Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

TROJ_GEN.R1ECDFT & TROJ_SPNR.19FH12


  • This topic is locked This topic is locked
27 replies to this topic

#1 BrianC24

BrianC24

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Arizona, USA
  • Local time:01:29 AM

Posted 06 July 2012 - 03:03 AM

Hi there... im using trendmicro house call to try and figure out why everytime i try to goto a website it takes me to some other site i didnt try to goto. House call says its TROJ_GEN.R1ECDFT & TROJ_SPNR.19FH12 About a week ago i told it to remove the files then it said i had to restart my computer once it was done. well when i restarted my computer wouldnt start anymore. I had to get into safe mode and do a system restore. I stopped messing it since but it seems to be getting worse and worse. So i just reinstalled house call and it is still poping up with the same two trojans as before. Im not so sure what to do with it anymore so i downloaded Hijackthis. Im not sure what any of it means so if anyone could help me with what to do from here it would be sooo appreciated. Thank you, Brian


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:15 AM, on 7/6/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.19272)
Boot mode: Normal

Running processes:
C:\Windows\MHotKey.exe
C:\Windows\ChiFuncExt.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Northstar\SmartCopy\SmartCopy.exe
C:\Program Files (x86)\Northstar\SmartLauncher\SmartLauncher.exe
C:\Program Files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe
C:\Windows\CNYHKey.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Windows\ModLedKey.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
C:\Program Files (x86)\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files (x86)\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Brian\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1008&m=fx6800-01e&c=BB
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1008&m=fx6800-01e&c=BB
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1008&m=fx6800-01e&c=BB
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1066\TmIEPlg32.dll
O2 - BHO: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
O2 - BHO: TmBpIeBHO - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.0.1081\7.0.1081\TmBpIe32.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [LchDrvKey] LchDrvKey.exe
O4 - HKLM\..\Run: [LedKey] CNYHKey.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files (x86)\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [StartMSu] "C:\Program Files (x86)\Creative\MediaSource5\Startmsu.exe" /s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [StartMSu] "C:\Program Files (x86)\Creative\MediaSource5\Startmsu.exe" /s (User 'Default user')
O4 - Global Startup: SmartCopy.lnk = C:\Program Files (x86)\Northstar\SmartCopy\SmartCopy.exe
O4 - Global Startup: SmartLauncher.lnk = C:\Program Files (x86)\Northstar\SmartLauncher\SmartLauncher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab?rnd=2950334744
O18 - Protocol: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.0.1081\7.0.1081\TmBpIe32.dll
O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1066\TmIEPlg32.dll
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Unknown owner - C:\Windows\system32\agr64svc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Trend Micro Solution Platform (Amsp) - Trend Micro Inc. - C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
O23 - Service: Creative ALchemy AL6 Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Partner Service - Google Inc. - C:\ProgramData\Partner\partner.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~2\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 11513 bytes

BC AdBot (Login to Remove)

 


#2 BrianC24

BrianC24
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Arizona, USA
  • Local time:01:29 AM

Posted 06 July 2012 - 03:32 AM

Also.... I used to have trendmicro on this computer a couple years ago before i went off to Colorado for college. I tried reinstalling it tonight on my computer here in Arizona but my computers for school have all the subscriptions taken so i used housecall. Dont know if that makes any difference? Thx, Brian

#3 BrianC24

BrianC24
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Arizona, USA
  • Local time:01:29 AM

Posted 06 July 2012 - 03:33 AM

.

Edited by BrianC24, 06 July 2012 - 04:29 AM.


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:29 AM

Posted 06 July 2012 - 05:49 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of hartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.


DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.


Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Posted Image
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

information and logs:

  • In your next post I need the following

  • .logs from DDS
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 BrianC24

BrianC24
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Arizona, USA
  • Local time:01:29 AM

