S.M.AR.T. HDD, Trojan Dropper, Google redirect & more


This topic is locked
28 replies to this topic

#1 slavabusy

  • Members
  • 28 posts
  • Gender:Male
Posted 26 May 2012 - 11:32 PM

It seems like I was able to get rid of some viruses with MBAM and Hitman-Pro scans, and was able to get my desktop shortcuts and start menu items back with system restore.
But Google search still redirects, and TDSSKiller will not run in either normal or safe mode.
Please look at the log file.
Thank you in advance!

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by slava at 23:37:02 on 2012-05-26
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.6109.4358 [GMT -4:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\SysWOW64\svchost.exe -k Akamai
C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Users\slava\AppData\Local\Akamai\netsession_win.exe
C:\Windows\system32\SearchIndexer.exe
C:\Users\slava\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\REGSVR32.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - C:\Program Files (x86)\LastPass\LPBar.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPBar.dll
TB: RadioBar Toolbar: {5b291e6c-9a74-4034-971b-a4b007a0b315} -
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
uRun: [Speech Recognition] "C:\Windows\Speech\Common\sapisvr.exe" -SpeechUX -Startup
uRun: [Akamai NetSession Interface] "C:\Users\slava\AppData\Local\Akamai\netsession_win.exe"
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: LastPass - file://C:\Program Files (x86)\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://C:\Program Files (x86)\LastPass\context.html?cmd=fillforms
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPBar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
Trusted Zone: alipay.com
Trusted Zone: alisoft.com
Trusted Zone: craigslist.org\post
Trusted Zone: taobao.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{0C25C74E-5418-4D60-A248-13F43CD275F7} : DhcpNameServer = 68.87.73.246 68.87.71.230
TCP: Interfaces\{0C25C74E-5418-4D60-A248-13F43CD275F7}\F6365616E6 : DhcpNameServer = 68.87.73.246 68.87.71.230
TCP: Interfaces\{DCDEC854-8F68-44B6-9433-0B3F49C4F731} : DhcpNameServer = 75.75.75.75 75.75.76.76
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
mASetup: {2D46B6DC-2207-486B-B523-A557E6D54B47} - C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Canon Easy-WebPrint EX BHO: {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll
BHO-X64: Canon Easy-WebPrint EX BHO - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: LastPass Browser Helper Object: {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPBar.dll
BHO-X64: LastPass Browser Helper Object - No File
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: SmartSelect - No File
TB-X64: Canon Easy-WebPrint EX: {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB-X64: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPBar.dll
TB-X64: RadioBar Toolbar: {5B291E6C-9A74-4034-971B-A4B007A0B315} -
EB-X64: {21347690-EC41-4F9A-8887-1F4AEE672439} - No File
mRun-x64: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun-x64: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
mRun-x64: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\slava\AppData\Roaming\Mozilla\Firefox\Profiles\0towfyud.default\
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?ilc=1
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=adbartrp&affID=107763&mntrId=1c012b7100000000000000248cde0296&q=
FF - prefs.js: network.proxy.type - 0
FF - component: C:\Users\slava\AppData\Roaming\Mozilla\Firefox\Profiles\0towfyud.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 Akamai;Akamai NetSession Interface;C:\Windows\System32\svchost.exe -k Akamai [2009-7-13 20992]
R2 PanService;PandoraService;C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe [2012-1-7 624856]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-29 136176]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-1-31 158856]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-29 136176]
S3 netr28x;Ralink 802.11n Extensible Wireless Driver;C:\Windows\system32\DRIVERS\netr28x.sys --> C:\Windows\system32\DRIVERS\netr28x.sys [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 ssmirrdr;ssmirrdr;C:\Windows\system32\DRIVERS\ssmirrdr.sys --> C:\Windows\system32\DRIVERS\ssmirrdr.sys [?]
S3 SwitchBoard;Adobe SwitchBoard;C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-2-19 517096]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== File Associations ===============
.
.txt=FreeOpener
.
=============== Created Last 30 ================
.
2012-05-26 15:46:00 -------- d-sh--w- C:\$RECYCLE.BIN
2012-05-26 10:52:16 98816 ----a-w- C:\Windows\sed.exe
2012-05-26 10:52:16 518144 ----a-w- C:\Windows\SWREG.exe
2012-05-26 10:52:16 256000 ----a-w- C:\Windows\PEV.exe
2012-05-26 10:52:16 208896 ----a-w- C:\Windows\MBR.exe
2012-05-26 10:51:07 -------- d-----w- C:\Combo-Fix
2012-05-26 03:54:55 -------- d-----w- C:\Program Files (x86)\McAfee Security Scan
2012-05-25 04:50:45 -------- d-----w- C:\ProgramData\HitmanPro
2012-05-25 00:10:59 -------- d-----w- C:\Windows\SysWow64\%APPDATA%
2012-05-14 10:47:26 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{ACBA8227-86EB-484C-AF42-0A721B0FFC61}\offreg.dll
2012-05-12 07:14:15 1544704 ----a-w- C:\Windows\System32\DWrite.dll
2012-05-12 07:14:15 1077248 ----a-w- C:\Windows\SysWow64\DWrite.dll
2012-05-12 07:14:13 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-05-12 07:14:13 3146240 ----a-w- C:\Windows\System32\win32k.sys
2012-05-12 07:14:12 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-05-12 07:14:11 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-05-12 07:13:56 75120 ----a-w- C:\Windows\System32\drivers\partmgr.sys
2012-05-12 07:13:56 1918320 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-05-12 07:13:55 936960 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-12 07:13:55 1732096 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
2012-05-12 07:13:55 1393664 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
2012-05-12 07:13:55 1367552 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-12 07:13:54 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
2012-05-03 01:59:44 -------- d-----w- C:\Users\slava\AppData\Local\{A5669FDC-94C3-11E1-826D-B8AC6F996F26}
.
==================== Find3M ====================
.
2012-03-01 06:46:16 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-03-01 06:38:27 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-03-01 06:33:50 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-03-01 06:28:47 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-03-01 05:37:41 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-03-01 05:33:23 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-03-01 05:29:16 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-03-01 00:32:21 14646304 ----a-w- C:\Program Files (x86)\Common Files\lpuninstall.exe
2012-02-28 06:56:48 2311168 ----a-w- C:\Windows\System32\jscript9.dll
2012-02-28 06:49:56 1390080 ----a-w- C:\Windows\System32\wininet.dll
2012-02-28 06:48:57 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-02-28 06:42:55 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-02-28 01:18:55 1799168 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2008-06-12 06:15:44 245408 ----a-w- C:\Program Files\unicows.dll
2008-05-06 10:23:10 189808 ----a-w- C:\Program Files\AutoPlay.exe
2011-09-26 01:23:24 2169856 --sha-w- C:\Windows\System32\hale.exe
.
============= FINISH: 23:46:04.84 ===============
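The DDS listing above is what a responder reads by eye. As an added example (not part of this thread, and not code from DDS or ComboFix), the following Python script parses "Created Last 30" / "Find3M" style lines and flags two patterns worth a second look: an executable under the Windows directory carrying both the System and Hidden attributes, and a folder whose name is an unexpanded variable such as %APPDATA%. The column layout of the attribute field is an assumption inferred from the log lines themselves.

```python
"""Triage helper for DDS / ComboFix file-listing lines (added example).

Parses "Created Last 30" / "Find3M" style lines and flags two patterns a
malware responder checks by hand:
  * an .exe/.dll/.sys under the Windows directory carrying both the System
    and the Hidden attribute (the 'sh' pair in the attribute column), which
    the OS's own binaries in System32 do not carry;
  * a path containing an unexpanded environment variable such as
    %APPDATA%, i.e. some program created a folder literally named that way.
The column layout of the attribute field (d r s h a - w -) is an assumption
inferred from the log lines, not documented DDS behaviour.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One listing line. DDS prints "YYYY-MM-DD HH:MM:SS"; ComboFix prints
# "YYYY-MM-DD HH:MM" optionally followed by " . YYYY-MM-DD HH:MM".
LISTING_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}(?::\d{2})?)"
    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
    r"\s+(?P<size>\d+|-{8})\s+(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*?)\s*$"
)
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
UNEXPANDED_VAR = re.compile(r"%[A-Za-z_][A-Za-z0-9_()]*%")


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]      # None for directories ("--------")
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def is_system(self) -> bool:
        return self.attrs[2] == "s"

    @property
    def is_hidden(self) -> bool:
        return self.attrs[3] == "h"


@dataclass
class Finding:
    path: str
    reason: str


def parse_listing(text: str) -> List[Entry]:
    """Return every line that looks like a DDS/ComboFix file entry; section
    headers, '.' separators and free text are skipped."""
    entries = []
    for line in text.splitlines():
        m = LISTING_LINE.match(line.strip())
        if not m:
            continue
        size = int(m["size"]) if m["size"].isdigit() else None
        entries.append(Entry(m["date"], m["time"], size, m["attrs"], m["path"]))
    return entries


def under_windows_dir(path: str) -> bool:
    return path.lower().replace("/", "\\").startswith("c:\\windows\\")


def triage(text: str) -> List[Finding]:
    findings = []
    for e in parse_listing(text):
        lower = e.path.lower()
        # Rule 1: hidden+system *file* with an executable extension under
        # the Windows directory. Directories such as $RECYCLE.BIN are
        # legitimately d-sh--w- and are deliberately not flagged.
        if (not e.is_dir and e.is_system and e.is_hidden
                and lower.endswith(EXECUTABLE_EXT) and under_windows_dir(e.path)):
            findings.append(Finding(e.path, "hidden+system executable under C:\\Windows"))
        # Rule 2: a literal %VAR% in the path means the variable was never
        # expanded by whatever created the entry.
        if UNEXPANDED_VAR.search(e.path):
            findings.append(Finding(e.path, "unexpanded environment variable in path"))
    return findings


# Excerpt reproduced from the DDS and ComboFix logs quoted in this thread.
SAMPLE_LOG = r"""
=============== Created Last 30 ================
.
2012-05-26 15:46:00 -------- d-sh--w- C:\$RECYCLE.BIN
2012-05-25 00:10:59 -------- d-----w- C:\Windows\SysWow64\%APPDATA%
2012-05-12 07:14:13 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
.
==================== Find3M ====================
.
2011-09-26 01:23:24 2169856 --sha-w- C:\Windows\System32\hale.exe
2012-05-25 00:10 . 2012-05-25 00:10 -------- d-----w- c:\windows\SysWow64\%APPDATA%
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.path}")
```

A flag from this script is a reason to look closer (publisher, hash, creation context), not a verdict; ordinary Windows binaries such as ntoskrnl.exe pass through untouched.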



#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
Posted 27 May 2012 - 06:29 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 slavabusy
  • Topic Starter

  • Members
  • 28 posts
  • Gender:Male
Posted 27 May 2012 - 04:09 PM

Thank you for a quick response, Gringo!
I downloaded and ran Security Check, in the black box it said:
"Preparing Done!" No Instance(s)Available. No Instance(s)Available.
Then the box closed, with no checkup.txt file.
ComboFix ran smooth.
Computer: after about 15 minutes idling everything disappears, just a black screen and a mouse pointer on it which I can move. Google still redirects.




ComboFix 12-05-27.02 - slava 05/27/2012 15:12:56.2.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.6109.4499 [GMT -4:00]
Running from: c:\users\slava\Desktop\Combo-Fix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-04-27 to 2012-05-27 )))))))))))))))))))))))))))))))
.
.
2012-05-27 19:42 . 2012-05-27 19:42 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-05-27 19:42 . 2012-05-27 19:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-26 10:51 . 2012-05-26 11:57 -------- d-----w- C:\Combo-Fix
2012-05-26 03:54 . 2012-05-26 05:31 -------- d-----w- c:\program files (x86)\McAfee Security Scan
2012-05-26 03:54 . 2012-05-26 03:54 -------- d-----w- c:\programdata\McAfee
2012-05-25 04:50 . 2012-05-26 06:48 -------- d-----w- c:\programdata\HitmanPro
2012-05-25 00:10 . 2012-05-25 00:10 -------- d-----w- c:\windows\SysWow64\%APPDATA%
2012-05-14 10:47 . 2012-05-15 08:44 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ACBA8227-86EB-484C-AF42-0A721B0FFC61}\offreg.dll
2012-05-12 22:41 . 2012-05-12 22:41 -------- d-----w- c:\users\slava\AppData\Roaming\Media Player Classic
2012-05-12 07:14 . 2012-03-03 06:35 1544704 ----a-w- c:\windows\system32\DWrite.dll
2012-05-12 07:14 . 2012-03-03 05:31 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-05-12 07:14 . 2012-03-31 06:05 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-12 07:14 . 2012-03-31 03:10 3146240 ----a-w- c:\windows\system32\win32k.sys
2012-05-12 07:14 . 2012-03-31 04:39 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-05-12 07:14 . 2012-03-31 04:39 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-12 07:13 . 2012-03-30 11:35 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-12 07:13 . 2012-03-17 07:58 75120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-12 07:13 . 2012-03-31 05:42 1732096 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2012-05-12 07:13 . 2012-03-31 05:40 1367552 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-12 07:13 . 2012-03-31 05:40 1393664 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2012-05-12 07:13 . 2012-03-31 04:29 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-12 07:13 . 2012-03-31 05:40 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2012-05-03 01:59 . 2012-05-26 05:32 -------- d-----w- c:\users\slava\AppData\Local\{A5669FDC-94C3-11E1-826D-B8AC6F996F26}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-04 03:32 . 2010-09-21 19:11 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-03-01 06:46 . 2012-04-24 07:00 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-03-01 06:38 . 2012-04-24 07:00 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-03-01 06:33 . 2012-04-24 07:00 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-03-01 06:28 . 2012-04-24 07:00 5120 ----a-w- c:\windows\system32\wmi.dll
2012-03-01 05:37 . 2012-04-24 07:00 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-03-01 05:33 . 2012-04-24 07:00 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-03-01 05:29 . 2012-04-24 07:00 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-03-01 00:32 . 2012-03-01 00:32 14646304 ----a-w- c:\program files (x86)\Common Files\lpuninstall.exe
2012-02-28 06:56 . 2012-04-24 07:03 2311168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 06:49 . 2012-04-24 07:03 1390080 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 06:48 . 2012-04-24 07:03 1493504 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 06:42 . 2012-04-24 07:03 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-28 01:18 . 2012-04-24 07:03 1799168 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-02-28 01:11 . 2012-04-24 07:03 1427456 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-02-28 01:11 . 2012-04-24 07:03 1127424 ----a-w- c:\windows\SysWow64\wininet.dll
2012-02-28 01:03 . 2012-04-24 07:03 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2008-06-12 06:15 . 2010-07-29 18:21 245408 ----a-w- c:\program files\unicows.dll
2008-05-06 10:23 . 2010-07-29 18:21 189808 ----a-w- c:\program files\AutoPlay.exe
2011-09-26 01:23 2169856 --sha-w- c:\windows\System32\hale.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-05-26_11.35.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-01 03:05 . 2012-05-27 18:36 53082 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-05-27 18:36 38978 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-04-01 02:50 . 2012-05-27 04:08 13826 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4086009842-4173814806-1320277029-1000_UserData.bin
- 2012-05-26 11:33 . 2012-05-26 11:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-05-27 19:44 . 2012-05-27 19:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-05-27 19:44 . 2012-05-27 19:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-05-26 11:33 . 2012-05-26 11:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2012-05-26 10:47 627104 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-05-27 03:35 627104 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-05-26 10:47 107420 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2012-05-27 03:35 107420 c:\windows\system32\perfc009.dat
+ 2009-07-14 05:01 . 2012-05-27 19:43 538532 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-05-26 11:32 538532 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2010-11-01 23:31 . 2012-05-27 19:43 4503008 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4086009842-4173814806-1320277029-1000-8192.dat
- 2010-11-01 23:31 . 2012-05-26 11:32 4503008 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4086009842-4173814806-1320277029-1000-8192.dat
+ 2012-05-27 18:39 . 2012-05-27 18:39 53217792 c:\windows\Installer\45666.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Speech Recognition"="c:\windows\Speech\Common\sapisvr.exe" [2009-07-14 44544]
"Akamai NetSession Interface"="c:\users\slava\AppData\Local\Akamai\netsession_win.exe" [2012-05-08 3331872]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-09-07 40376]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-29 136176]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-01-31 158856]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-29 136176]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 ssmirrdr;ssmirrdr;c:\windows\system32\DRIVERS\ssmirrdr.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 PanService;PandoraService;c:\program files (x86)\PANDORA.TV\PanService\PandoraService.exe [2012-04-06 624856]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
2010-11-20 12:17 302592 ----a-w- c:\windows\System32\cmd.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-29 14:17]
.
2012-05-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-29 14:17]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2710856]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-05-23 7833120]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-05-23 1833504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 417304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>
IE: LastPass - file://c:\program files (x86)\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files (x86)\LastPass\context.html?cmd=fillforms
Trusted Zone: alipay.com
Trusted Zone: alisoft.com
Trusted Zone: craigslist.org\post
Trusted Zone: taobao.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
FF - ProfilePath - c:\users\slava\AppData\Roaming\Mozilla\Firefox\Profiles\0towfyud.default\
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?ilc=1
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=adbartrp&affID=107763&mntrId=1c012b7100000000000000248cde0296&q=
FF - prefs.js: network.proxy.type - 0
.
.
------- File Associations -------
.
.txt=FreeOpener
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{5B291E6C-9A74-4034-971B-A4B007A0B315} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_6c825ce.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
.
**************************************************************************
.
Completion time: 2012-05-27 16:16:12 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-27 20:16
ComboFix2.txt 2012-05-26 11:57
.
Pre-Run: 261,154,627,584 bytes free
Post-Run: 260,862,472,192 bytes free
.
- - End Of File - - CB4DA4253FDF83A4DCCCA2AB81AD8255

Edited by slavabusy, 27 May 2012 - 04:41 PM.


#4 gringo_pr

Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 May 2012 - 04:24 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save Log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
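The TDSSKiller report gringo asks for above has a regular line format, so it can be triaged mechanically. The script below is an added example written for this thread (it is not part of any post and not Kaspersky's own tooling): it lists every object TDSSKiller did not mark "ok" together with the file path and md5 logged for it, rebuilds the MBR partition table, and reports unpartitioned regions of the disk. The sample report is constructed in the shape of the log posted later in this thread; the regexes, class names and the 2048-sector alignment threshold are my assumptions.

```python
"""Triage helper for TDSSKiller report files (added example, not Kaspersky code)."""
import re
from dataclasses import dataclass, field

# Every report line is "<HH:MM:SS.ffff> <pid> <message>"; only the message is parsed.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\d+)\s+(.*)$")
# Object enumeration: "<name> (<md5>) <path>"
OBJ_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# Extra detail printed before a detection: "Suspicious file (Hidden): <path>. md5: <md5>"
SUSP_RE = re.compile(r"^Suspicious file \((?P<reason>[^)]+)\): (?P<path>.+?)\. md5: (?P<md5>[0-9a-f]{32})$")
# "<name> ( <verdict> ) - warning" always precedes the "- detected" line that repeats the verdict
WARN_RE = re.compile(r"^(?P<name>.+?) \( (?P<verdict>[^)]+) \) - warning$")
# Per-object result: "<name> - ok" or "<name> - detected <verdict> (<count>)"
RESULT_RE = re.compile(r"^(?P<name>.+?) - (?:ok|detected (?P<verdict>\S+) \((?P<count>\d+)\))$")
DRIVE_RE = re.compile(r"- Size: 0x(?P<size>[0-9A-Fa-f]+) .*SectorSize: 0x(?P<sector>[0-9A-Fa-f]+)")
PART_RE = re.compile(r"^\\Device\\Harddisk(?P<disk>\d+)\\DR\d+\\Partition(?P<idx>\d+): MBR, "
                     r"Type 0x(?P<type>[0-9A-Fa-f]+), StartLBA 0x(?P<start>[0-9A-Fa-f]+), "
                     r"BlocksNum 0x(?P<blocks>[0-9A-Fa-f]+)$")


@dataclass
class Finding:
    name: str
    verdict: str
    path: str = ""
    md5: str = ""
    reason: str = ""


@dataclass
class Partition:
    disk: int
    index: int
    type_id: int
    start_lba: int
    blocks: int
    sector_size: int

    @property
    def size_bytes(self) -> int:
        return self.blocks * self.sector_size


@dataclass
class Triage:
    scanned: int = 0
    clean: int = 0
    findings: list = field(default_factory=list)
    partitions: list = field(default_factory=list)
    total_sectors: int = 0
    sector_size: int = 512


def parse_report(text: str) -> Triage:
    """Walk a TDSSKiller report once, joining each result line to the object line before it."""
    t = Triage()
    objects = {}     # name -> (path, md5) from the enumeration line
    suspicious = {}  # path -> reason from "Suspicious file" lines
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(3)
        if (d := DRIVE_RE.search(msg)):
            t.sector_size = int(d["sector"], 16)
            t.total_sectors = int(d["size"], 16) // t.sector_size
        elif (p := PART_RE.match(msg)):
            t.partitions.append(Partition(int(p["disk"]), int(p["idx"]), int(p["type"], 16),
                                          int(p["start"], 16), int(p["blocks"], 16), t.sector_size))
        elif (s := SUSP_RE.match(msg)):
            suspicious[s["path"]] = s["reason"]
        elif WARN_RE.match(msg):
            pass  # the "- detected" line that follows carries the same verdict
        elif (r := RESULT_RE.match(msg)):
            t.scanned += 1
            if r["verdict"] is None:
                t.clean += 1
            else:
                path, md5 = objects.get(r["name"], ("", ""))
                t.findings.append(Finding(r["name"], r["verdict"], path, md5, suspicious.get(path, "")))
        elif (o := OBJ_RE.match(msg)):
            objects[o["name"]] = (o["path"], o["md5"])
    return t


def unallocated(t: Triage, disk: int = 0, min_sectors: int = 2048) -> list:
    """(start_lba, sectors) for each gap in the MBR table of one disk at least min_sectors long.
    About 2048 leading sectors is normal alignment slack; larger gaps, and space after the last
    partition, are what an analyst should be able to explain (recovery area, OEM tools, ...)."""
    gaps, cursor = [], 0
    for p in sorted((p for p in t.partitions if p.disk == disk), key=lambda p: p.start_lba):
        if p.start_lba - cursor >= min_sectors:
            gaps.append((cursor, p.start_lba - cursor))
        cursor = max(cursor, p.start_lba + p.blocks)
    if t.total_sectors and t.total_sectors - cursor >= min_sectors:  # single-drive report assumed
        gaps.append((cursor, t.total_sectors - cursor))
    return gaps


# Constructed sample in the shape of the report posted later in this thread (a few lines only).
SAMPLE_REPORT = r"""
23:35:31.0576 2284 TDSS rootkit removing tool 2.7.37.0 May 23 2012 08:15:30
23:35:33.0701 2284 Drive \Device\Harddisk0\DR0 - Size: 0x950B056000 (596.17 Gb), SectorSize: 0x200, Cylinders: 0x13001, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
23:35:33.0704 2284 MBR partitions:
23:35:33.0704 2284 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x1402800, BlocksNum 0x32000
23:35:33.0704 2284 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1434800, BlocksNum 0x4941EAB0
23:36:21.0352 1092 Scan started
23:36:23.0040 1092 1394ohci (a87d604aea360176311474c87a63bb88) C:\Windows\system32\drivers\1394ohci.sys
23:36:23.0043 1092 1394ohci - ok
23:36:23.0608 1092 Akamai (1125c7d9fb8898015829c387c1bc87c7) c:\program files (x86)\common files\akamai/netsession_win_6c825ce.dll
23:36:23.0609 1092 Suspicious file (Hidden): c:\program files (x86)\common files\akamai/netsession_win_6c825ce.dll. md5: 1125c7d9fb8898015829c387c1bc87c7
23:36:23.0617 1092 Akamai ( HiddenFile.Multi.Generic ) - warning
23:36:23.0617 1092 Akamai - detected HiddenFile.Multi.Generic (1)
23:36:24.0772 1092 catchme - ok
"""


def summarize(t: Triage) -> str:
    lines = [f"objects scanned: {t.scanned}, clean: {t.clean}, flagged: {len(t.findings)}"]
    for f in t.findings:
        lines.append(f"  {f.name}: {f.verdict} ({f.reason or 'n/a'}) {f.path} md5={f.md5}")
    for p in t.partitions:
        lines.append(f"  partition {p.index}: type 0x{p.type_id:x} start {p.start_lba} "
                     f"sectors {p.blocks} ({p.size_bytes // 2**20} MiB)")
    for start, length in unallocated(t):
        lines.append(f"  unallocated: {length} sectors at LBA {start} ({length * t.sector_size // 2**20} MiB)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE_REPORT)))
```

Run against a full report, the "flagged" lines are what a helper reads first; the unallocated list is only a prompt to explain each region, not a verdict.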

#5 slavabusy

  • Topic Starter
  • Members
  • 28 posts
  • Gender:Male

Posted 27 May 2012 - 05:37 PM

Downloaded from the links in your post and copied them to the desktop of the infected computer; none of them will run.
Just a User Account Control window pops up asking for permission to allow changes to this computer; I click "Yes" and nothing happens.
Same in Safe Mode with Networking.

Edited by slavabusy, 27 May 2012 - 05:44 PM.


#6 gringo_pr

Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 May 2012 - 08:41 PM

Hello

I would like you to run this tool for me - fixTDSS

Download it to your desktop and start the program.

Follow the prompts and OK any security prompts.

When it is complete it will say the infection was cleared or no infection was found; let me know what it says.

After it is complete I want you to restart the computer, try to rerun TDSSKiller for me and send me the report.

Gringo

#7 slavabusy

  • Topic Starter
  • Members
  • 28 posts
  • Gender:Male

Posted 27 May 2012 - 11:39 PM

FixTDSS did the trick: it said an infected MBR was detected and the repair was successful.
Here are the TDSSKiller and aswMBR reports:

23:35:31.0576 2284 TDSS rootkit removing tool 2.7.37.0 May 23 2012 08:15:30
23:35:31.0864 2284 ============================================================
23:35:31.0864 2284 Current date / time: 2012/05/27 23:35:31.0864
23:35:31.0864 2284 SystemInfo:
23:35:31.0864 2284
23:35:31.0864 2284 OS Version: 6.1.7601 ServicePack: 1.0
23:35:31.0864 2284 Product type: Workstation
23:35:31.0864 2284 ComputerName: SLAVA-PC
23:35:31.0864 2284 UserName: slava
23:35:31.0864 2284 Windows directory: C:\Windows
23:35:31.0864 2284 System windows directory: C:\Windows
23:35:31.0864 2284 Running under WOW64
23:35:31.0864 2284 Processor architecture: Intel x64
23:35:31.0864 2284 Number of processors: 2
23:35:31.0864 2284 Page size: 0x1000
23:35:31.0864 2284 Boot type: Normal boot
23:35:31.0864 2284 ============================================================
23:35:33.0701 2284 Drive \Device\Harddisk0\DR0 - Size: 0x950B056000 (596.17 Gb), SectorSize: 0x200, Cylinders: 0x13001, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
23:35:33.0704 2284 ============================================================
23:35:33.0704 2284 \Device\Harddisk0\DR0:
23:35:33.0704 2284 MBR partitions:
23:35:33.0704 2284 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x1402800, BlocksNum 0x32000
23:35:33.0704 2284 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1434800, BlocksNum 0x4941EAB0
23:35:33.0704 2284 ============================================================
23:35:33.0726 2284 C: <-> \Device\Harddisk0\DR0\Partition1
23:35:33.0726 2284 ============================================================
23:35:33.0726 2284 Initialize success
23:35:33.0726 2284 ============================================================
23:36:21.0352 1092 ============================================================
23:36:21.0352 1092 Scan started
23:36:21.0352 1092 Mode: Manual;
23:36:21.0352 1092 ============================================================
23:36:23.0040 1092 1394ohci (a87d604aea360176311474c87a63bb88) C:\Windows\system32\drivers\1394ohci.sys
23:36:23.0043 1092 1394ohci - ok
23:36:23.0095 1092 ACPI (d81d9e70b8a6dd14d42d7b4efa65d5f2) C:\Windows\system32\drivers\ACPI.sys
23:36:23.0098 1092 ACPI - ok
23:36:23.0129 1092 AcpiPmi (99f8e788246d495ce3794d7e7821d2ca) C:\Windows\system32\drivers\acpipmi.sys
23:36:23.0130 1092 AcpiPmi - ok
23:36:23.0182 1092 adfs (2f0683fd2df1d92e891caca14b45a8c1) C:\Windows\system32\drivers\adfs.sys
23:36:23.0183 1092 adfs - ok
23:36:23.0235 1092 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
23:36:23.0241 1092 adp94xx - ok
23:36:23.0258 1092 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
23:36:23.0263 1092 adpahci - ok
23:36:23.0298 1092 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
23:36:23.0301 1092 adpu320 - ok
23:36:23.0324 1092 AeLookupSvc (4b78b431f225fd8624c5655cb1de7b61) C:\Windows\System32\aelupsvc.dll
23:36:23.0325 1092 AeLookupSvc - ok
23:36:23.0369 1092 AFD (1c7857b62de5994a75b054a9fd4c3825) C:\Windows\system32\drivers\afd.sys
23:36:23.0375 1092 AFD - ok
23:36:23.0412 1092 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\drivers\agp440.sys
23:36:23.0414 1092 agp440 - ok
23:36:23.0608 1092 Akamai (1125c7d9fb8898015829c387c1bc87c7) c:\program files (x86)\common files\akamai/netsession_win_6c825ce.dll
23:36:23.0609 1092 Suspicious file (Hidden): c:\program files (x86)\common files\akamai/netsession_win_6c825ce.dll. md5: 1125c7d9fb8898015829c387c1bc87c7
23:36:23.0617 1092 Akamai ( HiddenFile.Multi.Generic ) - warning
23:36:23.0617 1092 Akamai - detected HiddenFile.Multi.Generic (1)
23:36:23.0700 1092 ALG (3290d6946b5e30e70414990574883ddb) C:\Windows\System32\alg.exe
23:36:23.0702 1092 ALG - ok
23:36:23.0741 1092 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\drivers\aliide.sys
23:36:23.0743 1092 aliide - ok
23:36:23.0754 1092 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\drivers\amdide.sys
23:36:23.0755 1092 amdide - ok
23:36:23.0786 1092 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys
23:36:23.0787 1092 AmdK8 - ok
23:36:23.0796 1092 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
23:36:23.0798 1092 AmdPPM - ok
23:36:23.0825 1092 amdsata (d4121ae6d0c0e7e13aa221aa57ef2d49) C:\Windows\system32\drivers\amdsata.sys
23:36:23.0827 1092 amdsata - ok
23:36:23.0859 1092 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys
23:36:23.0861 1092 amdsbs - ok
23:36:23.0881 1092 amdxata (540daf1cea6094886d72126fd7c33048) C:\Windows\system32\drivers\amdxata.sys
23:36:23.0882 1092 amdxata - ok
23:36:23.0923 1092 AppID (89a69c3f2f319b43379399547526d952) C:\Windows\system32\drivers\appid.sys
23:36:23.0924 1092 AppID - ok
23:36:23.0940 1092 AppIDSvc (0bc381a15355a3982216f7172f545de1) C:\Windows\System32\appidsvc.dll
23:36:23.0941 1092 AppIDSvc - ok
23:36:23.0965 1092 Appinfo (3977d4a871ca0d4f2ed1e7db46829731) C:\Windows\System32\appinfo.dll
23:36:23.0966 1092 Appinfo - ok
23:36:23.0989 1092 AppMgmt (4aba3e75a76195a3e38ed2766c962899) C:\Windows\System32\appmgmts.dll
23:36:23.0991 1092 AppMgmt - ok
23:36:24.0022 1092 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys
23:36:24.0024 1092 arc - ok
23:36:24.0040 1092 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys
23:36:24.0042 1092 arcsas - ok
23:36:24.0056 1092 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
23:36:24.0057 1092 AsyncMac - ok
23:36:24.0084 1092 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\drivers\atapi.sys
23:36:24.0084 1092 atapi - ok
23:36:24.0130 1092 AudioEndpointBuilder (f23fef6d569fce88671949894a8becf1) C:\Windows\System32\Audiosrv.dll
23:36:24.0137 1092 AudioEndpointBuilder - ok
23:36:24.0145 1092 AudioSrv (f23fef6d569fce88671949894a8becf1) C:\Windows\System32\Audiosrv.dll
23:36:24.0148 1092 AudioSrv - ok
23:36:24.0183 1092 AxInstSV (a6bf31a71b409dfa8cac83159e1e2aff) C:\Windows\System32\AxInstSV.dll
23:36:24.0186 1092 AxInstSV - ok
23:36:24.0232 1092 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys
23:36:24.0239 1092 b06bdrv - ok
23:36:24.0264 1092 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
23:36:24.0268 1092 b57nd60a - ok
23:36:24.0296 1092 BDESVC (fde360167101b4e45a96f939f388aeb0) C:\Windows\System32\bdesvc.dll
23:36:24.0298 1092 BDESVC - ok
23:36:24.0312 1092 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
23:36:24.0313 1092 Beep - ok
23:36:24.0373 1092 BFE (82974d6a2fd19445cc5171fc378668a4) C:\Windows\System32\bfe.dll
23:36:24.0383 1092 BFE - ok
23:36:24.0438 1092 BITS (1ea7969e3271cbc59e1730697dc74682) C:\Windows\system32\qmgr.dll
23:36:24.0449 1092 BITS - ok
23:36:24.0495 1092 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
23:36:24.0496 1092 blbdrive - ok
23:36:24.0517 1092 bowser (6c02a83164f5cc0a262f4199f0871cf5) C:\Windows\system32\DRIVERS\bowser.sys
23:36:24.0518 1092 bowser - ok
23:36:24.0533 1092 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys
23:36:24.0534 1092 BrFiltLo - ok
23:36:24.0547 1092 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys
23:36:24.0548 1092 BrFiltUp - ok
23:36:24.0584 1092 BridgeMP (5c2f352a4e961d72518261257aae204b) C:\Windows\system32\DRIVERS\bridge.sys
23:36:24.0586 1092 BridgeMP - ok
23:36:24.0614 1092 Browser (8ef0d5c41ec907751b8429162b1239ed) C:\Windows\System32\browser.dll
23:36:24.0616 1092 Browser - ok
23:36:24.0639 1092 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
23:36:24.0643 1092 Brserid - ok
23:36:24.0666 1092 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
23:36:24.0668 1092 BrSerWdm - ok
23:36:24.0679 1092 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
23:36:24.0680 1092 BrUsbMdm - ok
23:36:24.0687 1092 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
23:36:24.0688 1092 BrUsbSer - ok
23:36:24.0700 1092 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys
23:36:24.0702 1092 BTHMODEM - ok
23:36:24.0729 1092 bthserv (95f9c2976059462cbbf227f7aab10de9) C:\Windows\system32\bthserv.dll
23:36:24.0730 1092 bthserv - ok
23:36:24.0772 1092 catchme - ok
23:36:24.0803 1092 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
23:36:24.0804 1092 cdfs - ok
23:36:24.0846 1092 cdrom (f036ce71586e93d94dab220d7bdf4416) C:\Windows\system32\drivers\cdrom.sys
23:36:24.0848 1092 cdrom - ok
23:36:24.0886 1092 CertPropSvc (f17d1d393bbc69c5322fbfafaca28c7f) C:\Windows\System32\certprop.dll
23:36:24.0888 1092 CertPropSvc - ok
23:36:24.0902 1092 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys
23:36:24.0904 1092 circlass - ok
23:36:24.0931 1092 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
23:36:24.0935 1092 CLFS - ok
23:36:24.0968 1092 clr_optimization_v2.0.50727_32 (d88040f816fda31c3b466f0fa0918f29) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
23:36:24.0971 1092 clr_optimization_v2.0.50727_32 - ok
23:36:25.0018 1092 clr_optimization_v2.0.50727_64 (d1ceea2b47cb998321c579651ce3e4f8) C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
23:36:25.0020 1092 clr_optimization_v2.0.50727_64 - ok
23:36:25.0082 1092 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
23:36:25.0100 1092 clr_optimization_v4.0.30319_32 - ok
23:36:25.0160 1092 clr_optimization_v4.0.30319_64 (c6f9af94dcd58122a4d7e89db6bed29d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
23:36:25.0163 1092 clr_optimization_v4.0.30319_64 - ok
23:36:25.0190 1092 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
23:36:25.0191 1092 CmBatt - ok
23:36:25.0217 1092 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\drivers\cmdide.sys
23:36:25.0218 1092 cmdide - ok
23:36:25.0256 1092 CNG (c4943b6c962e4b82197542447ad599f4) C:\Windows\system32\Drivers\cng.sys
23:36:25.0262 1092 CNG - ok
23:36:25.0272 1092 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
23:36:25.0273 1092 Compbatt - ok
23:36:25.0310 1092 CompositeBus (03edb043586cceba243d689bdda370a8) C:\Windows\system32\drivers\CompositeBus.sys
23:36:25.0312 1092 CompositeBus - ok
23:36:25.0322 1092 COMSysApp - ok
23:36:25.0345 1092 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys
23:36:25.0346 1092 crcdisk - ok
23:36:25.0392 1092 CryptSvc (15597883fbe9b056f276ada3ad87d9af) C:\Windows\system32\cryptsvc.dll
23:36:25.0395 1092 CryptSvc - ok
23:36:25.0442 1092 CSC (54da3dfd29ed9f1619b6f53f3ce55e49) C:\Windows\system32\drivers\csc.sys
23:36:25.0448 1092 CSC - ok
23:36:25.0477 1092 CscService (3ab183ab4d2c79dcf459cd2c1266b043) C:\Windows\System32\cscsvc.dll
23:36:25.0485 1092 CscService - ok
23:36:25.0655 1092 DcomLaunch (5c627d1b1138676c0a7ab2c2c190d123) C:\Windows\system32\rpcss.dll
23:36:25.0666 1092 DcomLaunch - ok
23:36:25.0787 1092 defragsvc (3cec7631a84943677aa8fa8ee5b6b43d) C:\Windows\System32\defragsvc.dll
23:36:25.0797 1092 defragsvc - ok
23:36:25.0881 1092 DfsC (9bb2ef44eaa163b29c4a4587887a0fe4) C:\Windows\system32\Drivers\dfsc.sys
23:36:25.0892 1092 DfsC - ok
23:36:25.0952 1092 Dhcp (43d808f5d9e1a18e5eeb5ebc83969e4e) C:\Windows\system32\dhcpcore.dll
23:36:25.0957 1092 Dhcp - ok
23:36:25.0976 1092 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
23:36:25.0977 1092 discache - ok
23:36:25.0997 1092 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\DRIVERS\disk.sys
23:36:25.0998 1092 Disk - ok
23:36:26.0032 1092 Dnscache (16835866aaa693c7d7fceba8fff706e4) C:\Windows\System32\dnsrslvr.dll
23:36:26.0035 1092 Dnscache - ok
23:36:26.0067 1092 dot3svc (b1fb3ddca0fdf408750d5843591afbc6) C:\Windows\System32\dot3svc.dll
23:36:26.0070 1092 dot3svc - ok
23:36:26.0106 1092 DPS (b26f4f737e8f9df4f31af6cf31d05820) C:\Windows\system32\dps.dll
23:36:26.0108 1092 DPS - ok
23:36:26.0134 1092 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
23:36:26.0135 1092 drmkaud - ok
23:36:26.0183 1092 DXGKrnl (f5bee30450e18e6b83a5012c100616fd) C:\Windows\System32\drivers\dxgkrnl.sys
23:36:26.0190 1092 DXGKrnl - ok
23:36:26.0206 1092 eamonm - ok
23:36:26.0234 1092 EapHost (e2dda8726da9cb5b2c4000c9018a9633) C:\Windows\System32\eapsvc.dll
23:36:26.0235 1092 EapHost - ok
23:36:26.0348 1092 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\DRIVERS\evbda.sys
23:36:26.0379 1092 ebdrv - ok
23:36:26.0451 1092 EFS (c118a82cd78818c29ab228366ebf81c3) C:\Windows\System32\lsass.exe
23:36:26.0453 1092 EFS - ok
23:36:26.0508 1092 ehRecvr (c4002b6b41975f057d98c439030cea07) C:\Windows\ehome\ehRecvr.exe
23:36:26.0518 1092 ehRecvr - ok
23:36:26.0534 1092 ehSched (4705e8ef9934482c5bb488ce28afc681) C:\Windows\ehome\ehsched.exe
23:36:26.0536 1092 ehSched - ok
23:36:26.0580 1092 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\DRIVERS\elxstor.sys
23:36:26.0588 1092 elxstor - ok
23:36:26.0615 1092 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\drivers\errdev.sys
23:36:26.0616 1092 ErrDev - ok
23:36:26.0665 1092 EventSystem (4166f82be4d24938977dd1746be9b8a0) C:\Windows\system32\es.dll
23:36:26.0671 1092 EventSystem - ok
23:36:26.0693 1092 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
23:36:26.0697 1092 exfat - ok
23:36:26.0720 1092 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
23:36:26.0723 1092 fastfat - ok
23:36:26.0779 1092 Fax (dbefd454f8318a0ef691fdd2eaab44eb) C:\Windows\system32\fxssvc.exe
23:36:26.0790 1092 Fax - ok
23:36:26.0817 1092 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\DRIVERS\fdc.sys
23:36:26.0818 1092 fdc - ok
23:36:26.0847 1092 fdPHost (0438cab2e03f4fb61455a7956026fe86) C:\Windows\system32\fdPHost.dll
23:36:26.0849 1092 fdPHost - ok
23:36:26.0861 1092 FDResPub (802496cb59a30349f9a6dd22d6947644) C:\Windows\system32\fdrespub.dll
23:36:26.0863 1092 FDResPub - ok
23:36:26.0872 1092 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
23:36:26.0874 1092 FileInfo - ok
23:36:26.0890 1092 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
23:36:26.0891 1092 Filetrace - ok
23:36:26.0991 1092 FLEXnet Licensing Service (1f63900e2eb00101b9aca2b7a870704e) C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
23:36:27.0001 1092 FLEXnet Licensing Service - ok
23:36:27.0012 1092 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\DRIVERS\flpydisk.sys
23:36:27.0013 1092 flpydisk - ok
23:36:27.0055 1092 FltMgr (da6b67270fd9db3697b20fce94950741) C:\Windows\system32\drivers\fltmgr.sys
23:36:27.0058 1092 FltMgr - ok
23:36:27.0115 1092 FontCache (5c4cb4086fb83115b153e47add961a0c) C:\Windows\system32\FntCache.dll
23:36:27.0127 1092 FontCache - ok
23:36:27.0181 1092 FontCache3.0.0.0 (a8b7f3818ab65695e3a0bb3279f6dce6) C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
23:36:27.0182 1092 FontCache3.0.0.0 - ok
23:36:27.0213 1092 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
23:36:27.0214 1092 FsDepends - ok
23:36:27.0229 1092 Fs_Rec (6bd9295cc032dd3077c671fccf579a7b) C:\Windows\system32\drivers\Fs_Rec.sys
23:36:27.0230 1092 Fs_Rec - ok
23:36:27.0267 1092 fvevol (1f7b25b858fa27015169fe95e54108ed) C:\Windows\system32\DRIVERS\fvevol.sys
23:36:27.0271 1092 fvevol - ok
23:36:27.0287 1092 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\DRIVERS\gagp30kx.sys
23:36:27.0288 1092 gagp30kx - ok
23:36:27.0343 1092 gpsvc (277bbc7e1aa1ee957f573a10eca7ef3a) C:\Windows\System32\gpsvc.dll
23:36:27.0355 1092 gpsvc - ok
23:36:27.0444 1092 gupdate (f02a533f517eb38333cb12a9e8963773) C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
23:36:27.0446 1092 gupdate - ok
23:36:27.0474 1092 gupdatem (f02a533f517eb38333cb12a9e8963773) C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
23:36:27.0476 1092 gupdatem - ok
23:36:27.0492 1092 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
23:36:27.0493 1092 hcw85cir - ok
23:36:27.0543 1092 HdAudAddService (975761c778e33cd22498059b91e7373a) C:\Windows\system32\drivers\HdAudio.sys
23:36:27.0547 1092 HdAudAddService - ok
23:36:27.0586 1092 HDAudBus (97bfed39b6b79eb12cddbfeed51f56bb) C:\Windows\system32\drivers\HDAudBus.sys
23:36:27.0589 1092 HDAudBus - ok
23:36:27.0615 1092 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\DRIVERS\HidBatt.sys
23:36:27.0616 1092 HidBatt - ok
23:36:27.0634 1092 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\DRIVERS\hidbth.sys
23:36:27.0636 1092 HidBth - ok
23:36:27.0650 1092 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\DRIVERS\hidir.sys
23:36:27.0651 1092 HidIr - ok
23:36:27.0672 1092 hidserv (bd9eb3958f213f96b97b1d897dee006d) C:\Windows\System32\hidserv.dll
23:36:27.0674 1092 hidserv - ok
23:36:27.0704 1092 HidUsb (9592090a7e2b61cd582b612b6df70536) C:\Windows\system32\DRIVERS\hidusb.sys
23:36:27.0706 1092 HidUsb - ok
23:36:27.0742 1092 hkmsvc (387e72e739e15e3d37907a86d9ff98e2) C:\Windows\system32\kmsvc.dll
23:36:27.0744 1092 hkmsvc - ok
23:36:27.0777 1092 HomeGroupListener (efdfb3dd38a4376f93e7985173813abd) C:\Windows\system32\ListSvc.dll
23:36:27.0780 1092 HomeGroupListener - ok
23:36:27.0809 1092 HomeGroupProvider (908acb1f594274965a53926b10c81e89) C:\Windows\system32\provsvc.dll
23:36:27.0812 1092 HomeGroupProvider - ok
23:36:27.0839 1092 HpSAMD (39d2abcd392f3d8a6dce7b60ae7b8efc) C:\Windows\system32\drivers\HpSAMD.sys
23:36:27.0840 1092 HpSAMD - ok
23:36:27.0914 1092 HTTP (0ea7de1acb728dd5a369fd742d6eee28) C:\Windows\system32\drivers\HTTP.sys
23:36:27.0923 1092 HTTP - ok
23:36:27.0934 1092 hwpolicy (a5462bd6884960c9dc85ed49d34ff392) C:\Windows\system32\drivers\hwpolicy.sys
23:36:27.0935 1092 hwpolicy - ok
23:36:27.0982 1092 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\drivers\i8042prt.sys
23:36:27.0991 1092 i8042prt - ok
23:36:28.0053 1092 iaStorV (aaaf44db3bd0b9d1fb6969b23ecc8366) C:\Windows\system32\drivers\iaStorV.sys
23:36:28.0058 1092 iaStorV - ok
23:36:28.0147 1092 IDriverT (1cf03c69b49acb70c722df92755c0c8c) C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
23:36:28.0150 1092 IDriverT - ok
23:36:28.0243 1092 idsvc (5988fc40f8db5b0739cd1e3a5d0d78bd) C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
23:36:28.0256 1092 idsvc - ok
23:36:28.0643 1092 igfx (c6238c6abd6ac99f5d152da4e9439a3d) C:\Windows\system32\DRIVERS\igdkmd64.sys
23:36:28.0828 1092 igfx - ok
23:36:28.0905 1092 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\DRIVERS\iirsp.sys
23:36:28.0906 1092 iirsp - ok
23:36:28.0953 1092 IKEEXT (fcd84c381e0140af901e58d48882d26b) C:\Windows\System32\ikeext.dll
23:36:28.0964 1092 IKEEXT - ok
23:36:29.0058 1092 IntcAzAudAddService (d42d651676883181400e22957a7e0b1e) C:\Windows\system32\drivers\RTKVHD64.sys
23:36:29.0071 1092 IntcAzAudAddService - ok
23:36:29.0167 1092 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\drivers\intelide.sys
23:36:29.0168 1092 intelide - ok
23:36:29.0187 1092 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys
23:36:29.0188 1092 intelppm - ok
23:36:29.0212 1092 IPBusEnum (098a91c54546a3b878dad6a7e90a455b) C:\Windows\system32\ipbusenum.dll
23:36:29.0215 1092 IPBusEnum - ok
23:36:29.0239 1092 IpFilterDriver (c9f0e1bd74365a8771590e9008d22ab6) C:\Windows\system32\DRIVERS\ipfltdrv.sys
23:36:29.0240 1092 IpFilterDriver - ok
23:36:29.0274 1092 iphlpsvc (a34a587fffd45fa649fba6d03784d257) C:\Windows\System32\iphlpsvc.dll
23:36:29.0281 1092 iphlpsvc - ok
23:36:29.0345 1092 IPMIDRV (0fc1aea580957aa8817b8f305d18ca3a) C:\Windows\system32\drivers\IPMIDrv.sys
23:36:29.0347 1092 IPMIDRV - ok
23:36:29.0368 1092 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
23:36:29.0372 1092 IPNAT - ok
23:36:29.0395 1092 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
23:36:29.0396 1092 IRENUM - ok
23:36:29.0416 1092 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\drivers\isapnp.sys
23:36:29.0417 1092 isapnp - ok
23:36:29.0438 1092 iScsiPrt (d931d7309deb2317035b07c9f9e6b0bd) C:\Windows\system32\drivers\msiscsi.sys
23:36:29.0442 1092 iScsiPrt - ok
23:36:29.0475 1092 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\DRIVERS\kbdclass.sys
23:36:29.0476 1092 kbdclass - ok
23:36:29.0502 1092 kbdhid (0705eff5b42a9db58548eec3b26bb484) C:\Windows\system32\DRIVERS\kbdhid.sys
23:36:29.0503 1092 kbdhid - ok
23:36:29.0534 1092 KeyIso (c118a82cd78818c29ab228366ebf81c3) C:\Windows\system32\lsass.exe
23:36:29.0535 1092 KeyIso - ok
23:36:29.0547 1092 KSecDD (da1e991a61cfdd755a589e206b97644b) C:\Windows\system32\Drivers\ksecdd.sys
23:36:29.0548 1092 KSecDD - ok
23:36:29.0579 1092 KSecPkg (7e33198d956943a4f11a5474c1e9106f) C:\Windows\system32\Drivers\ksecpkg.sys
23:36:29.0581 1092 KSecPkg - ok
23:36:29.0597 1092 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
23:36:29.0598 1092 ksthunk - ok
23:36:29.0624 1092 KtmRm (6ab66e16aa859232f64deb66887a8c9c) C:\Windows\system32\msdtckrm.dll
23:36:29.0629 1092 KtmRm - ok
23:36:29.0670 1092 LanmanServer (d9f42719019740baa6d1c6d536cbdaa6) C:\Windows\System32\srvsvc.dll
23:36:29.0674 1092 LanmanServer - ok
23:36:29.0707 1092 LanmanWorkstation (851a1382eed3e3a7476db004f4ee3e1a) C:\Windows\System32\wkssvc.dll
23:36:29.0710 1092 LanmanWorkstation - ok
23:36:29.0730 1092 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
23:36:29.0731 1092 lltdio - ok
23:36:29.0750 1092 lltdsvc (c1185803384ab3feed115f79f109427f) C:\Windows\System32\lltdsvc.dll
23:36:29.0755 1092 lltdsvc - ok
23:36:29.0770 1092 lmhosts (f993a32249b66c9d622ea5592a8b76b8) C:\Windows\System32\lmhsvc.dll
23:36:29.0772 1092 lmhosts - ok
23:36:29.0800 1092 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\DRIVERS\lsi_fc.sys
23:36:29.0802 1092 LSI_FC - ok
23:36:29.0825 1092 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\DRIVERS\lsi_sas.sys
23:36:29.0826 1092 LSI_SAS - ok
23:36:29.0840 1092 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\DRIVERS\lsi_sas2.sys
23:36:29.0842 1092 LSI_SAS2 - ok
23:36:29.0852 1092 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\DRIVERS\lsi_scsi.sys
23:36:29.0854 1092 LSI_SCSI - ok
23:36:29.0872 1092 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
23:36:29.0874 1092 luafv - ok
23:36:29.0894 1092 Mcx2Svc (0be09cd858abf9df6ed259d57a1a1663) C:\Windows\system32\Mcx2Svc.dll
23:36:29.0896 1092 Mcx2Svc - ok
23:36:29.0908 1092 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\DRIVERS\megasas.sys
23:36:29.0910 1092 megasas - ok
23:36:29.0930 1092 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\DRIVERS\MegaSR.sys
23:36:29.0933 1092 MegaSR - ok
23:36:30.0014 1092 Microsoft Office Groove Audit Service (123271bd5237ab991dc5c21fdf8835eb) C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe
23:36:30.0040 1092 Microsoft Office Groove Audit Service - ok
23:36:30.0080 1092 MMCSS (e40e80d0304a73e8d269f7141d77250b) C:\Windows\system32\mmcss.dll
23:36:30.0083 1092 MMCSS - ok
23:36:30.0101 1092 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
23:36:30.0102 1092 Modem - ok
23:36:30.0130 1092 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
23:36:30.0130 1092 monitor - ok
23:36:30.0162 1092 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys
23:36:30.0163 1092 mouclass - ok
23:36:30.0180 1092 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
23:36:30.0181 1092 mouhid - ok
23:36:30.0211 1092 mountmgr (32e7a3d591d671a6df2db515a5cbe0fa) C:\Windows\system32\drivers\mountmgr.sys
23:36:30.0212 1092 mountmgr - ok
23:36:30.0236 1092 mpio (a44b420d30bd56e145d6a2bc8768ec58) C:\Windows\system32\drivers\mpio.sys
23:36:30.0238 1092 mpio - ok
23:36:30.0244 1092 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
23:36:30.0245 1092 mpsdrv - ok
23:36:30.0290 1092 MpsSvc (54ffc9c8898113ace189d4aa7199d2c1) C:\Windows\system32\mpssvc.dll
23:36:30.0298 1092 MpsSvc - ok
23:36:30.0319 1092 MRxDAV (dc722758b8261e1abafd31a3c0a66380) C:\Windows\system32\drivers\mrxdav.sys
23:36:30.0321 1092 MRxDAV - ok
23:36:30.0348 1092 mrxsmb (a5d9106a73dc88564c825d317cac68ac) C:\Windows\system32\DRIVERS\mrxsmb.sys
23:36:30.0350 1092 mrxsmb - ok
23:36:30.0387 1092 mrxsmb10 (d711b3c1d5f42c0c2415687be09fc163) C:\Windows\system32\DRIVERS\mrxsmb10.sys
23:36:30.0389 1092 mrxsmb10 - ok
23:36:30.0402 1092 mrxsmb20 (9423e9d355c8d303e76b8cfbd8a5c30c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
23:36:30.0404 1092 mrxsmb20 - ok
23:36:30.0423 1092 msahci (c25f0bafa182cbca2dd3c851c2e75796) C:\Windows\system32\drivers\msahci.sys
23:36:30.0424 1092 msahci - ok
23:36:30.0444 1092 msdsm (db801a638d011b9633829eb6f663c900) C:\Windows\system32\drivers\msdsm.sys
23:36:30.0446 1092 msdsm - ok
23:36:30.0467 1092 MSDTC (de0ece52236cfa3ed2dbfc03f28253a8) C:\Windows\System32\msdtc.exe
23:36:30.0469 1092 MSDTC - ok
23:36:30.0499 1092 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
23:36:30.0500 1092 Msfs - ok
23:36:30.0510 1092 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
23:36:30.0510 1092 mshidkmdf - ok
23:36:30.0531 1092 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\drivers\msisadrv.sys
23:36:30.0531 1092 msisadrv - ok
23:36:30.0562 1092 MSiSCSI (808e98ff49b155c522e6400953177b08) C:\Windows\system32\iscsiexe.dll
23:36:30.0564 1092 MSiSCSI - ok
23:36:30.0569 1092 msiserver - ok
23:36:30.0586 1092 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
23:36:30.0587 1092 MSKSSRV - ok
23:36:30.0599 1092 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
23:36:30.0600 1092 MSPCLOCK - ok
23:36:30.0611 1092 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
23:36:30.0621 1092 MSPQM - ok
23:36:30.0661 1092 MsRPC (759a9eeb0fa9ed79da1fb7d4ef78866d) C:\Windows\system32\drivers\MsRPC.sys
23:36:30.0664 1092 MsRPC - ok
23:36:30.0692 1092 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\drivers\mssmbios.sys
23:36:30.0692 1092 mssmbios - ok
23:36:30.0703 1092 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
23:36:30.0704 1092 MSTEE - ok
23:36:30.0715 1092 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys
23:36:30.0716 1092 MTConfig - ok
23:36:30.0750 1092 MTsensor (03b7145c889603537e9ffeabb1ad1089) C:\Windows\system32\DRIVERS\ASACPI.sys
23:36:30.0750 1092 MTsensor - ok
23:36:30.0772 1092 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
23:36:30.0773 1092 Mup - ok
23:36:30.0812 1092 napagent (582ac6d9873e31dfa28a4547270862dd) C:\Windows\system32\qagentRT.dll
23:36:30.0817 1092 napagent - ok
23:36:30.0865 1092 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
23:36:30.0868 1092 NativeWifiP - ok
23:36:30.0911 1092 NDIS (79b47fd40d9a817e932f9d26fac0a81c) C:\Windows\system32\drivers\ndis.sys
23:36:30.0922 1092 NDIS - ok
23:36:30.0932 1092 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
23:36:30.0933 1092 NdisCap - ok
23:36:30.0951 1092 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
23:36:30.0952 1092 NdisTapi - ok
23:36:30.0975 1092 Ndisuio (136185f9fb2cc61e573e676aa5402356) C:\Windows\system32\DRIVERS\ndisuio.sys
23:36:30.0976 1092 Ndisuio - ok
23:36:31.0009 1092 NdisWan (53f7305169863f0a2bddc49e116c2e11) C:\Windows\system32\DRIVERS\ndiswan.sys
23:36:31.0011 1092 NdisWan - ok
23:36:31.0039 1092 NDProxy (015c0d8e0e0421b4cfd48cffe2825879) C:\Windows\system32\drivers\NDProxy.sys
23:36:31.0040 1092 NDProxy - ok
23:36:31.0182 1092 Nero BackItUp Scheduler 4.0 (7d2633295eb6ff2b938185874884059d) C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
23:36:31.0194 1092 Nero BackItUp Scheduler 4.0 - ok
23:36:31.0223 1092 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
23:36:31.0224 1092 NetBIOS - ok
23:36:31.0263 1092 NetBT (09594d1089c523423b32a4229263f068) C:\Windows\system32\DRIVERS\netbt.sys
23:36:31.0266 1092 NetBT - ok
23:36:31.0292 1092 Netlogon (c118a82cd78818c29ab228366ebf81c3) C:\Windows\system32\lsass.exe
23:36:31.0293 1092 Netlogon - ok
23:36:31.0331 1092 Netman (847d3ae376c0817161a14a82c8922a9e) C:\Windows\System32\netman.dll
23:36:31.0336 1092 Netman - ok
23:36:31.0376 1092 netprofm (5f28111c648f1e24f7dbc87cdeb091b8) C:\Windows\System32\netprofm.dll
23:36:31.0382 1092 netprofm - ok
23:36:31.0433 1092 netr28x (44d4bd55191624c82a2745296ba42814) C:\Windows\system32\DRIVERS\netr28x.sys
23:36:31.0441 1092 netr28x - ok
23:36:31.0503 1092 NetTcpPortSharing (3e5a36127e201ddf663176b66828fafe) C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
23:36:31.0506 1092 NetTcpPortSharing - ok
23:36:31.0527 1092 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys
23:36:31.0528 1092 nfrd960 - ok
23:36:31.0572 1092 NlaSvc (1ee99a89cc788ada662441d1e9830529) C:\Windows\System32\nlasvc.dll
23:36:31.0578 1092 NlaSvc - ok
23:36:31.0591 1092 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
23:36:31.0592 1092 Npfs - ok
23:36:31.0610 1092 nsi (d54bfdf3e0c953f823b3d0bfe4732528) C:\Windows\system32\nsisvc.dll
23:36:31.0612 1092 nsi - ok
23:36:31.0629 1092 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
23:36:31.0630 1092 nsiproxy - ok
23:36:31.0700 1092 Ntfs (a2f74975097f52a00745f9637451fdd8) C:\Windows\system32\drivers\Ntfs.sys
23:36:31.0717 1092 Ntfs - ok
23:36:31.0785 1092 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
23:36:31.0786 1092 Null - ok
23:36:31.0826 1092 nvraid (0a92cb65770442ed0dc44834632f66ad) C:\Windows\system32\drivers\nvraid.sys
23:36:31.0828 1092 nvraid - ok
23:36:31.0844 1092 nvstor (dab0e87525c10052bf65f06152f37e4a) C:\Windows\system32\drivers\nvstor.sys
23:36:31.0847 1092 nvstor - ok
23:36:31.0870 1092 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\drivers\nv_agp.sys
23:36:31.0872 1092 nv_agp - ok
23:36:31.0963 1092 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
23:36:31.0969 1092 odserv - ok
23:36:31.0994 1092 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\drivers\ohci1394.sys
23:36:31.0996 1092 ohci1394 - ok
23:36:32.0025 1092 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
23:36:32.0028 1092 ose - ok
23:36:32.0061 1092 p2pimsvc (3eac4455472cc2c97107b5291e0dcafe) C:\Windows\system32\pnrpsvc.dll
23:36:32.0067 1092 p2pimsvc - ok
23:36:32.0100 1092 p2psvc (927463ecb02179f88e4b9a17568c63c3) C:\Windows\system32\p2psvc.dll
23:36:32.0105 1092 p2psvc - ok
23:36:32.0190 1092 PanService (77cdc6c43d8c3e05d0e21b36eaabebae) C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe
23:36:32.0196 1092 PanService - ok
23:36:32.0242 1092 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\DRIVERS\parport.sys
23:36:32.0243 1092 Parport - ok
23:36:32.0270 1092 partmgr (e9766131eeade40a27dc27d2d68fba9c) C:\Windows\system32\drivers\partmgr.sys
23:36:32.0271 1092 partmgr - ok
23:36:32.0292 1092 PcaSvc (3aeaa8b561e63452c655dc0584922257) C:\Windows\System32\pcasvc.dll
23:36:32.0296 1092 PcaSvc - ok
23:36:32.0323 1092 pci (94575c0571d1462a0f70bde6bd6ee6b3) C:\Windows\system32\drivers\pci.sys
23:36:32.0325 1092 pci - ok
23:36:32.0344 1092 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\drivers\pciide.sys
23:36:32.0344 1092 pciide - ok
23:36:32.0371 1092 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\DRIVERS\pcmcia.sys
23:36:32.0375 1092 pcmcia - ok
23:36:32.0393 1092 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
23:36:32.0394 1092 pcw - ok
23:36:32.0422 1092 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
23:36:32.0430 1092 PEAUTH - ok
23:36:32.0480 1092 PeerDistSvc (b9b0a4299dd2d76a4243f75fd54dc680) C:\Windows\system32\peerdistsvc.dll
23:36:32.0493 1092 PeerDistSvc - ok
23:36:32.0552 1092 PerfHost (e495e408c93141e8fc72dc0c6046ddfa) C:\Windows\SysWow64\perfhost.exe
23:36:32.0555 1092 PerfHost - ok
23:36:32.0668 1092 pla (c7cf6a6e137463219e1259e3f0f0dd6c) C:\Windows\system32\pla.dll
23:36:32.0683 1092 pla - ok
23:36:32.0748 1092 PlugPlay (25fbdef06c4d92815b353f6e792c8129) C:\Windows\system32\umpnpmgr.dll
23:36:32.0753 1092 PlugPlay - ok
23:36:32.0774 1092 PNRPAutoReg (7195581cec9bb7d12abe54036acc2e38) C:\Windows\system32\pnrpauto.dll
23:36:32.0776 1092 PNRPAutoReg - ok
23:36:32.0793 1092 PNRPsvc (3eac4455472cc2c97107b5291e0dcafe) C:\Windows\system32\pnrpsvc.dll
23:36:32.0796 1092 PNRPsvc - ok
23:36:32.0838 1092 PolicyAgent (4f15d75adf6156bf56eced6d4a55c389) C:\Windows\System32\ipsecsvc.dll
23:36:32.0844 1092 PolicyAgent - ok
23:36:32.0868 1092 Power (6ba9d927dded70bd1a9caded45f8b184) C:\Windows\system32\umpo.dll
23:36:32.0871 1092 Power - ok
23:36:32.0922 1092 PptpMiniport (f92a2c41117a11a00be01ca01a7fcde9) C:\Windows\system32\DRIVERS\raspptp.sys
23:36:32.0924 1092 PptpMiniport - ok
23:36:32.0948 1092 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\DRIVERS\processr.sys
23:36:32.0950 1092 Processor - ok
23:36:32.0982 1092 ProfSvc (5c78838b4d166d1a27db3a8a820c799a) C:\Windows\system32\profsvc.dll
23:36:32.0986 1092 ProfSvc - ok
23:36:33.0016 1092 ProtectedStorage (c118a82cd78818c29ab228366ebf81c3) C:\Windows\system32\lsass.exe
23:36:33.0018 1092 ProtectedStorage - ok
23:36:33.0053 1092 Psched (0557cf5a2556bd58e26384169d72438d) C:\Windows\system32\DRIVERS\pacer.sys
23:36:33.0055 1092 Psched - ok
23:36:33.0091 1092 PxHlpa64 (4712cc14e720ecccc0aa16949d18aaf1) C:\Windows\system32\Drivers\PxHlpa64.sys
23:36:33.0091 1092 PxHlpa64 - ok
23:36:33.0150 1092 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\DRIVERS\ql2300.sys
23:36:33.0165 1092 ql2300 - ok
23:36:33.0243 1092 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\DRIVERS\ql40xx.sys
23:36:33.0246 1092 ql40xx - ok
23:36:33.0282 1092 QWAVE (906191634e99aea92c4816150bda3732) C:\Windows\system32\qwave.dll
23:36:33.0288 1092 QWAVE - ok
23:36:33.0305 1092 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
23:36:33.0306 1092 QWAVEdrv - ok
23:36:33.0318 1092 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
23:36:33.0319 1092 RasAcd - ok
23:36:33.0333 1092 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
23:36:33.0334 1092 RasAgileVpn - ok
23:36:33.0352 1092 RasAuto (8f26510c5383b8dbe976de1cd00fc8c7) C:\Windows\System32\rasauto.dll
23:36:33.0355 1092 RasAuto - ok
23:36:33.0382 1092 Rasl2tp (471815800ae33e6f1c32fb1b97c490ca) C:\Windows\system32\DRIVERS\rasl2tp.sys
23:36:33.0383 1092 Rasl2tp - ok
23:36:33.0401 1092 RasMan (ee867a0870fc9e4972ba9eaad35651e2) C:\Windows\System32\rasmans.dll
23:36:33.0406 1092 RasMan - ok
23:36:33.0431 1092 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
23:36:33.0432 1092 RasPppoe - ok
23:36:33.0440 1092 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
23:36:33.0442 1092 RasSstp - ok
23:36:33.0459 1092 rdbss (77f665941019a1594d887a74f301fa2f) C:\Windows\system32\DRIVERS\rdbss.sys
23:36:33.0462 1092 rdbss - ok
23:36:33.0476 1092 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys
23:36:33.0477 1092 rdpbus - ok
23:36:33.0490 1092 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
23:36:33.0491 1092 RDPCDD - ok
23:36:33.0524 1092 RDPDR (1b6163c503398b23ff8b939c67747683) C:\Windows\system32\drivers\rdpdr.sys
23:36:33.0526 1092 RDPDR - ok
23:36:33.0549 1092 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
23:36:33.0549 1092 RDPENCDD - ok
23:36:33.0564 1092 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
23:36:33.0565 1092 RDPREFMP - ok
23:36:33.0594 1092 RdpVideoMiniport (70cba1a0c98600a2aa1863479b35cb90) C:\Windows\system32\drivers\rdpvideominiport.sys
23:36:33.0595 1092 RdpVideoMiniport - ok
23:36:33.0617 1092 RDPWD (6d76e6433574b058adcb0c50df834492) C:\Windows\system32\drivers\RDPWD.sys
23:36:33.0619 1092 RDPWD - ok
23:36:33.0662 1092 rdyboost (34ed295fa0121c241bfef24764fc4520) C:\Windows\system32\drivers\rdyboost.sys
23:36:33.0664 1092 rdyboost - ok
23:36:33.0683 1092 RemoteAccess (254fb7a22d74e5511c73a3f6d802f192) C:\Windows\System32\mprdim.dll
23:36:33.0685 1092 RemoteAccess - ok
23:36:33.0712 1092 RemoteRegistry (e4d94f24081440b5fc5aa556c7c62702) C:\Windows\system32\regsvc.dll
23:36:33.0715 1092 RemoteRegistry - ok
23:36:33.0732 1092 RpcEptMapper (e4dc58cf7b3ea515ae917ff0d402a7bb) C:\Windows\System32\RpcEpMap.dll
23:36:33.0734 1092 RpcEptMapper - ok
23:36:33.0745 1092 RpcLocator (d5ba242d4cf8e384db90e6a8ed850b8c) C:\Windows\system32\locator.exe
23:36:33.0746 1092 RpcLocator - ok
23:36:33.0780 1092 RpcSs (5c627d1b1138676c0a7ab2c2c190d123) C:\Windows\system32\rpcss.dll
23:36:33.0784 1092 RpcSs - ok
23:36:33.0810 1092 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
23:36:33.0811 1092 rspndr - ok
23:36:33.0850 1092 RTL8167 (4b42bc58294e83a6a92ec8b88c14c4a3) C:\Windows\system32\DRIVERS\Rt64win7.sys
23:36:33.0852 1092 RTL8167 - ok
23:36:33.0870 1092 s3cap (e60c0a09f997826c7627b244195ab581) C:\Windows\system32\drivers\vms3cap.sys
23:36:33.0871 1092 s3cap - ok
23:36:33.0899 1092 SamSs (c118a82cd78818c29ab228366ebf81c3) C:\Windows\system32\lsass.exe
23:36:33.0901 1092 SamSs - ok
23:36:33.0922 1092 sbp2port (ac03af3329579fffb455aa2daabbe22b) C:\Windows\system32\drivers\sbp2port.sys
23:36:33.0924 1092 sbp2port - ok
23:36:33.0949 1092 SCardSvr (9b7395789e3791a3b6d000fe6f8b131e) C:\Windows\System32\SCardSvr.dll
23:36:33.0953 1092 SCardSvr - ok
23:36:34.0003 1092 SCDEmu (b2f50286dc82b93c013e3fc57ba1a956) C:\Windows\system32\drivers\SCDEmu.sys
23:36:34.0004 1092 SCDEmu - ok
23:36:34.0027 1092 scfilter (253f38d0d7074c02ff8deb9836c97d2b) C:\Windows\system32\DRIVERS\scfilter.sys
23:36:34.0028 1092 scfilter - ok
23:36:34.0089 1092 Schedule (262f6592c3299c005fd6bec90fc4463a) C:\Windows\system32\schedsvc.dll
23:36:34.0102 1092 Schedule - ok
23:36:34.0126 1092 SCPolicySvc (f17d1d393bbc69c5322fbfafaca28c7f) C:\Windows\System32\certprop.dll
23:36:34.0127 1092 SCPolicySvc - ok
23:36:34.0142 1092 SDRSVC (6ea4234dc55346e0709560fe7c2c1972) C:\Windows\System32\SDRSVC.dll
23:36:34.0145 1092 SDRSVC - ok
23:36:34.0189 1092 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
23:36:34.0189 1092 secdrv - ok
23:36:34.0217 1092 seclogon (bc617a4e1b4fa8df523a061739a0bd87) C:\Windows\system32\seclogon.dll
23:36:34.0219 1092 seclogon - ok
23:36:34.0241 1092 SENS (c32ab8fa018ef34c0f113bd501436d21) C:\Windows\system32\sens.dll
23:36:34.0243 1092 SENS - ok
23:36:34.0252 1092 SensrSvc (0336cffafaab87a11541f1cf1594b2b2) C:\Windows\system32\sensrsvc.dll
23:36:34.0254 1092 SensrSvc - ok
23:36:34.0269 1092 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys
23:36:34.0270 1092 Serenum - ok
23:36:34.0283 1092 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
23:36:34.0285 1092 Serial - ok
23:36:34.0306 1092 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\DRIVERS\sermouse.sys
23:36:34.0307 1092 sermouse - ok
23:36:34.0333 1092 SessionEnv (0b6231bf38174a1628c4ac812cc75804) C:\Windows\system32\sessenv.dll
23:36:34.0336 1092 SessionEnv - ok
23:36:34.0360 1092 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\drivers\sffdisk.sys
23:36:34.0361 1092 sffdisk - ok
23:36:34.0374 1092 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\drivers\sffp_mmc.sys
23:36:34.0375 1092 sffp_mmc - ok
23:36:34.0389 1092 sffp_sd (dd85b78243a19b59f0637dcf284da63c) C:\Windows\system32\drivers\sffp_sd.sys
23:36:34.0390 1092 sffp_sd - ok
23:36:34.0402 1092 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\DRIVERS\sfloppy.sys
23:36:34.0403 1092 sfloppy - ok
23:36:34.0439 1092 SharedAccess (b95f6501a2f8b2e78c697fec401970ce) C:\Windows\System32\ipnathlp.dll
23:36:34.0443 1092 SharedAccess - ok
23:36:34.0467 1092 ShellHWDetection (aaf932b4011d14052955d4b212a4da8d) C:\Windows\System32\shsvcs.dll
23:36:34.0473 1092 ShellHWDetection - ok
23:36:34.0487 1092 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\DRIVERS\SiSRaid2.sys
23:36:34.0488 1092 SiSRaid2 - ok
23:36:34.0505 1092 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\DRIVERS\sisraid4.sys
23:36:34.0507 1092 SiSRaid4 - ok
23:36:34.0588 1092 SkypeUpdate (17eab7852ff9f15fbaab4e95efc0b812) C:\Program Files (x86)\Skype\Updater\Updater.exe
23:36:34.0590 1092 SkypeUpdate - ok
23:36:34.0610 1092 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
23:36:34.0612 1092 Smb - ok
23:36:34.0657 1092 SNMPTRAP (6313f223e817cc09aa41811daa7f541d) C:\Windows\System32\snmptrap.exe
23:36:34.0658 1092 SNMPTRAP - ok
23:36:34.0682 1092 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
23:36:34.0683 1092 spldr - ok
23:36:34.0722 1092 Spooler (b96c17b5dc1424d56eea3a99e97428cd) C:\Windows\System32\spoolsv.exe
23:36:34.0730 1092 Spooler - ok
23:36:34.0865 1092 sppsvc (e17e0188bb90fae42d83e98707efa59c) C:\Windows\system32\sppsvc.exe
23:36:34.0884 1092 sppsvc - ok
23:36:34.0940 1092 sppuinotify (93d7d61317f3d4bc4f4e9f8a96a7de45) C:\Windows\system32\sppuinotify.dll
23:36:34.0943 1092 sppuinotify - ok
23:36:34.0985 1092 srv (441fba48bff01fdb9d5969ebc1838f0b) C:\Windows\system32\DRIVERS\srv.sys
23:36:34.0992 1092 srv - ok
23:36:35.0014 1092 srv2 (b4adebbf5e3677cce9651e0f01f7cc28) C:\Windows\system32\DRIVERS\srv2.sys
23:36:35.0019 1092 srv2 - ok
23:36:35.0034 1092 srvnet (27e461f0be5bff5fc737328f749538c3) C:\Windows\system32\DRIVERS\srvnet.sys
23:36:35.0036 1092 srvnet - ok
23:36:35.0071 1092 SSDPSRV (51b52fbd583cde8aa9ba62b8b4298f33) C:\Windows\System32\ssdpsrv.dll
23:36:35.0075 1092 SSDPSRV - ok
23:36:35.0105 1092 ssmirrdr (1100066057fbf612b573efd3b21383f1) C:\Windows\system32\DRIVERS\ssmirrdr.sys
23:36:35.0106 1092 ssmirrdr - ok
23:36:35.0122 1092 SstpSvc (ab7aebf58dad8daab7a6c45e6a8885cb) C:\Windows\system32\sstpsvc.dll
23:36:35.0124 1092 SstpSvc - ok
23:36:35.0146 1092 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\DRIVERS\stexstor.sys
23:36:35.0147 1092 stexstor - ok
23:36:35.0195 1092 stisvc (8dd52e8e6128f4b2da92ce27402871c1) C:\Windows\System32\wiaservc.dll
23:36:35.0203 1092 stisvc - ok
23:36:35.0234 1092 storflt (7785dc213270d2fc066538daf94087e7) C:\Windows\system32\drivers\vmstorfl.sys
23:36:35.0235 1092 storflt - ok
23:36:35.0258 1092 storvsc (d34e4943d5ac096c8edeebfd80d76e23) C:\Windows\system32\drivers\storvsc.sys
23:36:35.0259 1092 storvsc - ok
23:36:35.0285 1092 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\drivers\swenum.sys
23:36:35.0285 1092 swenum - ok
23:36:35.0408 1092 SwitchBoard (f577910a133a592234ebaad3f3afa258) C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
23:36:35.0416 1092 SwitchBoard - ok
23:36:35.0460 1092 swprv (e08e46fdd841b7184194011ca1955a0b) C:\Windows\System32\swprv.dll
23:36:35.0469 1092 swprv - ok
23:36:35.0482 1092 Synth3dVsc - ok
23:36:35.0571 1092 SysMain (bf9ccc0bf39b418c8d0ae8b05cf95b7d) C:\Windows\system32\sysmain.dll
23:36:35.0590 1092 SysMain - ok
23:36:35.0670 1092 TabletInputService (e3c61fd7b7c2557e1f1b0b4cec713585) C:\Windows\System32\TabSvc.dll
23:36:35.0674 1092 TabletInputService - ok
23:36:35.0694 1092 TapiSrv (40f0849f65d13ee87b9a9ae3c1dd6823) C:\Windows\System32\tapisrv.dll
23:36:35.0700 1092 TapiSrv - ok
23:36:35.0719 1092 TBS (1be03ac720f4d302ea01d40f588162f6) C:\Windows\System32\tbssvc.dll
23:36:35.0721 1092 TBS - ok
23:36:35.0810 1092 Tcpip (acb82bda8f46c84f465c1afa517dc4b9) C:\Windows\system32\drivers\tcpip.sys
23:36:35.0831 1092 Tcpip - ok
23:36:35.0939 1092 TCPIP6 (acb82bda8f46c84f465c1afa517dc4b9) C:\Windows\system32\DRIVERS\tcpip.sys
23:36:35.0950 1092 TCPIP6 - ok
23:36:35.0991 1092 tcpipreg (df687e3d8836bfb04fcc0615bf15a519) C:\Windows\system32\drivers\tcpipreg.sys
23:36:35.0992 1092 tcpipreg - ok
23:36:36.0018 1092 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
23:36:36.0019 1092 TDPIPE - ok
23:36:36.0035 1092 TDTCP (51c5eceb1cdee2468a1748be550cfbc8) C:\Windows\system32\drivers\tdtcp.sys
23:36:36.0036 1092 TDTCP - ok
23:36:36.0074 1092 tdx (ddad5a7ab24d8b65f8d724f5c20fd806) C:\Windows\system32\DRIVERS\tdx.sys
23:36:36.0075 1092 tdx - ok
23:36:36.0099 1092 TermDD (561e7e1f06895d78de991e01dd0fb6e5) C:\Windows\system32\drivers\termdd.sys
23:36:36.0099 1092 TermDD - ok
23:36:36.0128 1092 TermService (2e648163254233755035b46dd7b89123) C:\Windows\System32\termsrv.dll
23:36:36.0136 1092 TermService - ok
23:36:36.0157 1092 Themes (f0344071948d1a1fa732231785a0664c) C:\Windows\system32\themeservice.dll
23:36:36.0159 1092 Themes - ok
23:36:36.0186 1092 THREADORDER (e40e80d0304a73e8d269f7141d77250b) C:\Windows\system32\mmcss.dll
23:36:36.0188 1092 THREADORDER - ok
23:36:36.0207 1092 TrkWks (7e7afd841694f6ac397e99d75cead49d) C:\Windows\System32\trkwks.dll
23:36:36.0210 1092 TrkWks - ok
23:36:36.0249 1092 TrustedInstaller (773212b2aaa24c1e31f10246b15b276c) C:\Windows\servicing\TrustedInstaller.exe
23:36:36.0252 1092 TrustedInstaller - ok
23:36:36.0290 1092 tssecsrv (ce18b2cdfc837c99e5fae9ca6cba5d30) C:\Windows\system32\DRIVERS\tssecsrv.sys
23:36:36.0291 1092 tssecsrv - ok
23:36:36.0326 1092 TsUsbFlt (d11c783e3ef9a3c52c0ebe83cc5000e9) C:\Windows\system32\drivers\tsusbflt.sys
23:36:36.0328 1092 TsUsbFlt - ok
23:36:36.0339 1092 tsusbhub - ok
23:36:36.0379 1092 tunnel (3566a8daafa27af944f5d705eaa64894) C:\Windows\system32\DRIVERS\tunnel.sys
23:36:36.0381 1092 tunnel - ok
23:36:36.0410 1092 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\DRIVERS\uagp35.sys
23:36:36.0412 1092 uagp35 - ok
23:36:36.0458 1092 udfs (ff4232a1a64012baa1fd97c7b67df593) C:\Windows\system32\DRIVERS\udfs.sys
23:36:36.0463 1092 udfs - ok
23:36:36.0492 1092 UI0Detect (3cbdec8d06b9968aba702eba076364a1) C:\Windows\system32\UI0Detect.exe
23:36:36.0496 1092 UI0Detect - ok
23:36:36.0525 1092 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\drivers\uliagpkx.sys
23:36:36.0527 1092 uliagpkx - ok
23:36:36.0565 1092 umbus (dc54a574663a895c8763af0fa1ff7561) C:\Windows\system32\drivers\umbus.sys
23:36:36.0566 1092 umbus - ok
23:36:36.0593 1092 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\DRIVERS\umpass.sys
23:36:36.0594 1092 UmPass - ok
23:36:36.0621 1092 UmRdpService (a293dcd756d04d8492a750d03b9a297c) C:\Windows\System32\umrdp.dll
23:36:36.0627 1092 UmRdpService - ok
23:36:36.0648 1092 upnphost (d47ec6a8e81633dd18d2436b19baf6de) C:\Windows\System32\upnphost.dll
23:36:36.0655 1092 upnphost - ok
23:36:36.0686 1092 USBAAPL64 (aa33fc47ed58c34e6e9261e4f850b7eb) C:\Windows\system32\Drivers\usbaapl64.sys
23:36:36.0688 1092 USBAAPL64 - ok
23:36:36.0715 1092 usbccgp (6f1a3157a1c89435352ceb543cdb359c) C:\Windows\system32\DRIVERS\usbccgp.sys
23:36:36.0716 1092 usbccgp - ok
23:36:36.0756 1092 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\drivers\usbcir.sys
23:36:36.0758 1092 usbcir - ok
23:36:36.0771 1092 usbehci (c025055fe7b87701eb042095df1a2d7b) C:\Windows\system32\DRIVERS\usbehci.sys
23:36:36.0772 1092 usbehci - ok
23:36:36.0802 1092 usbhub (287c6c9410b111b68b52ca298f7b8c24) C:\Windows\system32\DRIVERS\usbhub.sys
23:36:36.0807 1092 usbhub - ok
23:36:36.0822 1092 usbohci (9840fc418b4cbd632d3d0a667a725c31) C:\Windows\system32\drivers\usbohci.sys
23:36:36.0823 1092 usbohci - ok
23:36:36.0851 1092 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys
23:36:36.0852 1092 usbprint - ok
23:36:36.0884 1092 usbscan (aaa2513c8aed8b54b189fd0c6b1634c0) C:\Windows\system32\DRIVERS\usbscan.sys
23:36:36.0885 1092 usbscan - ok
23:36:36.0912 1092 USBSTOR (fed648b01349a3c8395a5169db5fb7d6) C:\Windows\system32\DRIVERS\USBSTOR.SYS
23:36:36.0914 1092 USBSTOR - ok
23:36:36.0926 1092 usbuhci (62069a34518bcf9c1fd9e74b3f6db7cd) C:\Windows\system32\DRIVERS\usbuhci.sys
23:36:36.0927 1092 usbuhci - ok
23:36:36.0971 1092 usbvideo (454800c2bc7f3927ce030141ee4f4c50) C:\Windows\System32\Drivers\usbvideo.sys
23:36:36.0974 1092 usbvideo - ok
23:36:36.0993 1092 UxSms (edbb23cbcf2cdf727d64ff9b51a6070e) C:\Windows\System32\uxsms.dll
23:36:36.0996 1092 UxSms - ok
23:36:37.0024 1092 VaultSvc (c118a82cd78818c29ab228366ebf81c3) C:\Windows\system32\lsass.exe
23:36:37.0026 1092 VaultSvc - ok
23:36:37.0057 1092 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\drivers\vdrvroot.sys
23:36:37.0057 1092 vdrvroot - ok
23:36:37.0103 1092 vds (8d6b481601d01a456e75c3210f1830be) C:\Windows\System32\vds.exe
23:36:37.0111 1092 vds - ok
23:36:37.0136 1092 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
23:36:37.0137 1092 vga - ok
23:36:37.0154 1092 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
23:36:37.0155 1092 VgaSave - ok
23:36:37.0161 1092 VGPU - ok
23:36:37.0190 1092 vhdmp (2ce2df28c83aeaf30084e1b1eb253cbb) C:\Windows\system32\drivers\vhdmp.sys
23:36:37.0193 1092 vhdmp - ok
23:36:37.0219 1092 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\drivers\viaide.sys
23:36:37.0220 1092 viaide - ok
23:36:37.0253 1092 vmbus (86ea3e79ae350fea5331a1303054005f) C:\Windows\system32\drivers\vmbus.sys
23:36:37.0255 1092 vmbus - ok
23:36:37.0278 1092 VMBusHID (7de90b48f210d29649380545db45a187) C:\Windows\system32\drivers\VMBusHID.sys
23:36:37.0279 1092 VMBusHID - ok
23:36:37.0301 1092 volmgr (d2aafd421940f640b407aefaaebd91b0) C:\Windows\system32\drivers\volmgr.sys
23:36:37.0302 1092 volmgr - ok
23:36:37.0336 1092 volmgrx (a255814907c89be58b79ef2f189b843b) C:\Windows\system32\drivers\volmgrx.sys
23:36:37.0339 1092 volmgrx - ok
23:36:37.0372 1092 volsnap (0d08d2f3b3ff84e433346669b5e0f639) C:\Windows\system32\drivers\volsnap.sys
23:36:37.0375 1092 volsnap - ok
23:36:37.0393 1092 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\DRIVERS\vsmraid.sys
23:36:37.0395 1092 vsmraid - ok
23:36:37.0466 1092 VSS (b60ba0bc31b0cb414593e169f6f21cc2) C:\Windows\system32\vssvc.exe
23:36:37.0483 1092 VSS - ok
23:36:37.0547 1092 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\system32\DRIVERS\vwifibus.sys
23:36:37.0548 1092 vwifibus - ok
23:36:37.0573 1092 vwififlt (6a3d66263414ff0d6fa754c646612f3f) C:\Windows\system32\DRIVERS\vwififlt.sys
23:36:37.0574 1092 vwififlt - ok
23:36:37.0607 1092 W32Time (1c9d80cc3849b3788048078c26486e1a) C:\Windows\system32\w32time.dll
23:36:37.0614 1092 W32Time - ok
23:36:37.0645 1092 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\DRIVERS\wacompen.sys
23:36:37.0646 1092 WacomPen - ok
23:36:37.0689 1092 WANARP (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
23:36:37.0690 1092 WANARP - ok
23:36:37.0695 1092 Wanarpv6 (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
23:36:37.0696 1092 Wanarpv6 - ok
23:36:37.0774 1092 WatAdminSvc (3cec96de223e49eaae3651fcf8faea6c) C:\Windows\system32\Wat\WatAdminSvc.exe
23:36:37.0790 1092 WatAdminSvc - ok
23:36:37.0863 1092 wbengine (78f4e7f5c56cb9716238eb57da4b6a75) C:\Windows\system32\wbengine.exe
23:36:37.0882 1092 wbengine - ok
23:36:37.0964 1092 WbioSrvc (3aa101e8edab2db4131333f4325c76a3) C:\Windows\System32\wbiosrvc.dll
23:36:37.0968 1092 WbioSrvc - ok
23:36:38.0006 1092 wcncsvc (7368a2afd46e5a4481d1de9d14848edd) C:\Windows\System32\wcncsvc.dll
23:36:38.0012 1092 wcncsvc - ok
23:36:38.0025 1092 WcsPlugInService (20f7441334b18cee52027661df4a6129) C:\Windows\System32\WcsPlugInService.dll
23:36:38.0028 1092 WcsPlugInService - ok
23:36:38.0052 1092 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\DRIVERS\wd.sys
23:36:38.0053 1092 Wd - ok
23:36:38.0091 1092 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
23:36:38.0099 1092 Wdf01000 - ok
23:36:38.0110 1092 WdiServiceHost (bf1fc3f79b863c914687a737c2f3d681) C:\Windows\system32\wdi.dll
23:36:38.0113 1092 WdiServiceHost - ok
23:36:38.0116 1092 WdiSystemHost (bf1fc3f79b863c914687a737c2f3d681) C:\Windows\system32\wdi.dll
23:36:38.0118 1092 WdiSystemHost - ok
23:36:38.0137 1092 WebClient (3db6d04e1c64272f8b14eb8bc4616280) C:\Windows\System32\webclnt.dll
23:36:38.0141 1092 WebClient - ok
23:36:38.0167 1092 Wecsvc (c749025a679c5103e575e3b48e092c43) C:\Windows\system32\wecsvc.dll
23:36:38.0170 1092 Wecsvc - ok
23:36:38.0177 1092 wercplsupport (7e591867422dc788b9e5bd337a669a08) C:\Windows\System32\wercplsupport.dll
23:36:38.0179 1092 wercplsupport - ok
23:36:38.0205 1092 WerSvc (6d137963730144698cbd10f202e9f251) C:\Windows\System32\WerSvc.dll
23:36:38.0208 1092 WerSvc - ok
23:36:38.0247 1092 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
23:36:38.0248 1092 WfpLwf - ok
23:36:38.0257 1092 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
23:36:38.0258 1092 WIMMount - ok
23:36:38.0298 1092 WinDefend - ok
23:36:38.0309 1092 WinHttpAutoProxySvc - ok
23:36:38.0357 1092 Winmgmt (19b07e7e8915d701225da41cb3877306) C:\Windows\system32\wbem\WMIsvc.dll
23:36:38.0361 1092 Winmgmt - ok
23:36:38.0449 1092 WinRM (bcb1310604aa415c4508708975b3931e) C:\Windows\system32\WsmSvc.dll
23:36:38.0478 1092 WinRM - ok
23:36:38.0585 1092 WinUsb (fe88b288356e7b47b74b13372add906d) C:\Windows\system32\DRIVERS\WinUsb.sys
23:36:38.0586 1092 WinUsb - ok
23:36:38.0631 1092 Wlansvc (4fada86e62f18a1b2f42ba18ae24e6aa) C:\Windows\System32\wlansvc.dll
23:36:38.0645 1092 Wlansvc - ok
23:36:38.0660 1092 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\drivers\wmiacpi.sys
23:36:38.0661 1092 WmiAcpi - ok
23:36:38.0703 1092 wmiApSrv (38b84c94c5a8af291adfea478ae54f93) C:\Windows\system32\wbem\WmiApSrv.exe
23:36:38.0706 1092 wmiApSrv - ok
23:36:38.0740 1092 WMPNetworkSvc - ok
23:36:38.0750 1092 WPCSvc (96c6e7100d724c69fcf9e7bf590d1dca) C:\Windows\System32\wpcsvc.dll
23:36:38.0754 1092 WPCSvc - ok
23:36:38.0780 1092 WPDBusEnum (93221146d4ebbf314c29b23cd6cc391d) C:\Windows\system32\wpdbusenum.dll
23:36:38.0783 1092 WPDBusEnum - ok
23:36:38.0798 1092 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
23:36:38.0799 1092 ws2ifsl - ok
23:36:38.0828 1092 wscsvc (e8b1fe6669397d1772d8196df0e57a9e) C:\Windows\system32\wscsvc.dll
23:36:38.0830 1092 wscsvc - ok
23:36:38.0834 1092 WSearch - ok
23:36:38.0933 1092 wuauserv (9df12edbc698b0bc353b3ef84861e430) C:\Windows\system32\wuaueng.dll
23:36:38.0958 1092 wuauserv - ok
23:36:39.0042 1092 WudfPf (d3381dc54c34d79b22cee0d65ba91b7c) C:\Windows\system32\drivers\WudfPf.sys
23:36:39.0044 1092 WudfPf - ok
23:36:39.0072 1092 WUDFRd (cf8d590be3373029d57af80914190682) C:\Windows\system32\DRIVERS\WUDFRd.sys
23:36:39.0076 1092 WUDFRd - ok
23:36:39.0101 1092 wudfsvc (7a95c95b6c4cf292d689106bcae49543) C:\Windows\System32\WUDFSvc.dll
23:36:39.0105 1092 wudfsvc - ok
23:36:39.0130 1092 WwanSvc (9a3452b3c2a46c073166c5cf49fad1ae) C:\Windows\System32\wwansvc.dll
23:36:39.0136 1092 WwanSvc - ok
23:36:39.0166 1092 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
23:36:39.0317 1092 \Device\Harddisk0\DR0 - ok
23:36:39.0321 1092 Boot (0x1200) (d6c7090fc5ba2c6b628ba1f4c128bc21) \Device\Harddisk0\DR0\Partition0
23:36:39.0322 1092 \Device\Harddisk0\DR0\Partition0 - ok
23:36:39.0341 1092 Boot (0x1200) (d5755e725d6051c399b2189bb87c0459) \Device\Harddisk0\DR0\Partition1
23:36:39.0342 1092 \Device\Harddisk0\DR0\Partition1 - ok
23:36:39.0343 1092 ============================================================
23:36:39.0343 1092 Scan finished
23:36:39.0343 1092 ============================================================
23:36:39.0355 0892 Detected object count: 1
23:36:39.0355 0892 Actual detected object count: 1
23:37:16.0243 0892 Akamai ( HiddenFile.Multi.Generic ) - skipped by user
23:37:16.0243 0892 Akamai ( HiddenFile.Multi.Generic ) - User select action: Skip




aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-28 00:03:33
-----------------------------
00:03:33.683 OS Version: Windows x64 6.1.7601 Service Pack 1
00:03:33.683 Number of processors: 2 586 0x170A
00:03:33.684 ComputerName: SLAVA-PC UserName: slava
00:03:34.727 Initialize success
00:03:38.433 AVAST engine defs: 12052702
00:03:49.379 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
00:03:49.383 Disk 0 Vendor: Hitachi_HDT721064SLA360 STDOA31B Size: 610480MB BusType: 3
00:03:49.416 Disk 0 MBR read successfully
00:03:49.420 Disk 0 MBR scan
00:03:49.427 Disk 0 Windows 7 default MBR code
00:03:49.433 Disk 0 Partition 1 00 1B Hidd FAT32 NTFS 10244 MB offset 63
00:03:49.445 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 20981760
00:03:49.465 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 600125 MB offset 21186560
00:03:49.488 Disk 0 scanning C:\Windows\system32\drivers
00:04:01.259 Service scanning
00:04:20.338 Modules scanning
00:04:20.353 Disk 0 trace - called modules:
00:04:20.369 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
00:04:20.376 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8005e4c060]
00:04:20.382 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> [0xfffffa80058e6e40]
00:04:20.388 5 ACPI.sys[fffff88000f9f7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80058f6060]
00:04:21.554 AVAST engine scan C:\Windows
00:04:25.388 AVAST engine scan C:\Windows\system32
00:06:35.363 AVAST engine scan C:\Windows\system32\drivers
00:06:45.054 AVAST engine scan C:\Users\slava
00:08:03.614 File: C:\Users\slava\AppData\Local\VirtualStore\Windows\SysWOW64\winiot32.rom **INFECTED** Win32:Nebuler-X [Trj]
00:08:03.663 File: C:\Users\slava\AppData\Local\VirtualStore\Windows\SysWOW64\winrgx32.rom **INFECTED** Win32:Nebuler-X [Trj]
00:08:03.837 File: C:\Users\slava\AppData\Local\{8b643262-c77b-1011-41ef-128122dcde78}\L\80000032.@ **INFECTED** Win32:DNSChanger-VJ [Trj]
00:08:03.881 File: C:\Users\slava\AppData\Local\{8b643262-c77b-1011-41ef-128122dcde78}\n **INFECTED** Win32:Sirefef-PL [Rtk]
00:08:03.971 File: C:\Users\slava\AppData\Local\{8b643262-c77b-1011-41ef-128122dcde78}\U\80000000.@ **INFECTED** Win32:Malware-gen
00:08:04.007 File: C:\Users\slava\AppData\Local\{8b643262-c77b-1011-41ef-128122dcde78}\U\80000032.@ **INFECTED** Win32:DNSChanger-VJ [Trj]
00:09:04.566 Disk 0 MBR has been saved successfully to "C:\Users\slava\Desktop\MBR.dat"
00:09:04.576 The log file has been saved successfully to "C:\Users\slava\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-28 00:16:27
-----------------------------
00:16:27.582 OS Version: Windows x64 6.1.7601 Service Pack 1
00:16:27.582 Number of processors: 2 586 0x170A
00:16:27.582 ComputerName: SLAVA-PC UserName: slava
00:16:28.547 Initialize success
00:16:35.080 AVAST engine defs: 12052702
00:16:39.434 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
00:16:39.439 Disk 0 Vendor: Hitachi_HDT721064SLA360 STDOA31B Size: 610480MB BusType: 3
00:16:39.449 Disk 0 MBR read successfully
00:16:39.454 Disk 0 MBR scan
00:16:39.461 Disk 0 Windows 7 default MBR code
00:16:39.466 Disk 0 Partition 1 00 1B Hidd FAT32 NTFS 10244 MB offset 63
00:16:39.478 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 20981760
00:16:39.490 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 600125 MB offset 21186560
00:16:39.511 Disk 0 scanning C:\Windows\system32\drivers
00:16:47.313 Service scanning
00:17:09.465 Modules scanning
00:17:09.480 Disk 0 trace - called modules:
00:17:09.503 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
00:17:09.511 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8005e32420]
00:17:09.523 3 CLASSPNP.SYS[fffff8800160143f] -> nt!IofCallDriver -> [0xfffffa80058db580]
00:17:09.534 5 ACPI.sys[fffff88000ec17a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80058dd060]
00:17:10.338 AVAST engine scan C:\Windows
00:17:12.883 AVAST engine scan C:\Windows\system32
00:19:28.905 AVAST engine scan C:\Windows\system32\drivers
00:19:38.828 AVAST engine scan C:\Users\slava
00:21:13.025 File: C:\Users\slava\AppData\Local\VirtualStore\Windows\SysWOW64\winiot32.rom **INFECTED** Win32:Nebuler-X [Trj]
00:21:13.075 File: C:\Users\slava\AppData\Local\VirtualStore\Windows\SysWOW64\winrgx32.rom **INFECTED** Win32:Nebuler-X [Trj]
00:21:13.249 File: C:\Users\slava\AppData\Local\{8b643262-c77b-1011-41ef-128122dcde78}\L\80000032.@ **INFECTED** Win32:DNSChanger-VJ [Trj]
00:21:13.279 File: C:\Users\slava\AppData\Local\{8b643262-c77b-1011-41ef-128122dcde78}\n **INFECTED** Win32:Sirefef-PL [Rtk]
00:21:13.364 File: C:\Users\slava\AppData\Local\{8b643262-c77b-1011-41ef-128122dcde78}\U\80000000.@ **INFECTED** Win32:Malware-gen
00:21:13.433 File: C:\Users\slava\AppData\Local\{8b643262-c77b-1011-41ef-128122dcde78}\U\80000032.@ **INFECTED** Win32:DNSChanger-VJ [Trj]
00:26:08.195 AVAST engine scan C:\ProgramData
00:27:10.929 Scan finished successfully
00:27:41.727 Disk 0 MBR has been saved successfully to "C:\Users\slava\Desktop\MBR.dat"
00:27:41.733 The log file has been saved successfully to "C:\Users\slava\Desktop\aswMBR.txt"

#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Location:Puerto rico

Posted 27 May 2012 - 11:48 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Folder::
C:\Users\slava\AppData\Local\{8b643262-c77b-1011-41ef-128122dcde78}

File::
C:\Users\slava\AppData\Local\VirtualStore\Windows\SysWOW64\winiot32.rom
C:\Users\slava\AppData\Local\VirtualStore\Windows\SysWOW64\winrgx32.rom

FireFox::
FF - ProfilePath - c:\users\slava\AppData\Roaming\Mozilla\Firefox\Profiles\0towfyud.default\
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: keyword.URL - hxxp://search.babylon.com/?babsrc=adbartrp&affID=107763&mntrId=1c012b7100000000000000248cde0296&q=

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
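
The CFScript above removes the `{8b643262-c77b-1011-41ef-128122dcde78}` folder as a whole, deletes the two VirtualStore `.rom` files one by one, and resets the Firefox prefs that Babylon changed. aswMBR labelled the `n` file Win32:Sirefef-PL; Sirefef is the detection name for ZeroAccess, and that family's user-mode variant of this period lives in a `{GUID}` folder under AppData\Local holding `@`, `n` and `U\`/`L\` subfolders of `.@` files, which is exactly the layout in the log. As an added example (not a tool from this thread and not ComboFix's own logic), the Python below parses aswMBR `**INFECTED**` lines, recognises that layout so the whole container goes under `Folder::` rather than file by file, flags `keyword.URL` and a non-allow-listed `browser.search.selectedEngine` in prefs.js, and prints the three CFScript sections in the same form as the post. The sample log and prefs lines are constructed to mirror this thread, and the search-engine allow-list is an assumption.

```python
"""Added example: map aswMBR findings and Firefox prefs to the CFScript sections
used in the post above.  Not a tool from this thread; sample input is constructed."""
import re

# One **INFECTED** line per finding, in the form aswMBR writes them.
INFECTED_RE = re.compile(r"^\S+ File: (?P<path>.+?) \*\*INFECTED\*\* (?P<name>.+)$")

# ZeroAccess (Sirefef) user-mode layout: %LOCALAPPDATA%\{GUID}\ containing
# "@", "n", and U\ and L\ subfolders of eight-hex-digit ".@" files.
ZA_RE = re.compile(
    r"^(?P<root>.*\\AppData\\Local\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})"
    r"\\(?:[UL]\\[0-9a-f]{8}\.@|n|@)$",
    re.IGNORECASE,
)

# user_pref("name", "value");  -- only string-valued prefs matter here.
PREF_RE = re.compile(r'^user_pref\("(?P<key>[^"]+)",\s*"(?P<val>[^"]*)"\);')
KNOWN_ENGINES = {"Google", "Yahoo", "Bing"}  # assumption: the analyst's allow-list

# Constructed excerpt in the shape of the aswMBR log above (three findings, one noise line).
SAMPLE_ASWMBR = r"""00:08:03.614 File: C:\Users\slava\AppData\Local\VirtualStore\Windows\SysWOW64\winiot32.rom **INFECTED** Win32:Nebuler-X [Trj]
00:08:03.837 File: C:\Users\slava\AppData\Local\{8b643262-c77b-1011-41ef-128122dcde78}\L\80000032.@ **INFECTED** Win32:DNSChanger-VJ [Trj]
00:08:03.881 File: C:\Users\slava\AppData\Local\{8b643262-c77b-1011-41ef-128122dcde78}\n **INFECTED** Win32:Sirefef-PL [Rtk]
00:04:25.388 AVAST engine scan C:\Windows\system32
"""

# Constructed prefs.js lines matching what DDS reported for this profile.
SAMPLE_PREFS = """\
user_pref("browser.search.selectedEngine", "Search the web (Babylon)");
user_pref("browser.startup.homepage", "http://www.yahoo.com/?ilc=1");
user_pref("keyword.URL", "http://search.babylon.com/?babsrc=adbartrp&q=");
user_pref("network.proxy.type", 0);
"""


def parse_infected(log_text):
    """Return [(path, detection)] for every **INFECTED** line in an aswMBR log."""
    hits = []
    for line in log_text.splitlines():
        m = INFECTED_RE.match(line)
        if m:
            hits.append((m.group("path"), m.group("name")))
    return hits


def zeroaccess_roots(paths):
    """Container folders whose member files match the ZeroAccess layout."""
    roots = set()
    for p in paths:
        m = ZA_RE.match(p)
        if m:
            roots.add(m.group("root"))
    return sorted(roots)


def suspicious_prefs(prefs_text):
    """Prefs that send URL-bar or search traffic somewhere other than the expected engine."""
    found = {}
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        key, val = m.group("key"), m.group("val")
        if key == "keyword.URL":  # any value at all overrides the built-in default
            found[key] = val
        elif key == "browser.search.selectedEngine" and val not in KNOWN_ENGINES:
            found[key] = val
    return found


def build_cfscript(hits, prefs, profile_path):
    """Emit Folder::/File::/FireFox:: sections in the layout the helper used above."""
    roots = zeroaccess_roots(p for p, _ in hits)

    def under_root(p):
        return any(p.lower().startswith(r.lower() + "\\") for r in roots)

    loose = [p for p, _ in hits if not under_root(p)]  # files not covered by a Folder:: entry
    out = []
    if roots:
        out += ["Folder::", *roots, ""]
    if loose:
        out += ["File::", *loose, ""]
    if prefs:
        out += ["FireFox::", f"FF - ProfilePath - {profile_path}"]
        out += [f"FF - prefs.js: {k} - {v}" for k, v in prefs.items()]
    return "\n".join(out)


if __name__ == "__main__":
    found = parse_infected(SAMPLE_ASWMBR)
    print(build_cfscript(found, suspicious_prefs(SAMPLE_PREFS),
                         "c:\\users\\slava\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\0towfyud.default\\"))
```

Run it as a script to see the generated sections; on a real case, feed it the saved aswMBR.txt and the profile's prefs.js and review the output before handing anything to ComboFix, since the folder rule only knows the one layout shown in this thread.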

#9 slavabusy
  • Topic Starter

  • Members
  • 28 posts

Posted 28 May 2012 - 03:18 AM

Gringo, you are awesome! It is much better now, no redirection, everything seems to work fine.
Also, I saw a few weird-named folders under Users/slava/Appdata/*** such as Alibaba, Babylon and a few others.
Is it safe for Windows operation to delete any folders there?

ComboFix 12-05-27.03 - slava 05/28/2012 1:43.3.2 - x64
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.6109.4837 [GMT -4:00]
Running from: c:\users\slava\Desktop\Combo-Fix.exe
Command switches used :: c:\users\slava\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\slava\AppData\Local\VirtualStore\Windows\SysWOW64\winiot32.rom"
"c:\users\slava\AppData\Local\VirtualStore\Windows\SysWOW64\winrgx32.rom"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\slava\AppData\Local\{8b643262-c77b-1011-41ef-128122dcde78}
c:\users\slava\AppData\Local\{8b643262-c77b-1011-41ef-128122dcde78}\@
c:\users\slava\AppData\Local\{8b643262-c77b-1011-41ef-128122dcde78}\L\00000004.@
c:\users\slava\AppData\Local\{8b643262-c77b-1011-41ef-128122dcde78}\L\1afb2d56
c:\users\slava\AppData\Local\{8b643262-c77b-1011-41ef-128122dcde78}\L\80000032.@
c:\users\slava\AppData\Local\{8b643262-c77b-1011-41ef-128122dcde78}\n
c:\users\slava\AppData\Local\{8b643262-c77b-1011-41ef-128122dcde78}\U\00000004.@
c:\users\slava\AppData\Local\{8b643262-c77b-1011-41ef-128122dcde78}\U\000000cb.@
c:\users\slava\AppData\Local\{8b643262-c77b-1011-41ef-128122dcde78}\U\80000000.@
c:\users\slava\AppData\Local\{8b643262-c77b-1011-41ef-128122dcde78}\U\80000032.@
c:\users\slava\AppData\Local\{8b643262-c77b-1011-41ef-128122dcde78}\U\80000064.@
c:\users\slava\AppData\Local\VirtualStore\Windows\SysWOW64\winiot32.rom
c:\users\slava\AppData\Local\VirtualStore\Windows\SysWOW64\winrgx32.rom
.
.
((((((((((((((((((((((((( Files Created from 2012-04-28 to 2012-05-28 )))))))))))))))))))))))))))))))
.
.
2012-05-28 05:49 . 2012-05-28 05:49 -------- d-----w- c:\users\Guest\AppData\Local\temp
2012-05-28 05:49 . 2012-05-28 05:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-26 10:51 . 2012-05-26 11:57 -------- d-----w- C:\Combo-Fix
2012-05-26 03:54 . 2012-05-26 05:31 -------- d-----w- c:\program files (x86)\McAfee Security Scan
2012-05-26 03:54 . 2012-05-26 03:54 -------- d-----w- c:\programdata\McAfee
2012-05-25 04:50 . 2012-05-26 06:48 -------- d-----w- c:\programdata\HitmanPro
2012-05-25 00:10 . 2012-05-25 00:10 -------- d-----w- c:\windows\SysWow64\%APPDATA%
2012-05-14 10:47 . 2012-05-15 08:44 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{ACBA8227-86EB-484C-AF42-0A721B0FFC61}\offreg.dll
2012-05-12 22:41 . 2012-05-12 22:41 -------- d-----w- c:\users\slava\AppData\Roaming\Media Player Classic
2012-05-12 07:14 . 2012-03-03 06:35 1544704 ----a-w- c:\windows\system32\DWrite.dll
2012-05-12 07:14 . 2012-03-03 05:31 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-05-12 07:14 . 2012-03-31 06:05 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-12 07:14 . 2012-03-31 03:10 3146240 ----a-w- c:\windows\system32\win32k.sys
2012-05-12 07:14 . 2012-03-31 04:39 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-05-12 07:14 . 2012-03-31 04:39 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-12 07:13 . 2012-03-30 11:35 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-12 07:13 . 2012-03-17 07:58 75120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-12 07:13 . 2012-03-31 05:42 1732096 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2012-05-12 07:13 . 2012-03-31 05:40 1367552 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-12 07:13 . 2012-03-31 05:40 1393664 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2012-05-12 07:13 . 2012-03-31 04:29 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-12 07:13 . 2012-03-31 05:40 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2012-05-03 01:59 . 2012-05-26 05:32 -------- d-----w- c:\users\slava\AppData\Local\{A5669FDC-94C3-11E1-826D-B8AC6F996F26}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-04 03:32 . 2010-09-21 19:11 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-03-01 06:46 . 2012-04-24 07:00 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-03-01 06:38 . 2012-04-24 07:00 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-03-01 06:33 . 2012-04-24 07:00 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-03-01 06:28 . 2012-04-24 07:00 5120 ----a-w- c:\windows\system32\wmi.dll
2012-03-01 05:37 . 2012-04-24 07:00 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-03-01 05:33 . 2012-04-24 07:00 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-03-01 05:29 . 2012-04-24 07:00 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-03-01 00:32 . 2012-03-01 00:32 14646304 ----a-w- c:\program files (x86)\Common Files\lpuninstall.exe
2012-02-28 06:56 . 2012-04-24 07:03 2311168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 06:49 . 2012-04-24 07:03 1390080 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 06:48 . 2012-04-24 07:03 1493504 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 06:42 . 2012-04-24 07:03 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2008-06-12 06:15 . 2010-07-29 18:21 245408 ----a-w- c:\program files\unicows.dll
2008-05-06 10:23 . 2010-07-29 18:21 189808 ----a-w- c:\program files\AutoPlay.exe
2011-09-26 01:23 2169856 --sha-w- c:\windows\System32\hale.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-05-26_11.35.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-01 03:05 . 2012-05-28 05:53 53868 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-05-28 05:53 39102 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-04-01 02:50 . 2012-05-28 05:53 14444 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4086009842-4173814806-1320277029-1000_UserData.bin
- 2012-05-26 11:33 . 2012-05-26 11:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-05-28 05:51 . 2012-05-28 05:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-05-28 05:51 . 2012-05-28 05:51 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-05-26 11:33 . 2012-05-26 11:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2012-05-26 10:47 627104 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-05-27 03:35 627104 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-05-26 10:47 107420 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2012-05-27 03:35 107420 c:\windows\system32\perfc009.dat
+ 2009-07-14 05:01 . 2012-05-28 05:50 538532 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-05-26 11:32 538532 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2010-11-01 23:31 . 2012-05-28 03:29 4503008 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4086009842-4173814806-1320277029-1000-8192.dat
- 2010-11-01 23:31 . 2012-05-26 11:32 4503008 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4086009842-4173814806-1320277029-1000-8192.dat
+ 2012-05-27 18:39 . 2012-05-27 18:39 53217792 c:\windows\Installer\45666.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\users\slava\AppData\Local\Akamai\netsession_win.exe" [2012-05-08 3331872]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
"Adobe Acrobat Speed Launcher"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-09-07 40376]
"Acrobat Assistant 8.0"="c:\program files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 eamonm;eamonm;c:\windows\system32\DRIVERS\eamonm.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-29 136176]
R2 SkypeUpdate;Skype Updater;c:\program files (x86)\Skype\Updater\Updater.exe [2012-01-31 158856]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-29 136176]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\DRIVERS\netr28x.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 ssmirrdr;ssmirrdr;c:\windows\system32\DRIVERS\ssmirrdr.sys [x]
R3 SwitchBoard;Adobe SwitchBoard;c:\program files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2010-02-19 517096]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 27136]
S2 PanService;PandoraService;c:\program files (x86)\PANDORA.TV\PanService\PandoraService.exe [2012-04-06 624856]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{2D46B6DC-2207-486B-B523-A557E6D54B47}]
2010-11-20 12:17 302592 ----a-w- c:\windows\System32\cmd.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-29 14:17]
.
2012-05-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-29 14:17]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-02 2710856]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-05-23 7833120]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-05-23 1833504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-11 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-11 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-11 417304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>
IE: LastPass - file://c:\program files (x86)\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files (x86)\LastPass\context.html?cmd=fillforms
Trusted Zone: alipay.com
Trusted Zone: alisoft.com
Trusted Zone: craigslist.org\post
Trusted Zone: taobao.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
FF - ProfilePath - c:\users\slava\AppData\Roaming\Mozilla\Firefox\Profiles\0towfyud.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?ilc=1
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{5B291E6C-9A74-4034-971B-A4B007A0B315} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_6c825ce.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil11e_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash11e.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
.
**************************************************************************
.
Completion time: 2012-05-28 01:56:50 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-28 05:56
ComboFix2.txt 2012-05-27 20:16
ComboFix3.txt 2012-05-26 11:57
.
Pre-Run: 264,464,564,224 bytes free
Post-Run: 264,287,948,800 bytes free
.
- - End Of File - - 5F46A3284ECEAB384C3902D0E240202E
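
A helper reads the ComboFix report above by eye: the Run keys, the service list, the Find3M file list and the IE zone settings. As an added example (not ComboFix's own logic and not a tool from this thread), the Python below applies a few review heuristics to a constructed excerpt of that report: Run entries that launch from a user profile, a non-empty AppInit_DLLs value, files carrying both the hidden and system attributes, IE Trusted Zone and ProxyOverride settings, and svchost-hosted services whose ServiceDll lies outside the Windows directory. That last rule matches the Akamai entry with its forward-slash path, the same item TDSSKiller reported as HiddenFile.Multi.Generic and the poster chose to skip. Each hit is something to look at, not a verdict: Akamai NetSession is a commercial download-manager component, the AppInit DLL here sits under System32, and a hidden system file in System32 may well be benign; the analyst decides. The list of paths treated as user-writable is an assumption.

```python
"""Added example: review heuristics over ComboFix report lines.  Not ComboFix's own
logic and not a tool from this thread; the excerpt below is constructed from the
report above and only surfaces items for a human to judge."""
import re

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.*)$')
# "<date> <time> [. <date> <time>] <size|--------> <attrs> <path>"  (Find3M / Files Created)
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:\. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+)?"
    r"(?P<size>\d+|-+)\s+(?P<attr>[-a-z]{8})\s+(?P<path>.+)$"
)
USER_WRITABLE = ("\\users\\", "\\temp\\")  # assumption: profile and temp dirs count as user-writable

# Constructed excerpt of the ComboFix report above (one line per heuristic, plus benign lines).
SAMPLE_COMBOFIX = r"""[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Akamai NetSession Interface"="c:\users\slava\AppData\Local\Akamai\netsession_win.exe" [2012-05-08 3331872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser64.dll

2012-05-12 07:14 . 2012-03-03 06:35 1544704 ----a-w- c:\windows\system32\DWrite.dll
2011-09-26 01:23 2169856 --sha-w- c:\windows\System32\hale.exe

uInternet Settings,ProxyOverride = 127.0.0.1:9421;<local>
Trusted Zone: alipay.com

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Akamai]
"ServiceDll"="c:\program files (x86)\common files\akamai/netsession_win_6c825ce.dll"
"""


def value_path(val):
    """'"c:\\x\\y.exe" [2012-05-08 3331872]' -> 'c:\\x\\y.exe'; unquoted values pass through."""
    val = val.strip()
    if val.startswith('"'):
        return val[1:val.find('"', 1)]
    return val.split(" [")[0]


def is_user_writable(path):
    p = path.lower()
    return any(tok in p for tok in USER_WRITABLE)


def triage(report_text):
    """Return [(category, detail)] for lines a reviewer should look at, in report order."""
    findings = []
    current_key = ""
    for raw in report_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()  # context for the "name"=value lines that follow
            continue
        m = VALUE_RE.match(line)
        if m:
            name, path = m.group("name"), value_path(m.group("val"))
            if current_key.endswith("\\run") and is_user_writable(path):
                findings.append(("Run entry launching from a user-writable path", f"{name} -> {path}"))
            elif name.lower() == "appinit_dlls" and path:
                findings.append(("AppInit_DLLs set (loaded by every process that loads user32)", path))
            elif name.lower() == "servicedll" and not path.lower().startswith("c:\\windows\\"):
                svc = current_key.rsplit("\\", 1)[-1]
                findings.append(("svchost-hosted service DLL outside the Windows directory", f"{svc} -> {path}"))
            continue
        m = FILE_RE.match(line)
        if m and m.group("size").isdigit() and {"s", "h"} <= set(m.group("attr")):
            findings.append(("file with hidden+system attributes", m.group("path")))
        elif line.startswith("Trusted Zone:"):
            findings.append(("IE Trusted Zone entry", line.split(":", 1)[1].strip()))
        elif "ProxyOverride" in line:
            findings.append(("IE ProxyOverride set", line.split("=", 1)[1].strip()))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_COMBOFIX):
        print(f"[{category}] {detail}")
```

Point it at a saved ComboFix.txt and it lists the items in the order they appear in the report; the FILE_RE pattern accepts both the two-timestamp "Files Created" lines and the single-timestamp form seen for hale.exe above.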

#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Location:Puerto rico

Posted 28 May 2012 - 03:23 AM

Hello

such Alibaba, Babylon and few others. - I will take care of them next

Lets get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo

#11 slavabusy
  • Topic Starter

  • Members
  • 28 posts

Posted 28 May 2012 - 04:19 AM

OTL - it is


OTL logfile created on: 5/28/2012 5:09:23 AM - Run 1
OTL by OldTimer - Version 3.2.43.2 Folder = C:\Users\slava\Desktop
64bit- Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

5.97 Gb Total Physical Memory | 3.46 Gb Available Physical Memory | 57.95% Memory free
11.93 Gb Paging File | 9.43 Gb Available in Paging File | 79.07% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 586.06 Gb Total Space | 245.40 Gb Free Space | 41.87% Space Free | Partition Type: NTFS
Drive D: | 4.38 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: SLAVA-PC | User Name: slava | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Users\slava\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Users\slava\AppData\Local\Akamai\netsession_win.exe (Akamai Technologies, Inc)
PRC - C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe (Pandora.TV)
PRC - C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe (Adobe Systems Inc.)
PRC - C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV:64bit: - (WinDefend) -- C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SRV:64bit: - (AppMgmt) -- C:\Windows\SysNative\appmgmts.dll (Microsoft Corporation)
SRV - (PanService) -- C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe (Pandora.TV)
SRV - (Akamai) -- c:\program files (x86)\common files\akamai/netsession_win_6c825ce.dll ()
SRV - (SkypeUpdate) -- C:\Program Files (x86)\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (FLEXnet Licensing Service) -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (Acresso Software Inc.)
SRV - (clr_optimization_v4.0.30319_32) -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (Microsoft Corporation)
SRV - (SwitchBoard) -- C:\Program Files (x86)\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
SRV - (Nero BackItUp Scheduler 4.0) -- C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe (Nero AG)
SRV - (clr_optimization_v2.0.50727_32) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV:64bit: - (Fs_Rec) -- C:\Windows\SysNative\drivers\fs_rec.sys (Microsoft Corporation)
DRV:64bit: - (SCDEmu) -- C:\Windows\SysNative\drivers\scdemu.sys (PowerISO Computing, Inc.)
DRV:64bit: - (USBAAPL64) -- C:\Windows\SysNative\drivers\usbaapl64.sys (Apple, Inc.)
DRV:64bit: - (ssmirrdr) -- C:\Windows\SysNative\drivers\ssmirrdr.sys (support.com, Inc)
DRV:64bit: - (amdsata) -- C:\Windows\SysNative\drivers\amdsata.sys (Advanced Micro Devices)
DRV:64bit: - (amdxata) -- C:\Windows\SysNative\drivers\amdxata.sys (Advanced Micro Devices)
DRV:64bit: - (igfx) -- C:\Windows\SysNative\drivers\igdkmd64.sys (Intel Corporation)
DRV:64bit: - (HpSAMD) -- C:\Windows\SysNative\drivers\HpSAMD.sys (Hewlett-Packard Company)
DRV:64bit: - (TsUsbFlt) -- C:\Windows\SysNative\drivers\TsUsbFlt.sys (Microsoft Corporation)
DRV:64bit: - (RdpVideoMiniport) -- C:\Windows\SysNative\drivers\rdpvideominiport.sys (Microsoft Corporation)
DRV:64bit: - (RTL8167) -- C:\Windows\SysNative\drivers\Rt64win7.sys (Realtek )
DRV:64bit: - (amdsbs) -- C:\Windows\SysNative\drivers\amdsbs.sys (AMD Technologies Inc.)
DRV:64bit: - (LSI_SAS2) -- C:\Windows\SysNative\drivers\lsi_sas2.sys (LSI Corporation)
DRV:64bit: - (stexstor) -- C:\Windows\SysNative\drivers\stexstor.sys (Promise Technology)
DRV:64bit: - (PxHlpa64) -- C:\Windows\SysNative\drivers\PxHlpa64.sys (Sonic Solutions)
DRV:64bit: - (ebdrv) -- C:\Windows\SysNative\drivers\evbda.sys (Broadcom Corporation)
DRV:64bit: - (b06bdrv) -- C:\Windows\SysNative\drivers\bxvbda.sys (Broadcom Corporation)
DRV:64bit: - (b57nd60a) -- C:\Windows\SysNative\drivers\b57nd60a.sys (Broadcom Corporation)
DRV:64bit: - (hcw85cir) -- C:\Windows\SysNative\drivers\hcw85cir.sys (Hauppauge Computer Works, Inc.)
DRV:64bit: - (netr28x) -- C:\Windows\SysNative\drivers\netr28x.sys (Ralink Technology, Corp.)
DRV:64bit: - (adfs) -- C:\Windows\SysNative\drivers\adfs.sys (Adobe Systems, Inc.)
DRV:64bit: - (MTsensor) -- C:\Windows\SysNative\drivers\ASACPI.sys ()
DRV - (WIMMount) -- C:\Windows\SysWOW64\drivers\wimmount.sys (Microsoft Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE:64bit: - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
IE - HKLM\..\SearchScopes,DefaultScope = Yandex
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\Yandex: "URL" = http://yandex.ru/yandsearch?clid=163298&text={searchTerms}


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>



IE - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7E F9 FE FE C7 77 CB 01 [binary data]
IE - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\..\SearchScopes,DefaultScope = {D4F96DD4-1691-4CCA-AA18-6D1F9F9139A7}
IE - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=SP_ss&affID=107763&mntrId=1c012b7100000000000000248cde0296
IE - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\..\SearchScopes\{1E54CAE4-9F5D-42DB-B21F-6FA36A8E7C43}: "URL" = http://en.wikipedia.org/w/index.php?title=Special:Search&search={searchTerms}
IE - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\..\SearchScopes\{645701DB-0A59-AE3F-8D62-BAA040AFB663}: "URL" = http://www.bing.com/search?q={searchTerms}&pc=Z007&form=ZGAIDF
IE - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\..\SearchScopes\{BE5BF1BE-D2EF-4A36-9152-E1CEF08D2BE0}: "URL" = http://rover.ebay.com/rover/1/711-43047-14818-1/4?satitle={searchTerms}
IE - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\..\SearchScopes\{D4F96DD4-1691-4CCA-AA18-6D1F9F9139A7}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
IE - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\..\SearchScopes\Yandex: "URL" = http://yandex.ru/yandsearch?clid=163298&text={searchTerms}
IE - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1:9421;<local>

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/?ilc=1"
FF - prefs.js..extensions.enabledItems: support@lastpass.com:1.70.0
FF - prefs.js..extensions.enabledItems: yasearch@yandex.ru:5.0.3
FF - prefs.js..network.proxy.type: 0
FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
FF - user.js - File not found

FF:64bit: - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@canon.com/EPPEX: C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL (CANON INC.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: C:\Windows\system32\Wat\npWatWeb.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Acrobat: C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\{@alibaba.com/alisetup;version=1.0}: C:\Users\slava\AppData\Local\Alibaba\AliSetup\0.1.0.52\npAliSetupOneClick.dll (alibaba)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2012/05/26 01:31:48 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2012/05/26 01:31:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{A5669FDC-94C3-11E1-826D-B8AC6F996F26}: C:\Users\slava\AppData\Local\{A5669FDC-94C3-11E1-826D-B8AC6F996F26}\ [2012/05/26 01:32:35 | 000,000,000 | ---D | M]

[2010/11/02 04:47:09 | 000,000,000 | ---D | M] (No name found) -- C:\Users\slava\AppData\Roaming\Mozilla\Extensions
[2012/05/26 02:56:27 | 000,000,000 | ---D | M] (No name found) -- C:\Users\slava\AppData\Roaming\Mozilla\Firefox\Profiles\0towfyud.default\extensions
[2012/05/26 01:32:41 | 000,000,000 | ---D | M] (Babylon) -- C:\Users\slava\AppData\Roaming\Mozilla\Firefox\Profiles\0towfyud.default\extensions\ffxtlbr@babylon.com
[2012/05/26 01:32:41 | 000,000,000 | ---D | M] (LastPass) -- C:\Users\slava\AppData\Roaming\Mozilla\Firefox\Profiles\0towfyud.default\extensions\support@lastpass.com
[2012/05/26 01:32:42 | 000,000,000 | ---D | M] (Яндекс.Бар) -- C:\Users\slava\AppData\Roaming\Mozilla\Firefox\Profiles\0towfyud.default\extensions\yasearch@yandex.ru
[2011/02/23 17:56:01 | 000,000,000 | ---D | M] (No name found) -- C:\Users\slava\AppData\Roaming\Mozilla\Firefox\Profiles\0towfyud.default\extensions\yasearch@yandex.ru\chrome\skin\extensions-hacks
[2012/05/26 01:31:49 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/05/26 01:31:49 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2012/05/26 01:31:49 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2012/05/26 01:31:49 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA}
[2011/10/03 06:06:04 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npdeployJava1.dll
[2011/07/29 09:33:40 | 000,108,480 | ---- | M] ( ) -- C:\Program Files (x86)\mozilla firefox\plugins\npwangwang.dll
[2011/09/25 21:16:33 | 000,002,288 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\19.0.1084.52\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\19.0.1084.52\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\19.0.1084.52\gcswf32.dll
CHR - plugin: Shockwave Flash (Disabled) = C:\Users\slava\AppData\Local\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
CHR - plugin: registryAccess (Enabled) = C:\Users\slava\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaoggiphohkihibdkcnhnokmkfmhnj\7.14.0.0_0\background/registryAccess.dll
CHR - plugin: NPLastPass (Enabled) = C:\Users\slava\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd\1.90.3_0\nplastpass.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U29 (Enabled) = C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.7 (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: AliWangWang Plug-In For Firefox and Netscape (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npwangwang.dll
CHR - plugin: Google Earth Plugin (Enabled) = C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: CANON iMAGE GATEWAY Album Plugin Utility (Enabled) = C:\Program Files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
CHR - plugin: alibaba setup one click (Enabled) = C:\Users\slava\AppData\Local\Alibaba\AliSetup\0.1.0.52\npAliSetupOneClick.dll
CHR - plugin: Windows Activation Technologies (Enabled) = C:\Windows\system32\Wat\npWatWeb.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrl.dll
CHR - Extension: YouTube = C:\Users\slava\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Users\slava\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: LastPass = C:\Users\slava\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd\1.90.7_0\
CHR - Extension: Gmail = C:\Users\slava\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/05/28 01:52:18 | 000,000,027 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2:64bit: - BHO: (LastPass Browser Helper Object) - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPBar64.dll (LastPass)
O2 - BHO: (Canon Easy-WebPrint EX BHO) - {3785D0AD-BFFF-47F6-BF5B-A587C162FED9} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexbho.dll (CANON INC.)
O2 - BHO: (LastPass Browser Helper Object) - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Program Files (x86)\LastPass\LPBar.dll (LastPass)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3:64bit: - HKLM\..\Toolbar: (LastPass Toolbar) - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPBar64.dll (LastPass)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O3 - HKLM\..\Toolbar: (LastPass Toolbar) - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Program Files (x86)\LastPass\LPBar.dll (LastPass)
O3 - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\..\Toolbar\WebBrowser: (Canon Easy-WebPrint EX) - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} - C:\Program Files (x86)\Canon\Easy-WebPrint EX\ewpexhlp.dll (CANON INC.)
O4:64bit: - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4:64bit: - HKLM..\Run: [HotKeysCmds] C:\Windows\SysNative\hkcmd.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [IgfxTray] C:\Windows\SysNative\igfxtray.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [Persistence] C:\Windows\SysNative\igfxpers.exe (Intel Corporation)
O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
O4:64bit: - HKLM..\Run: [Skytel] C:\Program Files\Realtek\Audio\HDA\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000..\Run: [Akamai NetSession Interface] C:\Users\slava\AppData\Local\Akamai\netsession_win.exe (Akamai Technologies, Inc)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutorun = 0
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutorun = 0
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8:64bit: - Extra context menu item: LastPass - file://C:\Program Files (x86)\LastPass\context.html?cmd=lastpass File not found
O8:64bit: - Extra context menu item: LastPass Fill Forms - file://C:\Program Files (x86)\LastPass\context.html?cmd=fillforms File not found
O8 - Extra context menu item: LastPass - file://C:\Program Files (x86)\LastPass\context.html?cmd=lastpass File not found
O8 - Extra context menu item: LastPass Fill Forms - file://C:\Program Files (x86)\LastPass\context.html?cmd=fillforms File not found
O9:64bit: - Extra Button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPBar64.dll (LastPass)
O9:64bit: - Extra 'Tools' menuitem : LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPBar64.dll (LastPass)
O9 - Extra Button: LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPBar.dll (LastPass)
O9 - Extra 'Tools' menuitem : LastPass - {43699cd0-e34f-11de-8a39-0800200c9a66} - C:\Program Files (x86)\LastPass\LPBar.dll (LastPass)
O15 - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\..Trusted Domains: alipay.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\..Trusted Domains: alipay.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\..Trusted Domains: alisoft.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\..Trusted Domains: alisoft.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\..Trusted Domains: craigslist.org ([post] https in Trusted sites)
O15 - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\..Trusted Domains: taobao.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\..Trusted Domains: taobao.com ([]https in Trusted sites)
O16:64bit: - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16:64bit: - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Reg Error: Key error.)
O16:64bit: - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 75.75.75.75 75.75.76.76
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{0C25C74E-5418-4D60-A248-13F43CD275F7}: DhcpNameServer = 68.87.73.246 68.87.71.230
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DCDEC854-8F68-44B6-9433-0B3F49C4F731}: DhcpNameServer = 75.75.75.75 75.75.76.76
O18:64bit: - Protocol\Handler\grooveLocalGWS - No CLSID value found
O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20:64bit: - AppInit_DLLs: (C:\Windows\System32\acaptuser64.dll) - C:\Windows\SysNative\acaptuser64.dll (Adobe Systems, Inc.)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysNative\userinit.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\SysWOW64\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20:64bit: - Winlogon\Notify\igfxcui: DllName - (igfxdev.dll) - C:\Windows\SysNative\igfxdev.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2012/01/16 23:45:56 | 000,000,000 | RH-- | M] () - D:\autorun.wbcat -- [ UDF ]
O32 - AutoRun File - [2012/01/16 23:45:56 | 000,000,128 | ---- | M] () - D:\autorun.inf -- [ UDF ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = ComFile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2012/05/28 05:05:32 | 000,595,968 | ---- | C] (OldTimer Tools) -- C:\Users\slava\Desktop\OTL.exe
[2012/05/28 02:18:14 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2012/05/28 01:56:52 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2012/05/27 23:29:02 | 001,932,256 | ---- | C] (Symantec Corporation) -- C:\Users\slava\Desktop\FixTDSS.exe
[2012/05/27 18:28:55 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Users\slava\Desktop\aswMBR.exe
[2012/05/27 18:28:45 | 002,126,936 | ---- | C] (Kaspersky Lab ZAO) -- C:\Users\slava\Desktop\tdsskiller.exe
[2012/05/27 15:06:45 | 000,000,000 | ---D | C] -- C:\Combo-Fix14731C
[2012/05/26 23:34:43 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\slava\Desktop\dds.scr
[2012/05/26 06:52:16 | 000,518,144 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2012/05/26 06:52:16 | 000,406,528 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2012/05/26 06:52:16 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2012/05/26 06:51:07 | 000,000,000 | ---D | C] -- C:\Combo-Fix
[2012/05/26 06:48:29 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2012/05/26 06:46:14 | 004,529,739 | R--- | C] (Swearware) -- C:\Users\slava\Desktop\Combo-Fix.exe
[2012/05/26 04:29:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPlay 3
[2012/05/26 04:26:45 | 000,000,000 | ---D | C] -- C:\Users\slava\Desktop\RK_Quarantine
[2012/05/26 04:22:56 | 000,000,000 | ---D | C] -- C:\Users\slava\Desktop\Tweaking.com - Unhide Non System Files
[2012/05/26 01:47:13 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/05/26 00:02:19 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/05/25 23:54:55 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\McAfee Security Scan
[2012/05/25 23:54:52 | 000,000,000 | ---D | C] -- C:\ProgramData\McAfee
[2012/05/25 00:50:45 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
[2012/05/24 23:54:44 | 000,000,000 | ---D | C] -- C:\Users\slava\Desktop\Chameleon
[2012/05/24 20:10:59 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\%APPDATA%
[2012/05/24 18:20:30 | 000,000,000 | ---D | C] -- C:\Users\slava\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data Recovery
[2012/05/12 18:41:00 | 000,000,000 | ---D | C] -- C:\Users\slava\AppData\Roaming\Media Player Classic
[2012/05/12 03:14:15 | 001,544,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\DWrite.dll
[2012/05/12 03:14:13 | 005,559,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\ntoskrnl.exe
[2012/05/12 03:14:12 | 003,913,072 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntoskrnl.exe
[2012/05/12 03:14:11 | 003,968,368 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\ntkrnlpa.exe
[2012/05/02 21:59:44 | 000,000,000 | ---D | C] -- C:\Users\slava\AppData\Local\{A5669FDC-94C3-11E1-826D-B8AC6F996F26}
[2012/02/29 20:32:20 | 014,646,304 | ---- | C] (LastPass) -- C:\Program Files (x86)\Common Files\lpuninstall.exe
[2010/07/29 14:21:54 | 000,245,408 | ---- | C] (Microsoft Corporation) -- C:\Program Files\unicows.dll
[2010/07/29 14:21:54 | 000,189,808 | ---- | C] (Adobe Systems Incorporated) -- C:\Program Files\AutoPlay.exe
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/05/28 05:07:00 | 000,000,896 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/05/28 05:06:15 | 000,036,544 | ---- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2012/05/28 05:06:15 | 000,036,544 | ---- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2012/05/28 05:02:08 | 000,595,968 | ---- | M] (OldTimer Tools) -- C:\Users\slava\Desktop\OTL.exe
[2012/05/28 03:10:40 | 000,000,512 | ---- | M] () -- C:\Users\slava\Desktop\MBR.dat
[2012/05/28 03:02:55 | 000,744,410 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
[2012/05/28 03:02:55 | 000,627,104 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
[2012/05/28 03:02:55 | 000,107,420 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
[2012/05/28 02:18:12 | 000,000,892 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/05/28 02:06:08 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/05/28 02:06:02 | 509,435,903 | -HS- | M] () -- C:\hiberfil.sys
[2012/05/28 01:52:18 | 000,000,027 | ---- | M] () -- C:\Windows\SysNative\drivers\etc\hosts
[2012/05/28 01:42:28 | 004,529,739 | R--- | M] (Swearware) -- C:\Users\slava\Desktop\Combo-Fix.exe
[2012/05/27 23:26:22 | 001,932,256 | ---- | M] (Symantec Corporation) -- C:\Users\slava\Desktop\FixTDSS.exe
[2012/05/27 18:25:38 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Users\slava\Desktop\aswMBR.exe
[2012/05/27 18:25:04 | 002,126,936 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\slava\Desktop\tdsskiller.exe
[2012/05/26 23:36:28 | 000,000,000 | ---- | M] () -- C:\Users\slava\defogger_reenable
[2012/05/26 04:24:52 | 001,489,920 | ---- | M] () -- C:\Users\slava\Desktop\RogueKiller.exe
[2012/05/26 04:22:24 | 000,463,787 | ---- | M] () -- C:\Users\slava\Desktop\Tweaking.com-UnhideNonSystemFiles.exe
[2012/05/26 02:48:45 | 000,000,580 | ---- | M] () -- C:\Windows\SysNative\.crusader
[2012/05/26 01:47:14 | 000,001,113 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/05/13 04:11:25 | 005,063,624 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
[2012/05/11 03:47:43 | 000,005,120 | ---- | M] () -- C:\Users\slava\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012/05/06 23:43:15 | 000,000,291 | ---- | M] () -- C:\Users\slava\AppData\Roaming\default.rss
[2012/05/06 23:43:15 | 000,000,069 | ---- | M] () -- C:\Windows\NeroDigital.ini
[2012/05/03 15:44:01 | 000,743,538 | ---- | M] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/05/28 00:09:04 | 000,000,512 | ---- | C] () -- C:\Users\slava\Desktop\MBR.dat
[2012/05/27 14:39:18 | 000,852,401 | ---- | C] () -- C:\Users\slava\Desktop\SecurityCheck.exe
[2012/05/26 23:36:28 | 000,000,000 | ---- | C] () -- C:\Users\slava\defogger_reenable
[2012/05/26 23:34:35 | 000,050,477 | ---- | C] () -- C:\Users\slava\Desktop\Defogger.exe
[2012/05/26 06:52:16 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2012/05/26 06:52:16 | 000,208,896 | ---- | C] () -- C:\Windows\MBR.exe
[2012/05/26 06:52:16 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2012/05/26 06:52:16 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2012/05/26 06:52:16 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2012/05/26 04:24:52 | 001,489,920 | ---- | C] () -- C:\Users\slava\Desktop\RogueKiller.exe
[2012/05/26 04:22:24 | 000,463,787 | ---- | C] () -- C:\Users\slava\Desktop\Tweaking.com-UnhideNonSystemFiles.exe
[2012/05/26 02:48:45 | 000,000,580 | ---- | C] () -- C:\Windows\SysNative\.crusader
[2012/05/26 01:47:14 | 000,001,113 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2012/05/24 23:41:33 | 001,012,656 | ---- | C] () -- C:\Users\slava\Desktop\rkill.exe
[2012/05/03 15:44:01 | 000,743,538 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI
[2012/03/05 00:10:49 | 000,165,376 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll
[2012/02/27 20:54:56 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2012/01/07 12:23:30 | 000,085,504 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll
[2012/01/06 19:30:26 | 000,007,606 | ---- | C] () -- C:\Users\slava\AppData\Local\Resmon.ResmonCfg
[2011/11/29 14:14:32 | 000,098,304 | ---- | C] () -- C:\Windows\SysWow64\redmonnt.dll
[2011/07/12 19:55:52 | 000,005,120 | ---- | C] () -- C:\Users\slava\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/04/19 05:16:46 | 000,007,103 | ---- | C] () -- C:\Windows\mgxoschk.ini
[2011/03/22 16:04:10 | 000,010,622 | --S- | C] () -- C:\Users\slava\AppData\Local\cb5pbb6b8p5u6747fhi54qr7f673l
[2011/03/22 16:04:10 | 000,010,618 | --S- | C] () -- C:\ProgramData\cb5pbb6b8p5u6747fhi54qr7f673l
[2011/02/10 05:07:21 | 000,010,379 | ---- | C] () -- C:\Users\slava\AppData\Roaming\TheHunterSettings_live.bin
[2011/02/10 05:05:40 | 000,000,043 | ---- | C] () -- C:\Users\slava\AppData\Roaming\TheHunterSettings_live.cfg
[2010/11/02 04:46:50 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2010/08/25 20:34:30 | 000,982,240 | ---- | C] () -- C:\Windows\SysWow64\igkrng500.bin
[2010/08/25 20:34:30 | 000,439,308 | ---- | C] () -- C:\Windows\SysWow64\igcompkrng500.bin
[2010/08/25 20:34:30 | 000,092,356 | ---- | C] () -- C:\Windows\SysWow64\igfcg500m.bin
[2010/07/29 14:21:50 | 000,018,183 | ---- | C] () -- C:\Program Files\Lisezmoi.htm
[2010/07/29 14:21:50 | 000,017,015 | ---- | C] () -- C:\Program Files\Liesmich.htm
[2010/07/29 14:21:50 | 000,015,557 | ---- | C] () -- C:\Program Files\ReadMe.htm
[2010/06/09 01:02:28 | 000,320,000 | ---- | C] () -- C:\Windows\tsnp2uvc.exe
[2010/06/09 01:02:28 | 000,180,224 | ---- | C] ( ) -- C:\Windows\SysWow64\rsnp2uvc.dll

========== Files - Unicode (All) ==========
[2012/05/27 18:42:44 | 000,000,000 | ---D | M] -- C:\Users\slava\Desktop\Личностный Рост  (Russian: "Personal Growth")
[2012/05/26 01:32:50 | 000,000,000 | ---D | M] -- C:\Users\slava\Documents\Активатор Windows 7 Build 7600 RTM  (Russian: "Windows 7 Build 7600 RTM Activator")
[2012/05/24 02:14:03 | 000,000,000 | ---D | C] -- C:\Users\slava\Desktop\Личностный Рост  (Russian: "Personal Growth")
[2011/09/25 21:18:02 | 000,000,000 | ---D | C] -- C:\Users\slava\Documents\Активатор Windows 7 Build 7600 RTM  (Russian: "Windows 7 Build 7600 RTM Activator")

========== Alternate Data Streams ==========

@Alternate Data Stream - 188 bytes -> C:\ProgramData\TEMP:66633281
@Alternate Data Stream - 150 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
@Alternate Data Stream - 108 bytes -> C:\ProgramData\TEMP:0888F409

< End of report >
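
The OTL entries above can be triaged mechanically before anyone writes a fix script. The Python below is an added example written for this page; it is not part of the original thread and not code from OTL. It parses the two record formats that appear in the log (file entries and "@Alternate Data Stream" entries) and flags the patterns a responder would pick out by eye: streams attached to C:\ProgramData\TEMP, files with the system attribute set and no company name, and long extension-less names with high character entropy such as cb5pbb6b8p5u6747fhi54qr7f673l. The length and entropy thresholds are assumptions; the sample lines are copied from the log above, plus one line that matches neither format to show it is ignored.

```python
import math
import re
from collections import Counter

# OTL "Files Created/Modified" entry, exactly as printed in the log above:
#   [2011/03/22 16:04:10 | 000,010,618 | --S- | C] () -- C:\ProgramData\cb5pbb6b8p5u6747fhi54qr7f673l
# attrs is a 4-character field; a letter means that attribute is set (S = system, D = directory).
FILE_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# OTL alternate data stream entry:
#   @Alternate Data Stream - 188 bytes -> C:\ProgramData\TEMP:66633281
ADS_LINE = re.compile(
    r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>[A-Za-z]:\\[^:]+):(?P<stream>.+)$"
)

NAME_MIN_LEN = 20        # assumption: tunable threshold for the "random name" heuristic
NAME_MIN_ENTROPY = 3.5   # assumption: bits per character; product names sit well below this

# Lines copied from the OTL log above, plus one non-matching line (the *.tmp summary) to show it is skipped.
SAMPLE_LOG = [
    r"[2012/05/27 18:25:04 | 002,126,936 | ---- | M] (Kaspersky Lab ZAO) -- C:\Users\slava\Desktop\tdsskiller.exe",
    r"[2012/05/11 03:47:43 | 000,005,120 | ---- | M] () -- C:\Users\slava\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini",
    r"[2011/03/22 16:04:10 | 000,010,622 | --S- | C] () -- C:\Users\slava\AppData\Local\cb5pbb6b8p5u6747fhi54qr7f673l",
    r"[2011/03/22 16:04:10 | 000,010,618 | --S- | C] () -- C:\ProgramData\cb5pbb6b8p5u6747fhi54qr7f673l",
    r"[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]",
    r"@Alternate Data Stream - 188 bytes -> C:\ProgramData\TEMP:66633281",
    r"@Alternate Data Stream - 150 bytes -> C:\ProgramData\TEMP:DFC5A2B2",
    r"@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84",
    r"@Alternate Data Stream - 108 bytes -> C:\ProgramData\TEMP:0888F409",
]


def shannon_entropy(text):
    """Bits of entropy per character of a string (0.0 for empty or single-symbol input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Return a dict for an OTL file entry or ADS entry, or None for any other line."""
    m = FILE_LINE.match(line.strip())
    if m:
        d = m.groupdict()
        d["type"] = "file"
        d["size"] = int(d["size"].replace(",", ""))
        d["company"] = d["company"].strip()
        return d
    m = ADS_LINE.match(line.strip())
    if m:
        d = m.groupdict()
        d["type"] = "ads"
        d["size"] = int(d["size"])
        return d
    return None


def looks_random(name):
    """Long, extension-less, high-entropy basename: typical of dropped loader files."""
    return ("." not in name and len(name) >= NAME_MIN_LEN
            and shannon_entropy(name) > NAME_MIN_ENTROPY)


def triage(lines):
    """Map each suspicious path to the list of reasons it was flagged."""
    findings = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = []
        if entry["type"] == "ads":
            # Data in a named stream is invisible to ordinary directory listings and most scanners.
            reasons.append("alternate data stream %s (%d bytes)" % (entry["stream"], entry["size"]))
        else:
            name = entry["path"].rsplit("\\", 1)[-1]
            if "S" in entry["attrs"] and not entry["company"]:
                reasons.append("system attribute set, no company name")
            if looks_random(name):
                reasons.append("random-looking name (%.2f bits/char)" % shannon_entropy(name))
        if reasons:
            findings.setdefault(entry["path"], []).extend(reasons)
    return findings


if __name__ == "__main__":
    for path, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(path)
        for r in reasons:
            print("    -", r)
```

The two cb5pbb6b8p5u6747fhi54qr7f673l files are flagged twice (system attribute and random name) and C:\ProgramData\TEMP collects all four stream reasons, while the tool downloads and the .ini file pass. Treat the output as a worklist for manual review, not as a verdict: a hit says only that an entry matches a pattern that malware commonly uses.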

#12 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 May 2012 - 10:35 AM

Hello

Run this custom script and when it is complete I need to know how the computer is doing

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word Code
    :OTL
    FF - user.js - File not found
    O8:64bit: - Extra context menu item: LastPass - file://C:\Program Files (x86)\LastPass\context.html?cmd=lastpass File not found
    O8:64bit: - Extra context menu item: LastPass Fill Forms - file://C:\Program Files (x86)\LastPass\context.html?cmd=fillforms File not found
    O8 - Extra context menu item: LastPass - file://C:\Program Files (x86)\LastPass\context.html?cmd=lastpass File not found
    O8 - Extra context menu item: LastPass Fill Forms - file://C:\Program Files (x86)\LastPass\context.html?cmd=fillforms File not found
    O16:64bit: - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB (Reg Error: Key error.)
    O18:64bit: - Protocol\Handler\grooveLocalGWS - No CLSID value found
    O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
    O18:64bit: - Protocol\Handler\skype4com - No CLSID value found
    O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
    @Alternate Data Stream - 188 bytes -> C:\ProgramData\TEMP:66633281
    @Alternate Data Stream - 150 bytes -> C:\ProgramData\TEMP:DFC5A2B2
    @Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:430C6D84
    @Alternate Data Stream - 108 bytes -> C:\ProgramData\TEMP:0888F409    
    IE - HKU\S-1-5-21-4086009842-4173814806-1320277029-1000\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/web/{searchTerms}?babsrc=SP_ss&affID=107763&mntrId=1c012b7100000000000000248cde0296
    FF - prefs.js..browser.search.order.1: "Search the web (Babylon)"
    FF - HKCU\Software\MozillaPlugins\{@alibaba.com/alisetup;version=1.0}: C:\Users\slava\AppData\Local\Alibaba\AliSetup\0.1.0.52\npAliSetupOneClick.dll (alibaba)
    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{A5669FDC-94C3-11E1-826D-B8AC6F996F26}: C:\Users\slava\AppData\Local\{A5669FDC-94C3-11E1-826D-B8AC6F996F26}\ [2012/05/26 01:32:35 | 000,000,000 | ---D | M]
    [2012/05/26 01:32:41 | 000,000,000 | ---D | M] (Babylon) -- C:\Users\slava\AppData\Roaming\Mozilla\Firefox\Profiles\0towfyud.default\extensions\ffxtlbr@babylon.com
    [2011/09/25 21:16:33 | 000,002,288 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
    [2012/05/02 21:59:44 | 000,000,000 | ---D | C] -- C:\Users\slava\AppData\Local\{A5669FDC-94C3-11E1-826D-B8AC6F996F26}
    [2011/03/22 16:04:10 | 000,010,622 | --S- | C] () -- C:\Users\slava\AppData\Local\cb5pbb6b8p5u6747fhi54qr7f673l
    [2011/03/22 16:04:10 | 000,010,618 | --S- | C] () -- C:\ProgramData\cb5pbb6b8p5u6747fhi54qr7f673l
    :Files
    C:\Users\slava\AppData\Local\Alibaba
    ipconfig /flushdns /c
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    
  • Then click the Run Fix button at the top.
  • Click Posted Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.

Let me know how things are doing

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then please click the donate button. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#13 slavabusy
  • Topic Starter
  • Members
  • 28 posts
  • Gender:Male

Posted 28 May 2012 - 09:51 PM

Hello, Gringo!
The computer is working well so far, thanks to you!
I have a question: when I right-click on any folder on my desktop and click on the Security tab, in the "Group or user names" box there is a total of 4 user accounts and one of them is "Account Unknown(S-1-5-21-4086009842-4173814806-1320277029-...)". Is it normal to have this?




========== OTL ==========
64bit-Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\LastPass\ deleted successfully.
64bit-Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\LastPass Fill Forms\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\LastPass\ not found.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\LastPass Fill Forms\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
C:\Windows\Downloaded Program Files\QTPlugin.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Starting removal of ActiveX control Garmin Communicator Plug-In
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\Garmin Communicator Plug-In\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Garmin Communicator Plug-In\ not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\grooveLocalGWS\ deleted successfully.
File Protocol\Handler\grooveLocalGWS - No CLSID value found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-help\ deleted successfully.
File Protocol\Handler\ms-help - No CLSID value found not found.
64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\skype4com\ deleted successfully.
File Protocol\Handler\skype4com - No CLSID value found not found.
64bit-Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet:/pagefile deleted successfully.
ADS C:\ProgramData\TEMP:66633281 deleted successfully.
ADS C:\ProgramData\TEMP:DFC5A2B2 deleted successfully.
ADS C:\ProgramData\TEMP:430C6D84 deleted successfully.
ADS C:\ProgramData\TEMP:0888F409 deleted successfully.
Registry key HKEY_USERS\S-1-5-21-4086009842-4173814806-1320277029-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\ not found.
Prefs.js: "Search the web (Babylon)" removed from browser.search.order.1
Registry key HKEY_CURRENT_USER\Software\MozillaPlugins\{@alibaba.com/alisetup;version=1.0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{@alibaba.com/alisetup;version=1.0}\ not found.
C:\Users\slava\AppData\Local\Alibaba\AliSetup\0.1.0.52\npAliSetupOneClick.dll moved successfully.
File HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{A5669FDC-94C3-11E1-826D-B8AC6F996F26}: C:\Users\slava\AppData\Local\{A5669FDC-94C3-11E1-826D-B8AC6F996F26}\ not found.
C:\Users\slava\AppData\Roaming\Mozilla\Firefox\Profiles\0towfyud.default\extensions\ffxtlbr@babylon.com\defaults\preferences folder moved successfully.
C:\Users\slava\AppData\Roaming\Mozilla\Firefox\Profiles\0towfyud.default\extensions\ffxtlbr@babylon.com\defaults folder moved successfully.
C:\Users\slava\AppData\Roaming\Mozilla\Firefox\Profiles\0towfyud.default\extensions\ffxtlbr@babylon.com\content\imgs\mnRadio folder moved successfully.
C:\Users\slava\AppData\Roaming\Mozilla\Firefox\Profiles\0towfyud.default\extensions\ffxtlbr@babylon.com\content\imgs\flgs folder moved successfully.
C:\Users\slava\AppData\Roaming\Mozilla\Firefox\Profiles\0towfyud.default\extensions\ffxtlbr@babylon.com\content\imgs folder moved successfully.
C:\Users\slava\AppData\Roaming\Mozilla\Firefox\Profiles\0towfyud.default\extensions\ffxtlbr@babylon.com\content folder moved successfully.
C:\Users\slava\AppData\Roaming\Mozilla\Firefox\Profiles\0towfyud.default\extensions\ffxtlbr@babylon.com\components folder moved successfully.
C:\Users\slava\AppData\Roaming\Mozilla\Firefox\Profiles\0towfyud.default\extensions\ffxtlbr@babylon.com folder moved successfully.
C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml moved successfully.
C:\Users\slava\AppData\Local\{A5669FDC-94C3-11E1-826D-B8AC6F996F26}\chrome\content folder moved successfully.
C:\Users\slava\AppData\Local\{A5669FDC-94C3-11E1-826D-B8AC6F996F26}\chrome folder moved successfully.
C:\Users\slava\AppData\Local\{A5669FDC-94C3-11E1-826D-B8AC6F996F26} folder moved successfully.
C:\Users\slava\AppData\Local\cb5pbb6b8p5u6747fhi54qr7f673l moved successfully.
C:\ProgramData\cb5pbb6b8p5u6747fhi54qr7f673l moved successfully.
========== FILES ==========
C:\Users\slava\AppData\Local\Alibaba\AliSetup\download\atmww folder moved successfully.
C:\Users\slava\AppData\Local\Alibaba\AliSetup\download\Alisetup folder moved successfully.
C:\Users\slava\AppData\Local\Alibaba\AliSetup\download folder moved successfully.
C:\Users\slava\AppData\Local\Alibaba\AliSetup\0.1.0.52\language folder moved successfully.
C:\Users\slava\AppData\Local\Alibaba\AliSetup\0.1.0.52 folder moved successfully.
C:\Users\slava\AppData\Local\Alibaba\AliSetup folder moved successfully.
C:\Users\slava\AppData\Local\Alibaba folder moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\slava\Desktop\cmd.bat deleted successfully.
C:\Users\slava\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: All Users

User: Default

User: Default User

User: Guest
->Java cache emptied: 0 bytes

User: Public

User: slava
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 56466 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Guest
->Flash cache emptied: 3417 bytes

User: Public

User: slava
->Flash cache emptied: 92054 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.43.2 log created on 05282012_133409

#14 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 May 2012 - 10:14 PM

Hello

http://www.pcreview.co.uk/forums/security-tab-displays-unknown-account-s-1-5-21-s-t2417651.html

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
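
An added check for the "Account Unknown" question above (example code written for this page, not from the original posts and not from any Windows tool). Windows prints that label on the Security tab when it cannot turn an SID back into an account name. An SID of the form S-1-5-21-<three numbers>-<RID> names an account on a particular machine or domain, and the three numbers identify that machine. The logged-in user's own SID, S-1-5-21-4086009842-4173814806-1320277029-1000, appears in the OTL fix earlier in this thread, and the unknown entry shares the same S-1-5-21-4086009842-4173814806-1320277029 prefix, so the code below compares the two. The RID table holds only well-known values; the wording of the classifications is this example's own, and the trailing "..." in the post is handled as an unknown RID rather than guessed.

```python
import re

# S-1-<authority>-<sub-authorities...>, optionally ending in "-..." as the forum post shows it.
SID_RE = re.compile(r"^S-1-(?P<authority>\d+)(?P<subauths>(?:-\d+)*)(?P<truncated>-\.\.\.)?$")

# Well-known relative identifiers under S-1-5-21-<machine or domain identifier>.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
}
FIRST_ALLOCATED_RID = 1000  # RIDs from 1000 upward go to accounts created after installation

# Reference SID taken from the OTL fix above (HKU\S-1-5-21-...-1000 is the logged-in user).
REFERENCE_SID = "S-1-5-21-4086009842-4173814806-1320277029-1000"
# The unknown entry exactly as it was quoted in the post, trailing "..." included.
UNKNOWN_SID_FROM_POST = "S-1-5-21-4086009842-4173814806-1320277029-..."


def parse_sid(text):
    """Split an SID string into authority, sub-authorities, and whether it was truncated."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError("not an SID: %r" % text)
    subs = [int(x) for x in m.group("subauths").split("-") if x]
    return {"authority": int(m.group("authority")),
            "subauths": subs,
            "truncated": m.group("truncated") is not None}


def machine_identifier(sid):
    """The three sub-authorities identifying the machine/domain for S-1-5-21 SIDs, else None."""
    if sid["authority"] == 5 and len(sid["subauths"]) >= 4 and sid["subauths"][0] == 21:
        return tuple(sid["subauths"][1:4])
    return None


def classify_unknown_account(unknown, reference):
    """Explain an unresolvable SID using a known-good SID from the same machine as the reference."""
    u, r = parse_sid(unknown), parse_sid(reference)
    u_id, r_id = machine_identifier(u), machine_identifier(r)
    if u_id is None:
        return "not a machine/domain account SID (authority %d)" % u["authority"]
    if u_id != r_id:
        return "account from a different machine or domain (identifier %s)" % "-".join(map(str, u_id))
    if u["truncated"] or len(u["subauths"]) < 5:
        return "same machine as the reference SID; RID not shown, so the account type cannot be determined"
    rid = u["subauths"][4]
    if rid in WELL_KNOWN_RIDS:
        return "built-in account %s (RID %d) on this machine; this should always resolve" % (WELL_KNOWN_RIDS[rid], rid)
    if rid >= FIRST_ALLOCATED_RID:
        return "account created on this machine (RID %d) that no longer resolves, typically one that was deleted" % rid
    return "reserved RID %d on this machine" % rid


if __name__ == "__main__":
    print(classify_unknown_account(UNKNOWN_SID_FROM_POST, REFERENCE_SID))
```

Run it against the full SID copied from the Security tab rather than the abbreviated one in the post. From the post alone the most that can be said is that the entry belongs to this machine; with the complete SID, an RID of 1000 or higher that no longer resolves is in the usual case a local account that has since been deleted, which leaves a stale ACL entry behind rather than indicating an infection. A built-in RID such as 500 that fails to resolve would be the unusual result worth investigating.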

#15 slavabusy
  • Topic Starter
  • Members
  • 28 posts
  • Gender:Male

Posted 28 May 2012 - 10:37 PM

Update for Microsoft Office 2007 (KB2508958)
AC3Filter 1.63b
Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
Adobe Acrobat 9.4.7 - CPSID_83708
Adobe AIR
Adobe Community Help
Adobe Flash Player 10 Plugin
Adobe Media Player
Advertising Center
Akamai NetSession Interface
Akamai NetSession Interface Service
Canon Easy-WebPrint EX
Canon MP Navigator EX 2.1
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
CCleaner
DolbyFiles
Garmin USB Drivers
Garmin WebUpdater
Google Chrome
Google Earth
Google Update Helper
ImagXpress
InstaCodecs
Java Auto Updater
Java™ 6 Update 29
K-Lite Codec Pack 7.0.0 (Standard)
LastPass (uninstall only)
Malwarebytes Anti-Malware version 1.61.0.1400
Menu Templates - Starter Kit
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Project 2007 Service Pack 3 (SP3)
Microsoft Office Project MUI (English) 2007
Microsoft Office Project Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio 2007 Service Pack 3 (SP3)
Microsoft Office Visio MUI (English) 2007
Microsoft Office Visio Professional 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Miro
Movie Templates - Starter Kit
Mozilla Firefox (3.6.12)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 9 Trial
Nero BurnRights
Nero ControlCenter
Nero CoverDesigner
Nero Disc Copy Gadget
Nero DiscSpeed
Nero DriveSpeed
Nero InfoTool
Nero Installer
Nero PhotoSnap
Nero Recode
Nero Rescue Agent
Nero ShowTime
Nero StartSmart
Nero Vision
Nero WaveEditor
NeroBurningROM
NeroExpress
neroxml
Opera 10.63
Pandora Service
PowerISO
PxMergeModule
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
Skype 5.8
SoundTrax
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2598290) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Project 2007 Help (KB963668)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Visio 2007 Help (KB963666)
Update for Microsoft Office Word 2007 Help (KB963665)
WebCam Play
Winamp
Windows Installer Clean Up
WinRAR archiver
Yawcam 0.3.7



