
Need Removal of S.M.A.R.T. Repair Virus


This topic is locked. 18 replies to this topic.

#1 dcon (Members, 9 posts)

Posted 21 June 2012 - 11:13 PM

After I got the S.M.A.R.T. Check/Repair pop up and diagnostic screen (and its multiple error messages), I was very fortunate to come across this site in looking for how to remove it.

I had run CCleaner and Avira, and then followed the Remove Smart HDD (Uninstall Guide): went into Safe Mode with Networking, and downloaded and ran RKill, TDSS, and Malwarebytes. I also disabled the CD Emulation Software with DeFogger.

When it looks like everything is removed, I reboot out of Safe Mode; but I get the same SMART pop up and multiple error messages.

I've repeated this several times (Safe Mode - RKill - TDSS - Malwarebytes) hoping I overlooked something the previous time, but each time I reboot out of Safe Mode it is still the same issue.

Below are the DDS logs; I also tried attaching them, but the Attachments option doesn't seem to be working for me. I would greatly appreciate your help and advice in removing this virus!

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_14
Run by David at 20:27:58 on 2012-06-21
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4094.3008 [GMT -7:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\explorer.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe,
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe"
uRun: [qutmdp] rundll32.exe
uRun: [werfau] rundll32.exe
uRun: [Wisdom-soft ScreenHunter 5.1 Free] 0
uRun: [Wisdom-soft ScreenHunter 6.0 Free] 0
uRun: [SPMTray] "C:\Program Files (x86)\PC Speed Maximizer\SPMTray.exe"
uRun: [MQtvEpTILjvJre.exe] C:\ProgramData\MQtvEpTILjvJre.exe
mRun: [VolPanel] "C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRunOnce: [GrpConv] grpconv -o
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~4\OFFICE11\REFIEBAR.DLL
DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxps://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15108/CTPID.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{A5776414-8827-4AC0-A523-F692C0CA8882} : DhcpNameServer = 192.168.0.1
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
mRun-x64: [VolPanel] "C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
mRun-x64: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRunOnce-x64: [GrpConv] grpconv -o
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\David\AppData\Roaming\Mozilla\Firefox\Profiles\f81diurf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1059861&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Wisdom-soft Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Google Updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\NPcol400.dll
FF - plugin: C:\Users\David\AppData\Roaming\Mozilla\plugins\npatgpc.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
.
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: security.csp.enable - false
.
.
============= SERVICES / DRIVERS ===============
.
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe [2010-5-31 136360]
S2 AntiVirService;Avira AntiVir Guard;C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe [2010-5-31 269480]
S2 avgntflt;avgntflt;C:\Windows\system32\DRIVERS\avgntflt.sys --> C:\Windows\system32\DRIVERS\avgntflt.sys [?]
S2 ezSharedSvc;Easybits Shared Services for Windows;C:\Windows\system32\svchost.exe -k netsvcs [2008-1-20 21504]
S2 gupdate1ca03405849f6a8;Google Update Service (gupdate1ca03405849f6a8);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-7-12 133104]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-7-12 89920]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2009-7-12 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-7-7 79360]
S3 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-7-12 133104]
S3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0;PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\PC-Doctor for Windows\pcdsrvc_x64.pkms [2009-2-2 23536]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 t3;Sound Blaster X-Fi Xtreme Audio;C:\Windows\system32\drivers\t3.sys --> C:\Windows\system32\drivers\t3.sys [?]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-06-21 04:36:29 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-06-21 04:36:29 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-06-21 03:32:52 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll
2012-06-21 03:32:52 421200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll
2012-06-20 06:04:05 -------- d-----w- C:\TDSSKiller_Quarantine
2012-06-20 05:38:59 -------- d-----w- C:\Users\David\AppData\Roaming\Malwarebytes
2012-06-20 05:38:52 -------- d-----w- C:\ProgramData\Malwarebytes
2012-06-20 05:28:11 -------- d-----w- C:\Program Files\CCleaner
2012-06-20 03:46:05 16864 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
2012-06-20 03:39:59 257160 ----a-w- C:\ProgramData\L6Y9Qsuzdhc0c3.exe
2012-06-20 03:24:31 350856 ----a-w- C:\ProgramData\MQtvEpTILjvJre.exe
2012-06-19 13:45:54 9013136 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{3E3105FB-8E77-4DE9-AF32-A17C2A5CBE51}\mpengine.dll
2012-06-11 00:34:31 -------- d-----w- C:\ProgramData\Tarma Installer
2012-06-11 00:34:09 -------- d-----w- C:\ProgramData\blekko toolbars
2012-06-11 00:21:08 -------- d-----w- C:\Users\David\AppData\Local\Wisdom-soft
2012-06-10 23:43:42 2560 ----a-w- C:\Windows\_MSRSTRT.EXE
2012-06-10 23:41:45 -------- d-----w- C:\Users\David\AppData\Local\CRE
2012-06-10 23:41:39 -------- d-----w- C:\Program Files (x86)\Conduit
2012-06-10 23:41:38 -------- d-----w- C:\Users\David\AppData\Local\Conduit
.
==================== Find3M ====================
.
.
============= FINISH: 20:28:24.47 ===============
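As an added example (not part of the original thread or of the DDS tool), the following Python script parses the uRun/mRun lines of a DDS "Pseudo HJT Report" like the one above and flags the patterns a malware-response helper looks for by eye: rundll32.exe launched with no DLL argument, autostarts living under C:\ProgramData or AppData, machine-generated value names, and stale entries whose command is a bare 0. The sample lines are copied from the posted log; the heuristics and thresholds are my own assumptions, not anything the tool or the helper defines.

```python
import re
from typing import Dict, List

# Constructed sample: a subset of the uRun/mRun lines from the DDS log posted above.
SAMPLE_LOG = r"""
uRun: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe"
uRun: [qutmdp] rundll32.exe
uRun: [werfau] rundll32.exe
uRun: [Wisdom-soft ScreenHunter 5.1 Free] 0
uRun: [SPMTray] "C:\Program Files (x86)\PC Speed Maximizer\SPMTray.exe"
uRun: [MQtvEpTILjvJre.exe] C:\ProgramData\MQtvEpTILjvJre.exe
mRun: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
mRunOnce: [GrpConv] grpconv -o
"""

# DDS prints autostart entries as "<hive>: [<value name>] <command line>".
RUN_LINE = re.compile(
    r'^(?P<hive>[um]Run(?:Once)?(?:-x64)?):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$'
)
# Directories a legitimate autostart rarely lives in but droppers commonly use
# (assumed heuristic, lower-cased for matching).
USER_WRITABLE = ("c:\\programdata\\", "\\appdata\\", "\\temp\\")


def parse_run_entries(text: str) -> List[Dict[str, str]]:
    """Return the uRun/mRun/mRunOnce entries of a DDS pseudo-HJT report."""
    entries = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def image_path(cmd: str) -> str:
    """Extract the launched image from a command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def looks_random(name: str) -> bool:
    """Assumed heuristic: a long single token with many upper/lower-case flips."""
    token = name[:-4] if name.lower().endswith(".exe") else name
    if len(token) < 8 or not token.isalnum():
        return False
    flips = sum(
        1 for a, b in zip(token, token[1:])
        if a.isalpha() and b.isalpha() and a.isupper() != b.isupper()
    )
    return flips >= 4


def flag_entry(entry: Dict[str, str]) -> List[str]:
    """Return the reasons (if any) an entry deserves a closer look."""
    reasons = []
    cmd = entry["cmd"].strip()
    path = image_path(cmd).lower()
    if path.endswith("rundll32.exe") and len(cmd.split()) == 1:
        reasons.append("rundll32.exe with no DLL argument (payload missing or already removed)")
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append("autostart image lives in a user-writable data directory")
    if looks_random(entry["name"]):
        reasons.append("value name looks machine-generated")
    if cmd == "0":
        reasons.append("command is a bare '0' (stale or stubbed entry)")
    return reasons


def suspicious_entries(text: str) -> Dict[str, List[str]]:
    """Map each flagged value name to its list of reasons."""
    result = {}
    for entry in parse_run_entries(text):
        reasons = flag_entry(entry)
        if reasons:
            result[entry["name"]] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in suspicious_entries(SAMPLE_LOG).items():
        print(f"[{name}]")
        for reason in reasons:
            print(f"    - {reason}")
```

Entries that pass these checks (uTorrent, avgnt, GrpConv) are not necessarily clean; the script only triages a log so the helper can read the remaining entries with context.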

#2 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 22 June 2012 - 01:57 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 dcon (Topic Starter, Members, 9 posts)

Posted 22 June 2012 - 01:53 PM

Thank you, Gringo - I much appreciate your response and help!

In order to disable Avira so I could run combofix, I had to reboot out of safe mode. I had all the same SMART problems again, so I first re-ran Avira and Malwarebytes. Same as before, they again found issues which I had removed, and then I rebooted; but now for the first time I am not getting the SMART popup or multiple error messages! Hopefully that is a positive sign.


Here is the Combofix log:

ComboFix 12-06-21.03 - David 06/22/2012 10:54:35.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4094.2356 [GMT -7:00]
Running from: c:\users\David\Downloads\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
ADS - Windows: deleted 72 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Exp.Clean
c:\exp.clean\79D12379D81B3FF
c:\program files (x86)\Mozilla Firefox\searchplugins\search.xml
c:\programdata\L6Y9Qsuzdhc0c3
c:\users\David\AceMoneyLiteSetup.exe
c:\users\David\AppData\Roaming\698e8de9c79e614b8d6a96b5ce9682e6-i686.cache-2
c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\f81diurf.default\searchplugins\bing-zugo.xml
c:\users\David\Documents\~WRL0144.tmp
c:\users\David\Documents\~WRL0542.tmp
c:\users\David\Documents\~WRL0667.tmp
c:\users\David\Documents\~WRL0818.tmp
c:\users\David\Documents\~WRL1741.tmp
c:\users\David\Documents\~WRL1771.tmp
c:\users\David\Documents\~WRL1781.tmp
c:\users\David\Documents\~WRL2094.tmp
c:\users\David\Documents\~WRL2930.tmp
c:\users\David\Documents\~WRL3710.tmp
c:\users\David\Documents\~WRL4011.tmp
c:\windows\SysWow64\spool\prtprocs\w32x86\ppbiPr.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-05-22 to 2012-06-22 )))))))))))))))))))))))))))))))
.
.
2012-06-22 14:39 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-21 04:36 . 2012-06-21 04:36 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-06-21 04:36 . 2012-04-04 22:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-19 13:45 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3E3105FB-8E77-4DE9-AF32-A17C2A5CBE51}\mpengine.dll
2012-06-11 00:34 . 2012-06-11 00:38 -------- d-----w- c:\programdata\Tarma Installer
2012-06-11 00:34 . 2012-06-11 00:36 -------- d-----w- c:\programdata\blekko toolbars
2012-06-11 00:21 . 2012-06-11 00:21 -------- d-----w- c:\users\David\AppData\Local\Wisdom-soft
2012-06-10 23:43 . 2012-06-10 23:43 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2012-06-10 23:41 . 2012-06-10 23:41 -------- d-----w- c:\users\David\AppData\Local\CRE
2012-06-10 23:41 . 2012-06-10 23:41 -------- d-----w- c:\users\AppData
2012-06-10 23:41 . 2012-06-10 23:41 -------- d-----w- c:\program files (x86)\Conduit
2012-06-10 23:41 . 2012-06-11 00:22 -------- d-----w- c:\users\David\AppData\Local\Conduit
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wisdom-soft ScreenHunter 5.1 Free"="0" [X]
"Wisdom-soft ScreenHunter 6.0 Free"="0" [X]
"uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2009-10-16 289072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2008-11-24 237693]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-12 21:42]
.
2012-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-12 22:30]
.
2012-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-12 22:30]
.
2009-10-08 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2009-02-02 18:59]
.
2012-06-22 c:\windows\Tasks\User_Feed_Synchronization-{D31572D4-87DE-4BCF-938C-0AB1A3322609}.job
- c:\windows\system32\msfeedssync.exe [2010-03-30 04:54]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxps://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\f81diurf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1059861&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Wisdom-soft Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: security.csp.enable - false
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{6dfc55bb-bfff-485a-9709-90c3fdf6db58} - (no file)
Wow6432Node-HKCU-Run-qutmdp - (no file)
Wow6432Node-HKCU-Run-werfau - (no file)
Wow6432Node-HKCU-Run-SPMTray - c:\program files (x86)\PC Speed Maximizer\SPMTray.exe
SafeBoot-04066360.sys
SafeBoot-mcmscsvc
SafeBoot-MCODS
HKLM-Run-Windows Defender - c:\program files (x86)\Windows Defender\MSASCui.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{F36B3A4C-F95654BD-06000000}_0]
"ImagePath"="\??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10b.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
c:\program files (x86)\Avira\AntiVir Desktop\sched.exe
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
.
**************************************************************************
.
Completion time: 2012-06-22 11:04:46 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-22 18:04
.
Pre-Run: 360,137,736,192 bytes free
Post-Run: 358,932,004,864 bytes free
.
- - End Of File - - B8F75E8C412E88620CD5C5D9C4E0CEDC



Here is the Security Check Log:

Results of screen317's Security Check version 0.99.42
Windows Vista Service Pack 2 x64
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
AntiVir Desktop
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.61.0.1400
Java™ 6 Update 14
Java version out of Date!
Adobe Flash Player 10 Flash Player out of Date!
Adobe Flash Player 10.3.183.11 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (13.0.1)
Google Chrome 19.0.1084.52
Google Chrome 19.0.1084.56
````````Process Check: objlist.exe by Laurent````````
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````

#4 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 22 June 2012 - 02:07 PM

Greetings

I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#5 dcon (Topic Starter, Members, 9 posts)

Posted 22 June 2012 - 02:25 PM

Gringo - thank you for the quick response!

Below are the logs:

TDSSKiller Log
12:17:49.0361 3912 TDSS rootkit removing tool 2.7.41.0 Jun 20 2012 20:53:32
12:17:49.0751 3912 ============================================================
12:17:49.0751 3912 Current date / time: 2012/06/22 12:17:49.0751
12:17:49.0751 3912 SystemInfo:
12:17:49.0751 3912
12:17:49.0751 3912 OS Version: 6.0.6002 ServicePack: 2.0
12:17:49.0751 3912 Product type: Workstation
12:17:49.0751 3912 ComputerName: SCHOENBORN
12:17:49.0751 3912 UserName: David
12:17:49.0751 3912 Windows directory: C:\Windows
12:17:49.0751 3912 System windows directory: C:\Windows
12:17:49.0751 3912 Running under WOW64
12:17:49.0751 3912 Processor architecture: Intel x64
12:17:49.0751 3912 Number of processors: 2
12:17:49.0751 3912 Page size: 0x1000
12:17:49.0751 3912 Boot type: Normal boot
12:17:49.0751 3912 ============================================================
12:17:50.0765 3912 Drive \Device\Harddisk0\DR0 - Size: 0x950B056000 (596.17 Gb), SectorSize: 0x200, Cylinders: 0x13001, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
12:17:50.0781 3912 ============================================================
12:17:50.0781 3912 \Device\Harddisk0\DR0:
12:17:50.0781 3912 MBR partitions:
12:17:50.0781 3912 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x48B07E49
12:17:50.0781 3912 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x48B07E88, BlocksNum 0x1D4F039
12:17:50.0781 3912 ============================================================
12:17:50.0812 3912 C: <-> \Device\Harddisk0\DR0\Partition0
12:17:50.0874 3912 D: <-> \Device\Harddisk0\DR0\Partition1
12:17:50.0874 3912 ============================================================
12:17:50.0874 3912 Initialize success
12:17:50.0874 3912 ============================================================
12:18:01.0981 2776 ============================================================
12:18:01.0981 2776 Scan started
12:18:01.0981 2776 Mode: Manual;
12:18:01.0981 2776 ============================================================
12:18:02.0949 2776 ACPI (1965aaffab07e3fb03c77f81beba3547) C:\Windows\system32\drivers\acpi.sys
12:18:02.0964 2776 ACPI - ok
12:18:03.0011 2776 adp94xx (f14215e37cf124104575073f782111d2) C:\Windows\system32\drivers\adp94xx.sys
12:18:03.0027 2776 adp94xx - ok
12:18:03.0042 2776 adpahci (7d05a75e3066861a6610f7ee04ff085c) C:\Windows\system32\drivers\adpahci.sys
12:18:03.0058 2776 adpahci - ok
12:18:03.0073 2776 adpu160m (820a201fe08a0c345b3bedbc30e1a77c) C:\Windows\system32\drivers\adpu160m.sys
12:18:03.0073 2776 adpu160m - ok
12:18:03.0105 2776 adpu320 (9b4ab6854559dc168fbb4c24fc52e794) C:\Windows\system32\drivers\adpu320.sys
12:18:03.0120 2776 adpu320 - ok
12:18:03.0151 2776 AeLookupSvc (0f421175574bfe0bf2f4d8e910a253bb) C:\Windows\System32\aelupsvc.dll
12:18:03.0151 2776 AeLookupSvc - ok
12:18:03.0198 2776 AFD (12415ccfd3e7cec55b5184e67b039fe4) C:\Windows\system32\drivers\afd.sys
12:18:03.0229 2776 AFD - ok
12:18:03.0245 2776 agp440 (f6f6793b7f17b550ecfdbd3b229173f7) C:\Windows\system32\drivers\agp440.sys
12:18:03.0245 2776 agp440 - ok
12:18:03.0261 2776 aic78xx (222cb641b4b8a1d1126f8033f9fd6a00) C:\Windows\system32\drivers\djsvs.sys
12:18:03.0276 2776 aic78xx - ok
12:18:03.0292 2776 ALG (5922f4f59b7868f3d74bbbbeb7b825a3) C:\Windows\System32\alg.exe
12:18:03.0307 2776 ALG - ok
12:18:03.0307 2776 aliide (157d0898d4b73f075ce9fa26b482df98) C:\Windows\system32\drivers\aliide.sys
12:18:03.0323 2776 aliide - ok
12:18:03.0339 2776 amdide (970fa5059e61e30d25307b99903e991e) C:\Windows\system32\drivers\amdide.sys
12:18:03.0339 2776 amdide - ok
12:18:03.0354 2776 AmdK8 (cdc3632a3a5ea4dbb83e46076a3165a1) C:\Windows\system32\drivers\amdk8.sys
12:18:03.0354 2776 AmdK8 - ok
12:18:03.0448 2776 AntiVirSchedulerService (b4837fe56d76b2e9ea90e5365cf6a2be) C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
12:18:03.0448 2776 AntiVirSchedulerService - ok
12:18:03.0495 2776 AntiVirService (df5a3016052755c910a206058b4a1729) C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
12:18:03.0495 2776 AntiVirService - ok
12:18:03.0526 2776 Appinfo (9c37b3fd5615477cb9a0cd116cf43f5c) C:\Windows\System32\appinfo.dll
12:18:03.0526 2776 Appinfo - ok
12:18:03.0557 2776 arc (ba8417d4765f3988ff921f30f630e303) C:\Windows\system32\drivers\arc.sys
12:18:03.0557 2776 arc - ok
12:18:03.0588 2776 arcsas (9d41c435619733b34cc16a511e644b11) C:\Windows\system32\drivers\arcsas.sys
12:18:03.0604 2776 arcsas - ok
12:18:03.0635 2776 AsyncMac (22d13ff3dafec2a80634752b1eaa2de6) C:\Windows\system32\DRIVERS\asyncmac.sys
12:18:03.0635 2776 AsyncMac - ok
12:18:03.0666 2776 atapi (e68d9b3a3905619732f7fe039466a623) C:\Windows\system32\drivers\atapi.sys
12:18:03.0666 2776 atapi - ok
12:18:03.0775 2776 Ati External Event Utility (e42964dbdac0937617ae6021cf0875c7) C:\Windows\system32\Ati2evxx.exe
12:18:03.0775 2776 Ati External Event Utility - ok
12:18:03.0807 2776 AtiHdmiService (08fa104f07b243508ecd8d59007d2b2f) C:\Windows\system32\drivers\AtiHdmi.sys
12:18:03.0822 2776 AtiHdmiService - ok
12:18:04.0103 2776 atikmdag (feeb7d3a54d03dafdd9c6dfef2b55f31) C:\Windows\system32\DRIVERS\atikmdag.sys
12:18:04.0181 2776 atikmdag - ok
12:18:04.0321 2776 AudioEndpointBuilder (79318c744693ec983d20e9337a2f8196) C:\Windows\System32\Audiosrv.dll
12:18:04.0321 2776 AudioEndpointBuilder - ok
12:18:04.0321 2776 AudioSrv (79318c744693ec983d20e9337a2f8196) C:\Windows\System32\Audiosrv.dll
12:18:04.0337 2776 AudioSrv - ok
12:18:04.0368 2776 avgntflt (b1224e6b086cd6548315b04ab575a23e) C:\Windows\system32\DRIVERS\avgntflt.sys
12:18:04.0384 2776 avgntflt - ok
12:18:04.0399 2776 avipbb (ed45f12cfa62b83765c9c1496758cc87) C:\Windows\system32\DRIVERS\avipbb.sys
12:18:04.0399 2776 avipbb - ok
12:18:04.0431 2776 Beep - ok
12:18:04.0509 2776 BFE (ffb96c2589ffa60473ead78b39fbde29) C:\Windows\System32\bfe.dll
12:18:04.0509 2776 BFE - ok
12:18:04.0602 2776 BITS (6d316f4859634071cc25c4fd4589ad2c) C:\Windows\system32\qmgr.dll
12:18:04.0633 2776 BITS - ok
12:18:04.0665 2776 blbdrive (79feeb40056683f8f61398d81dda65d2) C:\Windows\system32\drivers\blbdrive.sys
12:18:04.0665 2776 blbdrive - ok
12:18:04.0680 2776 bowser (8b2b19031d0aeade6e1b933df1acba7e) C:\Windows\system32\DRIVERS\bowser.sys
12:18:04.0696 2776 bowser - ok
12:18:04.0711 2776 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\drivers\brfiltlo.sys
12:18:04.0727 2776 BrFiltLo - ok
12:18:04.0743 2776 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\drivers\brfiltup.sys
12:18:04.0743 2776 BrFiltUp - ok
12:18:04.0774 2776 Browser (a1b39de453433b115b4ea69ee0343816) C:\Windows\System32\browser.dll
12:18:04.0789 2776 Browser - ok
12:18:04.0821 2776 Brserid (f0f0ba4d815be446aa6a4583ca3bca9b) C:\Windows\system32\DRIVERS\BrSerId.sys
12:18:04.0821 2776 Brserid - ok
12:18:04.0836 2776 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\system32\drivers\brserwdm.sys
12:18:04.0852 2776 BrSerWdm - ok
12:18:04.0867 2776 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\system32\drivers\brusbmdm.sys
12:18:04.0867 2776 BrUsbMdm - ok
12:18:04.0883 2776 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\system32\DRIVERS\BrUsbSer.sys
12:18:04.0883 2776 BrUsbSer - ok
12:18:04.0899 2776 BTHMODEM (e0777b34e05f8a82a21856efc900c29f) C:\Windows\system32\drivers\bthmodem.sys
12:18:04.0899 2776 BTHMODEM - ok
12:18:04.0930 2776 catchme - ok
12:18:04.0945 2776 cdfs (b4d787db8d30793a4d4df9feed18f136) C:\Windows\system32\DRIVERS\cdfs.sys
12:18:04.0945 2776 cdfs - ok
12:18:04.0992 2776 cdrom (c025aa69be3d0d25c7a2e746ef6f94fc) C:\Windows\system32\DRIVERS\cdrom.sys
12:18:04.0992 2776 cdrom - ok
12:18:05.0039 2776 CertPropSvc (5a268127633c7ee2a7fb87f39d748d56) C:\Windows\System32\certprop.dll
12:18:05.0039 2776 CertPropSvc - ok
12:18:05.0055 2776 circlass (02ea568d498bbdd4ba55bf3fce34d456) C:\Windows\system32\drivers\circlass.sys
12:18:05.0055 2776 circlass - ok
12:18:05.0101 2776 CLFS (3dca9a18b204939cfb24bea53e31eb48) C:\Windows\system32\CLFS.sys
12:18:05.0117 2776 CLFS - ok
12:18:05.0164 2776 clr_optimization_v2.0.50727_32 (8ee772032e2fe80a924f3b8dd5082194) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
12:18:05.0164 2776 clr_optimization_v2.0.50727_32 - ok
12:18:05.0211 2776 clr_optimization_v2.0.50727_64 (ce07a466201096f021cd09d631b21540) C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
12:18:05.0211 2776 clr_optimization_v2.0.50727_64 - ok
12:18:05.0242 2776 cmdide (e5d5499a1c50a54b5161296b6afe6192) C:\Windows\system32\drivers\cmdide.sys
12:18:05.0242 2776 cmdide - ok
12:18:05.0257 2776 Compbatt (7fb8ad01db0eabe60c8a861531a8f431) C:\Windows\system32\drivers\compbatt.sys
12:18:05.0257 2776 Compbatt - ok
12:18:05.0257 2776 COMSysApp - ok
12:18:05.0335 2776 cpuz134 - ok
12:18:05.0351 2776 crcdisk (a8585b6412253803ce8efcbd6d6dc15c) C:\Windows\system32\drivers\crcdisk.sys
12:18:05.0367 2776 crcdisk - ok
12:18:05.0429 2776 Creative ALchemy AL6 Licensing Service (c8bd651e13895b93ed9ec5b4f1df42bc) C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe
12:18:05.0429 2776 Creative ALchemy AL6 Licensing Service - ok
12:18:05.0491 2776 Creative Audio Engine Licensing Service (c0ead9f8ab83d41ff07303c75589c2b8) C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
12:18:05.0491 2776 Creative Audio Engine Licensing Service - ok
12:18:05.0523 2776 CryptSvc (18918613e63f387cde4d95ca7d49dcf7) C:\Windows\system32\cryptsvc.dll
12:18:05.0523 2776 CryptSvc - ok
12:18:05.0585 2776 CTAudSvcService (69cdba2b9c397e349a04fa70dd9170a2) C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
12:18:05.0601 2776 CTAudSvcService - ok
12:18:05.0663 2776 DcomLaunch (cf8b9a3a5e7dc57724a89d0c3e8cf9ef) C:\Windows\system32\rpcss.dll
12:18:05.0679 2776 DcomLaunch - ok
12:18:05.0710 2776 DfsC (36cd31121f228e7e79bae60aa45764c6) C:\Windows\system32\Drivers\dfsc.sys
12:18:05.0725 2776 DfsC - ok
12:18:05.0928 2776 DFSR (c647f468f7de343df8c143655c5557d4) C:\Windows\system32\DFSR.exe
12:18:05.0991 2776 DFSR - ok
12:18:06.0084 2776 Dhcp (3ed0321127ce70acdaabbf77e157c2a7) C:\Windows\System32\dhcpcsvc.dll
12:18:06.0084 2776 Dhcp - ok
12:18:06.0100 2776 disk (b0107e40ecdb5fa692ebf832f295d905) C:\Windows\system32\drivers\disk.sys
12:18:06.0115 2776 disk - ok
12:18:06.0131 2776 Dnscache (21d16b37257370975c7457c3a5efa530) C:\Windows\System32\dnsrslvr.dll
12:18:06.0131 2776 Dnscache - ok
12:18:06.0162 2776 dot3svc (1a7156dd1e850e9914e5e991e3225b94) C:\Windows\System32\dot3svc.dll
12:18:06.0178 2776 dot3svc - ok
12:18:06.0209 2776 Dot4 (74c02b1717740c3b8039539e23e4b53f) C:\Windows\system32\DRIVERS\Dot4.sys
12:18:06.0225 2776 Dot4 - ok
12:18:06.0240 2776 Dot4Print (08321d1860235bf42cf2854234337aea) C:\Windows\system32\DRIVERS\Dot4Prt.sys
12:18:06.0240 2776 Dot4Print - ok
12:18:06.0256 2776 Dot4Scan (8b73ca3010d7c5c5cb939686c637e5d1) C:\Windows\system32\DRIVERS\Dot4Scan.sys
12:18:06.0256 2776 Dot4Scan - ok
12:18:06.0271 2776 dot4usb (4adccf0124f2b6911d3786a5d0e779e5) C:\Windows\system32\DRIVERS\dot4usb.sys
12:18:06.0271 2776 dot4usb - ok
12:18:06.0303 2776 DPS (1583b39790db3eaec7edb0cb0140c708) C:\Windows\system32\dps.dll
12:18:06.0303 2776 DPS - ok
12:18:06.0318 2776 drmkaud (f1a78a98cfc2ee02144c6bec945447e6) C:\Windows\system32\drivers\drmkaud.sys
12:18:06.0334 2776 drmkaud - ok
12:18:06.0412 2776 DXGKrnl (1d96e28ebcd96ad1b44a3fd02ca6433d) C:\Windows\System32\drivers\dxgkrnl.sys
12:18:06.0427 2776 DXGKrnl - ok
12:18:06.0459 2776 E1G60 (264cee7b031a9d6c827f3d0cb031f2fe) C:\Windows\system32\DRIVERS\E1G6032E.sys
12:18:06.0474 2776 E1G60 - ok
12:18:06.0505 2776 EapHost (c2303883fd9be49dc36a6400643002ea) C:\Windows\System32\eapsvc.dll
12:18:06.0505 2776 EapHost - ok
12:18:06.0537 2776 Ecache (5f94962be5a62db6e447ff6470c4f48a) C:\Windows\system32\drivers\ecache.sys
12:18:06.0552 2776 Ecache - ok
12:18:06.0615 2776 ehRecvr (14ce384d2e27b64c256bda4dc39c312d) C:\Windows\ehome\ehRecvr.exe
12:18:06.0646 2776 ehRecvr - ok
12:18:06.0646 2776 ehSched (b93159c1313d66fdfbbe876f5189cd52) C:\Windows\ehome\ehsched.exe
12:18:06.0661 2776 ehSched - ok
12:18:06.0677 2776 ehstart (f5ee2527d74449868e3c3227a59bcd28) C:\Windows\ehome\ehstart.dll
12:18:06.0677 2776 ehstart - ok
12:18:06.0708 2776 elxstor (c4636d6e10469404ab5308d9fd45ed07) C:\Windows\system32\drivers\elxstor.sys
12:18:06.0724 2776 elxstor - ok
12:18:06.0771 2776 EMDMgmt (a9b18b63a4fd6baab83326706d857fab) C:\Windows\system32\emdmgmt.dll
12:18:06.0786 2776 EMDMgmt - ok
12:18:06.0802 2776 ErrDev (bc3a58e938bb277e46bf4b3003b01abd) C:\Windows\system32\drivers\errdev.sys
12:18:06.0802 2776 ErrDev - ok
12:18:06.0849 2776 EventSystem (e12f22b73f153dece721cd45ec05b4af) C:\Windows\system32\es.dll
12:18:06.0849 2776 EventSystem - ok
12:18:06.0880 2776 exfat (486844f47b6636044a42454614ed4523) C:\Windows\system32\drivers\exfat.sys
12:18:06.0895 2776 exfat - ok
12:18:06.0895 2776 ezSharedSvc - ok
12:18:06.0911 2776 fastfat (1a4bee34277784619ddaf0422c0c6e23) C:\Windows\system32\drivers\fastfat.sys
12:18:06.0927 2776 fastfat - ok
12:18:06.0942 2776 fdc (81b79b6df71fa1d2c6d688d830616e39) C:\Windows\system32\DRIVERS\fdc.sys
12:18:06.0942 2776 fdc - ok
12:18:06.0973 2776 fdPHost (bb9267acacd8b7533dd936c34a0cba5e) C:\Windows\system32\fdPHost.dll
12:18:06.0973 2776 fdPHost - ok
12:18:06.0989 2776 FDResPub (300c80931eabbe1db7591c516efe8d0f) C:\Windows\system32\fdrespub.dll
12:18:06.0989 2776 FDResPub - ok
12:18:06.0989 2776 FileInfo (457b7d1d533e4bd62a99aed9c7bb4c59) C:\Windows\system32\drivers\fileinfo.sys
12:18:07.0005 2776 FileInfo - ok
12:18:07.0036 2776 Filetrace (d421327fd6efccaf884a54c58e1b0d7f) C:\Windows\system32\drivers\filetrace.sys
12:18:07.0036 2776 Filetrace - ok
12:18:07.0051 2776 flpydisk (230923ea2b80f79b0f88d90f87b87ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
12:18:07.0051 2776 flpydisk - ok
12:18:07.0067 2776 FltMgr (e3041bc26d6930d61f42aedb79c91720) C:\Windows\system32\drivers\fltmgr.sys
12:18:07.0067 2776 FltMgr - ok
12:18:07.0176 2776 FontCache (fdf5f06efc8f98bac5fe8b216f93aa5e) C:\Windows\system32\FntCache.dll
12:18:07.0192 2776 FontCache - ok
12:18:07.0254 2776 FontCache3.0.0.0 (bc5b0be5af3510b0fd8c140ee42c6d3e) C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
12:18:07.0285 2776 FontCache3.0.0.0 - ok
12:18:07.0332 2776 Fs_Rec (29d99e860a1ca0a03c6a733fdd0da703) C:\Windows\system32\drivers\Fs_Rec.sys
12:18:07.0332 2776 Fs_Rec - ok
12:18:07.0363 2776 gagp30kx (c8e416668d3dc2be3d4fe4c79224997f) C:\Windows\system32\drivers\gagp30kx.sys
12:18:07.0363 2776 gagp30kx - ok
12:18:07.0441 2776 gpsvc (a0e1b575ba8f504968cd40c0faeb2384) C:\Windows\System32\gpsvc.dll
12:18:07.0441 2776 gpsvc - ok
12:18:07.0488 2776 gupdate1ca03405849f6a8 (626a24ed1228580b9518c01930936df9) C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
12:18:07.0504 2776 gupdate1ca03405849f6a8 - ok
12:18:07.0551 2776 gupdatem (626a24ed1228580b9518c01930936df9) C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
12:18:07.0551 2776 gupdatem - ok
12:18:07.0582 2776 gusvc (408ddd80eede47175f6844817b90213e) C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
12:18:07.0597 2776 gusvc - ok
12:18:07.0660 2776 HdAudAddService (68e732382b32417ff61fd663259b4b09) C:\Windows\system32\drivers\HdAudio.sys
12:18:07.0675 2776 HdAudAddService - ok
12:18:07.0800 2776 HDAudBus (f942c5820205f2fb453243edfec82a3d) C:\Windows\system32\DRIVERS\HDAudBus.sys
12:18:07.0816 2776 HDAudBus - ok
12:18:07.0925 2776 HidBth (b4881c84a180e75b8c25dc1d726c375f) C:\Windows\system32\drivers\hidbth.sys
12:18:07.0925 2776 HidBth - ok
12:18:07.0941 2776 HidIr (4e77a77e2c986e8f88f996bb3e1ad829) C:\Windows\system32\drivers\hidir.sys
12:18:07.0941 2776 HidIr - ok
12:18:07.0972 2776 hidserv (59361d38a297755d46a540e450202b2a) C:\Windows\System32\hidserv.dll
12:18:07.0972 2776 hidserv - ok
12:18:08.0003 2776 HidUsb (443bdd2d30bb4f00795c797e2cf99edf) C:\Windows\system32\DRIVERS\hidusb.sys
12:18:08.0003 2776 HidUsb - ok
12:18:08.0019 2776 hkmsvc (b12f367ea39c0795fd57e31242ce1a5a) C:\Windows\system32\kmsvc.dll
12:18:08.0034 2776 hkmsvc - ok
12:18:08.0050 2776 HpCISSs (d7109a1e6bd2dfdbcba72a6bc626a13b) C:\Windows\system32\drivers\hpcisss.sys
12:18:08.0050 2776 HpCISSs - ok
12:18:08.0112 2776 HTTP (098f1e4e5c9cb5b0063a959063631610) C:\Windows\system32\drivers\HTTP.sys
12:18:08.0143 2776 HTTP - ok
12:18:08.0159 2776 i2omp (da94c854cea5fac549d4e1f6e88349e8) C:\Windows\system32\drivers\i2omp.sys
12:18:08.0175 2776 i2omp - ok
12:18:08.0190 2776 i8042prt (cbb597659a2713ce0c9cc20c88c7591f) C:\Windows\system32\DRIVERS\i8042prt.sys
12:18:08.0190 2776 i8042prt - ok
12:18:08.0221 2776 iaStorV (3e3bf3627d886736d0b4e90054f929f6) C:\Windows\system32\drivers\iastorv.sys
12:18:08.0237 2776 iaStorV - ok
12:18:08.0331 2776 idsvc (749f5f8cedca70f2a512945325fc489d) C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
12:18:08.0377 2776 idsvc - ok
12:18:08.0393 2776 iirsp (8c3951ad2fe886ef76c7b5027c3125d3) C:\Windows\system32\drivers\iirsp.sys
12:18:08.0393 2776 iirsp - ok
12:18:08.0455 2776 IKEEXT (0c9ea6e654e7b0471741e343a6c671af) C:\Windows\System32\ikeext.dll
12:18:08.0455 2776 IKEEXT - ok
12:18:08.0487 2776 intelide (df797a12176f11b2d301c5b234bb200e) C:\Windows\system32\DRIVERS\intelide.sys
12:18:08.0487 2776 intelide - ok
12:18:08.0502 2776 intelppm (bfd84af32fa1bad6231c4585cb469630) C:\Windows\system32\DRIVERS\intelppm.sys
12:18:08.0502 2776 intelppm - ok
12:18:08.0533 2776 IPBusEnum (5624bc1bc5eeb49c0ab76a8114f05ea3) C:\Windows\system32\ipbusenum.dll
12:18:08.0549 2776 IPBusEnum - ok
12:18:08.0580 2776 IpFilterDriver (d8aabc341311e4780d6fce8c73c0ad81) C:\Windows\system32\DRIVERS\ipfltdrv.sys
12:18:08.0596 2776 IpFilterDriver - ok
12:18:08.0627 2776 iphlpsvc (bf0dbfa9792c5c14fa00f61c75116c1b) C:\Windows\System32\iphlpsvc.dll
12:18:08.0643 2776 iphlpsvc - ok
12:18:08.0643 2776 IpInIp - ok
12:18:08.0674 2776 IPMIDRV (9c2ee2e6e5a7203bfae15c299475ec67) C:\Windows\system32\drivers\ipmidrv.sys
12:18:08.0674 2776 IPMIDRV - ok
12:18:08.0705 2776 IPNAT (b7e6212f581ea5f6ab0c3a6ceeeb89be) C:\Windows\system32\DRIVERS\ipnat.sys
12:18:08.0705 2776 IPNAT - ok
12:18:08.0721 2776 IRENUM (8c42ca155343a2f11d29feca67faa88d) C:\Windows\system32\drivers\irenum.sys
12:18:08.0736 2776 IRENUM - ok
12:18:08.0736 2776 isapnp (0672bfcedc6fc468a2b0500d81437f4f) C:\Windows\system32\drivers\isapnp.sys
12:18:08.0752 2776 isapnp - ok
12:18:08.0783 2776 iScsiPrt (e4fdf99599f27ec25d2cf6d754243520) C:\Windows\system32\DRIVERS\msiscsi.sys
12:18:08.0783 2776 iScsiPrt - ok
12:18:08.0799 2776 iteatapi (63c766cdc609ff8206cb447a65abba4a) C:\Windows\system32\drivers\iteatapi.sys
12:18:08.0814 2776 iteatapi - ok
12:18:08.0845 2776 iteraid (1281fe73b17664631d12f643cbea3f59) C:\Windows\system32\drivers\iteraid.sys
12:18:08.0845 2776 iteraid - ok
12:18:08.0861 2776 kbdclass (423696f3ba6472dd17699209b933bc26) C:\Windows\system32\DRIVERS\kbdclass.sys
12:18:08.0877 2776 kbdclass - ok
12:18:08.0892 2776 kbdhid (dbdf75d51464fbc47d0104ec3d572c05) C:\Windows\system32\DRIVERS\kbdhid.sys
12:18:08.0892 2776 kbdhid - ok
12:18:08.0939 2776 KeyIso (40348dcec0712ed42231c5f90a69a690) C:\Windows\system32\lsass.exe
12:18:08.0939 2776 KeyIso - ok
12:18:09.0017 2776 KSecDD (476e2c1dcea45895994bef11c2a98715) C:\Windows\system32\Drivers\ksecdd.sys
12:18:09.0033 2776 KSecDD - ok
12:18:09.0048 2776 ksthunk (1d419cf43db29396ecd7113d129d94eb) C:\Windows\system32\drivers\ksthunk.sys
12:18:09.0048 2776 ksthunk - ok
12:18:09.0111 2776 KtmRm (1faf6926f3416d3da05c5b265491bdae) C:\Windows\system32\msdtckrm.dll
12:18:09.0111 2776 KtmRm - ok
12:18:09.0142 2776 LanmanServer (967d7cb076cd1969156247d03b92ceca) C:\Windows\System32\srvsvc.dll
12:18:09.0157 2776 LanmanServer - ok
12:18:09.0189 2776 LanmanWorkstation (caf86fc1388be1e470f1a7b43e348adb) C:\Windows\System32\wkssvc.dll
12:18:09.0189 2776 LanmanWorkstation - ok
12:18:09.0251 2776 LightScribeService (dfeff67508d3a9aeb1a85d7b0f513b24) c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
12:18:09.0267 2776 LightScribeService - ok
12:18:09.0267 2776 lltdio (96ece2659b6654c10a0c310ae3a6d02c) C:\Windows\system32\DRIVERS\lltdio.sys
12:18:09.0282 2776 lltdio - ok
12:18:09.0313 2776 lltdsvc (961ccbd0b1ccb5675d64976fae37d092) C:\Windows\System32\lltdsvc.dll
12:18:09.0329 2776 lltdsvc - ok
12:18:09.0345 2776 lmhosts (a47f8080cacc23c91fe823ad19aa5612) C:\Windows\System32\lmhsvc.dll
12:18:09.0345 2776 lmhosts - ok
12:18:09.0376 2776 LSI_FC (acbe1af32d3123e330a07bfbc5ec4a9b) C:\Windows\system32\drivers\lsi_fc.sys
12:18:09.0376 2776 LSI_FC - ok
12:18:09.0391 2776 LSI_SAS (799ffb2fc4729fa46d2157c0065b3525) C:\Windows\system32\drivers\lsi_sas.sys
12:18:09.0407 2776 LSI_SAS - ok
12:18:09.0423 2776 LSI_SCSI (f445ff1daad8a226366bfaf42551226b) C:\Windows\system32\drivers\lsi_scsi.sys
12:18:09.0438 2776 LSI_SCSI - ok
12:18:09.0454 2776 luafv (52f87b9cc8932c2a7375c3b2a9be5e3e) C:\Windows\system32\drivers\luafv.sys
12:18:09.0469 2776 luafv - ok
12:18:09.0485 2776 Mcx2Svc (76a58df02bd4ea29f189b82d0bef17f8) C:\Windows\system32\Mcx2Svc.dll
12:18:09.0501 2776 Mcx2Svc - ok
12:18:09.0516 2776 megasas (5c5cd6aaced32fb26c3fb34b3dcf972f) C:\Windows\system32\drivers\megasas.sys
12:18:09.0516 2776 megasas - ok
12:18:09.0563 2776 MegaSR (859bc2436b076c77c159ed694acfe8f8) C:\Windows\system32\drivers\megasr.sys
12:18:09.0579 2776 MegaSR - ok
12:18:09.0610 2776 MMCSS (3cbe4995e80e13ccfbc42e5dcf3ac81a) C:\Windows\system32\mmcss.dll
12:18:09.0610 2776 MMCSS - ok
12:18:09.0625 2776 Modem (59848d5cc74606f0ee7557983bb73c2e) C:\Windows\system32\drivers\modem.sys
12:18:09.0625 2776 Modem - ok
12:18:09.0657 2776 monitor (c247cc2a57e0a0c8c6dccf7807b3e9e5) C:\Windows\system32\DRIVERS\monitor.sys
12:18:09.0657 2776 monitor - ok
12:18:09.0672 2776 mouclass (9367304e5e412b120cf5f4ea14e4e4f1) C:\Windows\system32\DRIVERS\mouclass.sys
12:18:09.0672 2776 mouclass - ok
12:18:09.0688 2776 mouhid (c2c2bd5c5ce5aaf786ddd74b75d2ac69) C:\Windows\system32\DRIVERS\mouhid.sys
12:18:09.0688 2776 mouhid - ok
12:18:09.0703 2776 MountMgr (11bc9b1e8801b01f7f6adb9ead30019b) C:\Windows\system32\drivers\mountmgr.sys
12:18:09.0703 2776 MountMgr - ok
12:18:09.0735 2776 mpio (f8276eb8698142884498a528dfea8478) C:\Windows\system32\drivers\mpio.sys
12:18:09.0735 2776 mpio - ok
12:18:09.0766 2776 mpsdrv (c92b9abdb65a5991e00c28f13491dba2) C:\Windows\system32\drivers\mpsdrv.sys
12:18:09.0766 2776 mpsdrv - ok
12:18:09.0813 2776 MpsSvc (897e3baf68ba406a61682ae39c83900c) C:\Windows\system32\mpssvc.dll
12:18:09.0828 2776 MpsSvc - ok
12:18:09.0844 2776 Mraid35x (3c200630a89ef2c0864d515b7a75802e) C:\Windows\system32\drivers\mraid35x.sys
12:18:09.0859 2776 Mraid35x - ok
12:18:09.0859 2776 MRxDAV (7c1de4aa96dc0c071611f9e7de02a68d) C:\Windows\system32\drivers\mrxdav.sys
12:18:09.0875 2776 MRxDAV - ok
12:18:09.0937 2776 mrxsmb (d58d129e26705e83a4deba7177eb7972) C:\Windows\system32\DRIVERS\mrxsmb.sys
12:18:09.0953 2776 mrxsmb - ok
12:18:09.0984 2776 mrxsmb10 (d5be5c14e0f1dc489f5bb2a67983f630) C:\Windows\system32\DRIVERS\mrxsmb10.sys
12:18:10.0000 2776 mrxsmb10 - ok
12:18:10.0031 2776 mrxsmb20 (09a2990c3b293c212816c9bc0d7c200e) C:\Windows\system32\DRIVERS\mrxsmb20.sys
12:18:10.0031 2776 mrxsmb20 - ok
12:18:10.0047 2776 msahci (1ac860612b85d8e85ee257d372e39f4d) C:\Windows\system32\drivers\msahci.sys
12:18:10.0047 2776 msahci - ok
12:18:10.0078 2776 msdsm (264bbb4aaf312a485f0e44b65a6b7202) C:\Windows\system32\drivers\msdsm.sys
12:18:10.0078 2776 msdsm - ok
12:18:10.0109 2776 MSDTC (7ec02ce772f068ed0beafa3da341a9bc) C:\Windows\System32\msdtc.exe
12:18:10.0109 2776 MSDTC - ok
12:18:10.0140 2776 Msfs (704f59bfc4512d2bb0146aec31b10a7c) C:\Windows\system32\drivers\Msfs.sys
12:18:10.0140 2776 Msfs - ok
12:18:10.0156 2776 msisadrv (00ebc952961664780d43dca157e79b27) C:\Windows\system32\drivers\msisadrv.sys
12:18:10.0156 2776 msisadrv - ok
12:18:10.0203 2776 MSiSCSI (366b0c1f4478b519c181e37d43dcda32) C:\Windows\system32\iscsiexe.dll
12:18:10.0218 2776 MSiSCSI - ok
12:18:10.0234 2776 msiserver - ok
12:18:10.0249 2776 MSKSSRV (0ea73e498f53b96d83dbfca074ad4cf8) C:\Windows\system32\drivers\MSKSSRV.sys
12:18:10.0249 2776 MSKSSRV - ok
12:18:10.0265 2776 MSPCLOCK (52e59b7e992a58e740aa63f57edbae8b) C:\Windows\system32\drivers\MSPCLOCK.sys
12:18:10.0265 2776 MSPCLOCK - ok
12:18:10.0281 2776 MSPQM (49084a75bae043ae02d5b44d02991bb2) C:\Windows\system32\drivers\MSPQM.sys
12:18:10.0281 2776 MSPQM - ok
12:18:10.0327 2776 MsRPC (dc6ccf440cdede4293db41c37a5060a5) C:\Windows\system32\drivers\MsRPC.sys
12:18:10.0343 2776 MsRPC - ok
12:18:10.0359 2776 mssmbios (855796e59df77ea93af46f20155bf55b) C:\Windows\system32\DRIVERS\mssmbios.sys
12:18:10.0359 2776 mssmbios - ok
12:18:10.0390 2776 MSTEE (86d632d75d05d5b7c7c043fa3564ae86) C:\Windows\system32\drivers\MSTEE.sys
12:18:10.0390 2776 MSTEE - ok
12:18:10.0421 2776 Mup (0cc49f78d8aca0877d885f149084e543) C:\Windows\system32\Drivers\mup.sys
12:18:10.0421 2776 Mup - ok
12:18:10.0468 2776 napagent (a5b10c845e7538c60c0f5d87a57cb3f5) C:\Windows\system32\qagentRT.dll
12:18:10.0483 2776 napagent - ok
12:18:10.0515 2776 NativeWifiP (2007b826c4acd94ae32232b41f0842b9) C:\Windows\system32\DRIVERS\nwifi.sys
12:18:10.0530 2776 NativeWifiP - ok
12:18:10.0608 2776 NDIS (65950e07329fcee8e6516b17c8d0abb6) C:\Windows\system32\drivers\ndis.sys
12:18:10.0624 2776 NDIS - ok
12:18:10.0624 2776 NdisTapi (64df698a425478e321981431ac171334) C:\Windows\system32\DRIVERS\ndistapi.sys
12:18:10.0639 2776 NdisTapi - ok
12:18:10.0639 2776 Ndisuio (8baa43196d7b5bb972c9a6b2bbf61a19) C:\Windows\system32\DRIVERS\ndisuio.sys
12:18:10.0655 2776 Ndisuio - ok
12:18:10.0671 2776 NdisWan (f8158771905260982ce724076419ef19) C:\Windows\system32\DRIVERS\ndiswan.sys
12:18:10.0686 2776 NdisWan - ok
12:18:10.0702 2776 NDProxy (9cb77ed7cb72850253e973a2d6afdf49) C:\Windows\system32\drivers\NDProxy.sys
12:18:10.0702 2776 NDProxy - ok
12:18:10.0717 2776 NetBIOS (a499294f5029a7862adc115bda7371ce) C:\Windows\system32\DRIVERS\netbios.sys
12:18:10.0717 2776 NetBIOS - ok
12:18:10.0749 2776 netbt (fc2c792ebddc8e28df939d6a92c83d61) C:\Windows\system32\DRIVERS\netbt.sys
12:18:10.0764 2776 netbt - ok
12:18:10.0780 2776 Netlogon (40348dcec0712ed42231c5f90a69a690) C:\Windows\system32\lsass.exe
12:18:10.0780 2776 Netlogon - ok
12:18:10.0827 2776 Netman (9b63b29defc0f3115a559d2597bf5d75) C:\Windows\System32\netman.dll
12:18:10.0827 2776 Netman - ok
12:18:10.0873 2776 netprofm (7846d0136cc2b264926a73047ba7688a) C:\Windows\System32\netprofm.dll
12:18:10.0889 2776 netprofm - ok
12:18:10.0936 2776 NetTcpPortSharing (74751dda198165947fd7454d83f49825) C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
12:18:10.0936 2776 NetTcpPortSharing - ok
12:18:10.0983 2776 nfrd960 (4ac08bd6af2df42e0c3196d826c8aea7) C:\Windows\system32\drivers\nfrd960.sys
12:18:10.0998 2776 nfrd960 - ok
12:18:11.0061 2776 NlaSvc (f145bf4c4668e7e312069f81ef847cfc) C:\Windows\System32\nlasvc.dll
12:18:11.0061 2776 NlaSvc - ok
12:18:11.0076 2776 Npfs (b298874f8e0ea93f06ec40aa8d146478) C:\Windows\system32\drivers\Npfs.sys
12:18:11.0092 2776 Npfs - ok
12:18:11.0107 2776 nsi (acb62baa1c319b17752553df3026eeeb) C:\Windows\system32\nsisvc.dll
12:18:11.0107 2776 nsi - ok
12:18:11.0123 2776 nsiproxy (1523af19ee8b030ba682f7a53537eaeb) C:\Windows\system32\drivers\nsiproxy.sys
12:18:11.0123 2776 nsiproxy - ok
12:18:11.0232 2776 Ntfs (bac869dfb98e499ba4d9bb1fb43270e1) C:\Windows\system32\drivers\Ntfs.sys
12:18:11.0279 2776 Ntfs - ok
12:18:11.0341 2776 Null (dd5d684975352b85b52e3fd5347c20cb) C:\Windows\system32\drivers\Null.sys
12:18:11.0341 2776 Null - ok
12:18:11.0357 2776 nvraid (2c040b7ada5b06f6facadac8514aa034) C:\Windows\system32\drivers\nvraid.sys
12:18:11.0388 2776 nvraid - ok
12:18:11.0388 2776 nvstor (f7ea0fe82842d05eda3efdd376dbfdba) C:\Windows\system32\drivers\nvstor.sys
12:18:11.0404 2776 nvstor - ok
12:18:11.0404 2776 nv_agp (19067ca93075ef4823e3938a686f532f) C:\Windows\system32\drivers\nv_agp.sys
12:18:11.0419 2776 nv_agp - ok
12:18:11.0419 2776 NwlnkFlt - ok
12:18:11.0435 2776 NwlnkFwd - ok
12:18:11.0466 2776 ohci1394 (7b58953e2f263421fdbb09a192712a85) C:\Windows\system32\drivers\ohci1394.sys
12:18:11.0466 2776 ohci1394 - ok
12:18:11.0529 2776 ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
12:18:11.0544 2776 ose - ok
12:18:11.0622 2776 p2pimsvc (9ae31d2e1d15c10d91318e0ec149ceac) C:\Windows\system32\p2psvc.dll
12:18:11.0653 2776 p2pimsvc - ok
12:18:11.0669 2776 p2psvc (9ae31d2e1d15c10d91318e0ec149ceac) C:\Windows\system32\p2psvc.dll
12:18:11.0685 2776 p2psvc - ok
12:18:11.0700 2776 Parport (aecd57f94c887f58919f307c35498ea0) C:\Windows\system32\drivers\parport.sys
12:18:11.0700 2776 Parport - ok
12:18:11.0731 2776 partmgr (f9b5eda4c17a2be7663f064dbf0fe254) C:\Windows\system32\drivers\partmgr.sys
12:18:11.0747 2776 partmgr - ok
12:18:11.0778 2776 PcaSvc (9ab157b374192ff276c1628fbdba2b0e) C:\Windows\System32\pcasvc.dll
12:18:11.0778 2776 PcaSvc - ok
12:18:11.0903 2776 PCDSRVC{F36B3A4C-F95654BD-06000000}_0 (51209fbdb13a46e05c1b0077a9310264) c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms
12:18:11.0903 2776 PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - ok
12:18:11.0965 2776 pci (47ab1e0fc9d0e12bb53ba246e3a0906d) C:\Windows\system32\drivers\pci.sys
12:18:11.0965 2776 pci - ok
12:18:11.0981 2776 pciide (8d618c829034479985a9ed56106cc732) C:\Windows\system32\drivers\pciide.sys
12:18:11.0981 2776 pciide - ok
12:18:12.0012 2776 pcmcia (037661f3d7c507c9993b7010ceee6288) C:\Windows\system32\drivers\pcmcia.sys
12:18:12.0028 2776 pcmcia - ok
12:18:12.0075 2776 PEAUTH (58865916f53592a61549b04941bfd80d) C:\Windows\system32\drivers\peauth.sys
12:18:12.0106 2776 PEAUTH - ok
12:18:12.0168 2776 PerfHost (0ed8727ea0172860f47258456c06caea) C:\Windows\SysWow64\perfhost.exe
12:18:12.0168 2776 PerfHost - ok
12:18:12.0262 2776 pla (e9e68c1a0f25cf4a7ac966eea74ee89e) C:\Windows\system32\pla.dll
12:18:12.0293 2776 pla - ok
12:18:12.0340 2776 PlugPlay (fe6b0f59215c9fd9f9d26539c58c8b82) C:\Windows\system32\umpnpmgr.dll
12:18:12.0340 2776 PlugPlay - ok
12:18:12.0387 2776 Pml Driver HPZ12 (5c42fa1fcea58c6f7d6614504bf88f4f) C:\Windows\system32\HPZipm12.dll
12:18:12.0387 2776 Pml Driver HPZ12 - ok
12:18:12.0465 2776 PNRPAutoReg (9ae31d2e1d15c10d91318e0ec149ceac) C:\Windows\system32\p2psvc.dll
12:18:12.0480 2776 PNRPAutoReg - ok
12:18:12.0496 2776 PNRPsvc (9ae31d2e1d15c10d91318e0ec149ceac) C:\Windows\system32\p2psvc.dll
12:18:12.0496 2776 PNRPsvc - ok
12:18:12.0558 2776 PolicyAgent (89a5560671c2d8b4a4b51f3e1aa069d8) C:\Windows\System32\ipsecsvc.dll
12:18:12.0574 2776 PolicyAgent - ok
12:18:12.0621 2776 PptpMiniport (23386e9952025f5f21c368971e2e7301) C:\Windows\system32\DRIVERS\raspptp.sys
12:18:12.0636 2776 PptpMiniport - ok
12:18:12.0652 2776 Processor (5080e59ecee0bc923f14018803aa7a01) C:\Windows\system32\drivers\processr.sys
12:18:12.0667 2776 Processor - ok
12:18:12.0714 2776 ProfSvc (e058ce4fc2449d8bfa14739c83b7ff2a) C:\Windows\system32\profsvc.dll
12:18:12.0714 2776 ProfSvc - ok
12:18:12.0745 2776 ProtectedStorage (40348dcec0712ed42231c5f90a69a690) C:\Windows\system32\lsass.exe
12:18:12.0745 2776 ProtectedStorage - ok
12:18:12.0792 2776 PSched (c5ab7f0809392d0da027f4a2a81bfa31) C:\Windows\system32\DRIVERS\pacer.sys
12:18:12.0792 2776 PSched - ok
12:18:19.0219 2776 ============================================================
12:18:19.0219 2776 Scan finished
12:18:19.0219 2776 ============================================================
12:18:19.0235 2836 Detected object count: 0
12:18:19.0235 2836 Actual detected object count: 0



aswMBR Log
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-06-22 12:19:12
-----------------------------
12:19:12.462 OS Version: Windows x64 6.0.6002 Service Pack 2
12:19:12.462 Number of processors: 2 586 0x170A
12:19:12.462 ComputerName: SCHOENBORN UserName: David
12:19:14.584 Initialize success
12:19:40.183 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
12:19:40.183 Disk 0 Vendor: WDC_WD6400AAKS-65A7B2 01.03B01 Size: 610480MB BusType: 3
12:19:40.199 Disk 0 MBR read successfully
12:19:40.199 Disk 0 MBR scan
12:19:40.199 Disk 0 unknown MBR code
12:19:40.199 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 595471 MB offset 63
12:19:40.246 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15006 MB offset 1219526280
12:19:40.293 Disk 0 scanning C:\Windows\system32\drivers
12:19:44.567 Service scanning
12:19:52.788 Modules scanning
12:19:52.788 Disk 0 trace - called modules:
12:19:52.804 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys ataport.SYS intelide.sys PCIIDEX.SYS hal.dll atapi.sys
12:19:52.804 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004b42790]
12:19:52.819 3 CLASSPNP.SYS[fffffa6000b9bc33] -> nt!IofCallDriver -> [0xfffffa800489b930]
12:19:52.819 5 acpi.sys[fffffa60008f6fde] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80048a0060]
12:19:52.835 Scan finished successfully
12:20:09.496 Disk 0 MBR has been saved successfully to "C:\Users\David\Documents\MBR.dat"
12:20:09.511 The log file has been saved successfully to "C:\Users\David\Documents\aswMBR.txt"


12:23:14.465 Disk 0 MBR has been saved successfully to "C:\Users\David\Documents\MBR.dat"
12:23:14.465 The log file has been saved successfully to "C:\Users\David\Documents\aswMBR.txt"

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:35 PM

Posted 22 June 2012 - 06:43 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Folder::
c:\program files (x86)\Conduit
c:\users\David\AppData\Local\Conduit

Firefox::
FF - ProfilePath - c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\f81diurf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1059861&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Wisdom-soft Customized Web Search

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 dcon

dcon
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:11:35 AM

Posted 22 June 2012 - 09:45 PM

Thanks Gringo - really appreciate your time on this!

Things seem to be fine after running the script - no visible problems (except that I need to correct the background and hidden start menu that the SMART virus changed).

Below is the new ComboFix log:

ComboFix 12-06-21.03 - David 06/22/2012 19:25:58.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4094.2690 [GMT -7:00]
Running from: c:\users\David\Downloads\ComboFix.exe
Command switches used :: c:\users\David\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\Conduit
c:\program files (x86)\Conduit\Community Alerts\Alert.dll
c:\users\David\AppData\Local\Conduit
.
.
((((((((((((((((((((((((( Files Created from 2012-05-23 to 2012-06-23 )))))))))))))))))))))))))))))))
.
.
2012-06-23 02:30 . 2012-06-23 02:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-22 18:04 . 2012-06-23 02:31 -------- d-----w- c:\users\David\AppData\Local\temp
2012-06-21 04:36 . 2012-06-21 04:36 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-06-21 04:36 . 2012-04-04 22:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-19 13:45 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3E3105FB-8E77-4DE9-AF32-A17C2A5CBE51}\mpengine.dll
2012-06-11 00:34 . 2012-06-11 00:38 -------- d-----w- c:\programdata\Tarma Installer
2012-06-11 00:34 . 2012-06-11 00:36 -------- d-----w- c:\programdata\blekko toolbars
2012-06-11 00:21 . 2012-06-11 00:21 -------- d-----w- c:\users\David\AppData\Local\Wisdom-soft
2012-06-10 23:43 . 2012-06-10 23:43 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2012-06-10 23:41 . 2012-06-10 23:41 -------- d-----w- c:\users\David\AppData\Local\CRE
2012-06-10 23:41 . 2012-06-22 18:04 -------- d-----w- c:\users\AppData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wisdom-soft ScreenHunter 5.1 Free"="0" [X]
"Wisdom-soft ScreenHunter 6.0 Free"="0" [X]
"uTorrent"="c:\program files (x86)\uTorrent\uTorrent.exe" [2009-10-16 289072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2008-11-24 237693]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-12 21:42]
.
2012-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-12 22:30]
.
2012-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-12 22:30]
.
2009-10-08 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2009-02-02 18:59]
.
2012-06-23 c:\windows\Tasks\User_Feed_Synchronization-{D31572D4-87DE-4BCF-938C-0AB1A3322609}.job
- c:\windows\system32\msfeedssync.exe [2010-03-30 04:54]
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxps://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\f81diurf.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: security.csp.enable - false
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{F36B3A4C-F95654BD-06000000}_0]
"ImagePath"="\??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10b.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
c:\program files (x86)\Avira\AntiVir Desktop\sched.exe
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
.
**************************************************************************
.
Completion time: 2012-06-22 19:35:33 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-23 02:35
ComboFix2.txt 2012-06-22 18:04
.
Pre-Run: 358,966,169,600 bytes free
Post-Run: 358,844,628,992 bytes free
.
- - End Of File - - 0CAB5D9A468A6904BD7F69B3DACDC95A

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 23 June 2012 - 08:10 AM

Hello


I would like you to run this first to see if they are hidden - http://download.bleepingcomputer.com/grinler/unhide.exe



Now I would like you to run this next to replace the default folders in the start menu.


http://download.bleepingcomputer.com/grinler/fakehdd/vista-64-sm-reset.exe - vista 64


If running unhide did not work then the shortcuts are going to have to be remade.

Using Avast as an example, it can be done this way:

  • Open Windows Explorer, navigate to Avast folder in Program Files
  • Right click on Avast ".exe" file, click "Create shortcut":


  • Copy that shortcut, go back to Start menu.
  • Right click on avast!Free Antivirus, click "Paste".
  • You'll see Avast shortcut recreated replacing (empty) entry.

Alternatively, you paste that shortcut in:
(XP) - C:\Documents and Settings\All Users\Start Menu\Programs\Avast
(Vista/7) - C:\Program Data\Start Menu\Programs\Avast
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
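As an added example (not code from the thread, from unhide.exe or from the sm-reset tool), this is what the two steps above, checking whether the files were merely hidden and remaking a Start Menu shortcut, look like done by hand in PowerShell. The avast! install path at the end is an assumption and must match the real install location.

```powershell
# Added example, not from the thread and not the code of unhide.exe or the
# sm-reset tool: the same two steps done by hand in PowerShell, so you can see
# what is hidden before changing anything. Folder names come from
# [Environment]::GetFolderPath, so they are right on any Windows locale.

# Return files and folders under $Root that carry the Hidden attribute but not
# the System attribute. Fake-HDD rogues such as SMART HDD set Hidden on the
# user's documents, desktop items and Start Menu shortcuts, which is why those
# folders look empty; System+Hidden items (desktop.ini and the like) are
# legitimately hidden and are left alone.
function Get-HiddenItems {
    param([Parameter(Mandatory=$true)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
            (($_.Attributes -band [IO.FileAttributes]::System) -eq 0)
        }
}

# Clear the Hidden attribute on everything Get-HiddenItems reports. Run with
# -WhatIf first to review the list; this is the manual equivalent of unhide.exe.
function Restore-HiddenItems {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$Root)
    foreach ($item in Get-HiddenItems -Root $Root) {
        if ($PSCmdlet.ShouldProcess($item.FullName, 'Clear Hidden attribute')) {
            # Hidden is known to be set here, so XOR removes exactly that bit.
            $item.Attributes = $item.Attributes -bxor [IO.FileAttributes]::Hidden
        }
    }
}

# Recreate one Start Menu shortcut: the scripted form of "right-click the .exe,
# Create shortcut, paste it into the Start Menu folder" from the post.
function New-StartMenuShortcut {
    param(
        [Parameter(Mandatory=$true)][string]$TargetPath,   # the program's .exe
        [Parameter(Mandatory=$true)][string]$ShortcutName, # name shown in the menu
        [string]$Folder = [Environment]::GetFolderPath('CommonPrograms')
    )
    if (-not (Test-Path -LiteralPath $TargetPath -PathType Leaf)) {
        throw "Target does not exist: $TargetPath"
    }
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $lnkPath = Join-Path $Folder ($ShortcutName + '.lnk')
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($lnkPath)
    $lnk.TargetPath = $TargetPath
    $lnk.WorkingDirectory = Split-Path -Parent $TargetPath
    $lnk.Save()
    Get-Item -LiteralPath $lnkPath
}

# Review pass over the places the rogue usually hides things. Nothing is
# changed here; drop -WhatIf on the commented line once the list looks right.
$roots = 'Desktop', 'MyDocuments', 'Programs', 'CommonPrograms' |
    ForEach-Object { [Environment]::GetFolderPath($_) }
foreach ($root in $roots) {
    Get-HiddenItems -Root $root | Select-Object FullName, Attributes
    # Restore-HiddenItems -Root $root -WhatIf
}

# Shortcut example mirroring the avast! case in the post; the target path is
# an assumption and must match the program's real install location.
# New-StartMenuShortcut -TargetPath 'C:\Program Files\AVAST Software\Avast\avastUI.exe' `
#     -ShortcutName 'avast! Free Antivirus' `
#     -Folder (Join-Path ([Environment]::GetFolderPath('CommonPrograms')) 'Avast')
```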

#9 dcon

dcon
  • Topic Starter

  • Members
  • 9 posts

Posted 23 June 2012 - 08:58 AM

Thank you so much Gringo! Everything seems to be working now - I really appreciate all your help and time!

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 23 June 2012 - 11:38 AM

Hello

I would like to see a report that combofix makes.

extra combofix report

  • Push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button).
  • Please copy and paste the following into the box:
C:\Qoobox\Add-Remove Programs.txt
  • Click OK.

Copy and paste the report into this topic for me to review.

Gringo

#11 dcon

dcon
  • Topic Starter

  • Members
  • 9 posts

Posted 23 June 2012 - 10:03 PM

Thank you Gringo!

Below is the report; I wasn't sure if you also wanted a Combofix report as well, so I added that below just in case. How do things look?

Add/Remove Programs Report:
µTorrent
Acrobat.com
ActiveCheck component for HP Active Support Library
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1.2
Avira AntiVir Personal - Free Antivirus
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center HydraVision Full
Catalyst Control Center InstallProxy
ccc-core-static
CCC Help Czech
CCC Help Danish
CCC Help English
Compatibility Pack for the 2007 Office system
Creative ALchemy
Creative Audio Control Panel
Creative Diagnostics
Creative MediaSource 5
Creative Software AutoUpdate
Creative Sound Blaster Properties x64 Edition
Creative WaveStudio 7
CyberLink DVD Suite Deluxe
DirectX for Managed Code Update (Summer 2004)
DVDFab 8.1.3.8 (09/12/2011) Qt
Google Chrome
Google Earth
Google Talk (remove only)
Google Update Helper
Google Updater
HandBrake 0.9.5
Host OpenAL
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP MediaSmart DVD
HP Odometer
HP Picasso Media Center Add-In
HP Recovery Manager RSS
HP Support Information
HPAsset component for HP Active Support Library
Java™ 6 Update 14
K-Lite Codec Pack 5.0.0 (Full)
LabelPrint
LightScribe System Software
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Works
Mozilla Firefox 13.0.1 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
PaperPort
Picasa 3
Power2Go
PowerDirector
Python 2.6 pywin32-212
Python 2.6.1
Sound Blaster X-Fi
Spelling Dictionaries Support For Adobe Reader 9
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VLC media player 1.0.0
WebEx
Windows Essentials Media Codec Pack 2.3d


ComboFix Report:
ComboFix 12-06-23.06 - David 06/23/2012 19:41:18.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4094.2888 [GMT -7:00]
Running from: c:\users\David\Downloads\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-05-24 to 2012-06-24 )))))))))))))))))))))))))))))))
.
.
2012-06-24 02:45 . 2012-06-24 02:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-23 03:08 . 2012-06-23 03:08 -------- d-----w- c:\users\David\AppData\Roaming\PeerNetworking
2012-06-23 03:01 . 2012-06-23 03:01 -------- d-----w- c:\users\David\AppData\Local\Hewlett-Packard
2012-06-23 03:01 . 2012-06-23 03:01 -------- d-----w- c:\programdata\Hewlett-Packard
2012-06-23 02:35 . 2012-06-24 02:47 -------- d-----w- c:\users\David\AppData\Local\temp
2012-06-21 04:36 . 2012-06-21 04:36 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-06-21 04:36 . 2012-04-04 22:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-19 13:45 . 2012-05-31 04:04 9013136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3E3105FB-8E77-4DE9-AF32-A17C2A5CBE51}\mpengine.dll
2012-06-11 00:34 . 2012-06-11 00:38 -------- d-----w- c:\programdata\Tarma Installer
2012-06-11 00:34 . 2012-06-11 00:36 -------- d-----w- c:\programdata\blekko toolbars
2012-06-11 00:21 . 2012-06-11 00:21 -------- d-----w- c:\users\David\AppData\Local\Wisdom-soft
2012-06-10 23:43 . 2012-06-10 23:43 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2012-06-10 23:41 . 2012-06-10 23:41 -------- d-----w- c:\users\David\AppData\Local\CRE
2012-06-10 23:41 . 2012-06-22 18:04 -------- d-----w- c:\users\AppData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wisdom-soft ScreenHunter 5.1 Free"="0" [X]
"Wisdom-soft ScreenHunter 6.0 Free"="0" [X]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2008-11-24 237693]
"avgnt"="c:\program files (x86)\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-12 21:42]
.
2012-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-12 22:30]
.
2012-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-07-12 22:30]
.
2009-10-08 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2009-02-02 18:59]
.
2012-06-24 c:\windows\Tasks\User_Feed_Synchronization-{D31572D4-87DE-4BCF-938C-0AB1A3322609}.job
- c:\windows\system32\msfeedssync.exe [2010-03-30 04:54]
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} - hxxps://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\David\AppData\Roaming\Mozilla\Firefox\Profiles\f81diurf.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: security.csp.enable - false
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKCU-Run-HPADVISOR - c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{F36B3A4C-F95654BD-06000000}_0]
"ImagePath"="\??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10b.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
c:\program files (x86)\Avira\AntiVir Desktop\sched.exe
c:\program files (x86)\Avira\AntiVir Desktop\avguard.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
.
**************************************************************************
.
Completion time: 2012-06-23 19:50:13 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-24 02:50
ComboFix2.txt 2012-06-23 02:35
ComboFix3.txt 2012-06-22 18:04
.
Pre-Run: 361,265,647,616 bytes free
Post-Run: 360,996,470,784 bytes free
.
- - End Of File - - 57B9C7475A207C280C9134DF22F81764

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 23 June 2012 - 10:14 PM

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in add/remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using add/remove, or you can use the free uninstaller from Revo (Revo does a lot better job).

Programs to remove

µTorrent
Adobe Reader 9.1.2
Java™ 6 Update 14


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#13 dcon

dcon
  • Topic Starter

  • Members
  • 9 posts

Posted 25 June 2012 - 09:11 AM

Thanks Gringo! Things seem to be going well with my computer. I appreciate you looking at this.

Here is the MBAM log:
Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.24.06

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 8.0.6001.18904
David :: SCHOENBORN [administrator]

6/24/2012 8:50:19 PM
mbam-log-2012-06-24 (20-50-19).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 369244
Time elapsed: 45 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Here is the Hijack This log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:09:39 AM, on 6/25/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\David\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Wisdom-soft ScreenHunter 5.1 Free] 0
O4 - HKCU\..\Run: [Wisdom-soft ScreenHunter 6.0 Free] 0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} (HP Product Detection Control) - https://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15108/CTPID.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
O23 - Service: Creative ALchemy AL6 Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Google Update Service (gupdate1ca03405849f6a8) (gupdate1ca03405849f6a8) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 6649 bytes

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 25 June 2012 - 12:27 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to. For any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [VolPanel] "C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [Wisdom-soft ScreenHunter 5.1 Free] 0
      O4 - HKCU\..\Run: [Wisdom-soft ScreenHunter 6.0 Free] 0
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not.
    Just copy the name between the brackets and paste it into the search space, for example from a line like:
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

ESET Online Scanner

**Note** You will need to use Internet Explorer for this scan; on Vista and Windows 7, right-click the IE shortcut and run as admin.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
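As an added example, not code from this thread or from HijackThis, here is a small Python triage parser for the O4 start-up and O23 service lines in the HijackThis 2.0.4 log format quoted in this thread; the sample lines are constructed from this thread's entries and the verdict labels are my own. It also records why so many Windows services in these logs read "(file missing)": the 32-bit scanner is shown the SysWOW64 view of system32 on 64-bit Windows.

```python
import re

# Added example, not code from this thread or from HijackThis: triage the O4
# (start-up) and O23 (service) lines of a HijackThis 2.0.4 log.
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$')

# Constructed sample in the shape of the log above (a few of this thread's entries).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Wisdom-soft ScreenHunter 5.1 Free] 0
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
"""

def exe_from_command(cmd):
    """Program path from a Run-key value, or None when the value is not a command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    first = cmd.split(' ', 1)[0]
    return first if '\\' in first else None

def classify_o4(m):
    # A Run value with no program path (the literal "0" above) is a dead start-up
    # leftover; entries with a path are optional start-ups the user may keep.
    return 'dead-entry' if exe_from_command(m['cmd']) is None else 'optional-startup'

def classify_o23(m):
    if not m['missing']:
        return 'present'
    # HijackThis 2.0.4 is 32-bit: on 64-bit Windows it is shown the SysWOW64 view of
    # system32, so genuine 64-bit system services are reported "(file missing)".
    # Under C:\Windows that flag is a redirection artifact, not evidence of malware.
    return 'wow64-artifact' if m['path'].lower().startswith('c:\\windows\\') else 'missing'

def triage(log):
    """Return (name, verdict) for each recognised O4/O23 line; other lines are skipped."""
    out = []
    for line in log.splitlines():
        if (m := O4_RE.match(line)):
            out.append((m['name'], classify_o4(m)))
        elif (m := O23_RE.match(line)):
            out.append((m['svc'], classify_o23(m)))
    return out

if __name__ == '__main__':
    for name, verdict in triage(SAMPLE_LOG):
        print(f'{verdict:17} {name}')
```

A "missing" verdict on a path outside C:\Windows is the one worth looking into; the others match what the helper above asked the user to leave or optionally remove.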

#15 dcon

dcon
  • Topic Starter

  • Members
  • 9 posts
  • Local time:11:35 AM

Posted 26 June 2012 - 02:57 AM

Thank you Gringo! The ESET scanner detected two threats, and I realized that I needed to run HijackThis as an administrator because my system denied access to the 'Hosts file', so I've also included the updated HijackThis log below. What do you think of the results?

ESET Results:
C:\ProgramData\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Users\All Users\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application


HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:27:45 PM, on 6/25/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\David\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=93&bd=Pavilion&pf=cndt
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {36299202-09EF-4ABF-ADB9-47C599DBE778} (HP Product Detection Control) - https://www.hpwindows7upgrade.arvato.com/north_america/Endcustomer/HPProdDetect.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15108/CTPID.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
O23 - Service: Creative ALchemy AL6 Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Google Update Service (gupdate1ca03405849f6a8) (gupdate1ca03405849f6a8) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 6521 bytes