Posted 06 July 2012 - 04:47 PM

Results of screen317's Security Check version 0.99.42
Windows Vista Service Pack 2 x64 (UAC is disabled!)
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Trend Micro Internet Security Pro
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Ad-Aware
MVPS Hosts File
Out of date HijackThis installed!
Spybot - Search & Destroy
HijackThis 2.0.2
Java™ 6 Update 26
Java™ 6 Update 5
Java version out of Date!
Adobe Reader 8 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Trend Micro AMSP coreServiceShell.exe
Trend Micro UniClient UiFrmWrk uiWatchDog.exe
Trend Micro AMSP coreFrameworkHost.exe
Trend Micro UniClient UiFrmWrk uiSeAgnt.exe
Trend Micro UniClient UiFrmWrk WscStatusController.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0 %
````````````````````End of Log``````````````````````





.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.6001.19272
Run by Brian at 14:37:14 on 2012-07-06
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1527 [GMT -7:00]
.
AV: Trend Micro Internet Security Pro *Disabled/Updated* {48929DFC-7A52-A34F-8351-C4DBEDBD9C50}
SP: Trend Micro Internet Security Pro *Disabled/Updated* {F3F37C18-5C68-ACC1-B9E1-FFA9963AD6ED}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Trend Micro Personal Firewall *Disabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\MHotKey.exe
C:\Windows\ChiFuncExt.exe
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Windows\RAVCpl64.exe
C:\Windows\System32\rundll32.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\Windows\system32\agr64svc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\Northstar\SmartCopy\SmartCopy.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files (x86)\Northstar\SmartLauncher\SmartLauncher.exe
C:\Program Files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\CNYHKey.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
C:\Windows\SysWOW64\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\ModLedKey.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Users\Brian\Desktop\Defogger.exe
C:\Windows\SysWOW64\notepad.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1008&m=fx6800-01e&c=BB
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1008&m=fx6800-01e&c=BB
mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1008&m=fx6800-01e&c=BB
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1066\TmIEPlg32.dll
BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.0.1081\7.0.1081\TmBpIe32.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
uRun: [igndlm.exe] C:\Program Files (x86)\Download Manager\DLM.exe /windowsstart /startifwork
uRun: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
uRun: [ehTray.exe] C:\Windows\ehome\ehTray.exe
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [VolPanel] "C:\Program Files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" /r
mRun: [UpdReg] C:\Windows\UpdReg.EXE
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [LchDrvKey] LchDrvKey.exe
mRun: [LedKey] CNYHKey.exe
mRun: [eRecoveryService]
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
dRun: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
dRunOnce: [StartMSu] "C:\Program Files (x86)\Creative\MediaSource5\Startmsu.exe" /s
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SMARTC~1.LNK - C:\Program Files (x86)\Northstar\SmartCopy\SmartCopy.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SMARTL~1.LNK - C:\Program Files (x86)\Northstar\SmartLauncher\SmartLauncher.exe
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/RACtrl.cab?rnd=2950334744
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{05CE41D7-A829-42BD-8E8E-6749DA5D3F4C} : DhcpNameServer = 192.168.1.1
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\7.0.1081\7.0.1081\TmBpIe32.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\2.0.1313\6.8.1066\TmIEPlg32.dll
SubSystems: Windows = basesrv,1 winsrv:UserServerDllInitialization,3 consrv:ConServerDllInitialization,2
BHO-X64: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO-X64: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1066\TmIEPlg32.dll
BHO-X64: Trend Micro NSC BHO - No File
BHO-X64: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
BHO-X64: Ad-Aware Security Toolbar - No File
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
BHO-X64: TmBpIeBHO Class: {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.0.1081\7.0.1081\TmBpIe32.dll
BHO-X64: TmBpIeBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files (x86)\adawaretb\adawareDx.dll
mRun-x64: [VolPanel] "C:\Program Files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" /r
mRun-x64: [UpdReg] C:\Windows\UpdReg.EXE
mRun-x64: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun-x64: [LchDrvKey] LchDrvKey.exe
mRun-x64: [LedKey] CNYHKey.exe
mRun-x64: [eRecoveryService]
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 SbFw;SbFw;C:\Windows\system32\drivers\SbFw.sys --> C:\Windows\system32\drivers\SbFw.sys [?]
R1 tmevtmgr;tmevtmgr;C:\Windows\system32\DRIVERS\tmevtmgr.sys --> C:\Windows\system32\DRIVERS\tmevtmgr.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 Amsp;Trend Micro Solution Platform;C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe [2012-7-5 275912]
R2 ETService;Empowering Technology Service;C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe [2008-10-25 24576]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;C:\Windows\system32\DRIVERS\e1y60x64.sys --> C:\Windows\system32\DRIVERS\e1y60x64.sys [?]
R3 gwfilt64;gwfilt64;C:\Windows\system32\drivers\gwfilt64.sys --> C:\Windows\system32\drivers\gwfilt64.sys [?]
R3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;C:\Windows\system32\Drivers\RTS5121.sys --> C:\Windows\system32\Drivers\RTS5121.sys [?]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-8 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-5-12 257224]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2009-9-24 89920]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe [2008-1-9 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2008-1-9 79360]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-5-8 135664]
S3 Partner Service;Partner Service;C:\ProgramData\Partner\partner.exe [2009-1-8 110576]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 Symantec Core LC;Symantec Core LC;C:\PROGRA~2\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe [2008-1-9 1245064]
S4 NetworkLog;NetworkLog; [x]
S4 SPService;SPService;C:\Windows\sysWOW64\svchost.exe -k netsvc --> C:\Windows\sysWOW64\svchost.exe -k netsvc [?]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-07-06 06:28:09 102400 ----a-w- C:\Windows\RegBootClean.exe
2012-07-06 05:58:59 129024 ----a-w- C:\Windows\RegBootClean64.exe
2012-07-06 05:57:31 105744 ----a-w- C:\Windows\System32\drivers\tmtdi.sys
2012-07-06 05:54:55 70928 ----a-w- C:\Windows\System32\drivers\tmevtmgr.sys
2012-07-06 05:54:55 167696 ----a-w- C:\Windows\System32\drivers\tmcomm.sys
2012-07-06 05:54:54 91920 ----a-w- C:\Windows\System32\drivers\tmactmon.sys
2012-07-06 05:53:19 56 ----a-w- C:\Windows\System32\SupportTool.exe.bat
2012-07-06 05:52:28 -------- d-----w- C:\Program Files\Trend Micro
2012-07-06 05:34:37 -------- d-----w- C:\Program Files (x86)\Trend Micro
2012-06-30 10:20:14 -------- d-----w- C:\Program Files (x86)\Palringo
2012-06-29 05:37:01 -------- d-----w- C:\Users\Brian\AppData\Local\LogMeIn
2012-06-29 05:37:01 -------- d-----w- C:\ProgramData\LogMeIn
2012-06-14 01:54:53 209920 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
.
==================== Find3M ====================
.
2012-06-26 07:48:55 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-26 07:48:55 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-06-05 07:37:22 256904 ----a-w- C:\Windows\SysWow64\drivers\tmcomm.sys
2012-06-02 22:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 22:19:42 171904 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 22:12:20 33792 ----a-w- C:\Windows\SysWow64\wuapp.exe
2012-06-02 22:12:13 88576 ----a-w- C:\Windows\SysWow64\wudriver.dll
2012-05-26 03:23:03 0 --sha-w- C:\Windows\System32\dds_trash_log.cmd
2012-05-15 20:15:08 2767360 ----a-w- C:\Windows\System32\win32k.sys
2012-05-15 06:37:49 916992 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-05-15 06:32:25 43520 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2012-05-15 06:32:00 1469440 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-05-15 06:31:44 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2012-05-15 06:31:43 71680 ----a-w- C:\Windows\SysWow64\iesetup.dll
2012-05-15 05:01:56 385024 ----a-w- C:\Windows\SysWow64\html.iec
2012-05-15 03:26:05 133632 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-05-15 03:23:41 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-05-15 02:19:57 1147392 ----a-w- C:\Windows\System32\wininet.dll
2012-05-15 02:15:14 56832 ----a-w- C:\Windows\System32\licmgr10.dll
2012-05-15 02:14:53 1538560 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-05-15 02:14:26 77312 ----a-w- C:\Windows\System32\iesetup.dll
2012-05-15 02:14:26 132096 ----a-w- C:\Windows\System32\iesysprep.dll
2012-05-15 01:21:55 479232 ----a-w- C:\Windows\System32\html.iec
2012-05-15 00:40:32 162816 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-05-15 00:39:13 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2012-04-11 23:59:30 8592 ----a-w- C:\Windows\SysWow64\ractrlkeyhook.dll
.
============= FINISH: 14:37:46.00 ===============







.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 10/25/2008 5:43:39 AM
System Uptime: 7/6/2012 2:20:54 PM (0 hours ago)
.
Motherboard: Gateway | | TBGM01
Processor: Intel® Core™ i7 CPU 920 @ 2.67GHz | CPU 1 | 2667/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 689 GiB total, 546.284 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Update for Microsoft Office 2007 (KB2508958)
Ad-Aware Security Toolbar
Adobe Flash Player 11 ActiveX
Adobe Reader 8.1.3
AVerMedia M791 PCIe Combo NTSC/ATSC 6.104.64.5
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization Dutch
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Swedish
ccc-core-static
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Dutch
CCC Help English
CCC Help French
CCC Help German
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Portuguese
CCC Help Spanish
CCC Help Swedish
Compatibility Pack for the 2007 Office system
Creative ALchemy
Creative MediaSource 5
CyberLink LabelPrint
CyberLink Power2Go
Download Manager 2.3.7
FrostWire 5.2.11
Gateway Games
Gateway Recovery Management
Google Toolbar for Internet Explorer
Google Update Helper
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java Auto Updater
Java™ 6 Update 26
Java™ 6 Update 5
KB0817 Keyboard Driver
LimeWire 4.18.8
Microsoft Money Essentials
Microsoft Money Shared Libraries
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Napster
Napster Burn Engine
Palringo
Realtek Card Reader
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596880) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597162) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2598041) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2597161) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2596917) 32-Bit Edition
Skins
SmartCopy
SmartLauncher
Sound Blaster X-Fi MB
Spybot - Search & Destroy
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
WinRAR archiver
Wolfenstein - Enemy Territory
Yahoo! Detect
.
==== Event Viewer Messages From Past Week ========
.
7/6/2012 2:34:53 PM, Error: Service Control Manager [7023] - The Security Center service terminated with the following error: The system cannot find the file specified.
7/6/2012 2:22:54 PM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
7/6/2012 2:22:54 PM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed.
7/6/2012 2:22:54 PM, Error: Service Control Manager [7003] - The Internet Connection Sharing (ICS) service depends the following service: BFE. This service might not be installed.
7/6/2012 2:22:54 PM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed.
7/5/2012 9:19:06 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the W32Time service.
7/5/2012 9:18:36 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the FDResPub service.
7/5/2012 9:17:06 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the LanmanWorkstation service.
