\svchost.exe [2009-07-14 20992]
S2 LENOVO.CAMMUTE;Lenovo Camera Mute;c:\program files\Lenovo\Communications Utility\CAMMUTE.exe [2010-04-20 50536]
S2 LENOVO.MICMUTE;Lenovo Microphone Mute;c:\program files\LENOVO\HOTKEY\MICMUTE.exe [2010-04-07 45496]
S2 LENOVO.TPKNRSVC;Lenovo Keyboard Noise Reduction;c:\program files\Lenovo\Communications Utility\TPKNRSVC.exe [2010-04-20 74088]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-06-25 35088]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-17 11032]
S2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2009-10-26 48640]
S2 smihlp;SMI Helper Driver (smihlp);c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [2009-03-13 12560]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2010-04-07 63928]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [2009-09-29 13752]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-03-25 2320920]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [2011-08-30 665200]
S3 5U877;USB Video Device;c:\windows\system32\DRIVERS\5U877.sys [2009-12-14 127232]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 29472]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2009-12-10 214696]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2009-10-26 125696]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-04-04 22344]
S3 NETw5s32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2010-03-17 6758912]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-01-27 68200]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2009-09-24 38336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc Mcx2Svc
HsfXAudioService REG_MULTI_SZ HsfXAudioService
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-16 04:32]
.
2012-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2628063611-1983361895-1303246480-1000Core.job
- c:\users\King\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-09 16:02]
.
2012-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2628063611-1983361895-1303246480-1000UA.job
- c:\users\King\AppData\Local\Google\Update\GoogleUpdate.exe [2011-10-09 16:02]
.
2012-04-25 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2010-05-07 19:46]
.
2012-05-04 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\pcdrcui.exe [2010-05-08 00:50]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Send image to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
LSP: %SystemRoot%\system32\vsocklib.dll
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\King\AppData\Roaming\Mozilla\Firefox\Profiles\bk6yehc5.default\
FF - prefs.js: browser.startup.homepage - about:cehome
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{3037D694-FD904ACA-06020000}_0]
"ImagePath"="\??\c:\program files\pc-doctor\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2628063611-1983361895-1303246480-1000\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office PowerPoint\Settings\Sb*_]
"ClientGUID"=hex:28,8c,c0,94,e2,21,ef,4d,98,db,bb,a7,86,ef,26,92
.
[HKEY_USERS\S-1-5-21-2628063611-1983361895-1303246480-1000\Software\Microsoft\Office\12.0\Common\Open Find\Microsoft Office Word\Settings\Sb*_]
"ClientGUID"=hex:cb,e5,13,ef,d1,67,f9,49,b5,4b,95,ef,97,4e,9a,57
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(744)
c:\program files\ThinkVantage Fingerprint Software\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\program files\ThinkVantage Fingerprint Software\infql2.dll
.
- - - - - - - > 'Explorer.exe'(3940)
c:\users\King\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
c:\program files\ThinkPad\Bluetooth Software\btmmhook.dll
c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL
c:\progra~1\ThinkPad\UTILIT~1\US\PWMRT32V.DLL
c:\progra~1\ThinkPad\UTILIT~1\PWMIF32V.DLL
.
Completion time: 2012-05-10 21:07:52
ComboFix-quarantined-files.txt 2012-05-11 01:07
ComboFix2.txt 2012-05-10 18:38
.
Pre-Run: 27,755,143,168 bytes free
Post-Run: 27,819,712,512 bytes free
.
- - End Of File - - DEE58A12425F636AAE5EBE9D2AD094F9
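
The Sigcheck section of the ComboFix log above marks the live c:\windows\System32\user32.dll as [-] with MD5 7BD7F45FF37FA0669CD32CA0EF46E22C, while the WinSxS copy carrying the same version string 6.1.7601.17514 hashes to F1DD3ACAEE5E6B4BBC69BC6DF75CEF66. ComboFix's own note applies: an unsigned or mismatched file is not by itself malware, but a file whose version string matches a component-store copy and whose bytes do not is worth a closer look. The PowerShell below is an added editorial example, not code from the thread, from ComboFix or from gringo_pr: it reproduces that comparison for any System32 file by hashing the live copy, asking Windows whether it is signed, and checking it against every copy of the same name in WinSxS. The file list in $Files and the System32/drivers search paths are assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the thread or from ComboFix): re-check a ComboFix
# "Sigcheck" finding. For each name in $Files, hash the live System32 copy,
# query its Authenticode status, and compare the hash with every copy of the
# same file name held in the WinSxS component store.
# Assumption: the default file list below; adjust it as needed.

param(
    [string[]]$Files = @('user32.dll', 'ntoskrnl.exe', 'win32k.sys', 'tcpip.sys')
)

function Get-Md5Hex {
    param([string]$Path)
    # .NET MD5 rather than Get-FileHash so this also runs on Windows 7 / PowerShell 2.0.
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $md5.ComputeHash($stream) }
    finally { $stream.Close() }
    [System.BitConverter]::ToString($bytes).Replace('-', '').ToUpper()
}

function Test-SystemFile {
    param([string]$Name)
    $live = Join-Path $env:SystemRoot "System32\$Name"
    if (-not (Test-Path $live)) { $live = Join-Path $env:SystemRoot "System32\drivers\$Name" }
    if (-not (Test-Path $live)) { Write-Warning "$Name not found in System32"; return }

    $hash = Get-Md5Hex -Path $live
    $ver  = (Get-Item $live).VersionInfo.FileVersion

    # Caveat: on Windows 7 this cmdlet only checks embedded Authenticode signatures.
    # Most Windows system files are catalog-signed, so NotSigned here is not by itself
    # evidence of tampering; HashMismatch or NotTrusted is. Sysinternals sigcheck -i
    # verifies catalog signatures as well if you want a second opinion.
    $sig    = Get-AuthenticodeSignature -FilePath $live
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # Every copy of the same file name in the component store, each with its own hash.
    $sxs = @(Get-ChildItem -Path (Join-Path $env:SystemRoot 'WinSxS') -Recurse -Filter $Name -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path    = $_.FullName
                Version = $_.VersionInfo.FileVersion
                MD5     = Get-Md5Hex -Path $_.FullName
            }
        })

    $sameVersion = @($sxs | Where-Object { $_.Version -eq $ver })
    $sameHash    = @($sxs | Where-Object { $_.MD5 -eq $hash })

    New-Object PSObject -Property @{
        File              = $live
        Version           = $ver
        MD5               = $hash
        Signature         = $sig.Status
        Signer            = $signer
        WinSxSCopies      = $sxs.Count
        WinSxSSameVersion = $sameVersion.Count
        WinSxSHashMatch   = ($sameHash.Count -gt 0)
        # The condition ComboFix reported for user32.dll: a store copy with the same
        # version string exists, but no store copy has the live file's hash.
        VersionOnlyMatch  = (($sameVersion.Count -gt 0) -and ($sameHash.Count -eq 0))
    }
}

$Files | ForEach-Object { Test-SystemFile -Name $_ } |
    Format-List File, Version, MD5, Signature, Signer, WinSxSCopies, WinSxSSameVersion, WinSxSHashMatch, VersionOnlyMatch
```

On the machine in this thread, user32.dll would be expected to come back with VersionOnlyMatch = True and an MD5 of 7BD7F45FF37FA0669CD32CA0EF46E22C, matching the log. A post-SP1 hotfix normally raises the build number in the version string, so a live file that keeps 6.1.7601.17514 but no longer hashes like the store copy is the case to investigate further (compare against a known-good copy from another Windows 7 SP1 x86 machine) rather than a finding to act on blindly.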

#8 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 10 May 2012 - 09:18 PM

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click the MBAM icon
  • Go to the Update tab at the top
  • Click on Check for Updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis see NOTE** below (Hosts file not read, blank Notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7: right-click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch HijackThis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in Notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#9 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 12 May 2012 - 11:44 PM

Greetings


I have not heard from you in a couple of days, so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask you to remove our tools.




Gringo

#10 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 15 May 2012 - 11:10 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

Edited by gringo_pr, 15 May 2012 - 11:11 PM.


#11 thedictator (Topic Starter, Members, 7 posts)

Posted 17 May 2012 - 12:27 PM

Sorry, I was busy this past week. I also got infected with a UKASH virus that locked my computer on startup, but now it's fixed, hopefully.

HijackThis: can't scan the hosts file

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:22:12, on 2012/5/17
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\PROGRA~1\Lenovo\HOTKEY\tpnumlkd.exe
C:\Windows\system32\taskhost.exe
C:\Users\King\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Users\King\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\King\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Users\King\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Integrated Camera Driver\RCIMGDIR.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
D:\Programs\iTunesHelper.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Users\King\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Users\King\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Lenovo\Client Security Solution\password_manager.exe
C:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exe
C:\Users\King\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\King\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Users\King\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\DllHost.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Password Manager Browser Helper Object - {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files\Microsoft\BingBar\BingExt.dll" (file missing)
O4 - HKLM\..\Run: [RotateImage] C:\Program Files\Integrated Camera Driver\RCIMGDIR.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [LENOVO.TPKNRRES] C:\Program Files\Lenovo\Communications Utility\TPKNRRES.exe
O4 - HKLM\..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [MSC] "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [AcWin7Hlpr] C:\Program Files\Lenovo\Access Connections\AcTBenabler.exe
O4 - HKLM\..\Run: [Message Center Plus] C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe /start
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Programs\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [4w1IjgBXP4HGv63] C:\Users\King\AppData\Roaming\ksprskylabs1.exe
O4 - Startup: Dropbox.lnk = King\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O8 - Extra context menu item: Export to Microsoft Excel(&X) - res://C:\PROGRA~1\MIF5BA~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: Blog This in Windows Live Writer(&B) - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIF5BA~1\Office12\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\ThinkPad\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @C:\Program Files\ThinkPad\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\vsocklib.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\Windows\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\Windows\System32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\Windows\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\Windows\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\Windows\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\Windows\system32\urlmon.dll
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\Windows\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\Windows\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\Windows\system32\urlmon.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\Windows\System32\itss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\Windows\System32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\Windows\System32\mshtml.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O23 - Service: AcPrfMgrSvc - Lenovo - C:\Program Files\Lenovo\Access Connections\AcPrfMgrSvc.exe
O23 - Service: AcSvc - Lenovo - C:\Program Files\Lenovo\Access Connections\AcSvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\btwdins.exe
O23 - Service: Lenovo Doze Mode Service (DozeSvc) - Lenovo. - C:\Program Files\ThinkPad\Utilities\DOZESVC.EXE
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo. - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: iPod Service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Lenovo Camera Mute (LENOVO.CAMMUTE) - Lenovo Group Limited - C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
O23 - Service: Lenovo Microphone Mute (LENOVO.MICMUTE) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\MICMUTE.exe
O23 - Service: Lenovo Keyboard Noise Reduction (LENOVO.TPKNRSVC) - Lenovo Group Limited - C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TurboBoost - Intel® Corporation - C:\Program Files\Intel\TurboBoost\TurboBoost.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Intel® Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe

--
End of file - 13229 bytes


MBAM:
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.16.08

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
King :: ACE [administrator]

Protection: Enabled

2012/5/17 13:20:57
mbam-log-2012-05-17 (13-20-57).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 207165
Time elapsed: 5 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#12 gringo_pr (Malware Response Team, Puerto Rico)

Posted 17 May 2012 - 01:05 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start when you turn on your computer but don't need to. You can start any of them when you need it by clicking its icon (or from the Control Panel). Stopping them from auto-starting will make your computer boot and run faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
      O4 - HKLM\..\Run: [Message Center Plus] C:\Program Files\LENOVO\Message Center Plus\MCPLaunch.exe /start
      O4 - HKLM\..\Run: [iTunesHelper] "D:\Programs\iTunesHelper.exe"
      O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
      O4 - HKCU\..\Run: [4w1IjgBXP4HGv63] C:\Users\King\AppData\Roaming\ksprskylabs1.exe
      O4 - Startup: Dropbox.lnk = King\AppData\Roaming\Dropbox\bin\Dropbox.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it as an administrator. To do so, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select "Run as administrator".

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Windows 7, right-click the IE shortcut and run it as administrator.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
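The HijackThis "Fix Checked" step above deletes the checked O4 Run values from the registry (and the Startup-folder shortcut). As an added example that is not part of the original post or of HijackThis, the PowerShell script below does the same job by hand on a current Windows system: it lists the Run/RunOnce entries for the machine and the current user, flags the ones a responder would look at first (a command under a user-writable directory such as AppData or Temp, or a value name that looks machine-generated, as with the [4w1IjgBXP4HGv63] entry that points at ksprskylabs1.exe), and removes a named entry only after exporting its key so the change can be reversed with reg import. The function names, the heuristics and the backup folder are my own choices, not anything from the thread; legitimate software (Dropbox, Chrome) also starts from AppData, so a flag means "look at this", not "delete this".

```powershell
# Added example (not from the BleepingComputer thread): enumerate autorun "Run" entries,
# flag likely-suspicious ones, and remove a named entry after backing up its key.
# Run from an elevated PowerShell prompt on Windows. Names and heuristics are assumptions.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    # Present only on 64-bit Windows (32-bit autoruns); Test-Path skips it elsewhere.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-SuspiciousRunEntry {
    param([string]$Name, [string]$Command)
    # Heuristic 1: command lives somewhere an unprivileged process can write.
    $userWritable = $Command -match '(?i)\\AppData\\(Roaming|Local)\\|\\Temp\\|\\ProgramData\\'
    # Heuristic 2: value name is 12+ mixed-case alphanumerics with at least one digit,
    # i.e. looks generated ("4w1IjgBXP4HGv63") rather than chosen ("SunJavaUpdateSched").
    $randomName = $Name -cmatch '^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{12,}$'
    return ($userWritable -or $randomName)
}

function Get-RunEntry {
    # One object per value under each Run key; the value data is the command line.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Command    = $cmd
                Suspicious = Test-SuspiciousRunEntry -Name $name -Command $cmd
            }
        }
    }
}

function Remove-RunEntry {
    param(
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Name,
        [string]$BackupDir = (Join-Path $env:USERPROFILE 'Desktop\run-key-backups')  # assumption
    )
    # Export the whole key first so the removal is reversible with: reg import <file>.reg
    New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
    $regPath = $Key -replace '^HKLM:', 'HKEY_LOCAL_MACHINE' -replace '^HKCU:', 'HKEY_CURRENT_USER'
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup  = Join-Path $BackupDir ("{0}-{1}.reg" -f ($Key -replace '[:\\]', '_'), $stamp)
    & reg.exe export $regPath $backup /y | Out-Null
    Remove-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction Stop
    Write-Host "Removed [$Name] from $Key (backup: $backup)"
}

# Usage: review the list first, then remove only what you have decided is unwanted.
Get-RunEntry | Sort-Object Suspicious -Descending | Format-Table -AutoSize
# Remove-RunEntry -Key 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '4w1IjgBXP4HGv63'
```

Removing the Run value stops the program from starting at logon but does not delete the file it points to; once the value is gone, hash and remove the target file separately, and rerun the listing after a reboot to confirm nothing recreated the entry.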

#13 gringo_pr (Malware Response Team, Puerto Rico)

Posted 20 May 2012 - 12:24 AM

Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools




Gringo

#14 thedictator (Topic Starter)

Posted 20 May 2012 - 12:52 PM

Here are the results. I think Ultrareach is a mistake.

E:\PC\Archives\DFX Audio Enhancer v9.204 FULL.rar Win32/Keygen.DJ application
E:\PC\E\snservice\bleh\u995.exe a variant of Win32/UltraReach application
E:\PC\E\snservice\bleh\u995a.exe a variant of Win32/UltraReach application
E:\PC\E\snservice\zip\BinderByNathan72389.rar probably a variant of MSIL/TrojanDropper.Agent.BS trojan
E:\PC\yayaya\无界网.exe Win32/UltraReach application

#15 gringo_pr (Malware Response Team, Puerto Rico)

Posted 20 May 2012 - 01:16 PM

Hello

There are some minor things in your online scan that should be removed.


delete files

  • Copy all text in the quote box (below)...to Notepad.

    @echo off
    rem /f = delete read-only files, /s = also match in subdirectories, /q = no prompt
    del /f /s /q "E:\PC\Archives\DFX Audio Enhancer v9.204 FULL.rar"
    del /f /s /q "E:\PC\E\snservice\bleh\u995.exe"
    del /f /s /q "E:\PC\E\snservice\bleh\u995a.exe"
    del /f /s /q "E:\PC\E\snservice\zip\BinderByNathan72389.rar"
    del /f /s /q "E:\PC\yayaya\无界网.exe"
    rem %0 is this batch file's own path, so the last line deletes the script itself
    del %0

  • Save the Notepad file on your desktop as delfile.bat, with "Save as type" set to "All Files".
  • Double click on delfile.bat to execute it.
    A black CMD window will flash, then disappear...this is normal.
  • The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.


The rest of the online scan is only reporting backups created during the course of this fix (C:\Qoobox\Quarantine\) and/or items located in System Restore's cache (C:\System Volume Information\). Whatever is in these folders can't harm you unless you choose to perform a manual restore. The following steps will remove these backups.




Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


:Why we need to remove some of our tools:

Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful; if used incorrectly or at the wrong time they can make the computer an expensive paperweight.
They are updated all the time, some of them more than once a day, so by the time you are ready to use them again they will already be outdated.

The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.
:DeFogger:

Note** Defogger only needs to be run if it was run when we first started. If you have not already run it then skip this.

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK.
Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

:Remove the rest of our tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:The programs you can keep:

Some of the programs that we have used are a good idea to keep and use often to help keep the computer clean. I use these programs on my computer.

Revo Uninstaller Free - this is the uninstaller that I had you download. It works a lot better than Add/Remove Programs in Windows and has saved me more than once from corrupted installs and uninstalls.

CCleaner - This is a good program to clean out temp files. I would use this once a week or before any malware scan to remove unwanted temp files. It has a built-in registry cleaner, but I would leave that alone and not use any registry cleaner.

Malwarebytes' Anti-Malware - the gold standard today in anti-malware scanners.

:Security programs:

One of the questions I am asked all the time is "What programs do you use" I have at this time 4 computers in my home and I have this setup on all 4 of them.

  • Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often. (I have upgraded to the paid version of MBAM and I am glad I did.)


    Note** If you decide to install MSE you will need to uninstall your present Antivirus

:Security awareness:

The other question I am asked all the time is "How can I prevent this from happening again." and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must reads and should be read by everybody in your household that uses the internet

internetsafety

Internet Safety for Kids

Here is some more reading for you from some of my colleagues

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum

COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

quoted from Tech Support Forum

Conclusion

There is no such thing as ‘perfect security’. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM


Gringo
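Gringo's delfile.bat does the job, but two details are worth knowing: del /s also deletes any file of the same name in subdirectories of the given folder, and nothing about the deleted files is kept for later. The PowerShell script below is an added example, not part of the original post; it removes the same five paths ESET reported, but first records each file's size and SHA-256 hash to a CSV (so the sample can still be identified later, for instance by looking the hash up with a vendor), deletes each path exactly and nothing else, and uses -LiteralPath so names containing [ or ] are not interpreted as wildcard patterns. The log file location and the function name are assumptions. It needs PowerShell 4.0 or later for Get-FileHash (Windows 7 SP1 requires the Windows Management Framework 4.0 update for that).

```powershell
# Added example (not from the BleepingComputer thread): delete scanner-flagged files
# the way a responder would: hash and log first, delete by literal path, report results.
# The paths are the ones ESET reported in the thread; the log location is an assumption.

$Flagged = @(
    'E:\PC\Archives\DFX Audio Enhancer v9.204 FULL.rar',
    'E:\PC\E\snservice\bleh\u995.exe',
    'E:\PC\E\snservice\bleh\u995a.exe',
    'E:\PC\E\snservice\zip\BinderByNathan72389.rar',
    'E:\PC\yayaya\无界网.exe'
)
$LogFile = Join-Path $env:USERPROFILE 'Desktop\deleted-files.csv'   # assumption

function Remove-FlaggedFile {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [string]$Log = $LogFile
    )
    $records = foreach ($p in $Path) {
        # -LiteralPath: no wildcard expansion, so "[", "]" and non-ASCII names are taken as-is.
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            [pscustomobject]@{ Path = $p; Sha256 = ''; Size = 0; Result = 'not found' }
            continue
        }
        # Record identity before the evidence disappears.
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $size = (Get-Item -LiteralPath $p).Length
        try {
            # -Force also clears the read-only attribute (the equivalent of del /f).
            Remove-Item -LiteralPath $p -Force -ErrorAction Stop
            $result = 'deleted'
        } catch {
            $result = "failed: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Path = $p; Sha256 = $hash; Size = $size; Result = $result }
    }
    # Append so repeated runs build one history file.
    $records | Export-Csv -LiteralPath $Log -NoTypeInformation -Encoding UTF8 -Append
    return $records
}

Remove-FlaggedFile -Path $Flagged | Format-Table -AutoSize
```

A "failed" result with an access-denied or sharing-violation message usually means the file is in use; that is the point at which a reboot or a scan from outside the running system is warranted rather than retrying the delete.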



