can't get windows updates, frequent lockups, and no firewall


  • This topic is locked
18 replies to this topic

#1 harvx

harvx

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:44 PM

Posted 25 May 2012 - 03:58 PM

Some kind of malware with the symptoms being I cannot access Windows Updates. I've received various messages such as - The website has encountered a problem and cannot display . . . error number 0x800A0007

Trying various fixes as identified by MS do not work.

Ran malwarebytes and MSE scans several times. Once malwarebytes did report and fix several viruses but now the scan comes back clean. A few times MSE requested a restart to fix a problem.

Also after computer is on for a while it appears to lock up including not letting me do a shutdown.

Attempting to start a firewall I get the message "Windows firewall setting can't be displayed because the associated is not running". When I respond to start it I get the message "Windows cannot start the shared access service"


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Ken at 16:17:47 on 2012-05-25
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.1904 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Microsoft Security Client\msseces.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://us.yhs4.search.yahoo.com/web/partner?&hspart=w3i&hsimp=yhs-syctransfer&type=type=W3i_SP,204,0_0,StartPage,20120519,16898,0,8,0
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: microsoft.com\www.update
Trusted Zone: windowsupdate.com\download
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://download.macromedia.com/pub/shockwave/cabs/authorware/awswax70.cab
DPF: {682C59F5-478C-4421-9070-AD170D143B77} - hxxp://www.dell.com/support/troubleshooting/Content/Ode/pcd86.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223654519171
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} - hxxp://pogo.oberon-media.com/online2/pogo/zenerchi/ZenerchiWeb.1.0.0.10.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 172.27.35.1
TCP: Interfaces\{A69D410B-3103-4C28-96D7-C6F0CCFCED21} : DhcpNameServer = 192.168.1.1 172.27.35.1
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 94.63.147.17 www.bing.com
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-3 257696]
S3 cpuz134;cpuz134;\??\c:\docume~1\ken\locals~1\temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\ken\locals~1\temp\cpuz134\cpuz134_x32.sys [?]
S3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2012-2-1 21744]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-11 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
UnknownUnknown llelntvt;llelntvt; [x]
.
=============== Created Last 30 ================
.
2012-05-25 19:44:15 6737808 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{40bc5fc1-ac6c-42a5-82f8-c1a98e8e43b6}\mpengine.dll
2012-05-25 19:32:33 6737808 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-05-25 17:02:30 -------- d-----w- c:\documents and settings\ken\application data\ElevatedDiagnostics
2012-05-25 00:44:22 -------- d-----w- c:\program files\Microsoft Security Client
2012-05-24 16:45:11 6776168 ----a-w- C:\WindowsUpdateAgent30-x86.exe
2012-05-20 00:36:13 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-05-20 00:36:13 -------- d-----w- c:\windows\system32\wbem\Repository
2012-05-19 19:34:40 -------- d-sha-r- C:\cmdcons
2012-05-19 18:11:02 246740 ----a-w- C:\combo-setup.exe
2012-05-19 17:49:00 -------- d-----w- c:\documents and settings\ken\application data\WinPatrol
2012-05-19 17:48:51 -------- d-----w- c:\program files\BillP Studios
2012-05-19 17:48:51 -------- d-----w- c:\documents and settings\all users\application data\InstallMate
2012-05-18 15:47:46 -------- d-----w- C:\7f94da7002412db2b7d7d2b1741135a7
2012-05-18 10:09:46 -------- d-----w- c:\program files\CCleaner
2012-05-17 20:32:42 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-17 20:32:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-16 02:53:02 -------- d-----w- c:\windows\pss
2012-05-08 15:49:20 -------- d-----w- C:\Intel
2012-05-08 15:40:18 -------- d-----w- c:\documents and settings\all users\application data\PC-Doctor
2012-05-08 15:22:48 315392 ----a-w- c:\windows\HideWin.exe
2012-05-08 01:28:49 -------- d-----w- c:\documents and settings\all users\application data\PC Optimizer Pro
2012-05-08 01:00:03 -------- d-----w- c:\documents and settings\ken\local settings\application data\visi_coupon
2012-05-08 00:59:13 -------- d-----w- c:\program files\Free Offers from Freeze.com
2012-05-08 00:58:59 -------- d-----w- c:\documents and settings\all users\application data\WeCareReminder
2012-05-08 00:58:46 -------- d-----w- c:\program files\Yahoo!
2012-05-08 00:42:17 -------- d-----w- c:\program files\Bucksbee Loyalty Plugin - 100815
2012-05-08 00:42:00 -------- d-----w- c:\documents and settings\all users\application data\Tarma Installer
2012-05-08 00:33:36 -------- d-----w- C:\WinUnhide
2012-05-08 00:18:01 -------- d-----w- c:\documents and settings\ken\AppData
2012-05-07 22:06:19 -------- d-----w- c:\program files\stinger
2012-04-29 13:07:15 -------- d-----w- c:\documents and settings\ken\local settings\application data\PCHealth
.
==================== Find3M ====================
.
2012-05-24 14:04:39 70304 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-24 14:04:39 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-21 00:44:12 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HDP725050GLA360 rev.GM4OA5BA -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A7F749F]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a7fe740]; MOV EAX, [0x8a7fe8b4]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8AFBBAB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000064[0x8AFD9520]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AF98940]
\Driver\atapi[0x8A8C4C30] -> IRP_MJ_CREATE -> 0x8A7F749F
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A7F72C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 16:19:27.76 ===============
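One way to pull the noteworthy entries out of a DDS/HJT-style log like the one above, as an added example that is not part of the original thread and is not code from the DDS or Gmer authors. It is a small Python triage script: it flags a search start page carrying affiliate tags, browser extension entries whose DLL is gone (No File), Hosts overrides that point a public site at a non-loopback address, services whose image file is missing, drivers loaded from a temp directory, and the DriverStartIo hook and rootkit warning reported by the MBR check. The heuristics (the affiliate markers, the temp-directory rule, the handful of line formats it understands) are assumptions chosen for this illustration, and the sample input is a few lines excerpted from the log above, so the script runs offline.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Sample input: lines excerpted from the DDS log in post #1 (Pseudo HJT
# Report, SERVICES / DRIVERS and ROOTKIT sections). The triage function
# accepts the full log text just as well.
SAMPLE_LOG = r"""
uStart Page = hxxp://us.yhs4.search.yahoo.com/web/partner?&hspart=w3i&hsimp=yhs-syctransfer&type=type=W3i_SP,204,0_0,StartPage,20120519,16898,0,8,0
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Hosts: 94.63.147.17 www.bing.com
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
S3 cpuz134;cpuz134;\??\c:\docume~1\ken\locals~1\temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\ken\locals~1\temp\cpuz134\cpuz134_x32.sys [?]
UnknownUnknown llelntvt;llelntvt; [x]
\Driver\atapi DriverStartIo -> 0x8A7F72C6
Warning: possible TDL3 rootkit infection !
"""

# Line formats handled here (an assumption: DDS has more sections than these).
START_PAGE_RE = re.compile(r"^uStart Page\s*=\s*(\S+)")
NO_FILE_RE = re.compile(r"^(BHO|TB|uURLSearchHooks):.*-\s*No File\s*$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
SERVICE_RE = re.compile(r"^(R\d|S\d|UnknownUnknown)\s+([^;]+);([^;]*);(.*)$")
HOOK_RE = re.compile(r"^\\Driver\\(\S+)\s+DriverStartIo\s+->\s+(0x[0-9A-Fa-f]+)")
WARNING_RE = re.compile(r"^Warning:\s*(.+)$")

# Heuristic (assumption): search start pages carrying affiliate/partner tags
# are what bundled toolbars set, so treat them as a hijack lead.
AFFILIATE_MARKERS = ("hspart=", "partner?")


def _finding(kind: str, line: str, detail: str) -> Dict[str, str]:
    return {"kind": kind, "line": line, "detail": detail}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the suspicious entries found in DDS/HJT-style log text."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = START_PAGE_RE.match(line)
        if m and any(tag in m.group(1) for tag in AFFILIATE_MARKERS):
            findings.append(_finding("start_page_hijack", line, m.group(1)))
            continue

        if NO_FILE_RE.match(line):
            # Registry entry survives but its DLL is gone: a half-removed
            # toolbar or leftovers of an earlier cleanup; harmless but worth fixing.
            findings.append(_finding("orphaned_browser_extension", line, "No File"))
            continue

        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            try:
                is_loopback = ipaddress.ip_address(ip).is_loopback
            except ValueError:
                is_loopback = False
            if not is_loopback:
                # A non-loopback override for a public site redirects traffic to
                # a third party instead of merely blocking the site.
                findings.append(_finding("hosts_redirect", line, f"{host} -> {ip}"))
            continue

        m = SERVICE_RE.match(line)
        if m:
            state, name, _display, rest = m.groups()
            rest_lower = rest.lower()
            if state == "UnknownUnknown" or "[x]" in rest_lower:
                # Service registered but DDS could not find its image file.
                findings.append(_finding("service_missing_image", line, name.strip()))
            elif "\\temp\\" in rest_lower:
                # Kernel driver loaded from a temp directory.
                findings.append(_finding("driver_in_temp", line, name.strip()))
            continue

        m = HOOK_RE.match(line)
        if m:
            findings.append(_finding("driver_hook", line,
                                     f"{m.group(1)} DriverStartIo -> {m.group(2)}"))
            continue

        m = WARNING_RE.match(line)
        if m:
            findings.append(_finding("scanner_warning", line, m.group(1)))
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per kind, for a quick read before going line by line."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:28} {f['detail']}")
    print(summarize(triage(SAMPLE_LOG)))
```

Every hit is a lead, not a verdict. The cpuz134 driver, for instance, is CPU-Z's own and is dropped in %TEMP% by design, so that entry needs a human look before anything is removed. A Hosts entry sending www.bing.com to an outside address, a service with no image file, and a DriverStartIo hook on atapi next to a TDL3 warning are, on the other hand, exactly the combination a helper acts on first.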


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:44 PM

Posted 26 May 2012 - 12:38 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Proud Graduate Of Malware Removal University

#3 harvx

harvx
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:44 PM

Posted 26 May 2012 - 01:14 PM

Thanks for your help Gringo. It's greatly appreciated.

Between SecurityCheck and combofix I tried opening a browser. It appears to be very slow. Even though slow to open the browser I can still do other things like disabling real time virus check in MSE with no slow down. I tried to do a restart and was able to select Restart but I didn't get the shutdown so did a power off by holding down the power button. This has happened several times before.

After combofix completed I did a few things such as trying to get Windows Updates. The behavior appears to be the same - slowdowns and not able to get the updates and not able to turn on the firewall.

Results of screen317's Security Check version 0.99.38
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes Anti-Malware version 1.61.0.1400
CCleaner
Java™ 6 Update 7
Java version out of date!
Adobe Reader 9 Adobe Reader out of date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Microsoft Security Essentials msseces.exe
Windows Defender MSMpEng.exe
WinPatrol winpatrol.exe
system32 WinPatrol.exe -?-
``````````End of Log````````````


ComboFix 12-05-26.02 - Ken 05/26/2012 13:51:50.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2551 [GMT -4:00]
Running from: c:\documents and settings\Ken\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2012-04-26 to 2012-05-26 )))))))))))))))))))))))))))))))
.
.
2012-05-26 16:58 . 2012-05-26 16:58 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{40BC5FC1-AC6C-42A5-82F8-C1A98E8E43B6}\MpKslac3972b1.sys
2012-05-25 19:44 . 2012-05-15 05:43 6737808 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{40BC5FC1-AC6C-42A5-82F8-C1A98E8E43B6}\mpengine.dll
2012-05-25 19:32 . 2012-05-15 05:43 6737808 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-05-25 17:02 . 2012-05-25 17:02 -------- d-----w- c:\documents and settings\Ken\Application Data\ElevatedDiagnostics
2012-05-25 00:44 . 2012-05-25 00:45 -------- d-----w- c:\program files\Microsoft Security Client
2012-05-24 16:45 . 2012-05-24 16:45 6776168 ----a-w- C:\WindowsUpdateAgent30-x86.exe
2012-05-20 00:36 . 2012-05-20 00:36 -------- d-----w- c:\windows\system32\wbem\Repository
2012-05-19 18:11 . 2012-05-19 18:11 246740 ----a-w- C:\combo-setup.exe
2012-05-19 17:49 . 2012-05-19 17:49 -------- d-----w- c:\documents and settings\Ken\Application Data\WinPatrol
2012-05-19 17:48 . 2012-05-19 17:48 -------- d-----w- c:\program files\BillP Studios
2012-05-19 17:48 . 2012-05-19 17:48 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2012-05-18 15:47 . 2012-05-18 15:47 -------- d-----w- C:\7f94da7002412db2b7d7d2b1741135a7
2012-05-18 10:09 . 2012-05-18 10:09 -------- d-----w- c:\program files\CCleaner
2012-05-17 20:32 . 2012-05-17 20:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-17 20:32 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-12 14:42 . 2012-05-12 14:42 -------- d-----w- c:\documents and settings\Cindy\Local Settings\Application Data\visi_coupon
2012-05-12 14:42 . 2012-05-12 14:42 -------- d-----w- c:\documents and settings\Cindy\Application Data\Yahoo!
2012-05-08 15:49 . 2012-05-08 15:49 -------- d-----w- C:\Intel
2012-05-08 15:40 . 2012-05-08 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PC-Doctor
2012-05-08 15:22 . 2012-05-08 15:22 315392 ----a-w- c:\windows\HideWin.exe
2012-05-08 01:28 . 2012-05-08 01:28 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Optimizer Pro
2012-05-08 01:00 . 2012-05-08 01:00 -------- d-----w- c:\documents and settings\Ken\Local Settings\Application Data\visi_coupon
2012-05-08 00:59 . 2012-05-08 00:59 -------- d-----w- c:\program files\Free Offers from Freeze.com
2012-05-08 00:58 . 2012-05-08 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\WeCareReminder
2012-05-08 00:58 . 2012-05-19 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2012-05-08 00:58 . 2012-05-19 17:56 -------- d-----w- c:\documents and settings\Ken\Application Data\Yahoo!
2012-05-08 00:58 . 2012-05-19 17:56 -------- d-----w- c:\program files\Yahoo!
2012-05-08 00:42 . 2012-05-08 03:00 -------- d-----w- c:\program files\7-Zip
2012-05-08 00:42 . 2012-05-08 02:51 -------- d-----w- c:\program files\Bucksbee Loyalty Plugin - 100815
2012-05-08 00:42 . 2012-05-15 11:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer
2012-05-08 00:33 . 2012-05-15 23:26 -------- d-----w- C:\WinUnhide
2012-05-08 00:18 . 2012-05-08 00:18 -------- d-----w- c:\documents and settings\Ken\AppData
2012-05-07 22:06 . 2012-05-15 23:27 -------- d-----w- c:\program files\stinger
2012-04-29 13:07 . 2012-04-29 13:07 -------- d-----w- c:\documents and settings\Ken\Local Settings\Application Data\PCHealth
2012-04-29 00:12 . 2012-04-29 00:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-24 14:04 . 2012-04-04 03:45 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-24 14:04 . 2011-06-09 19:15 70304 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-21 00:44 . 2012-03-21 00:44 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2012-04-15 374368]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
c:\documents and settings\Cindy\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
easy gadget.lnk - c:\program files\easy gadget\easy gadget.exe [2011-8-14 95232]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Ken^Start Menu^Programs^Startup^easy gadget.lnk]
path=c:\documents and settings\Ken\Start Menu\Programs\Startup\easy gadget.lnk
backup=c:\windows\pss\easy gadget.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 15:07 843712 -c--a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-03-27 12:41 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2007-07-16 23:48 69632 -c--a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-09-22 04:28 47904 -c--a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2008-08-26 19:58 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2008-02-28 17:18 17920 -c----w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-07-16 23:45 162584 -c--a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 19:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-08-04 21:28 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-07-16 23:45 142104 -c--a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 22:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2012-03-26 21:08 931200 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-02-26 14:57 128296 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-07-16 23:45 138008 -c--a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 -c--a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-07-16 23:48 16132608 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 MpKslac3972b1;MpKslac3972b1;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{40BC5FC1-AC6C-42A5-82F8-C1A98E8E43B6}\MpKslac3972b1.sys [5/26/2012 12:58 PM 29904]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/3/2012 11:45 PM 257696]
S3 cpuz134;cpuz134;\??\c:\docume~1\Ken\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\Ken\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\Dell Support Center\pcdsrvc.pkms [2/1/2012 5:53 PM 21744]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/11/2004 5:00 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 14:04]
.
2012-05-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-05-26 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 21:03]
.
2012-05-26 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 21:03]
.
2012-05-26 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-02-07 23:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://us.yhs4.search.yahoo.com/web/partner?&hspart=w3i&hsimp=yhs-syctransfer&type=type=W3i_SP,204,0_0,StartPage,20120519,16898,0,8,0
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: microsoft.com\www.update
Trusted Zone: windowsupdate.com\download
TCP: DhcpNameServer = 192.168.1.1 172.27.35.1
DPF: {682C59F5-478C-4421-9070-AD170D143B77} - hxxp://www.dell.com/support/troubleshooting/Content/Ode/pcd86.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-26 14:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HDP725050GLA360 rev.GM4OA5BA -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A7972C6
user & kernel MBR OK
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3247143723-386678728-3784697378-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:10,0b,c5,1c,c1,b3,28,06,de,43,3f,79,00,b8,7f,d4,7b,96,03,63,03,21,a8,
ae,ee,4d,18,26,30,9b,40,d6,ba,19,43,f7,8b,13,80,7e,aa,6e,70,b9,45,60,5a,b1,\
"??"=hex:47,ff,c2,27,98,58,12,62,a9,21,00,fb,f4,3d,f3,8f
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(808)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2144)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-05-26 14:04:39
ComboFix-quarantined-files.txt 2012-05-26 18:04
ComboFix2.txt 2012-05-25 16:14
.
Pre-Run: 474,533,715,968 bytes free
Post-Run: 475,429,605,376 bytes free
.
- - End Of File - - AE10DC0722F0CF623AE73B159EE0C4AE

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:44 PM

Posted 26 May 2012 - 01:50 PM

Greetings

I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 harvx

harvx
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:44 PM

Posted 26 May 2012 - 03:17 PM

Gringo,

I am now able to get the windows updates and the firewall is on. Also, general response seems good.

I was also able to update and do a quick scan using Malwarebytes and MSE with good response.

Do you think the problem is resolved? Can you share what the problem was?

Marc


15:20:08.0984 0552 TDSS rootkit removing tool 2.7.37.0 May 23 2012 08:15:30
15:20:09.0343 0552 ============================================================
15:20:09.0343 0552 Current date / time: 2012/05/26 15:20:09.0343
15:20:09.0343 0552 SystemInfo:
15:20:09.0343 0552
15:20:09.0343 0552 OS Version: 5.1.2600 ServicePack: 3.0
15:20:09.0343 0552 Product type: Workstation
15:20:09.0343 0552 ComputerName: DESKTOP
15:20:09.0343 0552 UserName: Ken
15:20:09.0359 0552 Windows directory: C:\WINDOWS
15:20:09.0359 0552 System windows directory: C:\WINDOWS
15:20:09.0359 0552 Processor architecture: Intel x86
15:20:09.0359 0552 Number of processors: 2
15:20:09.0359 0552 Page size: 0x1000
15:20:09.0359 0552 Boot type: Normal boot
15:20:09.0359 0552 ============================================================
15:20:10.0687 0552 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
15:20:10.0703 0552 Drive \Device\Harddisk1\DR3 - Size: 0xFA00000 (0.24 Gb), SectorSize: 0x200, Cylinders: 0x1F, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
15:20:10.0703 0552 ============================================================
15:20:10.0703 0552 \Device\Harddisk0\DR0:
15:20:10.0703 0552 MBR partitions:
15:20:10.0703 0552 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x1F608, BlocksNum 0x3A361778
15:20:10.0703 0552 \Device\Harddisk1\DR3:
15:20:10.0703 0552 MBR partitions:
15:20:10.0703 0552 \Device\Harddisk1\DR3\Partition0: MBR, Type 0xE, StartLBA 0x3F, BlocksNum 0x7CFC1
15:20:10.0703 0552 ============================================================
15:20:10.0765 0552 C: <-> \Device\Harddisk0\DR0\Partition0
15:20:10.0765 0552 ============================================================
15:20:10.0765 0552 Initialize success
15:20:10.0765 0552 ============================================================
15:20:25.0687 1364 ============================================================
15:20:25.0687 1364 Scan started
15:20:25.0687 1364 Mode: Manual;
15:20:25.0687 1364 ============================================================
15:20:34.0140 1364 seclogon - ok
15:20:34.0171 1364 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
15:20:34.0171 1364 SENS - ok
15:20:34.0218 1364 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
15:20:34.0218 1364 serenum - ok
15:20:34.0250 1364 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
15:20:34.0250 1364 Serial - ok
15:20:34.0265 1364 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
15:20:34.0265 1364 Sfloppy - ok
15:20:34.0328 1364 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
15:20:34.0328 1364 SharedAccess - ok
15:20:34.0390 1364 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
15:20:34.0390 1364 ShellHWDetection - ok
15:20:34.0390 1364 Simbad - ok
15:20:34.0437 1364 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
15:20:34.0437 1364 sisagp - ok
15:20:34.0468 1364 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
15:20:34.0468 1364 Sparrow - ok
15:20:34.0484 1364 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
15:20:34.0500 1364 splitter - ok
15:20:34.0531 1364 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
15:20:34.0531 1364 Spooler - ok
15:20:34.0625 1364 sprtsvc_DellSupportCenter (777115c9cc675bd98127660712d2f784) C:\Program Files\Dell Support Center\bin\sprtsvc.exe
15:20:34.0625 1364 sprtsvc_DellSupportCenter - ok
15:20:34.0718 1364 SQLBrowser (86ebd8b1f23e743aad21f4d5b4d40985) c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
15:20:34.0718 1364 SQLBrowser - ok
15:20:34.0718 1364 SQLWriter (d89083c4eb02daca8f944b0e05e57f9d) c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
15:20:34.0718 1364 SQLWriter - ok
15:20:34.0734 1364 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
15:20:34.0734 1364 sr - ok
15:20:34.0796 1364 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
15:20:34.0796 1364 srservice - ok
15:20:34.0828 1364 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
15:20:34.0828 1364 Srv - ok
15:20:34.0906 1364 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
15:20:34.0906 1364 SSDPSRV - ok
15:20:34.0968 1364 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
15:20:34.0968 1364 stisvc - ok
15:20:35.0031 1364 stllssvr (1d0063597c3666404fcf97698abeb019) C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
15:20:35.0031 1364 stllssvr - ok
15:20:35.0078 1364 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
15:20:35.0078 1364 swenum - ok
15:20:35.0171 1364 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
15:20:35.0187 1364 swmidi - ok
15:20:35.0187 1364 SwPrv - ok
15:20:35.0234 1364 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
15:20:35.0265 1364 symc810 - ok
15:20:35.0343 1364 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
15:20:35.0343 1364 symc8xx - ok
15:20:35.0343 1364 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
15:20:35.0359 1364 sym_hi - ok
15:20:35.0359 1364 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
15:20:35.0359 1364 sym_u3 - ok
15:20:35.0390 1364 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
15:20:35.0390 1364 sysaudio - ok
15:20:35.0437 1364 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
15:20:35.0437 1364 SysmonLog - ok
15:20:35.0484 1364 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
15:20:35.0484 1364 TapiSrv - ok
15:20:35.0546 1364 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
15:20:35.0562 1364 Tcpip - ok
15:20:35.0578 1364 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
15:20:35.0578 1364 TDPIPE - ok
15:20:35.0593 1364 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
15:20:35.0593 1364 TDTCP - ok
15:20:35.0593 1364 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
15:20:35.0593 1364 TermDD - ok
15:20:35.0640 1364 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
15:20:35.0640 1364 TermService - ok
15:20:35.0703 1364 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
15:20:35.0703 1364 Themes - ok
15:20:35.0750 1364 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
15:20:35.0750 1364 TlntSvr - ok
15:20:35.0781 1364 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
15:20:35.0781 1364 TosIde - ok
15:20:35.0812 1364 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
15:20:35.0812 1364 TrkWks - ok
15:20:35.0828 1364 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
15:20:35.0828 1364 Udfs - ok
15:20:35.0859 1364 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
15:20:35.0859 1364 ultra - ok
15:20:35.0953 1364 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
15:20:35.0953 1364 Update - ok
15:20:36.0000 1364 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
15:20:36.0000 1364 upnphost - ok
15:20:36.0015 1364 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
15:20:36.0015 1364 UPS - ok
15:20:36.0062 1364 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
15:20:36.0062 1364 usbccgp - ok
15:20:36.0062 1364 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
15:20:36.0078 1364 usbehci - ok
15:20:36.0078 1364 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
15:20:36.0078 1364 usbhub - ok
15:20:36.0140 1364 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
15:20:36.0140 1364 usbprint - ok
15:20:36.0140 1364 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
15:20:36.0140 1364 usbscan - ok
15:20:36.0171 1364 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
15:20:36.0171 1364 USBSTOR - ok
15:20:36.0203 1364 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
15:20:36.0203 1364 usbuhci - ok
15:20:36.0218 1364 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
15:20:36.0218 1364 VgaSave - ok
15:20:36.0250 1364 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
15:20:36.0250 1364 viaagp - ok
15:20:36.0265 1364 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
15:20:36.0265 1364 ViaIde - ok
15:20:36.0296 1364 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
15:20:36.0296 1364 VolSnap - ok
15:20:36.0328 1364 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
15:20:36.0343 1364 VSS - ok
15:20:36.0390 1364 w32time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
15:20:36.0390 1364 w32time - ok
15:20:36.0406 1364 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
15:20:36.0406 1364 Wanarp - ok
15:20:36.0406 1364 WDICA - ok
15:20:36.0468 1364 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
15:20:36.0468 1364 wdmaud - ok
15:20:36.0484 1364 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
15:20:36.0484 1364 WebClient - ok
15:20:36.0562 1364 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
15:20:36.0578 1364 winmgmt - ok
15:20:36.0640 1364 WinRM (18f347402da544a780949b8fdf83351b) C:\WINDOWS\system32\WsmSvc.dll
15:20:36.0656 1364 WinRM - ok
15:20:36.0796 1364 wlidsvc (5144ae67d60ec653f97ddf3feed29e77) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
15:20:36.0812 1364 wlidsvc - ok
15:20:36.0906 1364 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
15:20:36.0906 1364 WmdmPmSN - ok
15:20:36.0968 1364 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
15:20:36.0984 1364 Wmi - ok
15:20:37.0046 1364 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
15:20:37.0046 1364 WmiApSrv - ok
15:20:37.0140 1364 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
15:20:37.0156 1364 WMPNetworkSvc - ok
15:20:37.0281 1364 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
15:20:37.0296 1364 WPFFontCache_v0400 - ok
15:20:37.0390 1364 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
15:20:37.0390 1364 WS2IFSL - ok
15:20:37.0453 1364 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
15:20:37.0453 1364 wscsvc - ok
15:20:37.0453 1364 WSearch - ok
15:20:37.0484 1364 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
15:20:37.0500 1364 wuauserv - ok
15:20:37.0515 1364 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
15:20:37.0515 1364 WudfPf - ok
15:20:37.0531 1364 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
15:20:37.0531 1364 WudfRd - ok
15:20:37.0546 1364 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
15:20:37.0546 1364 WudfSvc - ok
15:20:37.0609 1364 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
15:20:37.0625 1364 WZCSVC - ok
15:20:37.0656 1364 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
15:20:37.0656 1364 xmlprov - ok
15:20:37.0671 1364 MBR (0x1B8) (faee7e40dfb0440ad2cfc39befa1f4c2) \Device\Harddisk0\DR0
15:20:37.0703 1364 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
15:20:37.0703 1364 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
15:20:37.0703 1364 MBR (0x1B8) (607d2bb0c85e2cfeae4a071a4e34c800) \Device\Harddisk1\DR3
15:20:40.0703 1364 \Device\Harddisk1\DR3 - ok
15:20:40.0718 1364 Boot (0x1200) (14996e8c4a8cd794f5be947ff4a4c831) \Device\Harddisk0\DR0\Partition0
15:20:40.0734 1364 \Device\Harddisk0\DR0\Partition0 - ok
15:20:40.0750 1364 Boot (0x1200) (f71d7968b569f0a3333543e284bc947f) \Device\Harddisk1\DR3\Partition0
15:20:40.0750 1364 \Device\Harddisk1\DR3\Partition0 - ok
15:20:40.0750 1364 ============================================================
15:20:40.0750 1364 Scan finished
15:20:40.0750 1364 ============================================================
15:20:40.0750 1324 Detected object count: 1
15:20:40.0750 1324 Actual detected object count: 1
15:20:50.0734 1324 \Device\Harddisk0\DR0\# - copied to quarantine
15:20:50.0734 1324 \Device\Harddisk0\DR0 - copied to quarantine
15:20:50.0796 1324 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
15:20:50.0796 1324 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
15:20:50.0796 1324 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
15:20:50.0796 1324 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
15:20:50.0796 1324 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
15:20:50.0812 1324 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
15:20:50.0812 1324 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
15:20:50.0812 1324 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
15:20:50.0812 1324 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
15:20:50.0843 1324 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
15:20:50.0843 1324 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
15:20:50.0843 1324 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
15:20:50.0890 1324 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
15:20:50.0890 1324 \Device\Harddisk0\DR0 - ok
15:20:50.0890 1324 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
15:21:11.0171 0544 Deinitialize success


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-26 15:24:56
-----------------------------
15:24:56.296 OS Version: Windows 5.1.2600 Service Pack 3
15:24:56.296 Number of processors: 2 586 0x1706
15:24:56.296 ComputerName: DESKTOP UserName: Ken
15:24:57.203 Initialize success
15:38:28.656 AVAST engine defs: 12052601
15:39:32.671 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
15:39:32.671 Disk 0 Vendor: Hitachi_HDP725050GLA360 GM4OA5BA Size: 476940MB BusType: 3
15:39:32.703 Disk 0 MBR read successfully
15:39:32.703 Disk 0 MBR scan
15:39:32.734 Disk 0 Windows XP default MBR code
15:39:32.734 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
15:39:32.734 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 476866 MB offset 128520
15:39:32.750 Disk 0 scanning sectors +976752000
15:39:32.828 Disk 0 scanning C:\WINDOWS\system32\drivers
15:39:41.750 Service scanning
15:39:59.687 Modules scanning
15:40:04.671 Disk 0 trace - called modules:
15:40:04.687 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
15:40:04.687 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8af4cab8]
15:40:04.687 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000064[0x8afd9520]
15:40:04.687 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8afbd940]
15:40:05.609 AVAST engine scan C:\WINDOWS
15:40:12.140 AVAST engine scan C:\WINDOWS\system32
15:42:38.468 AVAST engine scan C:\WINDOWS\system32\drivers
15:42:59.062 AVAST engine scan C:\Documents and Settings\Ken
15:44:15.046 AVAST engine scan C:\Documents and Settings\All Users
15:46:49.000 Scan finished successfully
15:54:35.140 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
15:54:35.234 The log file has been saved successfully to "E:\aswMBR.txt"

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:44 PM

Posted 26 May 2012 - 03:49 PM

Greetings

Do you think the problem is resolved? Can you share what the problem was?

We have more things to do but looks good at this time - Rootkit.Boot.Pihar.b

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 harvx

harvx
  • Topic Starter

  • Members
  • 11 posts
  • Local time:03:44 PM

Posted 26 May 2012 - 04:39 PM

Gringo,


I run WinPatrol and I just got a pop-up about a change to a file type association. It says that .URL
Program currently associated with this type is
Run a DLL as an App
Microsoft Corp
c:\windows\system32\rundll32.exe c:\windows\system32\ieframe.dll,openURL %l
A change was made to use the following program for this file type
Run a DLL as an App
Microsoft Corp
rundll32.exe ieframe.dll, openURL %l

Is this change OK?

The computer is doing real good and appears to be fixed.

Thank you
Marc

ComboFix 12-05-26.02 - Ken 05/26/2012 17:06:44.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2569 [GMT -4:00]
Running from: c:\documents and settings\Ken\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ken\Desktop\cfscript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2012-04-26 to 2012-05-26 )))))))))))))))))))))))))))))))
.
.
2012-05-26 21:04 . 2012-05-26 21:04 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{568D4ED5-32DB-40F5-AEAC-0123C1027119}\MpKsl7205968a.sys
2012-05-26 21:04 . 2012-05-26 21:04 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{568D4ED5-32DB-40F5-AEAC-0123C1027119}\offreg.dll
2012-05-26 20:11 . 2012-05-15 05:43 6737808 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{568D4ED5-32DB-40F5-AEAC-0123C1027119}\mpengine.dll
2012-05-26 19:56 . 2012-05-15 05:43 6737808 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-05-26 19:22 . 2009-08-06 23:24 44768 ----a-w- c:\windows\system32\wups2.dll
2012-05-26 19:20 . 2012-05-26 19:20 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-19 18:11 . 2012-05-19 18:11 246740 ----a-w- C:\combo-setup.exe
2012-05-19 17:49 . 2012-05-19 17:49 -------- d-----w- c:\documents and settings\Ken\Application Data\WinPatrol
2012-05-19 17:48 . 2012-05-19 17:48 -------- d-----w- c:\program files\BillP Studios
2012-05-19 17:48 . 2012-05-19 17:48 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2012-05-18 15:47 . 2012-05-18 15:47 -------- d-----w- C:\7f94da7002412db2b7d7d2b1741135a7
2012-05-18 10:09 . 2012-05-18 10:09 -------- d-----w- c:\program files\CCleaner
2012-05-17 20:32 . 2012-05-17 20:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-17 20:32 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-12 14:42 . 2012-05-12 14:42 -------- d-----w- c:\documents and settings\Cindy\Local Settings\Application Data\visi_coupon
2012-05-12 14:42 . 2012-05-12 14:42 -------- d-----w- c:\documents and settings\Cindy\Application Data\Yahoo!
2012-05-08 15:49 . 2012-05-08 15:49 -------- d-----w- C:\Intel
2012-05-08 15:40 . 2012-05-08 15:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PC-Doctor
2012-05-08 15:22 . 2012-05-08 15:22 315392 ----a-w- c:\windows\HideWin.exe
2012-05-08 01:28 . 2012-05-08 01:28 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Optimizer Pro
2012-05-08 01:00 . 2012-05-08 01:00 -------- d-----w- c:\documents and settings\Ken\Local Settings\Application Data\visi_coupon
2012-05-08 00:59 . 2012-05-08 00:59 -------- d-----w- c:\program files\Free Offers from Freeze.com
2012-05-08 00:58 . 2012-05-08 02:54 -------- d-----w- c:\documents and settings\All Users\Application Data\WeCareReminder
2012-05-08 00:58 . 2012-05-19 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2012-05-08 00:58 . 2012-05-19 17:56 -------- d-----w- c:\documents and settings\Ken\Application Data\Yahoo!
2012-05-08 00:58 . 2012-05-19 17:56 -------- d-----w- c:\program files\Yahoo!
2012-05-08 00:42 . 2012-05-08 03:00 -------- d-----w- c:\program files\7-Zip
2012-05-08 00:42 . 2012-05-08 02:51 -------- d-----w- c:\program files\Bucksbee Loyalty Plugin - 100815
2012-05-08 00:42 . 2012-05-15 11:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer
2012-05-08 00:33 . 2012-05-15 23:26 -------- d-----w- C:\WinUnhide
2012-05-08 00:18 . 2012-05-08 00:18 -------- d-----w- c:\documents and settings\Ken\AppData
2012-05-07 22:06 . 2012-05-15 23:27 -------- d-----w- c:\program files\stinger
2012-04-29 13:07 . 2012-04-29 13:07 -------- d-----w- c:\documents and settings\Ken\Local Settings\Application Data\PCHealth
2012-04-29 00:12 . 2012-04-29 00:12 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-24 14:04 . 2012-04-04 03:45 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-24 14:04 . 2011-06-09 19:15 70304 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-11 13:14 . 2004-08-11 21:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2004-08-11 21:00 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2004-08-04 02:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-03-21 00:44 . 2012-03-21 00:44 171064 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2012-03-01 11:01 . 2004-08-11 21:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-11 21:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-11 21:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2004-08-11 21:00 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2004-08-11 21:00 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2004-08-11 21:00 385024 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((( SnapShot@2012-05-26_18.01.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-11 21:00 . 2012-03-01 11:01 66560 c:\windows\system32\mshtmled.dll
- 2004-08-11 21:00 . 2011-12-17 19:46 66560 c:\windows\system32\mshtmled.dll
- 2007-08-13 22:54 . 2011-12-17 19:46 55296 c:\windows\system32\msfeedsbs.dll
+ 2007-08-13 22:54 . 2012-03-01 11:01 55296 c:\windows\system32\msfeedsbs.dll
+ 2004-08-11 21:00 . 2012-03-01 11:01 25600 c:\windows\system32\jsproxy.dll
- 2004-08-11 21:00 . 2011-12-17 19:46 25600 c:\windows\system32\jsproxy.dll
+ 2009-06-11 04:41 . 2012-03-01 11:01 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-06-11 04:41 . 2011-12-17 19:46 12800 c:\windows\system32\dllcache\xpshims.dll
- 2004-08-11 21:00 . 2011-12-17 19:46 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2004-08-11 21:00 . 2012-03-01 11:01 66560 c:\windows\system32\dllcache\mshtmled.dll
- 2008-10-10 04:10 . 2011-12-17 19:46 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-10-10 04:10 . 2012-03-01 11:01 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2004-08-11 21:00 . 2011-12-17 19:46 43520 c:\windows\system32\dllcache\licmgr10.dll
+ 2004-08-11 21:00 . 2012-03-01 11:01 43520 c:\windows\system32\dllcache\licmgr10.dll
- 2004-08-11 21:00 . 2011-12-17 19:46 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2004-08-11 21:00 . 2012-03-01 11:01 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2012-04-14 15:02 . 2010-07-05 13:15 26488 c:\windows\SoftwareDistribution\Download\c656e6c592787a464f852186d6e0b466\update\spcustom.dll
- 2012-04-14 15:02 . 2010-07-05 13:15 17272 c:\windows\SoftwareDistribution\Download\c656e6c592787a464f852186d6e0b466\spmsg.dll
- 2012-05-10 20:39 . 2012-04-11 13:53 30208 c:\windows\SoftwareDistribution\Download\888bd630a02581b550845dde5f47a0ee\update\w32ksign.dll
- 2012-05-10 20:39 . 2010-07-05 13:15 26488 c:\windows\SoftwareDistribution\Download\888bd630a02581b550845dde5f47a0ee\update\spcustom.dll
- 2012-05-10 20:39 . 2012-04-11 13:53 16896 c:\windows\SoftwareDistribution\Download\888bd630a02581b550845dde5f47a0ee\update\mpsyschk.dll
- 2012-05-10 20:39 . 2010-07-05 13:15 17272 c:\windows\SoftwareDistribution\Download\888bd630a02581b550845dde5f47a0ee\spmsg.dll
+ 2012-05-26 19:58 . 2011-12-17 19:46 12800 c:\windows\ie8updates\KB2675157-IE8\xpshims.dll
+ 2012-05-26 19:58 . 2011-12-17 19:46 66560 c:\windows\ie8updates\KB2675157-IE8\mshtmled.dll
+ 2012-05-26 19:58 . 2011-12-17 19:46 55296 c:\windows\ie8updates\KB2675157-IE8\msfeedsbs.dll
+ 2012-05-26 19:58 . 2011-12-17 19:46 43520 c:\windows\ie8updates\KB2675157-IE8\licmgr10.dll
+ 2012-05-26 19:58 . 2011-12-17 19:46 25600 c:\windows\ie8updates\KB2675157-IE8\jsproxy.dll
+ 2012-05-26 19:58 . 2010-07-05 13:15 26488 c:\windows\$hf_mig$\KB2653956\update\spcustom.dll
+ 2012-05-26 19:58 . 2010-07-05 13:15 17272 c:\windows\$hf_mig$\KB2653956\spmsg.dll
+ 2004-08-11 21:00 . 2012-03-01 11:01 105984 c:\windows\system32\url.dll
- 2004-08-11 21:00 . 2011-12-17 19:46 105984 c:\windows\system32\url.dll
+ 2004-08-11 21:00 . 2012-03-01 11:01 206848 c:\windows\system32\occache.dll
- 2004-08-11 21:00 . 2011-12-17 19:46 206848 c:\windows\system32\occache.dll
+ 2004-08-11 21:00 . 2012-03-01 11:01 611840 c:\windows\system32\mstime.dll
- 2004-08-11 21:00 . 2011-12-17 19:46 611840 c:\windows\system32\mstime.dll
- 2007-08-13 22:54 . 2011-12-17 19:46 602112 c:\windows\system32\msfeeds.dll
+ 2007-08-13 22:54 . 2012-03-01 11:01 602112 c:\windows\system32\msfeeds.dll
- 2004-08-11 21:00 . 2011-12-17 19:46 184320 c:\windows\system32\iepeers.dll
+ 2004-08-11 21:00 . 2012-03-01 11:01 184320 c:\windows\system32\iepeers.dll
- 2004-08-11 21:00 . 2011-12-17 19:46 387584 c:\windows\system32\iedkcs32.dll
+ 2004-08-11 21:00 . 2012-03-01 11:01 387584 c:\windows\system32\iedkcs32.dll
+ 2004-08-11 21:00 . 2012-02-29 12:17 174080 c:\windows\system32\ie4uinit.exe
- 2004-08-11 21:00 . 2011-12-16 12:23 174080 c:\windows\system32\ie4uinit.exe
- 2004-08-11 21:06 . 2012-04-04 00:07 338648 c:\windows\system32\FNTCACHE.DAT
+ 2004-08-11 21:06 . 2012-05-26 20:02 338648 c:\windows\system32\FNTCACHE.DAT
- 2009-12-24 06:59 . 2009-12-24 06:59 177664 c:\windows\system32\dllcache\wintrust.dll
+ 2009-12-24 06:59 . 2012-02-29 14:10 177664 c:\windows\system32\dllcache\wintrust.dll
- 2008-10-08 00:26 . 2011-12-17 19:46 916992 c:\windows\system32\dllcache\wininet.dll
+ 2008-10-08 00:26 . 2012-03-01 11:01 916992 c:\windows\system32\dllcache\wininet.dll
- 2007-08-13 22:44 . 2011-12-17 19:46 105984 c:\windows\system32\dllcache\url.dll
+ 2007-08-13 22:44 . 2012-03-01 11:01 105984 c:\windows\system32\dllcache\url.dll
+ 2007-08-13 22:44 . 2012-03-01 11:01 206848 c:\windows\system32\dllcache\occache.dll
- 2007-08-13 22:44 . 2011-12-17 19:46 206848 c:\windows\system32\dllcache\occache.dll
+ 2004-08-11 21:00 . 2012-03-01 11:01 611840 c:\windows\system32\dllcache\mstime.dll
- 2004-08-11 21:00 . 2011-12-17 19:46 611840 c:\windows\system32\dllcache\mstime.dll
- 2008-10-10 04:10 . 2011-12-17 19:46 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-10-10 04:10 . 2012-03-01 11:01 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2012-02-29 14:10 . 2012-02-29 14:10 148480 c:\windows\system32\dllcache\imagehlp.dll
+ 2009-06-11 04:41 . 2012-03-01 11:01 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2009-06-11 04:41 . 2011-12-17 19:46 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2008-10-08 00:26 . 2011-12-17 19:46 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2008-10-08 00:26 . 2012-03-01 11:01 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2010-06-10 02:59 . 2012-03-01 11:01 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2010-06-10 02:59 . 2011-12-17 19:46 743424 c:\windows\system32\dllcache\iedvtool.dll
+ 2004-08-11 21:00 . 2012-03-01 11:01 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2004-08-11 21:00 . 2011-12-17 19:46 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2004-08-11 21:00 . 2012-02-29 12:17 174080 c:\windows\system32\dllcache\ie4uinit.exe
- 2004-08-11 21:00 . 2011-12-16 12:23 174080 c:\windows\system32\dllcache\ie4uinit.exe
- 2012-04-14 15:02 . 2010-07-05 13:16 382840 c:\windows\SoftwareDistribution\Download\c656e6c592787a464f852186d6e0b466\update\updspapi.dll
- 2012-04-14 15:02 . 2010-07-05 13:15 755576 c:\windows\SoftwareDistribution\Download\c656e6c592787a464f852186d6e0b466\update\update.exe
- 2012-04-14 15:02 . 2010-07-05 13:15 231288 c:\windows\SoftwareDistribution\Download\c656e6c592787a464f852186d6e0b466\spuninst.exe
- 2012-05-10 20:39 . 2010-07-05 13:16 382840 c:\windows\SoftwareDistribution\Download\888bd630a02581b550845dde5f47a0ee\update\updspapi.dll
- 2012-05-10 20:39 . 2010-07-05 13:15 755576 c:\windows\SoftwareDistribution\Download\888bd630a02581b550845dde5f47a0ee\update\update.exe
- 2012-05-10 20:39 . 2010-07-05 13:15 231288 c:\windows\SoftwareDistribution\Download\888bd630a02581b550845dde5f47a0ee\spuninst.exe
+ 2012-05-26 19:58 . 2011-12-17 19:46 916992 c:\windows\ie8updates\KB2675157-IE8\wininet.dll
+ 2012-05-26 19:58 . 2011-12-17 19:46 105984 c:\windows\ie8updates\KB2675157-IE8\url.dll
+ 2012-05-26 19:58 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2675157-IE8\spuninst\updspapi.dll
+ 2012-05-26 19:58 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2675157-IE8\spuninst\spuninst.exe
+ 2012-05-26 19:58 . 2011-12-17 19:46 206848 c:\windows\ie8updates\KB2675157-IE8\occache.dll
+ 2012-05-26 19:58 . 2011-12-17 19:46 611840 c:\windows\ie8updates\KB2675157-IE8\mstime.dll
+ 2012-05-26 19:58 . 2011-12-17 19:46 602112 c:\windows\ie8updates\KB2675157-IE8\msfeeds.dll
+ 2012-05-26 19:58 . 2011-12-17 19:46 247808 c:\windows\ie8updates\KB2675157-IE8\ieproxy.dll
+ 2012-05-26 19:58 . 2011-12-17 19:46 184320 c:\windows\ie8updates\KB2675157-IE8\iepeers.dll
+ 2012-05-26 19:58 . 2011-12-17 19:46 743424 c:\windows\ie8updates\KB2675157-IE8\iedvtool.dll
+ 2012-05-26 19:58 . 2011-12-17 19:46 387584 c:\windows\ie8updates\KB2675157-IE8\iedkcs32.dll
+ 2012-05-26 19:58 . 2011-12-16 12:23 174080 c:\windows\ie8updates\KB2675157-IE8\ie4uinit.exe
+ 2012-05-26 19:58 . 2010-07-05 13:16 382840 c:\windows\$hf_mig$\KB2653956\update\updspapi.dll
+ 2012-05-26 19:58 . 2010-07-05 13:15 755576 c:\windows\$hf_mig$\KB2653956\update\update.exe
+ 2012-05-26 19:58 . 2010-07-05 13:15 231288 c:\windows\$hf_mig$\KB2653956\spuninst.exe
+ 2012-02-29 14:08 . 2012-02-29 14:08 178176 c:\windows\$hf_mig$\KB2653956\SP3QFE\wintrust.dll
+ 2012-02-29 14:08 . 2012-02-29 14:08 148480 c:\windows\$hf_mig$\KB2653956\SP3QFE\imagehlp.dll
+ 2012-05-26 19:57 . 2012-02-09 15:43 1748992 c:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6002.22791_x-ww_c8dff154\GdiPlus.dll
+ 2004-08-11 21:00 . 2012-03-01 11:01 1212416 c:\windows\system32\urlmon.dll
- 2004-08-11 21:00 . 2011-12-17 19:46 1212416 c:\windows\system32\urlmon.dll
+ 2004-08-11 21:00 . 2012-03-01 11:01 5978624 c:\windows\system32\mshtml.dll
- 2007-08-13 22:34 . 2011-12-17 19:46 2000384 c:\windows\system32\iertutil.dll
+ 2007-08-13 22:34 . 2012-03-01 11:01 2000384 c:\windows\system32\iertutil.dll
+ 2008-10-15 11:23 . 2012-04-11 13:12 1862272 c:\windows\system32\dllcache\win32k.sys
- 2008-10-08 00:26 . 2011-12-17 19:46 1212416 c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-08 00:26 . 2012-03-01 11:01 1212416 c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-15 11:22 . 2012-04-11 13:10 2192640 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2004-08-04 02:59 . 2012-04-11 12:35 2026496 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-15 11:22 . 2012-04-11 12:35 2069120 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2004-08-11 21:00 . 2012-04-11 13:14 2148352 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-10-08 00:26 . 2012-03-01 11:01 5978624 c:\windows\system32\dllcache\mshtml.dll
+ 2008-10-10 04:10 . 2012-03-01 11:01 2000384 c:\windows\system32\dllcache\iertutil.dll
- 2008-10-10 04:10 . 2011-12-17 19:46 2000384 c:\windows\system32\dllcache\iertutil.dll
+ 2012-05-26 19:58 . 2011-12-17 19:46 1212416 c:\windows\ie8updates\KB2675157-IE8\urlmon.dll
+ 2012-05-26 19:58 . 2011-12-17 19:46 5979136 c:\windows\ie8updates\KB2675157-IE8\mshtml.dll
+ 2012-05-26 19:58 . 2011-12-17 19:46 2000384 c:\windows\ie8updates\KB2675157-IE8\iertutil.dll
+ 2008-10-15 11:22 . 2012-04-11 13:10 2192640 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2008-10-15 11:22 . 2012-04-11 12:35 2026496 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2008-10-15 11:22 . 2012-04-11 12:35 2069120 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2008-10-15 11:22 . 2012-04-11 13:14 2148352 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2007-08-13 22:54 . 2012-03-02 10:01 11082752 c:\windows\system32\ieframe.dll
+ 2008-10-10 04:10 . 2012-03-02 10:01 11082752 c:\windows\system32\dllcache\ieframe.dll
+ 2012-05-26 19:58 . 2011-12-18 19:46 11082240 c:\windows\ie8updates\KB2675157-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2012-04-15 374368]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
.
c:\documents and settings\Cindy\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]
easy gadget.lnk - c:\program files\easy gadget\easy gadget.exe [2011-8-14 95232]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Ken^Start Menu^Programs^Startup^easy gadget.lnk]
path=c:\documents and settings\Ken\Start Menu\Programs\Startup\easy gadget.lnk
backup=c:\windows\pss\easy gadget.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 15:07 843712 -c--a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-03-27 12:41 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2007-07-16 23:48 69632 -c--a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-09-22 04:28 47904 -c--a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2008-08-26 19:58 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2008-02-28 17:18 17920 -c----w- c:\dell\E-Center\EULALauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2007-07-16 23:45 162584 -c--a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 19:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-08-04 21:28 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2007-07-16 23:45 142104 -c--a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 22:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2012-03-26 21:08 931200 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2008-02-26 14:57 128296 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2007-07-16 23:45 138008 -c--a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 -c--a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-07-16 23:48 16132608 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\CA Personal Firewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 MpKsl7205968a;MpKsl7205968a;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{568D4ED5-32DB-40F5-AEAC-0123C1027119}\MpKsl7205968a.sys [5/26/2012 5:04 PM 29904]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/3/2012 11:45 PM 257696]
S3 cpuz134;cpuz134;\??\c:\docume~1\Ken\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\Ken\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\Dell Support Center\pcdsrvc.pkms [2/1/2012 5:53 PM 21744]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/11/2004 5:00 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL7205968A
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-04 14:04]
.
2012-05-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-05-26 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 21:03]
.
2012-05-26 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-03-26 21:03]
.
2012-05-26 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-02-07 23:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://us.yhs4.search.yahoo.com/web/partner?&hspart=w3i&hsimp=yhs-syctransfer&type=type=W3i_SP,204,0_0,StartPage,20120519,16898,0,8,0
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: microsoft.com\www.update
Trusted Zone: windowsupdate.com\download
TCP: DhcpNameServer = 192.168.1.1 172.27.35.1
DPF: {682C59F5-478C-4421-9070-AD170D143B77} - hxxp://www.dell.com/support/troubleshooting/Content/Ode/pcd86.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-26 17:11
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3247143723-386678728-3784697378-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:10,0b,c5,1c,c1,b3,28,06,de,43,3f,79,00,b8,7f,d4,7b,96,03,63,03,21,a8,
ae,ee,4d,18,26,30,9b,40,d6,ba,19,43,f7,8b,13,80,7e,aa,6e,70,b9,45,60,5a,b1,\
"??"=hex:47,ff,c2,27,98,58,12,62,a9,21,00,fb,f4,3d,f3,8f
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1388)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-05-26 17:12:28
ComboFix-quarantined-files.txt 2012-05-26 21:12
ComboFix2.txt 2012-05-26 18:04
ComboFix3.txt 2012-05-25 16:14
.
Pre-Run: 474,701,164,544 bytes free
Post-Run: 475,140,923,392 bytes free
.
- - End Of File - - E4736F3C3E2F273283E242D2D7534FC2

#8 gringo_pr

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 26 May 2012 - 04:51 PM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a lot better of a job).

Programs to remove

Adobe Reader 9.5.1
Java™ 6 Update 7


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select Run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 harvx

  • Topic Starter
  • Members
  • 11 posts

Posted 26 May 2012 - 08:59 PM

No problems encountered and the computer is running just fine.


Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.26.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Ken :: DESKTOP [administrator]

5/26/2012 9:47:48 PM
mbam-log-2012-05-26 (21-47-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 244197
Time elapsed: 3 minute(s), 32 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:53:57 PM, on 5/26/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.yhs4.search.yahoo.com/web/partner?&hspart=w3i&hsimp=yhs-syctransfer&type=type=W3i_SP,204,0_0,StartPage,20120519,16898,0,8,0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4081008
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: 94.63.147.17 www.bing.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre7\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre7\bin\jp2iexp.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {682C59F5-478C-4421-9070-AD170D143B77} (Launcher Class) - http://www.dell.com/support/troubleshooting/Content/Ode/pcd86.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223654519171
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} (CPlayFirstzenerchiControl Object) - http://pogo.oberon-media.com/online2/pogo/zenerchi/ZenerchiWeb.1.0.0.10.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 7394 bytes

#10 gringo_pr

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 26 May 2012 - 09:02 PM

Greetings

These logs are looking very good; we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to. For any of these programs, you can click on their icons (or start them from the Control Panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select Run as administrator.

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo

#11 harvx

  • Topic Starter
  • Members
  • 11 posts

Posted 27 May 2012 - 11:24 AM

Gringo,

Computer is still running good. A question -


I run WinPatrol and I just got a pop up about a change detected to a file type association. It says that .URL
Program currently associated with this type is
Run a DLL as an App
Microsoft Corp
c:\windows\system32\rundll32.exe c:\windows\system32\ieframe.dll,openURL %l

A change was made to use the following program for this file type
Run a DLL as an App
Microsoft Corp
rundll32.exe ieframe.dll, openURL %l

Marc


C:\Documents and Settings\NetworkService\Local Settings\Application Data\{162cf827-1c59-7a71-f400-085774d5d0ee}\n a variant of Win32/Kryptik.AFZT trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP7\A0003387.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP7\A0003407.exe a variant of Win32/Kryptik.AGAC trojan
C:\TDSSKiller_Quarantine\26.05.2012_15.20.09\mbr0000\tdlfs0000\tsk0001.dta Win32/Olmarik.AWO trojan
C:\TDSSKiller_Quarantine\26.05.2012_15.20.09\mbr0000\tdlfs0000\tsk0002.dta Win64/Olmarik.AD trojan
C:\TDSSKiller_Quarantine\26.05.2012_15.20.09\mbr0000\tdlfs0000\tsk0003.dta Win32/Olmarik.AYH trojan
C:\TDSSKiller_Quarantine\26.05.2012_15.20.09\mbr0000\tdlfs0000\tsk0004.dta Win64/Olmarik.AG trojan
C:\TDSSKiller_Quarantine\26.05.2012_15.20.09\mbr0000\tdlfs0000\tsk0005.dta a variant of Win32/Rootkit.Kryptik.KS trojan
C:\TDSSKiller_Quarantine\26.05.2012_15.20.09\mbr0000\tdlfs0000\tsk0007.dta Win64/Olmarik.AF trojan
C:\TDSSKiller_Quarantine\26.05.2012_15.20.09\mbr0000\tdlfs0000\tsk0010.dta Win32/Olmarik.AWO trojan
C:\TDSSKiller_Quarantine\26.05.2012_15.20.09\mbr0000\tdlfs0000\tsk0011.dta Win64/Olmarik.X trojan

#12 gringo_pr

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 May 2012 - 11:35 AM

Hello

Let's get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 harvx

harvx
  • Topic Starter

  • Members
  • 11 posts

Posted 27 May 2012 - 12:07 PM

OTL logfile created on: 5/27/2012 1:02:45 PM - Run 1
OTL by OldTimer - Version 3.2.43.2 Folder = C:\Documents and Settings\Ken\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.34 Gb Available Physical Memory | 78.08% Memory free
4.84 Gb Paging File | 4.36 Gb Available in Paging File | 90.17% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.69 Gb Total Space | 442.01 Gb Free Space | 94.91% Space Free | Partition Type: NTFS
Drive E: | 249.70 Mb Total Space | 244.67 Mb Free Space | 97.99% Space Free | Partition Type: FAT

Computer Name: DESKTOP | User Name: Ken | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Ken\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe (BillP Studios)
PRC - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe (Oracle Corporation)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe (Microsoft Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\BillP Studios\WinPatrol\sqlite3.dll ()
MOD - C:\Program Files\FileZilla FTP Client\fzshellext.dll ()


========== Win32 Services (SafeList) ==========

SRV - (getPlusHelper) getPlus® -- C:\Program Files\NOS\bin\getPlus_Helper.dll File not found
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (JavaQuickStarterService) -- C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe (Oracle Corporation)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV - (FLEXnet Licensing Service) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)
SRV - (sprtsvc_DellSupportCenter) SupportSoft Sprocket Service (DellSupportCenter) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe (SupportSoft, Inc.)
SRV - (BcmSqlStartupSvc) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe (Microsoft Corporation)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\hpzipm12.exe (HP)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (mbr) -- C:\ComboFix\mbr.sys File not found
DRV - (lbrtfdc) -- File not found
DRV - (cpuz134) -- C:\DOCUME~1\Ken\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\DOCUME~1\Ken\LOCALS~1\Temp\catchme.sys File not found
DRV - (PCDSRVC{E9D79540-57D5953E-06020101}_0) -- c:\Program Files\Dell Support Center\pcdsrvc.pkms (PC-Doctor, Inc.)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4081008
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4081008
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4081008
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4081008
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://us.yhs4.search.yahoo.com/web/partner?&hspart=w3i&hsimp=yhs-syctransfer&type=type=W3i_SP,204,0_0,StartPage,20120519,16898,0,8,0
IE - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\..\URLSearchHook: - No CLSID value found
IE - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\..\SearchScopes,DefaultScope = {E90007E0-886C-4F2B-BAE6-92B10F947D6F}
IE - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\..\SearchScopes\{1697ECD4-BEA4-4B31-866D-C8D122FE6E6D}: "URL" = http://search.yahoo.com/search?p={searchterms}&ei=UTF-8&fr=w3i&type=W3i_DS,136,0_0,Search,20120519,6901,0,8,0
IE - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3201318
IE - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\..\SearchScopes\{E90007E0-886C-4F2B-BAE6-92B10F947D6F}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GGLL_en
IE - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.4.1: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.4.1: C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Cindy\Application Data\Move Networks\plugins\npqmp071500000347.dll (Move Networks)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)


[2012/05/07 20:39:40 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

========== Chrome ==========


O1 HOSTS File: ([2012/05/14 19:08:53 | 000,000,855 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 94.63.147.17 www.bing.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\..\Toolbar\WebBrowser: (no name) - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No CLSID value found.
O3 - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe (BillP Studios)
O4 - Startup: C:\Documents and Settings\Cindy\Start Menu\Programs\Startup\DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe (Southwest Airlines)
O4 - Startup: C:\Documents and Settings\Cindy\Start Menu\Programs\Startup\easy gadget.lnk = C:\Program Files\easy gadget\easy gadget.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: BackupNoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\..Trusted Domains: microsoft.com ([www.update] http in Trusted sites)
O15 - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\..Trusted Domains: microsoft.com ([www.update] https in Trusted sites)
O15 - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\..Trusted Domains: windowsupdate.com ([download] http in Trusted sites)
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} http://download.macromedia.com/pub/shockwave/cabs/authorware/awswax70.cab (Macromedia Authorware Web Player Control)
O16 - DPF: {682C59F5-478C-4421-9070-AD170D143B77} http://www.dell.com/support/troubleshooting/Content/Ode/pcd86.cab (Launcher Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1223654519171 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} http://www.worldwinner.com/games/v57/wof/wof.cab (WoF Control)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {BAC761D3-DFFD-4DB4-A01D-173346E090A7} http://pogo.oberon-media.com/online2/pogo/zenerchi/ZenerchiWeb.1.0.0.10.cab (CPlayFirstzenerchiControl Object)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 172.27.35.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A69D410B-3103-4C28-96D7-C6F0CCFCED21}: DhcpNameServer = 192.168.1.1 172.27.35.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Ken\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Ken\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 17:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/05/27 13:00:59 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Ken\Desktop\OTL.exe
[2012/05/27 07:12:23 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/05/26 21:53:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\Start Menu\Programs\HiJackThis
[2012/05/26 21:53:11 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2012/05/26 21:46:51 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Ken\Recent
[2012/05/26 21:44:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\Local Settings\Application Data\Sun
[2012/05/26 21:43:04 | 000,000,000 | ---D | C] -- C:\Program Files\Oracle
[2012/05/26 21:42:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\Application Data\Oracle
[2012/05/26 21:42:54 | 000,772,504 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\npDeployJava1.dll
[2012/05/26 21:42:54 | 000,227,720 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2012/05/26 21:41:15 | 000,892,360 | ---- | C] (Oracle Corporation) -- C:\Documents and Settings\Ken\Desktop\JavaSetup7u4.exe
[2012/05/26 21:30:49 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2012/05/26 21:26:39 | 000,000,000 | ---D | C] -- C:\Program Files\VS Revo Group
[2012/05/26 21:26:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\Start Menu\Programs\Revo Uninstaller
[2012/05/26 21:26:03 | 002,617,648 | ---- | C] (VS Revo Group Ltd.) -- C:\Documents and Settings\Ken\Desktop\revosetup.exe
[2012/05/26 17:12:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/05/26 15:22:33 | 000,044,768 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\wups2.dll
[2012/05/26 15:20:50 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/05/26 13:48:50 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/05/26 13:48:50 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/05/26 13:48:50 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/05/26 13:48:19 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/05/26 13:47:10 | 004,528,808 | R--- | C] (Swearware) -- C:\Documents and Settings\Ken\Desktop\ComboFix.exe
[2012/05/25 13:02:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\Application Data\ElevatedDiagnostics
[2012/05/24 20:44:22 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2012/05/24 12:45:11 | 006,776,168 | ---- | C] (Microsoft Corporation) -- C:\WindowsUpdateAgent30-x86.exe
[2012/05/24 10:00:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\Desktop\drivers
[2012/05/19 15:34:40 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/05/19 14:40:26 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/05/19 14:39:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/05/19 13:49:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\Application Data\WinPatrol
[2012/05/19 13:48:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\WinPatrol
[2012/05/19 13:48:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\InstallMate
[2012/05/19 13:48:51 | 000,000,000 | ---D | C] -- C:\Program Files\BillP Studios
[2012/05/18 11:47:46 | 000,000,000 | ---D | C] -- C:\7f94da7002412db2b7d7d2b1741135a7
[2012/05/18 06:09:46 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/05/17 16:32:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/05/17 16:32:42 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/05/17 16:32:42 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/05/15 22:53:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2012/05/08 11:49:20 | 000,000,000 | ---D | C] -- C:\Intel
[2012/05/08 11:40:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC-Doctor
[2012/05/08 11:37:06 | 000,741,376 | ---- | C] (Foxconn Technology Group) -- C:\Documents and Settings\Ken\My Documents\530_1018.EXE
[2012/05/08 11:36:20 | 031,370,824 | ---- | C] (Dell) -- C:\Documents and Settings\Ken\My Documents\R198174-1.exe
[2012/05/08 11:35:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\Start Menu\Programs\Dell Inc
[2012/05/08 11:22:48 | 000,315,392 | ---- | C] (Realtek Semiconductor Corp.) -- C:\WINDOWS\HideWin.exe
[2012/05/07 21:28:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\PC Optimizer Pro
[2012/05/07 21:00:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\Local Settings\Application Data\visi_coupon
[2012/05/07 20:59:13 | 000,000,000 | ---D | C] -- C:\Program Files\Free Offers from Freeze.com
[2012/05/07 20:58:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\WeCareReminder
[2012/05/07 20:58:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Yahoo!
[2012/05/07 20:58:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\Application Data\Yahoo!
[2012/05/07 20:58:46 | 000,000,000 | ---D | C] -- C:\Program Files\Yahoo!
[2012/05/07 20:42:51 | 000,000,000 | ---D | C] -- C:\Program Files\7-Zip
[2012/05/07 20:42:17 | 000,000,000 | ---D | C] -- C:\Program Files\Bucksbee Loyalty Plugin - 100815
[2012/05/07 20:42:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer
[2012/05/07 20:39:40 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2012/05/07 20:33:36 | 000,000,000 | ---D | C] -- C:\WinUnhide
[2012/05/07 20:18:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\AppData
[2012/05/07 18:06:19 | 000,000,000 | ---D | C] -- C:\Program Files\stinger
[2012/04/29 09:07:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Ken\Local Settings\Application Data\PCHealth
[2012/04/28 20:12:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/05/27 13:03:00 | 000,000,564 | ---- | M] () -- C:\WINDOWS\tasks\PCDoctorBackgroundMonitorTask.job
[2012/05/27 13:01:00 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Ken\Desktop\OTL.exe
[2012/05/27 12:50:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/05/27 12:45:03 | 000,000,366 | -H-- | M] () -- C:\WINDOWS\tasks\MpIdleTask.job
[2012/05/27 07:04:47 | 000,002,443 | ---- | M] () -- C:\Documents and Settings\Ken\Desktop\HiJackThis.lnk
[2012/05/26 21:52:30 | 001,402,880 | ---- | M] () -- C:\Documents and Settings\Ken\Desktop\HiJackThis.msi
[2012/05/26 21:42:40 | 000,174,024 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/05/26 21:42:40 | 000,174,024 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/05/26 21:41:23 | 000,892,360 | ---- | M] (Oracle Corporation) -- C:\Documents and Settings\Ken\Desktop\JavaSetup7u4.exe
[2012/05/26 21:26:40 | 000,000,917 | ---- | M] () -- C:\Documents and Settings\Ken\Desktop\Revo Uninstaller.lnk
[2012/05/26 21:26:10 | 002,617,648 | ---- | M] (VS Revo Group Ltd.) -- C:\Documents and Settings\Ken\Desktop\revosetup.exe
[2012/05/26 21:24:31 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/05/26 17:02:16 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/05/26 17:01:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/05/26 16:02:34 | 000,338,648 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/05/26 15:21:20 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/05/26 13:47:10 | 004,528,808 | R--- | M] (Swearware) -- C:\Documents and Settings\Ken\Desktop\ComboFix.exe
[2012/05/25 16:15:33 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Ken\defogger_reenable
[2012/05/25 12:45:00 | 000,590,976 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/05/25 12:45:00 | 000,121,456 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/05/24 20:45:30 | 000,001,945 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2012/05/24 12:45:21 | 006,776,168 | ---- | M] (Microsoft Corporation) -- C:\WindowsUpdateAgent30-x86.exe
[2012/05/24 10:04:39 | 000,419,488 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/05/24 10:04:39 | 000,070,304 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/05/24 09:59:55 | 000,000,417 | ---- | M] () -- C:\Documents and Settings\Ken\Desktop\Drivers and Downloads Dell [United States].url
[2012/05/19 15:34:50 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/05/19 14:11:03 | 000,246,740 | ---- | M] () -- C:\combo-setup.exe
[2012/05/19 13:46:55 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2012/05/15 21:28:11 | 000,002,433 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Dell Support Center.lnk
[2012/05/14 19:08:53 | 000,000,855 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/05/13 14:31:33 | 000,000,325 | ---- | M] () -- C:\WINDOWS\reimage.ini
[2012/05/09 18:20:49 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\Ken\Desktop\Microsoft Office Word 2007.lnk
[2012/05/08 20:44:35 | 000,000,178 | ---- | M] () -- C:\WINDOWS\wwwbatch.ini
[2012/05/08 11:37:31 | 014,176,256 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\R186378.exe
[2012/05/08 11:37:26 | 031,370,824 | ---- | M] (Dell) -- C:\Documents and Settings\Ken\My Documents\R198174-1.exe
[2012/05/08 11:37:18 | 001,719,760 | ---- | M] () -- C:\Documents and Settings\Ken\My Documents\R195191.EXE
[2012/05/08 11:37:11 | 000,741,376 | ---- | M] (Foxconn Technology Group) -- C:\Documents and Settings\Ken\My Documents\530_1018.EXE
[2012/05/08 11:22:48 | 000,315,392 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\HideWin.exe
[2012/05/07 13:12:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/05/26 21:53:12 | 000,002,443 | ---- | C] () -- C:\Documents and Settings\Ken\Desktop\HiJackThis.lnk
[2012/05/26 21:52:21 | 001,402,880 | ---- | C] () -- C:\Documents and Settings\Ken\Desktop\HiJackThis.msi
[2012/05/26 21:39:52 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2012/05/26 21:26:40 | 000,000,917 | ---- | C] () -- C:\Documents and Settings\Ken\Desktop\Revo Uninstaller.lnk
[2012/05/26 13:48:50 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/05/26 13:48:50 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/05/26 13:48:50 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/05/26 13:48:50 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/05/26 13:48:50 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/05/25 16:15:33 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Ken\defogger_reenable
[2012/05/24 20:54:37 | 000,000,366 | -H-- | C] () -- C:\WINDOWS\tasks\MpIdleTask.job
[2012/05/24 20:44:39 | 000,001,698 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Security Essentials.lnk
[2012/05/24 09:59:55 | 000,000,417 | ---- | C] () -- C:\Documents and Settings\Ken\Desktop\Drivers and Downloads Dell [United States].url
[2012/05/19 15:34:49 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/05/19 15:34:45 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/05/19 14:11:02 | 000,246,740 | ---- | C] () -- C:\combo-setup.exe
[2012/05/18 16:30:25 | 000,000,384 | -H-- | C] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/05/15 07:01:22 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/05/08 20:44:35 | 000,000,178 | ---- | C] () -- C:\WINDOWS\wwwbatch.ini
[2012/05/08 11:40:21 | 000,002,433 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Dell Support Center.lnk
[2012/05/08 11:37:11 | 014,176,256 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\R186378.exe
[2012/05/08 11:37:10 | 001,719,760 | ---- | C] () -- C:\Documents and Settings\Ken\My Documents\R195191.EXE
[2012/05/07 20:19:45 | 000,000,325 | ---- | C] () -- C:\WINDOWS\reimage.ini
[2012/02/15 01:44:51 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/04/23 21:40:31 | 000,014,558 | -HS- | C] () -- C:\Documents and Settings\Ken\Local Settings\Application Data\828h7p051q38067h7b2q1y6py
[2011/04/23 21:40:31 | 000,014,558 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\828h7p051q38067h7b2q1y6py
[2010/09/11 19:00:48 | 000,000,007 | ---- | C] () -- C:\WINDOWS\System32\mkghj.dll
[2010/06/14 10:07:37 | 000,000,204 | ---- | C] () -- C:\WINDOWS\HECELM.INI

< End of report >

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 May 2012 - 01:18 PM

Hello

Run this custom script, and when it is complete I need to know how the computer is doing.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word Code
    :OTL
    IE - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\..\URLSearchHook: - No CLSID value found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O3 - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\..\Toolbar\WebBrowser: (no name) - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No CLSID value found.
    O3 - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O3 - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key error. File not found
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    IE - HKU\S-1-5-21-3247143723-386678728-3784697378-1008\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3201318
    [2011/04/23 21:40:31 | 000,014,558 | -HS- | C] () -- C:\Documents and Settings\Ken\Local Settings\Application Data\828h7p051q38067h7b2q1y6py
    [2011/04/23 21:40:31 | 000,014,558 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\828h7p051q38067h7b2q1y6py
    [2010/09/11 19:00:48 | 000,000,007 | ---- | C] () -- C:\WINDOWS\System32\mkghj.dll
    :Files
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\{162cf827-1c59-7a71-f400-085774d5d0ee}
    ipconfig /flushdns /c
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    
  • Then click the Run Fix button at the top.
  • Click Posted Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

Let me know how things are doing.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
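The fix script above was built from the OTL listing lines earlier in the thread, the ones with the `[date | size | attrs | C] () -- path` shape. As an added example (not OTL's code and not the helper's own method), the following Python parses lines in that format and applies three assumed triage heuristics, hidden+system objects under Application Data, long random-looking extension-less names, and DLLs in System32 far too small to be real modules, to the lines this thread actually posted; the heuristics and the `parse_otl`/`reasons_for`/`triage` names are this example's own.

```python
import re
from dataclasses import dataclass
# Sample input: lines copied from the OTL listing posted earlier in this thread.
SAMPLE_LOG = r"""
[2012/02/15 01:44:51 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/04/23 21:40:31 | 000,014,558 | -HS- | C] () -- C:\Documents and Settings\Ken\Local Settings\Application Data\828h7p051q38067h7b2q1y6py
[2011/04/23 21:40:31 | 000,014,558 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\828h7p051q38067h7b2q1y6py
[2010/09/11 19:00:48 | 000,000,007 | ---- | C] () -- C:\WINDOWS\System32\mkghj.dll
[2010/06/14 10:07:37 | 000,000,204 | ---- | C] () -- C:\WINDOWS\HECELM.INI
"""

# One OTL file line: [date time | size | attributes | C] (company) -- path
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| [A-Z]\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# Long, extension-less, all lowercase alphanumeric: the shape of the 828h7p... name above
RANDOM_NAME_RE = re.compile(r"^[0-9a-z]{16,}$")

@dataclass
class Entry:
    ts: str
    size: int    # bytes
    attrs: str   # e.g. "-HS-" = hidden + system
    path: str

def parse_otl(text: str) -> list[Entry]:
    """Parse OTL file-listing lines; lines in any other format are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [Entry(m["ts"], int(m["size"].replace(",", "")), m["attrs"], m["path"])
            for m in matches if m]

def reasons_for(e: Entry) -> list[str]:
    """Triage heuristics (this example's assumptions, not OTL's own logic)."""
    name = e.path.rsplit("\\", 1)[-1]
    low = e.path.lower()
    flags = []
    if "H" in e.attrs and "S" in e.attrs and "\\application data\\" in low:
        flags.append("hidden+system object under Application Data")
    if RANDOM_NAME_RE.match(name):
        flags.append("random-looking extension-less name")
    if low.startswith("c:\\windows\\system32\\") and low.endswith(".dll") and e.size < 1024:
        flags.append(f"DLL in System32 is only {e.size} bytes, too small to be a real module")
    return flags

def triage(text: str) -> dict[str, list[str]]:
    """Map every flagged path to the reasons it was flagged; clean entries are omitted."""
    return {e.path: f for e in parse_otl(text) if (f := reasons_for(e))}
```

Run against the five sample lines, `triage` flags exactly the three objects the fix script removes and leaves `iacenc.dll` and `HECELM.INI` alone.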

#15 harvx

harvx
  • Topic Starter

  • Members
  • 11 posts
  • Local time:03:44 PM

Posted 27 May 2012 - 03:17 PM

Gringo,

The computer still seems to be doing fine. Do you suspect there is still malware on the computer?

Marc


========== OTL ==========
Registry value HKEY_USERS\S-1-5-21-3247143723-386678728-3784697378-1008\Software\Microsoft\Internet Explorer\URLSearchHooks\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry value HKEY_USERS\S-1-5-21-3247143723-386678728-3784697378-1008\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{10134636-E7AF-4AC5-A1DC-C7C44BB97D81} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10134636-E7AF-4AC5-A1DC-C7C44BB97D81}\ not found.
Registry value HKEY_USERS\S-1-5-21-3247143723-386678728-3784697378-1008\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
Registry value HKEY_USERS\S-1-5-21-3247143723-386678728-3784697378-1008\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ deleted successfully.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_USERS\S-1-5-21-3247143723-386678728-3784697378-1008\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{afdbddaa-5d3f-42ee-b79c-185a7020515b}\ not found.
C:\Documents and Settings\Ken\Local Settings\Application Data\828h7p051q38067h7b2q1y6py moved successfully.
C:\Documents and Settings\All Users\Application Data\828h7p051q38067h7b2q1y6py moved successfully.
C:\WINDOWS\system32\mkghj.dll moved successfully.
========== FILES ==========
C:\Documents and Settings\NetworkService\Local Settings\Application Data\{162cf827-1c59-7a71-f400-085774d5d0ee}\U folder moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\{162cf827-1c59-7a71-f400-085774d5d0ee}\L folder moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\{162cf827-1c59-7a71-f400-085774d5d0ee} folder moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Ken\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Ken\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: Administrator

User: All Users

User: Cindy
->Java cache emptied: 0 bytes

User: Default User

User: Ken
->Java cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 321 bytes

User: All Users

User: Cindy
->Flash cache emptied: 56941 bytes

User: Default User
->Flash cache emptied: 56787 bytes

User: Ken
->Flash cache emptied: 59775 bytes

User: LocalService
->Flash cache emptied: 37859 bytes

User: NetworkService
->Flash cache emptied: 161547 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.43.2 log created on 05272012_161157