7/5/2012 8:51:44 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the stisvc service.
7/5/2012 11:28:07 PM, Error: Service Control Manager [7034] - The NetworkLog service terminated unexpectedly. It has done this 1 time(s).
7/5/2012 10:51:25 PM, Error: Service Control Manager [7023] - The SPService service terminated with the following error: Invalid access to memory location.
7/5/2012 10:41:47 PM, Error: Service Control Manager [7003] - The SBSD Security Center Service service depends the following service: wscsvc. This service might not be installed.
7/5/2012 10:39:08 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the netprofm service.
7/5/2012 10:38:38 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the fdPHost service.
7/5/2012 10:35:04 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WinHttpAutoProxySvc service.
7/5/2012 10:35:04 PM, Error: Service Control Manager [7000] - The WinHTTP Web Proxy Auto-Discovery Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
7/3/2012 6:46:27 PM, Error: EventLog [6008] - The previous system shutdown at 6:44:59 PM on 7/3/2012 was unexpected.
.
==== End Of File ===========================




Thank you, Brian

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:29 AM

Posted 07 July 2012 - 12:22 AM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 BrianC24

BrianC24
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Arizona, USA
  • Local time:01:29 AM

Posted 07 July 2012 - 12:57 AM

ComboFix 12-07-06.02 - Brian 07/06/2012 22:32:25.1.8 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1896 [GMT -7:00]
Running from: c:\users\Brian\Desktop\ComboFix.exe
AV: Trend Micro Internet Security Pro *Disabled/Updated* {48929DFC-7A52-A34F-8351-C4DBEDBD9C50}
FW: Trend Micro Personal Firewall *Disabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
SP: Trend Micro Internet Security Pro *Disabled/Updated* {F3F37C18-5C68-ACC1-B9E1-FFA9963AD6ED}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Brian\AppData\Local\ewy.exe
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
c:\windows\system32\consrv.dll
c:\windows\system32\dds_trash_log.cmd
c:\windows\System64
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_NetworkLog
-------\Service_SPService
.
.
((((((((((((((((((((((((( Files Created from 2012-06-07 to 2012-07-07 )))))))))))))))))))))))))))))))
.
.
2012-07-07 05:42 . 2012-07-07 05:44 -------- d-----w- c:\users\Brian\AppData\Local\temp
2012-07-06 06:28 . 2012-07-06 06:28 102400 ----a-w- c:\windows\RegBootClean.exe
2012-07-06 05:58 . 2012-07-06 05:59 129024 ----a-w- c:\windows\RegBootClean64.exe
2012-07-06 05:57 . 2012-07-06 05:35 105744 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2012-07-06 05:54 . 2012-07-06 05:35 70928 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2012-07-06 05:54 . 2012-07-06 05:35 167696 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-07-06 05:54 . 2012-07-06 05:35 91920 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2012-07-06 05:53 . 2012-07-06 05:53 56 ----a-w- c:\windows\system32\SupportTool.exe.bat
2012-07-06 05:52 . 2012-07-06 05:52 -------- d-----w- c:\program files\Trend Micro
2012-07-06 05:34 . 2012-07-06 05:35 -------- d-----w- c:\program files (x86)\Trend Micro
2012-06-30 10:20 . 2012-06-30 10:20 -------- d-----w- c:\program files (x86)\Palringo
2012-06-29 05:37 . 2012-06-29 05:37 -------- d-----w- c:\users\Brian\AppData\Local\LogMeIn
2012-06-29 05:37 . 2012-06-29 05:37 -------- d-----w- c:\programdata\LogMeIn
2012-06-14 01:54 . 2012-05-01 14:29 209920 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-26 07:48 . 2012-05-12 10:27 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-26 07:48 . 2011-08-03 03:10 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-05 07:37 . 2011-05-27 21:30 256904 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
2012-04-11 23:59 . 2012-04-11 23:59 8592 ----a-w- c:\windows\SysWow64\ractrlkeyhook.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2012-04-11 20:08 87440 ----a-w- c:\program files (x86)\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files (x86)\adawaretb\adawareDx.dll" [2012-04-11 87440]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files (x86)\Download Manager\DLM.exe" [2008-08-01 1103216]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-09 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" [2008-07-10 225396]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
"LedKey"="CNYHKey.exe" [2008-04-24 339968]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2012-05-09 201112]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"StartMSu"="c:\program files (x86)\Creative\MediaSource5\Startmsu.exe" [2006-10-02 81920]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
SmartCopy.lnk - c:\program files (x86)\Northstar\SmartCopy\SmartCopy.exe [2008-10-25 319488]
SmartLauncher.lnk - c:\program files (x86)\Northstar\SmartLauncher\SmartLauncher.exe [2008-10-25 335872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-26 257224]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-12 07:48]
.
2012-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-08 17:25]
.
2012-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-08 17:25]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2008-09-18 6495264]
"RunDLLEntry"="c:\windows\system32\RunDLL32.exe" [2006-11-02 46592]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-07-21 182808]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2012-07-06 204048]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2012-07-06 1300672]
"combofix"="c:\combofix\CF16042.3XE" [2008-01-21 363008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
nlsvc
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1008&m=fx6800-01e&c=BB
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
LSP: mswsock.dll
TCP: DhcpNameServer = 192.168.1.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{96AFBE69-C3B0-4b00-8578-D933D2896EE2} - (no file)
Wow6432Node-HKLM-Run-eRecoveryService - (no file)
HKLM-Run-Skytel - Skytel.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\HELPDIR]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
c:\windows\MHotKey.exe
c:\windows\ChiFuncExt.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\CNYHKey.exe
c:\program files (x86)\Windows Media Player\wmplayer.exe
c:\windows\ModLedKey.exe
.
**************************************************************************
.
Completion time: 2012-07-06 22:50:28 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-07 05:50
.
Pre-Run: 585,516,699,648 bytes free
Post-Run: 585,175,142,400 bytes free
.
- - End Of File - - 0FA0F56E9D5F819C41AB1C4999314C0D




There were no problems during combofix running. I just now got back to my computer since running combofix so im not so sure how it is running just yet. earlier today when i would click on a link 70% of the time id get taken to some other website that ive never seen before.
-Brian

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:29 AM

Posted 07 July 2012 - 12:59 AM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 BrianC24

BrianC24
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Arizona, USA
  • Local time:01:29 AM

Posted 07 July 2012 - 01:26 AM

The TDDSKiller required a reboot of my computer. now that i goto the C: folder it had two documents for it. You had not told me if i should click fix on the aswMBR so i didnt. ill keep it open until you tell me to do so or not.

First one:

23:07:09.0522 5336 TDSS rootkit removing tool 2.7.44.0 Jul 2 2012 20:01:08
23:07:09.0878 5336 ============================================================
23:07:09.0878 5336 Current date / time: 2012/07/06 23:07:09.0878
23:07:09.0878 5336 SystemInfo:
23:07:09.0878 5336
23:07:09.0878 5336 OS Version: 6.0.6002 ServicePack: 2.0
23:07:09.0878 5336 Product type: Workstation
23:07:09.0878 5336 ComputerName: BRIAN-PC
23:07:09.0878 5336 UserName: Brian
23:07:09.0879 5336 Windows directory: C:\Windows
23:07:09.0879 5336 System windows directory: C:\Windows
23:07:09.0879 5336 Running under WOW64
23:07:09.0879 5336 Processor architecture: Intel x64
23:07:09.0879 5336 Number of processors: 8
23:07:09.0879 5336 Page size: 0x1000
23:07:09.0879 5336 Boot type: Normal boot
23:07:09.0879 5336 ============================================================
23:07:10.0739 5336 Drive \Device\Harddisk0\DR0 - Size: 0xAEA8CDE000 (698.64 Gb), SectorSize: 0x200, Cylinders: 0x16441, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
23:07:10.0760 5336 ============================================================
23:07:10.0760 5336 \Device\Harddisk0\DR0:
23:07:10.0760 5336 MBR partitions:
23:07:10.0760 5336 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x1389000, BlocksNum 0x561BC800
23:07:10.0760 5336 ============================================================
23:07:10.0792 5336 C: <-> \Device\Harddisk0\DR0\Partition0
23:07:10.0792 5336 ============================================================
23:07:10.0792 5336 Initialize success
23:07:10.0792 5336 ============================================================
23:08:30.0888 5268 ============================================================
23:08:30.0889 5268 Scan started
23:08:30.0889 5268 Mode: Manual;
23:08:30.0889 5268 ============================================================
23:08:32.0164 5268 ACPI (1965aaffab07e3fb03c77f81beba3547) C:\Windows\system32\drivers\acpi.sys
23:08:32.0183 5268 ACPI - ok
23:08:32.0301 5268 AdobeFlashPlayerUpdateSvc (f3cd7b20b27d1772c946df993ff3635c) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
23:08:32.0302 5268 AdobeFlashPlayerUpdateSvc - ok
23:08:32.0353 5268 adp94xx (f14215e37cf124104575073f782111d2) C:\Windows\system32\drivers\adp94xx.sys
23:08:32.0382 5268 adp94xx - ok
23:08:32.0418 5268 adpahci (7d05a75e3066861a6610f7ee04ff085c) C:\Windows\system32\drivers\adpahci.sys
23:08:32.0433 5268 adpahci - ok
23:08:32.0456 5268 adpu160m (820a201fe08a0c345b3bedbc30e1a77c) C:\Windows\system32\drivers\adpu160m.sys
23:08:32.0459 5268 adpu160m - ok
23:08:32.0488 5268 adpu320 (9b4ab6854559dc168fbb4c24fc52e794) C:\Windows\system32\drivers\adpu320.sys
23:08:32.0491 5268 adpu320 - ok
23:08:32.0517 5268 AeLookupSvc (0f421175574bfe0bf2f4d8e910a253bb) C:\Windows\System32\aelupsvc.dll
23:08:32.0519 5268 AeLookupSvc - ok
23:08:32.0571 5268 AFD (c4f6ce6087760ad70960c9eb130e7943) C:\Windows\system32\drivers\afd.sys
23:08:32.0611 5268 AFD - ok
23:08:32.0648 5268 AgereModemAudio (8b0d8b5bafd4c9d57b41426bc68b32f9) C:\Windows\system32\agr64svc.exe
23:08:32.0653 5268 AgereModemAudio - ok
23:08:32.0794 5268 AgereSoftModem (ddf52c4c92d831a4cdb7788b37585e36) C:\Windows\system32\DRIVERS\agrsm64.sys
23:08:32.0817 5268 AgereSoftModem - ok
23:08:32.0852 5268 agp440 (f6f6793b7f17b550ecfdbd3b229173f7) C:\Windows\system32\drivers\agp440.sys
23:08:32.0854 5268 agp440 - ok
23:08:32.0874 5268 aic78xx (222cb641b4b8a1d1126f8033f9fd6a00) C:\Windows\system32\drivers\djsvs.sys
23:08:32.0877 5268 aic78xx - ok
23:08:32.0898 5268 ALG (5922f4f59b7868f3d74bbbbeb7b825a3) C:\Windows\System32\alg.exe
23:08:32.0900 5268 ALG - ok
23:08:32.0914 5268 aliide (157d0898d4b73f075ce9fa26b482df98) C:\Windows\system32\drivers\aliide.sys
23:08:32.0916 5268 aliide - ok
23:08:32.0960 5268 AMD External Events Utility (a359974eaac83a435497c52f62a2e590) C:\Windows\system32\atiesrxx.exe
23:08:32.0971 5268 AMD External Events Utility - ok
23:08:32.0979 5268 amdide (970fa5059e61e30d25307b99903e991e) C:\Windows\system32\drivers\amdide.sys
23:08:32.0981 5268 amdide - ok
23:08:32.0997 5268 AmdK8 (cdc3632a3a5ea4dbb83e46076a3165a1) C:\Windows\system32\drivers\amdk8.sys
23:08:33.0000 5268 AmdK8 - ok
23:08:33.0329 5268 amdkmdag (60216b0e704584de6d5a9f59e9c34c47) C:\Windows\system32\DRIVERS\atikmdag.sys
23:08:33.0453 5268 amdkmdag - ok
23:08:33.0588 5268 amdkmdap (6b4e9261b613b047a9a145f328889968) C:\Windows\system32\DRIVERS\atikmpag.sys
23:08:33.0603 5268 amdkmdap - ok
23:08:33.0704 5268 Amsp (1b7d1f0a0dfadbc797c16364792a7aa5) C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
23:08:33.0706 5268 Amsp - ok
23:08:33.0748 5268 Appinfo (9c37b3fd5615477cb9a0cd116cf43f5c) C:\Windows\System32\appinfo.dll
23:08:33.0749 5268 Appinfo - ok
23:08:33.0777 5268 arc (ba8417d4765f3988ff921f30f630e303) C:\Windows\system32\drivers\arc.sys
23:08:33.0780 5268 arc - ok
23:08:33.0805 5268 arcsas (9d41c435619733b34cc16a511e644b11) C:\Windows\system32\drivers\arcsas.sys
23:08:33.0807 5268 arcsas - ok
23:08:33.0840 5268 AsyncMac (22d13ff3dafec2a80634752b1eaa2de6) C:\Windows\system32\DRIVERS\asyncmac.sys
23:08:33.0840 5268 AsyncMac - ok
23:08:33.0872 5268 atapi (e68d9b3a3905619732f7fe039466a623) C:\Windows\system32\drivers\atapi.sys
23:08:33.0873 5268 atapi - ok
23:08:34.0228 5268 atikmdag (60216b0e704584de6d5a9f59e9c34c47) C:\Windows\system32\DRIVERS\atikmdag.sys
23:08:34.0268 5268 atikmdag - ok
23:08:34.0380 5268 AudioEndpointBuilder (79318c744693ec983d20e9337a2f8196) C:\Windows\System32\Audiosrv.dll
23:08:34.0420 5268 AudioEndpointBuilder - ok
23:08:34.0423 5268 AudioSrv (79318c744693ec983d20e9337a2f8196) C:\Windows\System32\Audiosrv.dll
23:08:34.0425 5268 AudioSrv - ok
23:08:34.0440 5268 Beep - ok
23:08:34.0495 5268 BFE (ffb96c2589ffa60473ead78b39fbde29) C:\Windows\System32\bfe.dll
23:08:34.0508 5268 BFE - ok
23:08:34.0584 5268 BITS (6d316f4859634071cc25c4fd4589ad2c) C:\Windows\system32\qmgr.dll
23:08:34.0590 5268 BITS - ok
23:08:34.0627 5268 blbdrive (79feeb40056683f8f61398d81dda65d2) C:\Windows\system32\drivers\blbdrive.sys
23:08:34.0629 5268 blbdrive - ok
23:08:34.0677 5268 bowser (2348447a80920b2493a9b582a23e81e1) C:\Windows\system32\DRIVERS\bowser.sys
23:08:34.0680 5268 bowser - ok
23:08:34.0694 5268 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\drivers\brfiltlo.sys
23:08:34.0696 5268 BrFiltLo - ok
23:08:34.0706 5268 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\drivers\brfiltup.sys
23:08:34.0708 5268 BrFiltUp - ok
23:08:34.0732 5268 Browser (a1b39de453433b115b4ea69ee0343816) C:\Windows\System32\browser.dll
23:08:34.0733 5268 Browser - ok
23:08:34.0744 5268 Brserid (f0f0ba4d815be446aa6a4583ca3bca9b) C:\Windows\system32\drivers\brserid.sys
23:08:34.0746 5268 Brserid - ok
23:08:34.0761 5268 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\system32\drivers\brserwdm.sys
23:08:34.0764 5268 BrSerWdm - ok
23:08:34.0779 5268 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\system32\drivers\brusbmdm.sys
23:08:34.0781 5268 BrUsbMdm - ok
23:08:34.0791 5268 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\system32\drivers\brusbser.sys
23:08:34.0793 5268 BrUsbSer - ok
23:08:34.0808 5268 BTHMODEM (e0777b34e05f8a82a21856efc900c29f) C:\Windows\system32\drivers\bthmodem.sys
23:08:34.0811 5268 BTHMODEM - ok
23:08:34.0829 5268 catchme - ok
23:08:34.0846 5268 cdfs (b4d787db8d30793a4d4df9feed18f136) C:\Windows\system32\DRIVERS\cdfs.sys
23:08:34.0849 5268 cdfs - ok
23:08:34.0891 5268 cdrom (c025aa69be3d0d25c7a2e746ef6f94fc) C:\Windows\system32\DRIVERS\cdrom.sys
23:08:34.0893 5268 cdrom - ok
23:08:34.0932 5268 CertPropSvc (5a268127633c7ee2a7fb87f39d748d56) C:\Windows\System32\certprop.dll
23:08:34.0934 5268 CertPropSvc - ok
23:08:34.0947 5268 circlass (02ea568d498bbdd4ba55bf3fce34d456) C:\Windows\system32\DRIVERS\circlass.sys
23:08:34.0949 5268 circlass - ok
23:08:35.0002 5268 CLFS (3dca9a18b204939cfb24bea53e31eb48) C:\Windows\system32\CLFS.sys
23:08:35.0019 5268 CLFS - ok
23:08:35.0066 5268 clr_optimization_v2.0.50727_32 (8ee772032e2fe80a924f3b8dd5082194) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
23:08:35.0069 5268 clr_optimization_v2.0.50727_32 - ok
23:08:35.0133 5268 clr_optimization_v2.0.50727_64 (ce07a466201096f021cd09d631b21540) C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
23:08:35.0136 5268 clr_optimization_v2.0.50727_64 - ok
23:08:35.0145 5268 cmdide (e5d5499a1c50a54b5161296b6afe6192) C:\Windows\system32\drivers\cmdide.sys
23:08:35.0146 5268 cmdide - ok
23:08:35.0156 5268 Compbatt (7fb8ad01db0eabe60c8a861531a8f431) C:\Windows\system32\drivers\compbatt.sys
23:08:35.0158 5268 Compbatt - ok
23:08:35.0159 5268 COMSysApp - ok
23:08:35.0165 5268 crcdisk (a8585b6412253803ce8efcbd6d6dc15c) C:\Windows\system32\drivers\crcdisk.sys
23:08:35.0165 5268 crcdisk - ok
23:08:35.0228 5268 Creative ALchemy AL6 Licensing Service (c8bd651e13895b93ed9ec5b4f1df42bc) C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\AL6Licensing.exe
23:08:35.0231 5268 Creative ALchemy AL6 Licensing Service - ok
23:08:35.0262 5268 Creative Audio Engine Licensing Service (c0ead9f8ab83d41ff07303c75589c2b8) C:\Program Files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
23:08:35.0265 5268 Creative Audio Engine Licensing Service - ok
23:08:35.0281 5268 CryptSvc (18918613e63f387cde4d95ca7d49dcf7) C:\Windows\system32\cryptsvc.dll
23:08:35.0282 5268 CryptSvc - ok
23:08:35.0326 5268 CTAudSvcService (ff686c4620b646773c8181f1c7c5101c) C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe
23:08:35.0328 5268 CTAudSvcService - ok
23:08:35.0409 5268 DcomLaunch (cf8b9a3a5e7dc57724a89d0c3e8cf9ef) C:\Windows\system32\rpcss.dll
23:08:35.0412 5268 DcomLaunch - ok
23:08:35.0479 5268 DfsC (8b722ba35205c71e7951cdc4cdbade19) C:\Windows\system32\Drivers\dfsc.sys
23:08:35.0482 5268 DfsC - ok
23:08:35.0650 5268 DFSR (c647f468f7de343df8c143655c5557d4) C:\Windows\system32\DFSR.exe
23:08:35.0713 5268 DFSR - ok
23:08:35.0832 5268 Dhcp (3ed0321127ce70acdaabbf77e157c2a7) C:\Windows\System32\dhcpcsvc.dll
23:08:35.0848 5268 Dhcp - ok
23:08:35.0901 5268 disk (b0107e40ecdb5fa692ebf832f295d905) C:\Windows\system32\drivers\disk.sys
23:08:35.0904 5268 disk - ok
23:08:35.0962 5268 Dnscache (06230f1b721494a6df8d47fd395bb1b0) C:\Windows\System32\dnsrslvr.dll
23:08:35.0965 5268 Dnscache - ok
23:08:36.0009 5268 dot3svc (1a7156dd1e850e9914e5e991e3225b94) C:\Windows\System32\dot3svc.dll
23:08:36.0014 5268 dot3svc - ok
23:08:36.0037 5268 DPS (1583b39790db3eaec7edb0cb0140c708) C:\Windows\system32\dps.dll
23:08:36.0038 5268 DPS - ok
23:08:36.0063 5268 drmkaud (f1a78a98cfc2ee02144c6bec945447e6) C:\Windows\system32\drivers\drmkaud.sys
23:08:36.0065 5268 drmkaud - ok
23:08:36.0141 5268 DXGKrnl (b8e554e502d5123bc111f99d6a2181b4) C:\Windows\System32\drivers\dxgkrnl.sys
23:08:36.0162 5268 DXGKrnl - ok
23:08:36.0182 5268 E1G60 (264cee7b031a9d6c827f3d0cb031f2fe) C:\Windows\system32\DRIVERS\E1G6032E.sys
23:08:36.0186 5268 E1G60 - ok
23:08:36.0219 5268 e1yexpress (b37f6853d6e0c6f5f8efde33e831b5f8) C:\Windows\system32\DRIVERS\e1y60x64.sys
23:08:36.0234 5268 e1yexpress - ok
23:08:36.0245 5268 EapHost (c2303883fd9be49dc36a6400643002ea) C:\Windows\System32\eapsvc.dll
23:08:36.0246 5268 EapHost - ok
23:08:36.0314 5268 Ecache (5f94962be5a62db6e447ff6470c4f48a) C:\Windows\system32\drivers\ecache.sys
23:08:36.0317 5268 Ecache - ok
23:08:36.0399 5268 ehRecvr (14ce384d2e27b64c256bda4dc39c312d) C:\Windows\ehome\ehRecvr.exe
23:08:36.0416 5268 ehRecvr - ok
23:08:36.0435 5268 ehSched (b93159c1313d66fdfbbe876f5189cd52) C:\Windows\ehome\ehsched.exe
23:08:36.0438 5268 ehSched - ok
23:08:36.0451 5268 ehstart (f5ee2527d74449868e3c3227a59bcd28) C:\Windows\ehome\ehstart.dll
23:08:36.0453 5268 ehstart - ok
23:08:36.0485 5268 elxstor (c4636d6e10469404ab5308d9fd45ed07) C:\Windows\system32\drivers\elxstor.sys
23:08:36.0502 5268 elxstor - ok
23:08:36.0556 5268 EMDMgmt (a9b18b63a4fd6baab83326706d857fab) C:\Windows\system32\emdmgmt.dll
23:08:36.0582 5268 EMDMgmt - ok
23:08:36.0603 5268 ErrDev (bc3a58e938bb277e46bf4b3003b01abd) C:\Windows\system32\drivers\errdev.sys
23:08:36.0605 5268 ErrDev - ok
23:08:36.0714 5268 ETService (4d06d9a26227ac485305133916888df1) C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe
23:08:36.0714 5268 ETService - ok
23:08:36.0810 5268 EventSystem (e12f22b73f153dece721cd45ec05b4af) C:\Windows\system32\es.dll
23:08:36.0812 5268 EventSystem - ok
23:08:36.0863 5268 exfat (486844f47b6636044a42454614ed4523) C:\Windows\system32\drivers\exfat.sys
23:08:36.0867 5268 exfat - ok
23:08:36.0906 5268 fastfat (1a4bee34277784619ddaf0422c0c6e23) C:\Windows\system32\drivers\fastfat.sys
23:08:36.0950 5268 fastfat - ok
23:08:36.0970 5268 fdc (81b79b6df71fa1d2c6d688d830616e39) C:\Windows\system32\DRIVERS\fdc.sys
23:08:36.0972 5268 fdc - ok
23:08:36.0994 5268 fdPHost (bb9267acacd8b7533dd936c34a0cba5e) C:\Windows\system32\fdPHost.dll
23:08:36.0995 5268 fdPHost - ok
23:08:37.0011 5268 FDResPub (300c80931eabbe1db7591c516efe8d0f) C:\Windows\system32\fdrespub.dll
23:08:37.0013 5268 FDResPub - ok
23:08:37.0028 5268 FileInfo (457b7d1d533e4bd62a99aed9c7bb4c59) C:\Windows\system32\drivers\fileinfo.sys
23:08:37.0031 5268 FileInfo - ok
23:08:37.0042 5268 Filetrace (d421327fd6efccaf884a54c58e1b0d7f) C:\Windows\system32\drivers\filetrace.sys
23:08:37.0044 5268 Filetrace - ok
23:08:37.0054 5268 flpydisk (230923ea2b80f79b0f88d90f87b87ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
23:08:37.0056 5268 flpydisk - ok
23:08:37.0108 5268 FltMgr (e3041bc26d6930d61f42aedb79c91720) C:\Windows\system32\drivers\fltmgr.sys
23:08:37.0124 5268 FltMgr - ok
23:08:37.0217 5268 FontCache (be1c5bd1ca7ed015bc6fa1ae67e592c8) C:\Windows\system32\FntCache.dll
23:08:37.0240 5268 FontCache - ok
23:08:37.0313 5268 FontCache3.0.0.0 (bc5b0be5af3510b0fd8c140ee42c6d3e) C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
23:08:37.0315 5268 FontCache3.0.0.0 - ok
23:08:37.0386 5268 Fs_Rec (5779b86cd8b32519fbecb136394d946a) C:\Windows\system32\drivers\Fs_Rec.sys
23:08:37.0388 5268 Fs_Rec - ok
23:08:37.0409 5268 gagp30kx (c8e416668d3dc2be3d4fe4c79224997f) C:\Windows\system32\drivers\gagp30kx.sys
23:08:37.0412 5268 gagp30kx - ok
23:08:37.0484 5268 GameConsoleService (617dc2877015270914ca3c03873560d5) C:\Program Files (x86)\Gateway Games\Gateway Game Console\GameConsoleService.exe
23:08:37.0488 5268 GameConsoleService - ok
23:08:37.0562 5268 gpsvc (a0e1b575ba8f504968cd40c0faeb2384) C:\Windows\System32\gpsvc.dll
23:08:37.0566 5268 gpsvc - ok
23:08:37.0637 5268 gupdate (8f0de4fef8201e306f9938b0905ac96a) C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
23:08:37.0642 5268 gupdate - ok
23:08:37.0651 5268 gupdatem (8f0de4fef8201e306f9938b0905ac96a) C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
23:08:37.0652 5268 gupdatem - ok
23:08:37.0691 5268 gusvc (cc839e8d766cc31a7710c9f38cf3e375) C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
23:08:37.0695 5268 gusvc - ok
23:08:37.0724 5268 gwfilt64 (5e114600f350f3bee3f92516e51144f1) C:\Windows\system32\drivers\gwfilt64.sys
23:08:37.0727 5268 gwfilt64 - ok
23:08:37.0754 5268 HdAudAddService (df45f8142dc6df9d18c39b3effbd0409) C:\Windows\system32\drivers\HdAudio.sys
23:08:37.0769 5268 HdAudAddService - ok
23:08:37.0845 5268 HDAudBus (f942c5820205f2fb453243edfec82a3d) C:\Windows\system32\DRIVERS\HDAudBus.sys
23:08:37.0866 5268 HDAudBus - ok
23:08:37.0876 5268 HidBth (b4881c84a180e75b8c25dc1d726c375f) C:\Windows\system32\drivers\hidbth.sys
23:08:37.0878 5268 HidBth - ok
23:08:37.0888 5268 HidIr (5f47839455d01ff6403b008d481a6f5b) C:\Windows\system32\DRIVERS\hidir.sys
23:08:37.0890 5268 HidIr - ok
23:08:37.0928 5268 hidserv (59361d38a297755d46a540e450202b2a) C:\Windows\System32\hidserv.dll
23:08:37.0930 5268 hidserv - ok
23:08:37.0970 5268 HidUsb (443bdd2d30bb4f00795c797e2cf99edf) C:\Windows\system32\DRIVERS\hidusb.sys
23:08:37.0972 5268 HidUsb - ok
23:08:38.0000 5268 hkmsvc (b12f367ea39c0795fd57e31242ce1a5a) C:\Windows\system32\kmsvc.dll
23:08:38.0003 5268 hkmsvc - ok
23:08:38.0027 5268 HpCISSs (d7109a1e6bd2dfdbcba72a6bc626a13b) C:\Windows\system32\drivers\hpcisss.sys
23:08:38.0029 5268 HpCISSs - ok
23:08:38.0092 5268 HTTP (098f1e4e5c9cb5b0063a959063631610) C:\Windows\system32\drivers\HTTP.sys
23:08:38.0111 5268 HTTP - ok
23:08:38.0128 5268 i2omp (da94c854cea5fac549d4e1f6e88349e8) C:\Windows\system32\drivers\i2omp.sys
23:08:38.0131 5268 i2omp - ok
23:08:38.0158 5268 i8042prt (cbb597659a2713ce0c9cc20c88c7591f) C:\Windows\system32\DRIVERS\i8042prt.sys
23:08:38.0161 5268 i8042prt - ok
23:08:38.0242 5268 IAANTMON (3e42c4691aad4b1e8d0466f9cbf05cbe) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
23:08:38.0244 5268 IAANTMON - ok
23:08:38.0274 5268 iaStor (fc28e90f2204d8fd147fa9bfa8a51c01) C:\Windows\system32\DRIVERS\iaStor.sys
23:08:38.0276 5268 iaStor - ok
23:08:38.0298 5268 iaStorV (3e3bf3627d886736d0b4e90054f929f6) C:\Windows\system32\drivers\iastorv.sys
23:08:38.0314 5268 iaStorV - ok
23:08:38.0397 5268 idsvc (749f5f8cedca70f2a512945325fc489d) C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
23:08:38.0442 5268 idsvc - ok
23:08:38.0457 5268 iirsp (8c3951ad2fe886ef76c7b5027c3125d3) C:\Windows\system32\drivers\iirsp.sys
23:08:38.0459 5268 iirsp - ok
23:08:38.0511 5268 IKEEXT (0c9ea6e654e7b0471741e343a6c671af) C:\Windows\System32\ikeext.dll
23:08:38.0527 5268 IKEEXT - ok
23:08:38.0593 5268 int15 (8c7fa71cb1ebcd3ede8958d27b1bf0b4) C:\Windows\SysWOW64\drivers\int15_64.sys
23:08:38.0593 5268 int15 - ok
23:08:38.0675 5268 IntcAzAudAddService (6fdf709500c20362ffc5057f0d1e0c8d) C:\Windows\system32\drivers\RTKVHD64.sys
23:08:38.0703 5268 IntcAzAudAddService - ok
23:08:38.0791 5268 intelide (df797a12176f11b2d301c5b234bb200e) C:\Windows\system32\drivers\intelide.sys
23:08:38.0793 5268 intelide - ok
23:08:38.0808 5268 intelppm (bfd84af32fa1bad6231c4585cb469630) C:\Windows\system32\DRIVERS\intelppm.sys
23:08:38.0809 5268 intelppm - ok
23:08:38.0847 5268 IPBusEnum (5624bc1bc5eeb49c0ab76a8114f05ea3) C:\Windows\system32\ipbusenum.dll
23:08:38.0851 5268 IPBusEnum - ok
23:08:38.0886 5268 IpFilterDriver (d8aabc341311e4780d6fce8c73c0ad81) C:\Windows\system32\DRIVERS\ipfltdrv.sys
23:08:38.0889 5268 IpFilterDriver - ok
23:08:38.0971 5268 iphlpsvc (bf0dbfa9792c5c14fa00f61c75116c1b) C:\Windows\System32\iphlpsvc.dll
23:08:38.0987 5268 iphlpsvc - ok
23:08:38.0989 5268 IpInIp - ok
23:08:39.0002 5268 IPMIDRV (9c2ee2e6e5a7203bfae15c299475ec67) C:\Windows\system32\drivers\ipmidrv.sys
23:08:39.0005 5268 IPMIDRV - ok
23:08:39.0026 5268 IPNAT (b7e6212f581ea5f6ab0c3a6ceeeb89be) C:\Windows\system32\DRIVERS\ipnat.sys
23:08:39.0034 5268 IPNAT - ok
23:08:39.0054 5268 IRENUM (8c42ca155343a2f11d29feca67faa88d) C:\Windows\system32\drivers\irenum.sys
23:08:39.0056 5268 IRENUM - ok
23:08:39.0078 5268 isapnp (0672bfcedc6fc468a2b0500d81437f4f) C:\Windows\system32\drivers\isapnp.sys
23:08:39.0079 5268 isapnp - ok
23:08:39.0143 5268 iScsiPrt (e4fdf99599f27ec25d2cf6d754243520) C:\Windows\system32\DRIVERS\msiscsi.sys
23:08:39.0146 5268 iScsiPrt - ok
23:08:39.0161 5268 iteatapi (63c766cdc609ff8206cb447a65abba4a) C:\Windows\system32\drivers\iteatapi.sys
23:08:39.0163 5268 iteatapi - ok
23:08:39.0185 5268 iteraid (1281fe73b17664631d12f643cbea3f59) C:\Windows\system32\drivers\iteraid.sys
23:08:39.0187 5268 iteraid - ok
23:08:39.0202 5268 kbdclass (423696f3ba6472dd17699209b933bc26) C:\Windows\system32\DRIVERS\kbdclass.sys
23:08:39.0203 5268 kbdclass - ok
23:08:39.0245 5268 kbdhid (dbdf75d51464fbc47d0104ec3d572c05) C:\Windows\system32\DRIVERS\kbdhid.sys
23:08:39.0246 5268 kbdhid - ok
23:08:39.0283 5268 KeyIso (260bf9c43ee12c6898a9f5aab0fb0e5d) C:\Windows\system32\lsass.exe
23:08:39.0284 5268 KeyIso - ok
23:08:39.0317 5268 KSecDD (2758d174604f597bbc8a217ff667913d) C:\Windows\system32\Drivers\ksecdd.sys
23:08:39.0335 5268 KSecDD - ok
23:08:39.0343 5268 ksthunk (1d419cf43db29396ecd7113d129d94eb) C:\Windows\system32\drivers\ksthunk.sys
23:08:39.0347 5268 ksthunk - ok
23:08:39.0409 5268 KtmRm (1faf6926f3416d3da05c5b265491bdae) C:\Windows\system32\msdtckrm.dll
23:08:39.0422 5268 KtmRm - ok
23:08:39.0477 5268 LanmanServer (50c7a3cb427e9bb5ed0708a669956ab5) C:\Windows\System32\srvsvc.dll
23:08:39.0488 5268 LanmanServer - ok
23:08:39.0543 5268 LanmanWorkstation (caf86fc1388be1e470f1a7b43e348adb) C:\Windows\System32\wkssvc.dll
23:08:39.0564 5268 LanmanWorkstation - ok
23:08:39.0582 5268 lltdio (96ece2659b6654c10a0c310ae3a6d02c) C:\Windows\system32\DRIVERS\lltdio.sys
23:08:39.0584 5268 lltdio - ok
23:08:39.0624 5268 lltdsvc (961ccbd0b1ccb5675d64976fae37d092) C:\Windows\System32\lltdsvc.dll
23:08:39.0641 5268 lltdsvc - ok
23:08:39.0666 5268 lmhosts (a47f8080cacc23c91fe823ad19aa5612) C:\Windows\System32\lmhsvc.dll
23:08:39.0668 5268 lmhosts - ok
23:08:39.0694 5268 LSI_FC (acbe1af32d3123e330a07bfbc5ec4a9b) C:\Windows\system32\drivers\lsi_fc.sys
23:08:39.0696 5268 LSI_FC - ok
23:08:39.0719 5268 LSI_SAS (799ffb2fc4729fa46d2157c0065b3525) C:\Windows\system32\drivers\lsi_sas.sys
23:08:39.0722 5268 LSI_SAS - ok
23:08:39.0747 5268 LSI_SCSI (f445ff1daad8a226366bfaf42551226b) C:\Windows\system32\drivers\lsi_scsi.sys
23:08:39.0750 5268 LSI_SCSI - ok
23:08:39.0773 5268 luafv (52f87b9cc8932c2a7375c3b2a9be5e3e) C:\Windows\system32\drivers\luafv.sys
23:08:39.0776 5268 luafv - ok
23:08:39.0801 5268 Mcx2Svc (76a58df02bd4ea29f189b82d0bef17f8) C:\Windows\system32\Mcx2Svc.dll
23:08:39.0805 5268 Mcx2Svc - ok
23:08:39.0820 5268 megasas (5c5cd6aaced32fb26c3fb34b3dcf972f) C:\Windows\system32\drivers\megasas.sys
23:08:39.0821 5268 megasas - ok
23:08:39.0859 5268 MegaSR (859bc2436b076c77c159ed694acfe8f8) C:\Windows\system32\drivers\megasr.sys
23:08:39.0876 5268 MegaSR - ok
23:08:39.0896 5268 MMCSS (3cbe4995e80e13ccfbc42e5dcf3ac81a) C:\Windows\system32\mmcss.dll
23:08:39.0899 5268 MMCSS - ok
23:08:39.0907 5268 Modem (59848d5cc74606f0ee7557983bb73c2e) C:\Windows\system32\drivers\modem.sys
23:08:39.0908 5268 Modem - ok
23:08:39.0949 5268 monitor (c247cc2a57e0a0c8c6dccf7807b3e9e5) C:\Windows\system32\DRIVERS\monitor.sys
23:08:39.0950 5268 monitor - ok
23:08:39.0961 5268 mouclass (9367304e5e412b120cf5f4ea14e4e4f1) C:\Windows\system32\DRIVERS\mouclass.sys
23:08:39.0963 5268 mouclass - ok
23:08:39.0972 5268 mouhid (c2c2bd5c5ce5aaf786ddd74b75d2ac69) C:\Windows\system32\DRIVERS\mouhid.sys
23:08:39.0974 5268 mouhid - ok
23:08:39.0983 5268 MountMgr (11bc9b1e8801b01f7f6adb9ead30019b) C:\Windows\system32\drivers\mountmgr.sys
23:08:39.0984 5268 MountMgr - ok
23:08:40.0003 5268 mpio (f8276eb8698142884498a528dfea8478) C:\Windows\system32\drivers\mpio.sys
23:08:40.0007 5268 mpio - ok
23:08:40.0021 5268 mpsdrv (c92b9abdb65a5991e00c28f13491dba2) C:\Windows\system32\drivers\mpsdrv.sys
23:08:40.0024 5268 mpsdrv - ok
23:08:40.0094 5268 MpsSvc (897e3baf68ba406a61682ae39c83900c) C:\Windows\system32\mpssvc.dll
23:08:40.0111 5268 MpsSvc - ok
23:08:40.0122 5268 Mraid35x (3c200630a89ef2c0864d515b7a75802e) C:\Windows\system32\drivers\mraid35x.sys
23:08:40.0124 5268 Mraid35x - ok
23:08:40.0167 5268 MRxDAV (7c1de4aa96dc0c071611f9e7de02a68d) C:\Windows\system32\drivers\mrxdav.sys
23:08:40.0170 5268 MRxDAV - ok
23:08:40.0210 5268 mrxsmb (1485811b320ff8c7edad1caebb1c6c2b) C:\Windows\system32\DRIVERS\mrxsmb.sys
23:08:40.0214 5268 mrxsmb - ok
23:08:40.0259 5268 mrxsmb10 (3b929a60c833fc615fd97fba82bc7632) C:\Windows\system32\DRIVERS\mrxsmb10.sys
23:08:40.0275 5268 mrxsmb10 - ok
23:08:40.0288 5268 mrxsmb20 (c64ab3e1f53b4f5b5bb6d796b2d7bec3) C:\Windows\system32\DRIVERS\mrxsmb20.sys
23:08:40.0290 5268 mrxsmb20 - ok
23:08:40.0347 5268 msahci (aa459f2ab3ab603c357ff117cae3d818) C:\Windows\system32\drivers\msahci.sys
23:08:40.0350 5268 msahci - ok
23:08:40.0381 5268 msdsm (264bbb4aaf312a485f0e44b65a6b7202) C:\Windows\system32\drivers\msdsm.sys
23:08:40.0384 5268 msdsm - ok
23:08:40.0419 5268 MSDTC (7ec02ce772f068ed0beafa3da341a9bc) C:\Windows\System32\msdtc.exe
23:08:40.0422 5268 MSDTC - ok
23:08:40.0436 5268 Msfs (704f59bfc4512d2bb0146aec31b10a7c) C:\Windows\system32\drivers\Msfs.sys
23:08:40.0437 5268 Msfs - ok
23:08:40.0461 5268 msisadrv (00ebc952961664780d43dca157e79b27) C:\Windows\system32\drivers\msisadrv.sys
23:08:40.0464 5268 msisadrv - ok
23:08:40.0491 5268 MSiSCSI (366b0c1f4478b519c181e37d43dcda32) C:\Windows\system32\iscsiexe.dll
23:08:40.0495 5268 MSiSCSI - ok
23:08:40.0497 5268 msiserver - ok
23:08:40.0510 5268 MSKSSRV (0ea73e498f53b96d83dbfca074ad4cf8) C:\Windows\system32\drivers\MSKSSRV.sys
23:08:40.0513 5268 MSKSSRV - ok
23:08:40.0523 5268 MSPCLOCK (52e59b7e992a58e740aa63f57edbae8b) C:\Windows\system32\drivers\MSPCLOCK.sys
23:08:40.0525 5268 MSPCLOCK - ok
23:08:40.0527 5268 MSPQM (49084a75bae043ae02d5b44d02991bb2) C:\Windows\system32\drivers\MSPQM.sys
23:08:40.0528 5268 MSPQM - ok
23:08:40.0585 5268 MsRPC (dc6ccf440cdede4293db41c37a5060a5) C:\Windows\system32\drivers\MsRPC.sys
23:08:40.0614 5268 MsRPC - ok
23:08:40.0621 5268 mssmbios (855796e59df77ea93af46f20155bf55b) C:\Windows\system32\DRIVERS\mssmbios.sys
23:08:40.0623 5268 mssmbios - ok
23:08:40.0635 5268 MSTEE (86d632d75d05d5b7c7c043fa3564ae86) C:\Windows\system32\drivers\MSTEE.sys
23:08:40.0637 5268 MSTEE - ok
23:08:40.0653 5268 Mup (0cc49f78d8aca0877d885f149084e543) C:\Windows\system32\Drivers\mup.sys
23:08:40.0670 5268 Mup - ok
23:08:40.0730 5268 napagent (a5b10c845e7538c60c0f5d87a57cb3f5) C:\Windows\system32\qagentRT.dll
23:08:40.0745 5268 napagent - ok
23:08:40.0793 5268 NativeWifiP (2007b826c4acd94ae32232b41f0842b9) C:\Windows\system32\DRIVERS\nwifi.sys
23:08:40.0797 5268 NativeWifiP - ok
23:08:40.0863 5268 NDIS (65950e07329fcee8e6516b17c8d0abb6) C:\Windows\system32\drivers\ndis.sys
23:08:40.0867 5268 NDIS - ok
23:08:40.0883 5268 NdisTapi (64df698a425478e321981431ac171334) C:\Windows\system32\DRIVERS\ndistapi.sys
23:08:40.0892 5268 NdisTapi - ok
23:08:40.0905 5268 Ndisuio (8baa43196d7b5bb972c9a6b2bbf61a19) C:\Windows\system32\DRIVERS\ndisuio.sys
23:08:40.0907 5268 Ndisuio - ok
23:08:40.0921 5268 NdisWan (f8158771905260982ce724076419ef19) C:\Windows\system32\DRIVERS\ndiswan.sys
23:08:40.0925 5268 NdisWan - ok
23:08:40.0935 5268 NDProxy (9cb77ed7cb72850253e973a2d6afdf49) C:\Windows\system32\drivers\NDProxy.sys
23:08:40.0938 5268 NDProxy - ok
23:08:40.0951 5268 NetBIOS (a499294f5029a7862adc115bda7371ce) C:\Windows\system32\DRIVERS\netbios.sys
23:08:40.0953 5268 NetBIOS - ok
23:08:41.0030 5268 netbt (fc2c792ebddc8e28df939d6a92c83d61) C:\Windows\system32\DRIVERS\netbt.sys
23:08:41.0036 5268 netbt - ok
23:08:41.0056 5268 Netlogon (260bf9c43ee12c6898a9f5aab0fb0e5d) C:\Windows\system32\lsass.exe
23:08:41.0056 5268 Netlogon - ok
23:08:41.0094 5268 Netman (9b63b29defc0f3115a559d2597bf5d75) C:\Windows\System32\netman.dll
23:08:41.0096 5268 Netman - ok
23:08:41.0121 5268 netprofm (7846d0136cc2b264926a73047ba7688a) C:\Windows\System32\netprofm.dll
23:08:41.0123 5268 netprofm - ok
23:08:41.0189 5268 NetTcpPortSharing (74751dda198165947fd7454d83f49825) C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
23:08:41.0193 5268 NetTcpPortSharing - ok
23:08:41.0210 5268 nfrd960 (4ac08bd6af2df42e0c3196d826c8aea7) C:\Windows\system32\drivers\nfrd960.sys
23:08:41.0213 5268 nfrd960 - ok
23:08:41.0229 5268 NlaSvc (f145bf4c4668e7e312069f81ef847cfc) C:\Windows\System32\nlasvc.dll
23:08:41.0231 5268 NlaSvc - ok
23:08:41.0272 5268 nlsvc (5f22132c9153639762708909f156b33d) C:\Windows\system32\MSTAPE.dll
23:08:41.0274 5268 nlsvc ( Backdoor.Multi.ZAccess.gen ) - infected
23:08:41.0274 5268 nlsvc - detected Backdoor.Multi.ZAccess.gen (0)
23:08:41.0322 5268 Npfs (b298874f8e0ea93f06ec40aa8d146478) C:\Windows\system32\drivers\Npfs.sys
23:08:41.0324 5268 Npfs - ok
23:08:41.0332 5268 nsi (acb62baa1c319b17752553df3026eeeb) C:\Windows\system32\nsisvc.dll
23:08:41.0389 5268 nsi - ok
23:08:41.0393 5268 nsiproxy (1523af19ee8b030ba682f7a53537eaeb) C:\Windows\system32\drivers\nsiproxy.sys
23:08:41.0395 5268 nsiproxy - ok
23:08:41.0486 5268 Ntfs (bac869dfb98e499ba4d9bb1fb43270e1) C:\Windows\system32\drivers\Ntfs.sys
23:08:41.0493 5268 Ntfs - ok
23:08:41.0599 5268 Null (dd5d684975352b85b52e3fd5347c20cb) C:\Windows\system32\drivers\Null.sys
23:08:41.0599 5268 Null - ok
23:08:41.0617 5268 nvraid (2c040b7ada5b06f6facadac8514aa034) C:\Windows\system32\drivers\nvraid.sys
23:08:41.0621 5268 nvraid - ok
23:08:41.0632 5268 nvstor (f7ea0fe82842d05eda3efdd376dbfdba) C:\Windows\system32\drivers\nvstor.sys
23:08:41.0634 5268 nvstor - ok
23:08:41.0657 5268 nv_agp (19067ca93075ef4823e3938a686f532f) C:\Windows\system32\drivers\nv_agp.sys
23:08:41.0660 5268 nv_agp - ok
23:08:41.0661 5268 NwlnkFlt - ok
23:08:41.0664 5268 NwlnkFwd - ok
23:08:41.0809 5268 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
23:08:41.0811 5268 odserv - ok
23:08:41.0898 5268 ohci1394 (b5b1ce65ac15bbd11c0619e3ef7cfc28) C:\Windows\system32\DRIVERS\ohci1394.sys
23:08:41.0902 5268 ohci1394 - ok
23:08:41.0925 5268 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
23:08:41.0926 5268 ose - ok
23:08:42.0038 5268 p2pimsvc (9ae31d2e1d15c10d91318e0ec149ceac) C:\Windows\system32\p2psvc.dll
23:08:42.0056 5268 p2pimsvc - ok
23:08:42.0062 5268 p2psvc (9ae31d2e1d15c10d91318e0ec149ceac) C:\Windows\system32\p2psvc.dll
23:08:42.0067 5268 p2psvc - ok
23:08:42.0084 5268 Parport (aecd57f94c887f58919f307c35498ea0) C:\Windows\system32\drivers\parport.sys
23:08:42.0086 5268 Parport - ok
23:08:42.0127 5268 partmgr (b43751085e2abe389da466bc62a4b987) C:\Windows\system32\drivers\partmgr.sys
23:08:42.0128 5268 partmgr - ok
23:08:42.0184 5268 Partner Service (3c6e7d73b0e9bc21d5e4b531ab7ec091) C:\ProgramData\Partner\partner.exe
23:08:42.0185 5268 Partner Service - ok
23:08:42.0203 5268 PcaSvc (9ab157b374192ff276c1628fbdba2b0e) C:\Windows\System32\pcasvc.dll
23:08:42.0207 5268 PcaSvc - ok
23:08:42.0221 5268 pci (47ab1e0fc9d0e12bb53ba246e3a0906d) C:\Windows\system32\drivers\pci.sys
23:08:42.0224 5268 pci - ok
23:08:42.0234 5268 pciide (8d618c829034479985a9ed56106cc732) C:\Windows\system32\drivers\pciide.sys
23:08:42.0236 5268 pciide - ok
23:08:42.0261 5268 pcmcia (037661f3d7c507c9993b7010ceee6288) C:\Windows\system32\drivers\pcmcia.sys
23:08:42.0266 5268 pcmcia - ok
23:08:42.0313 5268 PEAUTH (58865916f53592a61549b04941bfd80d) C:\Windows\system32\drivers\peauth.sys
23:08:42.0330 5268 PEAUTH - ok
23:08:42.0388 5268 PerfHost (0ed8727ea0172860f47258456c06caea) C:\Windows\SysWow64\perfhost.exe
23:08:42.0392 5268 PerfHost - ok
23:08:42.0479 5268 pla (e9e68c1a0f25cf4a7ac966eea74ee89e) C:\Windows\system32\pla.dll
23:08:42.0506 5268 pla - ok
23:08:42.0561 5268 PlugPlay (fe6b0f59215c9fd9f9d26539c58c8b82) C:\Windows\system32\umpnpmgr.dll
23:08:42.0604 5268 PlugPlay - ok
23:08:42.0625 5268 PnkBstrA - ok
23:08:42.0692 5268 PNRPAutoReg (9ae31d2e1d15c10d91318e0ec149ceac) C:\Windows\system32\p2psvc.dll
23:08:42.0697 5268 PNRPAutoReg - ok
23:08:42.0703 5268 PNRPsvc (9ae31d2e1d15c10d91318e0ec149ceac) C:\Windows\system32\p2psvc.dll
23:08:42.0706 5268 PNRPsvc - ok
23:08:42.0767 5268 PolicyAgent (89a5560671c2d8b4a4b51f3e1aa069d8) C:\Windows\System32\ipsecsvc.dll
23:08:42.0785 5268 PolicyAgent - ok
23:08:42.0850 5268 PptpMiniport (23386e9952025f5f21c368971e2e7301) C:\Windows\system32\DRIVERS\raspptp.sys
23:08:42.0853 5268 PptpMiniport - ok
23:08:42.0876 5268 Processor (5080e59ecee0bc923f14018803aa7a01) C:\Windows\system32\drivers\processr.sys
23:08:42.0878 5268 Processor - ok
23:08:42.0926 5268 ProfSvc (e058ce4fc2449d8bfa14739c83b7ff2a) C:\Windows\system32\profsvc.dll
23:08:42.0928 5268 ProfSvc - ok
23:08:42.0972 5268 ProtectedStorage (260bf9c43ee12c6898a9f5aab0fb0e5d) C:\Windows\system32\lsass.exe
23:08:42.0973 5268 ProtectedStorage - ok
23:08:43.0011 5268 PSched (c5ab7f0809392d0da027f4a2a81bfa31) C:\Windows\system32\DRIVERS\pacer.sys
23:08:43.0014 5268 PSched - ok
23:08:43.0060 5268 PxHlpa64 (05f46042208e515b9c240aafc54e7aa2) C:\Windows\system32\Drivers\PxHlpa64.sys
23:08:43.0062 5268 PxHlpa64 - ok
23:08:43.0114 5268 ql2300 (0b83f4e681062f3839be2ec1d98fd94a) C:\Windows\system32\drivers\ql2300.sys
23:08:43.0138 5268 ql2300 - ok
23:08:43.0160 5268 ql40xx (e1c80f8d4d1e39ef9595809c1369bf2a) C:\Windows\system32\drivers\ql40xx.sys
23:08:43.0163 5268 ql40xx - ok
23:08:43.0203 5268 QWAVE (90574842c3da781e279061a3eff91f07) C:\Windows\system32\qwave.dll
23:08:43.0219 5268 QWAVE - ok
23:08:43.0232 5268 QWAVEdrv (e8d76edab77ec9c634c27b8eac33adc5) C:\Windows\system32\drivers\qwavedrv.sys
23:08:43.0234 5268 QWAVEdrv - ok
23:08:43.0241 5268 RasAcd (1013b3b663a56d3ddd784f581c1bd005) C:\Windows\system32\DRIVERS\rasacd.sys
23:08:43.0242 5268 RasAcd - ok
23:08:43.0271 5268 RasAuto (b2ae18f847d07f0044404ddf7cb04497) C:\Windows\System32\rasauto.dll
23:08:43.0274 5268 RasAuto - ok
23:08:43.0287 5268 Rasl2tp (ac7bc4d42a7e558718dfdec599bbfc2c) C:\Windows\system32\DRIVERS\rasl2tp.sys
23:08:43.0291 5268 Rasl2tp - ok
23:08:43.0316 5268 RasMan (3ad83e4046c43be510de681588acb8af) C:\Windows\System32\rasmans.dll
23:08:43.0330 5268 RasMan - ok
23:08:43.0395 5268 RasPppoe (4517fbf8b42524afe4ede1de102aae3e) C:\Windows\system32\DRIVERS\raspppoe.sys
23:08:43.0397 5268 RasPppoe - ok
23:08:43.0427 5268 RasSstp (c6a593b51f34c33e5474539544072527) C:\Windows\system32\DRIVERS\rassstp.sys
23:08:43.0429 5268 RasSstp - ok
23:08:43.0474 5268 rdbss (322db5c6b55e8d8ee8d6f358b2aaabb1) C:\Windows\system32\DRIVERS\rdbss.sys
23:08:43.0488 5268 rdbss - ok
23:08:43.0498 5268 RDPCDD (603900cc05f6be65ccbf373800af3716) C:\Windows\system32\DRIVERS\RDPCDD.sys
23:08:43.0500 5268 RDPCDD - ok
23:08:43.0523 5268 rdpdr (c045d1fb111c28df0d1be8d4bda22c06) C:\Windows\system32\drivers\rdpdr.sys
23:08:43.0538 5268 rdpdr - ok
23:08:43.0542 5268 RDPENCDD (cab9421daf3d97b33d0d055858e2c3ab) C:\Windows\system32\drivers\rdpencdd.sys
23:08:43.0542 5268 RDPENCDD - ok
23:08:43.0613 5268 RDPWD (ae4bd9e1c33d351d8e607fc81f15160c) C:\Windows\system32\drivers\RDPWD.sys
23:08:43.0617 5268 RDPWD - ok
23:08:43.0632 5268 RemoteAccess (c612b9557da73f70d41f8a6fbc8e5344) C:\Windows\System32\mprdim.dll
23:08:43.0634 5268 RemoteAccess - ok
23:08:43.0651 5268 RemoteRegistry (44b9d8ec2f3ef3a0efb00857af70d861) C:\Windows\system32\regsvc.dll
23:08:43.0652 5268 RemoteRegistry - ok
23:08:43.0672 5268 RpcLocator (f46c457840d4b7a4daafee739ce04102) C:\Windows\system32\locator.exe
23:08:43.0674 5268 RpcLocator - ok
23:08:43.0744 5268 RpcSs (cf8b9a3a5e7dc57724a89d0c3e8cf9ef) C:\Windows\system32\rpcss.dll
23:08:43.0748 5268 RpcSs - ok
23:08:43.0766 5268 rspndr (22a9cb08b1a6707c1550c6bf099aae73) C:\Windows\system32\DRIVERS\rspndr.sys
23:08:43.0778 5268 rspndr - ok
23:08:43.0799 5268 RSUSBSTOR (1807ea271c9685a25571d94ae4e3a8dd) C:\Windows\system32\Drivers\RTS5121.sys
23:08:43.0803 5268 RSUSBSTOR - ok
23:08:43.0850 5268 RTHDMIAzAudService (f8da8fc39ce5859c0d8c0fe6524ce465) C:\Windows\system32\drivers\RtHDMIVX.sys
23:08:43.0854 5268 RTHDMIAzAudService - ok
23:08:43.0885 5268 RTL8187Se (462308d94e4e3318503267991b0cdc7f) C:\Windows\system32\DRIVERS\RTL8187Se.sys
23:08:43.0899 5268 RTL8187Se - ok
23:08:43.0901 5268 Rts516xIR - ok
23:08:43.0938 5268 SamSs (260bf9c43ee12c6898a9f5aab0fb0e5d) C:\Windows\system32\lsass.exe
23:08:43.0939 5268 SamSs - ok
23:08:44.0005 5268 SbFw (19954328dda3d656f8a879b3a46ffed6) C:\Windows\system32\drivers\SbFw.sys
23:08:44.0015 5268 SbFw - ok
23:08:44.0027 5268 sbp2port (cd9c693589c60ad59bbbcfb0e524e01b) C:\Windows\system32\drivers\sbp2port.sys
23:08:44.0030 5268 sbp2port - ok
23:08:44.0093 5268 SCardSvr (fd1cdcf108d5ef3366f00d18b70fb89b) C:\Windows\System32\SCardSvr.dll
23:08:44.0097 5268 SCardSvr - ok
23:08:44.0170 5268 Schedule (0f838c811ad295d2a4489b9993096c63) C:\Windows\system32\schedsvc.dll
23:08:44.0175 5268 Schedule - ok
23:08:44.0217 5268 SCPolicySvc (5a268127633c7ee2a7fb87f39d748d56) C:\Windows\System32\certprop.dll
23:08:44.0217 5268 SCPolicySvc - ok
23:08:44.0241 5268 SDRSVC (4ff71b076a7760fe75ea5ae2d0ee0018) C:\Windows\System32\SDRSVC.dll
23:08:44.0245 5268 SDRSVC - ok
23:08:44.0256 5268 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
23:08:44.0259 5268 secdrv - ok
23:08:44.0271 5268 seclogon (5acdcbc67fcf894a1815b9f96d704490) C:\Windows\system32\seclogon.dll
23:08:44.0274 5268 seclogon - ok
23:08:44.0286 5268 SENS (90973a64b96cd647ff81c79443618eed) C:\Windows\system32\sens.dll
23:08:44.0288 5268 SENS - ok
23:08:44.0304 5268 Serenum (2449316316411d65bd2c761a6ffb2ce2) C:\Windows\system32\DRIVERS\serenum.sys
23:08:44.0306 5268 Serenum - ok
23:08:44.0331 5268 Serial (4b438170be2fc8e0bd35ee87a960f84f) C:\Windows\system32\DRIVERS\serial.sys
23:08:44.0334 5268 Serial - ok
23:08:44.0349 5268 sermouse (a842f04833684bceea7336211be478df) C:\Windows\system32\drivers\sermouse.sys
23:08:44.0390 5268 sermouse - ok
23:08:44.0404 5268 SessionEnv (a8e4a4407a09f35dccc3771af590b0c4) C:\Windows\system32\sessenv.dll
23:08:44.0407 5268 SessionEnv - ok
23:08:44.0416 5268 sffdisk (14d4b4465193a87c127933978e8c4106) C:\Windows\system32\drivers\sffdisk.sys
23:08:44.0418 5268 sffdisk - ok
23:08:44.0427 5268 sffp_mmc (7073aee3f82f3d598e3825962aa98ab2) C:\Windows\system32\drivers\sffp_mmc.sys
23:08:44.0428 5268 sffp_mmc - ok
23:08:44.0438 5268 sffp_sd (35e59ebe4a01a0532ed67975161c7b82) C:\Windows\system32\drivers\sffp_sd.sys
23:08:44.0441 5268 sffp_sd - ok
23:08:44.0458 5268 sfloppy (6b7838c94135768bd455cbdc23e39e5f) C:\Windows\system32\drivers\sfloppy.sys
23:08:44.0460 5268 sfloppy - ok
23:08:44.0519 5268 SharedAccess (4c5aee179da7e1ee9a9ccb9da289af34) C:\Windows\System32\ipnathlp.dll
23:08:44.0552 5268 SharedAccess - ok
23:08:44.0613 5268 ShellHWDetection (56793271ecdedd350c5add305603e963) C:\Windows\System32\shsvcs.dll
23:08:44.0615 5268 ShellHWDetection - ok
23:08:44.0629 5268 SiSRaid2 (7a5de502aeb719d4594c6471060a78b3) C:\Windows\system32\drivers\sisraid2.sys
23:08:44.0631 5268 SiSRaid2 - ok
23:08:44.0653 5268 SiSRaid4 (3a2f769fab9582bc720e11ea1dfb184d) C:\Windows\system32\drivers\sisraid4.sys
23:08:44.0656 5268 SiSRaid4 - ok
23:08:44.0782 5268 slsvc (a9a27a8e257b45a604fdad4f26fe7241) C:\Windows\system32\SLsvc.exe
23:08:44.0824 5268 slsvc - ok
23:08:44.0933 5268 SLUINotify (fd74b4b7c2088e390a30c85a896fc3af) C:\Windows\system32\SLUINotify.dll
23:08:44.0936 5268 SLUINotify - ok
23:08:44.0991 5268 Smb (290b6f6a0ec4fcdfc90f5cb6d7020473) C:\Windows\system32\DRIVERS\smb.sys
23:08:44.0993 5268 Smb - ok
23:08:45.0014 5268 SNMPTRAP (f8f47f38909823b1af28d60b96340cff) C:\Windows\System32\snmptrap.exe
23:08:45.0016 5268 SNMPTRAP - ok
23:08:45.0056 5268 spldr (386c3c63f00a7040c7ec5e384217e89d) C:\Windows\system32\drivers\spldr.sys
23:08:45.0057 5268 spldr - ok
23:08:45.0111 5268 Spooler (f66ff751e7efc816d266977939ef5dc3) C:\Windows\System32\spoolsv.exe
23:08:45.0113 5268 Spooler - ok
23:08:45.0193 5268 srv (880a57fccb571ebd063d4dd50e93e46d) C:\Windows\system32\DRIVERS\srv.sys
23:08:45.0208 5268 srv - ok
23:08:45.0255 5268 srv2 (a1ad14a6d7a37891fffeca35ebbb0730) C:\Windows\system32\DRIVERS\srv2.sys
23:08:45.0257 5268 srv2 - ok
23:08:45.0303 5268 srvnet (4bed62f4fa4d8300973f1151f4c4d8a7) C:\Windows\system32\DRIVERS\srvnet.sys
23:08:45.0307 5268 srvnet - ok
23:08:45.0328 5268 SSDPSRV (192c74646ec5725aef3f80d19ff75f6a) C:\Windows\System32\ssdpsrv.dll
23:08:45.0330 5268 SSDPSRV - ok
23:08:45.0352 5268 SstpSvc (2ee3fa0308e6185ba64a9a7f2e74332b) C:\Windows\system32\sstpsvc.dll
23:08:45.0358 5268 SstpSvc - ok
23:08:45.0403 5268 stisvc (15825c1fbfb8779992cb65087f316af5) C:\Windows\System32\wiaservc.dll
23:08:45.0422 5268 stisvc - ok
23:08:45.0445 5268 swenum (8a851ca908b8b974f89c50d2e18d4f0c) C:\Windows\system32\DRIVERS\swenum.sys
23:08:45.0447 5268 swenum - ok
23:08:45.0502 5268 swprv (6de37f4de19d4efd9c48c43addbc949a) C:\Windows\System32\swprv.dll
23:08:45.0514 5268 swprv - ok
23:08:45.0621 5268 Symantec Core LC (438fafe708c93b2236fc26b6f2bd5fd0) C:\PROGRA~2\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
23:08:45.0627 5268 Symantec Core LC - ok
23:08:45.0711 5268 Symc8xx (2f26a2c6fc96b29beff5d8ed74e6625b) C:\Windows\system32\drivers\symc8xx.sys
23:08:45.0713 5268 Symc8xx - ok
23:08:45.0730 5268 Sym_hi (a909667976d3bccd1df813fed517d837) C:\Windows\system32\drivers\sym_hi.sys
23:08:45.0732 5268 Sym_hi - ok
23:08:45.0744 5268 Sym_u3 (36887b56ec2d98b9c362f6ae4de5b7b0) C:\Windows\system32\drivers\sym_u3.sys
23:08:45.0747 5268 Sym_u3 - ok
23:08:45.0823 5268 SysMain (92d7a8b0f87b036f17d25885937897a6) C:\Windows\system32\sysmain.dll
23:08:45.0844 5268 SysMain - ok
23:08:45.0871 5268 TabletInputService (005ce42567f9113a3bccb3b20073b029) C:\Windows\System32\TabSvc.dll
23:08:45.0874 5268 TabletInputService - ok
23:08:45.0924 5268 TapiSrv (cc2562b4d55e0b6a4758c65407f63b79) C:\Windows\System32\tapisrv.dll
23:08:45.0927 5268 TapiSrv - ok
23:08:45.0944 5268 TBS (cdbe8d7c1e201b911cdc346d06617fb5) C:\Windows\System32\tbssvc.dll
23:08:45.0945 5268 TBS - ok
23:08:46.0042 5268 Tcpip (46d448e9117464e4d3bbf36d7e3fa48e) C:\Windows\system32\drivers\tcpip.sys
23:08:46.0049 5268 Tcpip - ok
23:08:46.0064 5268 Tcpip6 (46d448e9117464e4d3bbf36d7e3fa48e) C:\Windows\system32\DRIVERS\tcpip.sys
23:08:46.0071 5268 Tcpip6 - ok
23:08:46.0108 5268 tcpipreg (c7e72a4071ee0200e3c075dacfb2b334) C:\Windows\system32\drivers\tcpipreg.sys
23:08:46.0110 5268 tcpipreg - ok
23:08:46.0121 5268 TDPIPE (1d8bf4aaa5fb7a2761475781dc1195bc) C:\Windows\system32\drivers\tdpipe.sys
23:08:46.0122 5268 TDPIPE - ok
23:08:46.0132 5268 TDTCP (7f7e00cdf609df657f4cda02dd1c9bb1) C:\Windows\system32\drivers\tdtcp.sys
23:08:46.0134 5268 TDTCP - ok
23:08:46.0182 5268 tdx (458919c8c42e398dc4802178d5ffee27) C:\Windows\system32\DRIVERS\tdx.sys
23:08:46.0183 5268 tdx - ok
23:08:46.0223 5268 TermDD (8c19678d22649ec002ef2282eae92f98) C:\Windows\system32\DRIVERS\termdd.sys
23:08:46.0225 5268 TermDD - ok
23:08:46.0284 5268 TermService (5cdd30bc217082dac71a9878d9bfd566) C:\Windows\System32\termsrv.dll
23:08:46.0287 5268 TermService - ok
23:08:46.0338 5268 Themes (56793271ecdedd350c5add305603e963) C:\Windows\system32\shsvcs.dll
23:08:46.0340 5268 Themes - ok
23:08:46.0391 5268 THREADORDER (3cbe4995e80e13ccfbc42e5dcf3ac81a) C:\Windows\system32\mmcss.dll
23:08:46.0392 5268 THREADORDER - ok
23:08:46.0442 5268 tmactmon (e386dd8ec68c67ca3e2a3abdc1df5c56) C:\Windows\system32\DRIVERS\tmactmon.sys
23:08:46.0445 5268 tmactmon - ok
23:08:46.0488 5268 tmcomm (ab011c569487fd65c8944ddf8cbb2572) C:\Windows\system32\DRIVERS\tmcomm.sys
23:08:46.0492 5268 tmcomm - ok
23:08:46.0509 5268 tmevtmgr (8870a3d7305455b47adccd226f8e51bc) C:\Windows\system32\DRIVERS\tmevtmgr.sys
23:08:46.0512 5268 tmevtmgr - ok
23:08:46.0534 5268 tmtdi (065cb7d9278d778fb9ef62cead01433f) C:\Windows\system32\DRIVERS\tmtdi.sys
23:08:46.0555 5268 tmtdi - ok
23:08:46.0576 5268 TrkWks (f4689f05af472a651a7b1b7b02d200e7) C:\Windows\System32\trkwks.dll
23:08:46.0578 5268 TrkWks - ok
23:08:46.0637 5268 TrustedInstaller (66328b08ef5a9305d8ede36b93930369) C:\Windows\servicing\TrustedInstaller.exe
23:08:46.0638 5268 TrustedInstaller - ok
23:08:46.0661 5268 tssecsrv (9e5409cd17c8bef193aad498f3bc2cb8) C:\Windows\system32\DRIVERS\tssecsrv.sys
23:08:46.0663 5268 tssecsrv - ok
23:08:46.0671 5268 tunmp (89ec74a9e602d16a75a4170511029b3c) C:\Windows\system32\DRIVERS\tunmp.sys
23:08:46.0673 5268 tunmp - ok
23:08:46.0707 5268 tunnel (30a9b3f45ad081bffc3bcaa9c812b609) C:\Windows\system32\DRIVERS\tunnel.sys
23:08:46.0709 5268 tunnel - ok
23:08:46.0727 5268 uagp35 (fec266ef401966311744bd0f359f7f56) C:\Windows\system32\drivers\uagp35.sys
23:08:46.0730 5268 uagp35 - ok
23:08:46.0777 5268 udfs (faf2640a2a76ed03d449e443194c4c34) C:\Windows\system32\DRIVERS\udfs.sys
23:08:46.0828 5268 udfs - ok
23:08:46.0856 5268 UI0Detect (060507c4113391394478f6953a79eedc) C:\Windows\system32\UI0Detect.exe
23:08:46.0859 5268 UI0Detect - ok
23:08:46.0881 5268 uliagpkx (4ec9447ac3ab462647f60e547208ca00) C:\Windows\system32\drivers\uliagpkx.sys
23:08:46.0884 5268 uliagpkx - ok
23:08:46.0908 5268 uliahci (697f0446134cdc8f99e69306184fbbb4) C:\Windows\system32\drivers\uliahci.sys
23:08:46.0949 5268 uliahci - ok
23:08:46.0964 5268 UlSata (31707f09846056651ea2c37858f5ddb0) C:\Windows\system32\drivers\ulsata.sys
23:08:46.0968 5268 UlSata - ok
23:08:46.0985 5268 ulsata2 (85e5e43ed5b48c8376281bab519271b7) C:\Windows\system32\drivers\ulsata2.sys
23:08:46.0988 5268 ulsata2 - ok
23:08:47.0008 5268 umbus (46e9a994c4fed537dd951f60b86ad3f4) C:\Windows\system32\DRIVERS\umbus.sys
23:08:47.0010 5268 umbus - ok
23:08:47.0030 5268 UMPass (01abe05c401e70795b43a8933b44831e) C:\Windows\system32\DRIVERS\umpass.sys
23:08:47.0032 5268 UMPass - ok
23:08:47.0058 5268 upnphost (7093799ff80e9deca0680d2e3535be60) C:\Windows\System32\upnphost.dll
23:08:47.0062 5268 upnphost - ok
23:08:47.0073 5268 usbccgp (07e3498fc60834219d2356293da0fecc) C:\Windows\system32\DRIVERS\usbccgp.sys
23:08:47.0075 5268 usbccgp - ok
23:08:47.0083 5268 USBCCID - ok
23:08:47.0098 5268 usbcir (8c39d53e1a343f4c47ee8f3c052126d8) C:\Windows\system32\DRIVERS\usbcir.sys
23:08:47.0101 5268 usbcir - ok
23:08:47.0158 5268 usbehci (827e44de934a736ea31e91d353eb126f) C:\Windows\system32\DRIVERS\usbehci.sys
23:08:47.0160 5268 usbehci - ok
23:08:47.0183 5268 usbhub (bb35cd80a2ececfadc73569b3d70c7d1) C:\Windows\system32\DRIVERS\usbhub.sys
23:08:47.0194 5268 usbhub - ok
23:08:47.0217 5268 usbohci (eba14ef0c07cec233f1529c698d0d154) C:\Windows\system32\drivers\usbohci.sys
23:08:47.0219 5268 usbohci - ok
23:08:47.0248 5268 usbprint (28b693b6d31e7b9332c1bdcefef228c1) C:\Windows\system32\DRIVERS\usbprint.sys
23:08:47.0249 5268 usbprint - ok
23:08:47.0267 5268 usbscan (ea0bf666868964fbe8cb10e50c97b9f1) C:\Windows\system32\DRIVERS\usbscan.sys
23:08:47.0269 5268 usbscan - ok
23:08:47.0307 5268 USBSTOR (b854c1558fca0c269a38663e8b59b581) C:\Windows\system32\DRIVERS\USBSTOR.SYS
23:08:47.0309 5268 USBSTOR - ok
23:08:47.0328 5268 usbuhci (b2872cbf9f47316abd0e0c74a1aba507) C:\Windows\system32\DRIVERS\usbuhci.sys
23:08:47.0330 5268 usbuhci - ok
23:08:47.0379 5268 UxSms (d76e231e4850bb3f88a3d9a78df191e3) C:\Windows\System32\uxsms.dll
23:08:47.0382 5268 UxSms - ok
23:08:47.0436 5268 vds (294945381dfa7ce58cecf0a9896af327) C:\Windows\System32\vds.exe
23:08:47.0449 5268 vds - ok
23:08:47.0485 5268 vga (916b94bcf1e09873fff2d5fb11767bbc) C:\Windows\system32\DRIVERS\vgapnp.sys
23:08:47.0487 5268 vga - ok
23:08:47.0511 5268 VgaSave (b83ab16b51feda65dd81b8c59d114d63) C:\Windows\System32\drivers\vga.sys
23:08:47.0513 5268 VgaSave - ok
23:08:47.0524 5268 viaide (8294b6c3fdb6c33f24e150de647ecdaa) C:\Windows\system32\drivers\viaide.sys
23:08:47.0526 5268 viaide - ok
23:08:47.0544 5268 volmgr (2b7e885ed951519a12c450d24535dfca) C:\Windows\system32\drivers\volmgr.sys
23:08:47.0550 5268 volmgr - ok
23:08:47.0617 5268 volmgrx (cec5ac15277d75d9e5dec2e1c6eaf877) C:\Windows\system32\drivers\volmgrx.sys
23:08:47.0634 5268 volmgrx - ok
23:08:47.0655 5268 volsnap (5280aada24ab36b01a84a6424c475c8d) C:\Windows\system32\drivers\volsnap.sys
23:08:47.0672 5268 volsnap - ok
23:08:47.0693 5268 vsmraid (a68f455ed2673835209318dd61bfbb0e) C:\Windows\system32\drivers\vsmraid.sys
23:08:47.0697 5268 vsmraid - ok
23:08:47.0778 5268 VSS (b75232dad33bfd95bf6f0a3e6bff51e1) C:\Windows\system32\vssvc.exe
23:08:47.0805 5268 VSS - ok
23:08:47.0861 5268 W32Time (f14a7de2ea41883e250892e1e5230a9a) C:\Windows\system32\w32time.dll
23:08:47.0877 5268 W32Time - ok
23:08:47.0908 5268 WacomPen (fef8fe5923fead2cee4dfabfce3393a7) C:\Windows\system32\drivers\wacompen.sys
23:08:47.0910 5268 WacomPen - ok
23:08:47.0953 5268 Wanarp (b8e7049622300d20ba6d8be0c47c0cfd) C:\Windows\system32\DRIVERS\wanarp.sys
23:08:47.0956 5268 Wanarp - ok
23:08:47.0958 5268 Wanarpv6 (b8e7049622300d20ba6d8be0c47c0cfd) C:\Windows\system32\DRIVERS\wanarp.sys
23:08:47.0958 5268 Wanarpv6 - ok
23:08:47.0992 5268 wcncsvc (b4e4c37d0aa6100090a53213ee2bf1c1) C:\Windows\System32\wcncsvc.dll
23:08:48.0011 5268 wcncsvc - ok
23:08:48.0031 5268 WcsPlugInService (ea4b369560e986f19d93f45a881484ac) C:\Windows\System32\WcsPlugInService.dll
23:08:48.0033 5268 WcsPlugInService - ok
23:08:48.0045 5268 Wd (0c17a0816f65b89e362e682ad5e7266e) C:\Windows\system32\drivers\wd.sys
23:08:48.0047 5268 Wd - ok
23:08:48.0087 5268 Wdf01000 (d02e7e4567da1e7582fbf6a91144b0df) C:\Windows\system32\drivers\Wdf01000.sys
23:08:48.0109 5268 Wdf01000 - ok
23:08:48.0121 5268 WdiServiceHost (c5efda73ebfca8b02a094898de0a9276) C:\Windows\system32\wdi.dll
23:08:48.0124 5268 WdiServiceHost - ok
23:08:48.0126 5268 WdiSystemHost (c5efda73ebfca8b02a094898de0a9276) C:\Windows\system32\wdi.dll
23:08:48.0128 5268 WdiSystemHost - ok
23:08:48.0143 5268 WebClient (3e6d05381cf35f75ebb055544a8ed9ac) C:\Windows\System32\webclnt.dll
23:08:48.0144 5268 WebClient - ok
23:08:48.0201 5268 Wecsvc (8d40bc587993f876658bf9fb0f7d3462) C:\Windows\system32\wecsvc.dll
23:08:48.0212 5268 Wecsvc - ok
23:08:48.0225 5268 wercplsupport (9c980351d7e96288ea0c23ae232bd065) C:\Windows\System32\wercplsupport.dll
23:08:48.0229 5268 wercplsupport - ok
23:08:48.0244 5268 WerSvc (66b9ecebc46683f47edc06333c075fef) C:\Windows\System32\WerSvc.dll
23:08:48.0245 5268 WerSvc - ok
23:08:48.0290 5268 WinDefend - ok
23:08:48.0294 5268 WinHttpAutoProxySvc - ok
23:08:48.0358 5268 Winmgmt (d2e7296ed1bd26d8db2799770c077a02) C:\Windows\system32\wbem\WMIsvc.dll
23:08:48.0394 5268 Winmgmt - ok
23:08:48.0512 5268 WinRM (6cbb0c68f13b9c2ec1b16f5fa5e7c869) C:\Windows\system32\WsmSvc.dll
23:08:48.0551 5268 WinRM - ok
23:08:48.0679 5268 Wlansvc (ec339c8115e91baed835957e9a677f16) C:\Windows\System32\wlansvc.dll
23:08:48.0698 5268 Wlansvc - ok
23:08:48.0738 5268 WmiAcpi (e18aebaaa5a773fe11aa2c70f65320f5) C:\Windows\system32\DRIVERS\wmiacpi.sys
23:08:48.0738 5268 WmiAcpi - ok
23:08:48.0768 5268 wmiApSrv (21fa389e65a852698b6a1341f36ee02d) C:\Windows\system32\wbem\WmiApSrv.exe
23:08:48.0782 5268 wmiApSrv - ok
23:08:48.0827 5268 WMPNetworkSvc - ok
23:08:48.0858 5268 WPCSvc (cbc156c913f099e6680d1df9307db7a8) C:\Windows\System32\wpcsvc.dll
23:08:48.0862 5268 WPCSvc - ok
23:08:48.0914 5268 WPDBusEnum (490a18b4e4d53dc10879deaa8e8b70d9) C:\Windows\system32\wpdbusenum.dll
23:08:48.0918 5268 WPDBusEnum - ok
23:08:48.0971 5268 WpdUsb (5e2401b3fc1089c90e081291357371a9) C:\Windows\system32\DRIVERS\wpdusb.sys
23:08:48.0973 5268 WpdUsb - ok
23:08:48.0983 5268 ws2ifsl (8a900348370e359b6bff6a550e4649e1) C:\Windows\system32\drivers\ws2ifsl.sys
23:08:48.0985 5268 ws2ifsl - ok
23:08:49.0033 5268 wscsvc (9ea3e6d0ef7a5c2b9181961052a4b01a) C:\Windows\system32\wscsvc.dll
23:08:49.0037 5268 wscsvc - ok
23:08:49.0039 5268 WSearch - ok
23:08:49.0162 5268 wuauserv (d9ef901dca379cfe914e9fa13b73b4c4) C:\Windows\system32\wuaueng.dll
23:08:49.0201 5268 wuauserv - ok
23:08:49.0285 5268 WUDFRd (501a65252617b495c0f1832f908d54d8) C:\Windows\system32\DRIVERS\WUDFRd.sys
23:08:49.0288 5268 WUDFRd - ok
23:08:49.0299 5268 wudfsvc (6cbd51ff913c851d56ed9dc7f2a27dde) C:\Windows\System32\WUDFSvc.dll
23:08:49.0303 5268 wudfsvc - ok
23:08:49.0383 5268 x64kdss - ok
23:08:49.0397 5268 MBR (0x1B8) (b751af1acddd7a1a71313731839f4ecb) \Device\Harddisk0\DR0
23:08:51.0352 5268 \Device\Harddisk0\DR0 - ok
23:08:51.0370 5268 Boot (0x1200) (c6eafa39f016302daed27066285f63d6) \Device\Harddisk0\DR0\Partition0
23:08:51.0372 5268 \Device\Harddisk0\DR0\Partition0 - ok
23:08:51.0373 5268 ============================================================
23:08:51.0373 5268 Scan finished
23:08:51.0373 5268 ============================================================
23:08:51.0378 5040 Detected object count: 1
23:08:51.0378 5040 Actual detected object count: 1
23:09:34.0292 5040 C:\Windows\system32\MSTAPE.dll - copied to quarantine
23:09:34.0292 5040 HKLM\SYSTEM\ControlSet001\services\nlsvc - will be deleted on reboot
23:09:34.0326 5040 HKLM\SYSTEM\ControlSet003\services\nlsvc - will be deleted on reboot
23:09:34.0574 5040 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\svchost:netsvcs - cured
23:09:34.0648 5040 C:\Windows\system32\MSTAPE.dll - will be deleted on reboot
23:09:34.0649 5040 nlsvc ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
23:09:58.0946 5328 Deinitialize success




Second one:

23:11:42.0498 3696 TDSS rootkit removing tool 2.7.44.0 Jul 2 2012 20:01:08
23:11:42.0873 3696 ============================================================
23:11:42.0873 3696 Current date / time: 2012/07/06 23:11:42.0873
23:11:42.0873 3696 SystemInfo:
23:11:42.0873 3696
23:11:42.0873 3696 OS Version: 6.0.6002 ServicePack: 2.0
23:11:42.0873 3696 Product type: Workstation
23:11:42.0873 3696 ComputerName: BRIAN-PC
23:11:42.0873 3696 UserName: Brian
23:11:42.0873 3696 Windows directory: C:\Windows
23:11:42.0873 3696 System windows directory: C:\Windows
23:11:42.0873 3696 Running under WOW64
23:11:42.0873 3696 Processor architecture: Intel x64
23:11:42.0873 3696 Number of processors: 8
23:11:42.0873 3696 Page size: 0x1000
23:11:42.0873 3696 Boot type: Normal boot
23:11:42.0873 3696 ============================================================
23:11:44.0342 3696 Drive \Device\Harddisk0\DR0 - Size: 0xAEA8CDE000 (698.64 Gb), SectorSize: 0x200, Cylinders: 0x16441, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
23:11:44.0373 3696 ============================================================
23:11:44.0373 3696 \Device\Harddisk0\DR0:
23:11:44.0373 3696 MBR partitions:
23:11:44.0373 3696 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x1389000, BlocksNum 0x561BC800
23:11:44.0373 3696 ============================================================
23:11:44.0389 3696 C: <-> \Device\Harddisk0\DR0\Partition0
23:11:44.0389 3696 ============================================================
23:11:44.0389 3696 Initialize success
23:11:44.0389 3696 ============================================================
23:11:59.0768 3480 Deinitialize success





aswMBR:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-06 23:12:05
-----------------------------
23:12:05.580 OS Version: Windows x64 6.0.6002 Service Pack 2
23:12:05.580 Number of processors: 8 586 0x1A04
23:12:05.580 ComputerName: BRIAN-PC UserName: Brian
23:12:06.002 Initialize success
23:13:01.444 AVAST engine defs: 12070700
23:14:17.536 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
23:14:17.536 Disk 0 Vendor: ST375063 SD46 Size: 715404MB BusType: 3
23:14:17.568 Disk 0 MBR read successfully
23:14:17.568 Disk 0 MBR scan
23:14:17.568 Disk 0 unknown MBR code
23:14:17.568 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 10001 MB offset 63
23:14:17.583 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 705401 MB offset 20484096
23:14:17.599 Disk 0 scanning C:\Windows\system32\drivers
23:14:29.896 Service scanning
23:14:52.052 Modules scanning
23:14:52.052 Disk 0 trace - called modules:
23:14:52.068 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
23:14:52.068 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003a62790]
23:14:52.068 3 CLASSPNP.SYS[fffffa60011cfc33] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80035a3050]
23:14:54.161 AVAST engine scan C:\Windows
23:15:02.552 AVAST engine scan C:\Windows\system32
23:15:17.349 File: C:\Windows\system32\consrv.dll **INFECTED** Win32:Sirefef-HO [Rtk]
23:17:17.281 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-FQ [Drp]
23:17:22.141 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-HO [Rtk]
23:18:57.156 File: C:\Windows\assembly\temp\U\80000032.@ **INFECTED** Win32:Atraps-PF [Trj]
23:18:57.250 File: C:\Windows\assembly\temp\U\80000064.@ **INFECTED** Win32:Atraps-PF [Trj]
23:19:02.672 AVAST engine scan C:\Windows\system32\drivers
23:19:36.984 AVAST engine scan C:\Users\Brian
23:21:41.609 AVAST engine scan C:\ProgramData
23:23:25.750 Scan finished successfully
23:24:07.337 Disk 0 MBR has been saved successfully to "C:\Users\Brian\Desktop\MBR.dat"
23:24:07.337 The log file has been saved successfully to "C:\Users\Brian\Desktop\aswMBR.txt"


Thank you so much for helping me gringo.
-Brian

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:29 AM

Posted 07 July 2012 - 01:31 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 BrianC24

BrianC24
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Arizona, USA
  • Local time:01:29 AM

Posted 07 July 2012 - 02:06 AM

I had no problems running combofix but it did require a restart of my computer. Ill start surfer the web now to see if it is still having problems



ComboFix 12-07-07.01 - Brian 07/06/2012 23:44:31.2.8 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1736 [GMT -7:00]
Running from: c:\users\Brian\Desktop\ComboFix.exe
Command switches used :: c:\users\Brian\Desktop\CFScript.txt
AV: Trend Micro Internet Security Pro *Disabled/Updated* {48929DFC-7A52-A34F-8351-C4DBEDBD9C50}
FW: Trend Micro Personal Firewall *Disabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
SP: Trend Micro Internet Security Pro *Disabled/Updated* {F3F37C18-5C68-ACC1-B9E1-FFA9963AD6ED}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
c:\windows\assembly\temp\@
c:\windows\assembly\temp\cfg.ini
c:\windows\system32\consrv.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-06-07 to 2012-07-07 )))))))))))))))))))))))))))))))
.
.
2012-07-07 06:54 . 2012-07-07 06:57 -------- d-----w- c:\users\Brian\AppData\Local\temp
2012-07-07 06:54 . 2012-07-07 06:54 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2012-07-07 06:54 . 2012-07-07 06:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-07 06:11 . 2012-07-07 06:11 116016 ----a-w- c:\windows\system32\drivers\20875291.sys
2012-07-07 06:09 . 2012-07-07 06:09 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-06 06:28 . 2012-07-06 06:28 102400 ----a-w- c:\windows\RegBootClean.exe
2012-07-06 05:58 . 2012-07-06 05:59 129024 ----a-w- c:\windows\RegBootClean64.exe
2012-07-06 05:57 . 2012-07-06 05:35 105744 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2012-07-06 05:54 . 2012-07-06 05:35 70928 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2012-07-06 05:54 . 2012-07-06 05:35 167696 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-07-06 05:54 . 2012-07-06 05:35 91920 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2012-07-06 05:53 . 2012-07-06 05:53 56 ----a-w- c:\windows\system32\SupportTool.exe.bat
2012-07-06 05:52 . 2012-07-06 05:52 -------- d-----w- c:\program files\Trend Micro
2012-07-06 05:34 . 2012-07-06 05:35 -------- d-----w- c:\program files (x86)\Trend Micro
2012-06-30 10:20 . 2012-06-30 10:20 -------- d-----w- c:\program files (x86)\Palringo
2012-06-29 05:37 . 2012-06-29 05:37 -------- d-----w- c:\users\Brian\AppData\Local\LogMeIn
2012-06-29 05:37 . 2012-06-29 05:37 -------- d-----w- c:\programdata\LogMeIn
2012-06-14 01:54 . 2012-05-01 14:29 209920 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-26 07:48 . 2012-05-12 10:27 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-26 07:48 . 2011-08-03 03:10 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-05 07:37 . 2011-05-27 21:30 256904 ----a-w- c:\windows\SysWow64\drivers\tmcomm.sys
2012-04-11 23:59 . 2012-04-11 23:59 8592 ----a-w- c:\windows\SysWow64\ractrlkeyhook.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-07_05.44.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-25 21:28 . 2012-07-07 06:43 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-09-25 21:28 . 2012-07-07 05:27 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2012-05-14 01:22 . 2012-07-06 07:02 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
+ 2012-05-14 01:22 . 2012-07-07 06:01 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
+ 2008-01-21 02:23 . 2012-07-07 06:13 35212 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:45 . 2012-07-07 06:58 80966 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-01-09 03:52 . 2012-07-07 06:13 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-01-09 03:52 . 2012-07-07 05:30 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-01-09 03:52 . 2012-07-07 06:13 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-09 03:52 . 2012-07-07 05:30 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-09 03:52 . 2012-07-07 05:30 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-01-09 03:52 . 2012-07-07 06:13 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-02 22:46 . 2012-07-06 21:21 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-02 22:46 . 2012-07-07 06:56 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-02 22:46 . 2012-07-06 21:21 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-02 22:46 . 2012-07-07 06:56 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-01-17 02:50 . 2012-07-07 06:10 1580 c:\windows\system32\WDI\ERCQueuedResolutions.dat
+ 2009-01-09 04:31 . 2012-07-07 06:58 9126 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-927838757-2233056545-1000923802-1000_UserData.bin
- 2012-07-07 05:44 . 2012-07-07 05:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-07 06:56 . 2012-07-07 06:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-07 06:56 . 2012-07-07 06:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-07-07 05:44 . 2012-07-07 05:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-01-21 03:20 . 2012-07-07 06:43 294912 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-21 03:20 . 2012-07-07 05:27 294912 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-05-14 01:22 . 2012-07-07 06:01 131072 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
- 2012-05-14 01:22 . 2012-07-07 05:19 131072 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
- 2006-11-02 12:46 . 2012-07-06 21:27 606858 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-07-07 06:18 606858 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-07-07 06:18 104896 c:\windows\system32\perfc009.dat
- 2006-11-02 12:46 . 2012-07-06 21:27 104896 c:\windows\system32\perfc009.dat
- 2009-08-18 00:23 . 2012-07-06 21:21 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-08-18 00:23 . 2012-07-07 06:11 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2011-08-04 08:14 . 2012-07-07 06:55 287256 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-08-04 08:14 . 2012-07-07 05:43 287256 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2008-01-21 03:20 . 2012-07-07 06:43 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2012-07-07 05:27 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20 . 2012-07-07 06:43 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-21 03:20 . 2012-07-07 05:27 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2012-04-11 20:08 87440 ----a-w- c:\program files (x86)\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files (x86)\adawaretb\adawareDx.dll" [2012-04-11 87440]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files (x86)\Download Manager\DLM.exe" [2008-08-01 1103216]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-09 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files (x86)\Creative\SB X-Fi MB\Volume Panel\VolPanlu.exe" [2008-07-10 225396]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"LchDrvKey"="LchDrvKey.exe" [2007-03-29 36864]
"LedKey"="CNYHKey.exe" [2008-04-24 339968]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Ad-Aware Browsing Protection"="c:\programdata\Ad-Aware Browsing Protection\adawarebp.exe" [2012-05-09 201112]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"StartMSu"="c:\program files (x86)\Creative\MediaSource5\Startmsu.exe" [2006-10-02 81920]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
SmartCopy.lnk - c:\program files (x86)\Northstar\SmartCopy\SmartCopy.exe [2008-10-25 319488]
SmartLauncher.lnk - c:\program files (x86)\Northstar\SmartLauncher\SmartLauncher.exe [2008-10-25 335872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-26 257224]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-12 07:48]
.
2012-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-08 17:25]
.
2012-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-05-08 17:25]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RAVCpl64.exe" [2008-09-18 6495264]
"RunDLLEntry"="c:\windows\system32\RunDLL32.exe" [2006-11-02 46592]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-07-21 182808]
"Skytel"="Skytel.exe" [BU]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2012-07-06 204048]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2012-07-06 1300672]
"combofix"="c:\combofix\CF29620.3XE" [2008-01-21 363008]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&s=1&o=vp64&d=1008&m=fx6800-01e&c=BB
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-18317751.sys
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\HELPDIR]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
c:\windows\MHotKey.exe
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\windows\ChiFuncExt.exe
c:\windows\CNYHKey.exe
c:\windows\ModLedKey.exe
.
**************************************************************************
.
Completion time: 2012-07-07 00:01:45 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-07 07:01
ComboFix2.txt 2012-07-07 05:50
.
Pre-Run: 585,264,951,296 bytes free
Post-Run: 585,200,160,768 bytes free
.
- - End Of File - - D281AE1455DE0F622B6F903403B41310

#12 BrianC24

BrianC24
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Arizona, USA
  • Local time:01:29 AM

Posted 07 July 2012 - 02:07 AM

-

Edited by BrianC24, 07 July 2012 - 02:15 AM.


#13 BrianC24

BrianC24
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Arizona, USA
  • Local time:01:29 AM

Posted 07 July 2012 - 02:33 AM

as of right now the few things i did, i have not had a problem. I havent had any pop-ups or redirects to random websites as i was having before. I just ran the housecall that helped me find out i even had a virus coming up with no threats found... Should i consider my computer clean or not just yet?
-Brian

#14 BrianC24

BrianC24
  • Topic Starter

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Arizona, USA
  • Local time:01:29 AM

Posted 07 July 2012 - 03:42 AM

i was just now using google news to read some topics it has. Out of nowhere a pop-up hit me. the url is http://www.bestproducttesters.com/ThankYouV2/ .... this was a random pop-up when looking at http://abcnews.go.com/US/wireStory/zimmerman-released-bail-stricter-terms-16731127?page=2 for 10-15mins. Sorry if im not allowed to post links, i just thought id note this with you because im worried im still infected.

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:29 AM

Posted 07 July 2012 - 06:29 AM

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (it does allot better of a job

Programs to remove

Ad-Aware Security Toolbar
Adobe Reader 8.1.3
FrostWire 5.2.11
Java™ 6 Update 26
Java™ 6 Update 5
LimeWire 4.18.8
[/list]


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.
.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
[/list]
Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.


: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users