Infected - User opened UPS malicious email attachment


  • This topic is locked
16 replies to this topic

#1 Giggsteve8

Giggsteve8

  • Members
  • 38 posts
  • OFFLINE
  • Local time:12:45 PM

Posted 07 July 2012 - 03:13 PM

Hello again!

As I had an EXCELLENT experience with Gringo the last time around, I thought I'd stop back with my next project.

This is a Dell Inspiron 530 desktop running Windows 7 Professional, 32-bit. This is one of the main computers at a small business. I mention this because it includes some programs not normally found on personal computers I've worked on in the past. This includes Dyn Updated, Quickbooks, Intuit Data Backup, to name a few. I figure this might make it a bit more difficult when navigating around while we clean.

Here's what I know: Computer was infected about 4-5 days ago after the user received a malicious email from a sender claiming to be UPS or Fedex. The email attachment claimed to have information about a package that would be dropped off or picked up (the user isn't sure which), and you needed to open and print the attached "receipt" to receive your package.

This installed one of the fake "security" suites that has been removed earlier this morning. I feel like there is still a rootkit hanging on somewhere, and aswMBR seemed to detect something pertaining to Microsoft Security Essentials (the entry was highlighted in RED) RIGHT before Windows bluescreened with an IRQ_NOT_LESS_OR_EQUAL error or something of the sort. Logs are attached below, and I eagerly await your advice. Nothing will be done until I am instructed to do so.

DDS.TXT is below, the other two are attached.

**EDIT: I also have a screenshot of what Malwarebytes claimed to have removed earlier in the day, if this would be helpful.**

Thank you!



*************
DDS.TXT
*************


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Mary at 14:51:52 on 2012-07-07
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2037.602 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\QuickBooks Online Backup\OnlineBackup.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\Drive\googledrivesync.exe
C:\Program Files\DynDNS Updater\DynTray.exe
C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\ProgramData\WebEx\MyWebEx\319\atnthost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\ProgramData\WebEx\MyWebEx\319\RAAGTAPP.EXE
C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe
C:\Windows\system32\HPSIsvc.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\PROGRA~2\WebEx\MyWebEx\319\RaPanel.exe
C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\QBW32.EXE
C:\Windows\system32\lxebcoms.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
C:\Program Files\Google\Drive\googledrivesync.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\DynDNS Updater\DynUpSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\lxcycoms.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Intuit\DataProtect\IBuEngHost.exe
C:\PROGRA~1\Intuit\QUICKB~1.0\QBDBMgrN.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\sppsvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskhost.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://xfinity.comcast.net/
mStart Page = hxxp://search.foxtab.com/?s=0&chnl=tst01&cd=2XzutAtN2Y1L1QzutDtDtC0DtDzyzzzy0CzztAyC0C0F0C0CyCtN0D0TzutBtDtCtCtCtCtDyB&cr=587921026
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [OnlineBackupScheduler] c:\program files\quickbooks online backup\OnlineBackup.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [GoogleDriveSync] "c:\program files\google\drive\googledrivesync.exe" /autostart
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [lxcymon.exe] "c:\program files\lexmark 3400 series\lxcymon.exe"
mRun: [EzPrint] "c:\program files\lexmark 3400 series\ezprint.exe"
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [LXCYCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCYtime.dll,_RunDLLEntry@16
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\dynupd~1.lnk - c:\program files\dyndns updater\DynTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\intuit~1.lnk - c:\program files\common files\intuit\dataprotect\IntuitDataProtect.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\online~1.lnk - c:\windows\installer\{a9255718-8a40-45f9-b738-93655fbd4f6f}\_C90BDFE323B95CEE248723.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~3.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbwebconnector\QBWebConnector.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~2.lnk - c:\program files\intuit\quickbooks enterprise solutions 11.0\QBW32.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {4125262D-2E47-11D3-9387-00C04F5B12B1} - hxxps://www.backup.com/user/webrestore.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://samsclubus.pnimedia.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://qb.webex.com/client/v_mywebex-qb20/ra/ieatgpc1.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{D1CE410F-0972-4549-8052-AD98305D9616} : NameServer = 216.146.35.35,216.146.36.36,192.168.1.1
TCP: Interfaces\{D1CE410F-0972-4549-8052-AD98305D9616} : DhcpNameServer = 192.168.1.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - c:\program files\intuit\quickbooks enterprise solutions 11.0\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 171064]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 atnthost;WebEx Remote Access Agent;c:\programdata\webex\mywebex\319\atnthost.exe [2011-3-21 16776]
R2 Dyn Updater;Dyn Updater;c:\program files\dyndns updater\DynUpSvc.exe [2011-11-15 95608]
R2 HPM1210RcvFaxSrvc;HP LaserJet Professional M1210 MFP Series Receive Fax Service;c:\program files\hp\hp laserjet m1210 mfp series\ReceiveFaxUtility.exe [2009-11-18 245760]
R2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [2011-3-3 99896]
R2 lxeb_device;lxeb_device;c:\windows\system32\lxebcoms.exe -service --> c:\windows\system32\lxebcoms.exe -service [?]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-7-7 654408]
R2 QBVSS;QBIDPService;c:\program files\common files\intuit\dataprotect\QBIDPService.exe [2011-8-19 1248256]
R3 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe -service --> c:\windows\system32\lxcycoms.exe -service [?]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-7-7 22344]
R3 QuickBooksDB22;QuickBooksDB22;c:\progra~1\intuit\quickb~1.0\qbdbmgrn.exe -hvquickbooksdb22 --> c:\progra~1\intuit\quickb~1.0\QBDBMgrN.exe -hvQuickBooksDB22 [?]
R3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2009-7-13 266752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-21 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-28 257224]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-21 136176]
S3 HP1210FAX;HP1210MFP FAX;c:\windows\system32\drivers\HPM1210FAX.sys [2011-3-3 13824]
S3 mvusbews;USB EWS Device;c:\windows\system32\drivers\mvusbews.sys [2011-3-3 17408]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2012-7-7 27192]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-7-1 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-2-20 1343400]
.
=============== Created Last 30 ================
.
2012-07-07 18:20:59 -------- d-sh--w- C:\$RECYCLE.BIN
2012-07-07 18:19:25 -------- d-----w- c:\users\mary\appdata\local\temp
2012-07-07 17:56:36 -------- d-----w- c:\users\mary\appdata\roaming\VS Revo Group
2012-07-07 17:32:17 6762896 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a6ce075b-d29c-49ce-98f4-a423b9ccab6f}\mpengine.dll
2012-07-07 17:03:56 98816 ----a-w- c:\windows\sed.exe
2012-07-07 17:03:56 518144 ----a-w- c:\windows\SWREG.exe
2012-07-07 17:03:56 256000 ----a-w- c:\windows\PEV.exe
2012-07-07 17:03:56 208896 ----a-w- c:\windows\MBR.exe
2012-07-07 15:43:15 -------- d-----w- c:\program files\CCleaner
2012-07-07 15:15:41 -------- d-----w- c:\users\mary\appdata\roaming\Malwarebytes
2012-07-07 15:15:36 -------- d-----w- c:\programdata\Malwarebytes
2012-07-07 15:15:35 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-07 15:15:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-07 15:03:19 -------- d-----w- c:\users\mary\appdata\local\VS Revo Group
2012-07-07 15:03:16 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-07-07 15:03:14 -------- d-----w- c:\program files\VS Revo Group
2012-07-05 13:05:08 6762896 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-07-04 13:05:16 713784 ------w- c:\programdata\microsoft\microsoft antimalware\definition updates\{9809cbc5-2d05-4959-bfcf-2a5f05347301}\gapaengine.dll
2012-06-21 08:55:00 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 08:54:43 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 08:54:21 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-21 08:54:21 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-13 08:02:28 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-13 08:02:24 2343936 ----a-w- c:\windows\system32\win32k.sys
2012-06-13 08:02:21 2342400 ----a-w- c:\windows\system32\msi.dll
2012-06-13 08:02:14 1158656 ----a-w- c:\windows\system32\crypt32.dll
2012-06-13 08:02:11 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-13 08:02:11 103936 ----a-w- c:\windows\system32\cryptnet.dll
.
==================== Find3M ====================
.
2012-06-13 12:24:34 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-13 12:24:34 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-05-01 04:44:12 164352 ----a-w- c:\windows\system32\profsvc.dll
2012-04-26 04:45:55 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-26 04:45:54 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-26 04:41:16 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-04-19 01:56:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-04-19 01:56:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
============= FINISH: 14:52:35.66 ===============


************
END DDS.TXT
************

Attached Files


Edited by Giggsteve8, 07 July 2012 - 03:18 PM.
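As an added example (not a BleepingComputer, DDS or ComboFix tool), here is a small Python triage script that reads the "Pseudo HJT Report" lines of a DDS log like the one posted above and flags the points a helper checks first: UAC policy values set to 0, a start page outside an analyst-supplied allow-list, autostart entries launched from the Windows Installer cache or a temp folder, and statically configured DNS servers that DHCP did not supply. The sample lines are copied from the DDS report in the post (the mStart Page URL is shortened); the allow-list host is an assumption.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example; not a BleepingComputer, DDS or ComboFix tool.
"""
import re
from typing import Dict, List, Sequence, Tuple

Finding = Tuple[str, str]  # (category, detail)

# Constructed sample: lines copied from the DDS report posted above
# (the mStart Page URL is shortened).
SAMPLE_DDS = r"""
uStart Page = hxxp://xfinity.comcast.net/
mStart Page = hxxp://search.foxtab.com/?s=0&chnl=tst01
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\online~1.lnk - c:\windows\installer\{a9255718-8a40-45f9-b738-93655fbd4f6f}\_C90BDFE323B95CEE248723.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{D1CE410F-0972-4549-8052-AD98305D9616} : NameServer = 216.146.35.35,216.146.36.36,192.168.1.1
TCP: Interfaces\{D1CE410F-0972-4549-8052-AD98305D9616} : DhcpNameServer = 192.168.1.1
"""

# DDS prints HKLM\...\Policies\System values as "mPolicies-system: Name = N (0xN)".
# A 0 for any of these weakens or disables UAC (Windows 7 defaults: 1, 5, 1).
UAC_ZERO_IS_WEAK: Dict[str, str] = {
    "EnableLUA": "UAC is disabled",
    "ConsentPromptBehaviorAdmin": "administrators elevate without a prompt",
    "PromptOnSecureDesktop": "elevation prompts are not on the secure desktop",
}

# Launch locations worth a second look when they appear in an autostart entry.
ODD_LAUNCH_DIRS = (
    re.compile(r"\\installer\\\{[0-9a-f-]{36}\}\\", re.I),  # Windows Installer cache
    re.compile(r"\\appdata\\local\\temp\\", re.I),           # per-user temp folder
)

POLICY_RE = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(\d+)")
START_RE = re.compile(r"^([um])Start Page\s*=\s*(\S+)")
AUTOSTART_RE = re.compile(r"^(?:[um]Run:|StartupFolder:)\s*(.+)$")
DHCP_DNS_RE = re.compile(r"^TCP:.*DhcpNameServer\s*=\s*([\d.,]+)")
STATIC_DNS_RE = re.compile(r"^TCP:.*(?<!Dhcp)NameServer\s*=\s*([\d.,]+)")


def url_host(url: str) -> str:
    """Host part of a URL, including DDS's defanged hxxp:// form."""
    rest = url.split("://", 1)[-1]
    return re.split(r"[/?#]", rest, maxsplit=1)[0].lower()


def triage(report: str,
           trusted_start_hosts: Sequence[str] = ("xfinity.comcast.net",)) -> List[Finding]:
    """Return (category, detail) findings for the report text.

    trusted_start_hosts is an analyst-supplied allow-list (assumption: the
    user confirmed the Comcast start page was their own choice).
    """
    findings: List[Finding] = []
    dhcp_dns, static_dns = set(), []
    for raw in report.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            name, value = m.group(1), int(m.group(2))
            if name in UAC_ZERO_IS_WEAK and value == 0:
                findings.append(("uac", f"{name}=0: {UAC_ZERO_IS_WEAK[name]}"))
            continue
        m = START_RE.match(line)
        if m:
            host = url_host(m.group(2))
            if host not in trusted_start_hosts:
                scope = "machine" if m.group(1) == "m" else "user"
                findings.append(("startpage", f"{scope} start page points at {host}"))
            continue
        m = AUTOSTART_RE.match(line)
        if m:
            if any(p.search(m.group(1)) for p in ODD_LAUNCH_DIRS):
                findings.append(("autostart", f"launched from an unusual location: {m.group(1)}"))
            continue
        m = DHCP_DNS_RE.match(line)
        if m:
            dhcp_dns.update(m.group(1).split(","))
            continue
        m = STATIC_DNS_RE.match(line)
        if m:
            static_dns.extend(m.group(1).split(","))
    # Static resolvers are compared only after the whole report is read,
    # because DDS may list the DHCP-supplied servers after the static ones.
    for ip in static_dns:
        if ip not in dhcp_dns:
            findings.append(("dns", f"static name server {ip} was not supplied by DHCP; confirm it was set on purpose"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_DDS):
        print(f"[{category}] {detail}")
```

A static resolver that DHCP did not hand out is not proof of tampering (software such as a DNS updater client may set one deliberately), which is why the finding asks for confirmation rather than declaring it malicious.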



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:45 PM

Posted 07 July 2012 - 11:41 PM

Greetings and Welcome back to The Forums!!



Here are the things to keep in mind while I am helping you to make things go easier and faster for both of us

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only). If this happens please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Giggsteve8

Giggsteve8
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Local time:12:45 PM

Posted 08 July 2012 - 12:35 AM

Hi Gringo! Honored to work with you again. The computer seems the same at this point. Two things to note:

1. The files in the folder "_MEI8402" have been deleted by myself MANY times, and they always reappear.
2. A QuickBooks Backup Log file came up when ComboFix restarted; this may have been a coincidence, but figured I would make note of it.

Here are the logs you require:




**********
Security Check Log
**********


Results of screen317's Security Check version 0.99.42
Windows 7 Service Pack 1 x86 (UAC is disabled!)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.61.0.1400
CCleaner
Java™ 6 Update 29
Java version out of Date!
Adobe Reader X (10.1.3)
Google Chrome 19.0.1084.56
Google Chrome 20.0.1132.47
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
QuickBooks Online Backup OnlineBackup.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````


************





************
ComboFix Log
************

ComboFix 12-07-07.04 - Mary 07/08/2012 0:15.3.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.2037.908 [GMT -5:00]
Running from: c:\users\Mary\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Mary\AppData\Local\Temp\_MEI8402\_ctypes.pyd
c:\users\Mary\AppData\Local\Temp\_MEI8402\_elementtree.pyd
c:\users\Mary\AppData\Local\Temp\_MEI8402\_hashlib.pyd
c:\users\Mary\AppData\Local\Temp\_MEI8402\_socket.pyd
c:\users\Mary\AppData\Local\Temp\_MEI8402\_ssl.pyd
c:\users\Mary\AppData\Local\Temp\_MEI8402\pyexpat.pyd
c:\users\Mary\AppData\Local\Temp\_MEI8402\pysqlite2._sqlite.pyd
c:\users\Mary\AppData\Local\Temp\_MEI8402\python26.dll
c:\users\Mary\AppData\Local\Temp\_MEI8402\pythoncom26.dll
c:\users\Mary\AppData\Local\Temp\_MEI8402\PyWinTypes26.dll
c:\users\Mary\AppData\Local\Temp\_MEI8402\select.pyd
c:\users\Mary\AppData\Local\Temp\_MEI8402\unicodedata.pyd
c:\users\Mary\AppData\Local\Temp\_MEI8402\win32api.pyd
c:\users\Mary\AppData\Local\Temp\_MEI8402\win32com.shell.shell.pyd
c:\users\Mary\AppData\Local\Temp\_MEI8402\win32crypt.pyd
c:\users\Mary\AppData\Local\Temp\_MEI8402\win32event.pyd
c:\users\Mary\AppData\Local\Temp\_MEI8402\win32file.pyd
c:\users\Mary\AppData\Local\Temp\_MEI8402\win32inet.pyd
c:\users\Mary\AppData\Local\Temp\_MEI8402\win32pdh.pyd
c:\users\Mary\AppData\Local\Temp\_MEI8402\win32process.pyd
c:\users\Mary\AppData\Local\Temp\_MEI8402\windows._cacheinvalidation.pyd
c:\users\Mary\AppData\Local\Temp\_MEI8402\wx._controls_.pyd
c:\users\Mary\AppData\Local\Temp\_MEI8402\wx._core_.pyd
c:\users\Mary\AppData\Local\Temp\_MEI8402\wx._gdi_.pyd
c:\users\Mary\AppData\Local\Temp\_MEI8402\wx._html2.pyd
c:\users\Mary\AppData\Local\Temp\_MEI8402\wx._misc_.pyd
c:\users\Mary\AppData\Local\Temp\_MEI8402\wx._windows_.pyd
c:\users\Mary\AppData\Local\Temp\_MEI8402\wx._wizard.pyd
c:\users\Mary\AppData\Local\Temp\_MEI8402\wxbase293u_net_vc.dll
c:\users\Mary\AppData\Local\Temp\_MEI8402\wxbase293u_vc.dll
c:\users\Mary\AppData\Local\Temp\_MEI8402\wxmsw293u_adv_vc.dll
c:\users\Mary\AppData\Local\Temp\_MEI8402\wxmsw293u_core_vc.dll
c:\users\Mary\AppData\Local\Temp\_MEI8402\wxmsw293u_html_vc.dll
c:\users\Mary\AppData\Local\Temp\_MEI8402\wxmsw293u_webview_vc.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-06-08 to 2012-07-08 )))))))))))))))))))))))))))))))
.
.
2012-07-08 05:22 . 2012-07-08 05:24 -------- d-----w- c:\users\Mary\AppData\Local\temp
2012-07-08 05:22 . 2012-07-08 05:22 -------- d-----w- c:\users\QBDataServiceUser22\AppData\Local\temp
2012-07-08 05:22 . 2012-07-08 05:22 -------- d-----w- c:\users\QBDataServiceUser21\AppData\Local\temp
2012-07-08 05:22 . 2012-07-08 05:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-07 19:52 . 2012-07-07 19:52 29904 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A6CE075B-D29C-49CE-98F4-A423B9CCAB6F}\MpKsl5e742db9.sys
2012-07-07 17:56 . 2012-07-07 17:56 -------- d-----w- c:\users\Mary\AppData\Roaming\VS Revo Group
2012-07-07 17:32 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A6CE075B-D29C-49CE-98F4-A423B9CCAB6F}\mpengine.dll
2012-07-07 15:43 . 2012-07-07 15:43 -------- d-----w- c:\program files\CCleaner
2012-07-07 15:15 . 2012-07-07 15:15 -------- d-----w- c:\users\Mary\AppData\Roaming\Malwarebytes
2012-07-07 15:15 . 2012-07-07 15:15 -------- d-----w- c:\programdata\Malwarebytes
2012-07-07 15:15 . 2012-07-07 15:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-07 15:15 . 2012-04-04 20:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-07 15:03 . 2012-07-07 15:03 -------- d-----w- c:\users\Mary\AppData\Local\VS Revo Group
2012-07-07 15:03 . 2009-12-30 16:21 27192 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-07-07 15:03 . 2012-07-07 15:03 -------- d-----w- c:\program files\VS Revo Group
2012-07-05 13:05 . 2012-05-31 03:41 6762896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-07-04 13:05 . 2012-02-11 01:05 713784 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9809CBC5-2D05-4959-BFCF-2A5F05347301}\gapaengine.dll
2012-06-21 08:55 . 2012-06-02 22:19 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-21 08:55 . 2012-06-02 22:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-21 08:55 . 2012-06-02 22:19 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-21 08:55 . 2012-06-02 22:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 08:54 . 2012-06-02 22:19 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-21 08:54 . 2012-06-02 22:19 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-21 08:54 . 2012-06-02 22:12 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 08:54 . 2012-06-02 20:19 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-21 08:54 . 2012-06-02 20:12 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-13 08:02 . 2012-04-28 03:17 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-13 08:02 . 2012-05-15 01:05 2343936 ----a-w- c:\windows\system32\win32k.sys
2012-06-13 08:02 . 2012-04-07 11:26 2342400 ----a-w- c:\windows\system32\msi.dll
2012-06-13 08:02 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\system32\crypt32.dll
2012-06-13 08:02 . 2012-04-24 04:36 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-13 08:02 . 2012-04-24 04:36 103936 ----a-w- c:\windows\system32\cryptnet.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-13 12:24 . 2012-03-28 21:35 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-13 12:24 . 2011-06-16 12:23 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-18 00:12 . 2012-05-18 00:12 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2012-05-18 00:12 . 2011-02-24 19:50 4283672 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2012-05-18 00:12 . 2011-02-24 19:50 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2012-05-18 00:11 . 2011-02-24 19:50 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2012-04-19 01:56 . 2012-04-19 01:56 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2012-04-19 01:56 . 2012-04-19 01:56 69632 ----a-w- c:\windows\system32\QuickTime.qts
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-06-21 00:02 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-06-21 00:02 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-06-21 00:02 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-06-21 00:02 556056 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OnlineBackupScheduler"="c:\program files\QuickBooks Online Backup\OnlineBackup.exe" [2007-11-02 610304]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"GoogleDriveSync"="c:\program files\Google\Drive\googledrivesync.exe" [2012-06-21 12163848]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-24 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-24 150552]
"lxcymon.exe"="c:\program files\Lexmark 3400 Series\lxcymon.exe" [2006-03-06 286720]
"EzPrint"="c:\program files\Lexmark 3400 Series\ezprint.exe" [2006-02-07 98304]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 290816]
"LXCYCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-02-24 65536]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2012-06-19 2305912]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Dyn Updater Tray Icon.lnk - c:\program files\DynDNS Updater\DynTray.exe [2011-11-15 78192]
Intuit Data Protect.lnk - c:\program files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe [2012-3-14 5986168]
Online Backup Scheduler.lnk - c:\windows\Installer\{A9255718-8A40-45F9-B738-93655FBD4F6F}\_C90BDFE323B95CEE248723.exe [2011-2-20 1078]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2012-6-5 1176464]
QuickBooks Web Connector.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe [2011-8-26 2938736]
QuickBooks_Standard_21.lnk - c:\program files\Intuit\QuickBooks Enterprise Solutions 11.0\QBW32.EXE [2012-6-5 1181584]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 HP1210FAX;HP1210MFP FAX;c:\windows\system32\Drivers\HPM1210FAX.sys [x]
R3 mvusbews;USB EWS Device;c:\windows\system32\Drivers\mvusbews.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 MpKsl5e742db9;MpKsl5e742db9;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A6CE075B-D29C-49CE-98F4-A423B9CCAB6F}\MpKsl5e742db9.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 atnthost;WebEx Remote Access Agent;c:\programdata\WebEx\MyWebEx\319\atnthost.exe [x]
S2 Dyn Updater;Dyn Updater;c:\program files\DynDNS Updater\DynUpSvc.exe [x]
S2 HPM1210RcvFaxSrvc;HP LaserJet Professional M1210 MFP Series Receive Fax Service;c:\program files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe [x]
S2 HPSIService;HP SI Service;c:\windows\system32\HPSIsvc.exe [x]
S2 lxeb_device;lxeb_device;c:\windows\system32\lxebcoms.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 QBVSS;QBIDPService;c:\program files\Common Files\Intuit\DataProtect\QBIDPService.exe [x]
S3 lxcy_device;lxcy_device;c:\windows\system32\lxcycoms.exe [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 QuickBooksDB22;QuickBooksDB22;c:\progra~1\Intuit\QUICKB~1.0\QBDBMgrN.exe [x]
S3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-28 12:24]
.
2012-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-21 22:45]
.
2012-07-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-02-21 22:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://xfinity.comcast.net/
mStart Page = hxxp://search.foxtab.com/?s=0&chnl=tst01&cd=2XzutAtN2Y1L1QzutDtDtC0DtDzyzzzy0CzztAyC0C0F0C0CyCtN0D0TzutBtDtCtCtCtCtDyB&cr=587921026
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{D1CE410F-0972-4549-8052-AD98305D9616}: NameServer = 216.146.35.35,216.146.36.36,192.168.1.1
Handler: intu-help-qb5 - {867FCB77-9823-4cd6-8210-D85F968D466F} - c:\program files\Intuit\QuickBooks Enterprise Solutions 11.0\HelpAsyncPluggableProtocol.dll
DPF: {4125262D-2E47-11D3-9387-00C04F5B12B1} - hxxps://www.backup.com/user/webrestore.cab
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\programdata\WebEx\MyWebEx\319\RAAGTAPP.EXE
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\taskhost.exe
c:\progra~2\WebEx\MyWebEx\319\RaPanel.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\conhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\QuickBooks Online Backup\OnlineBackup.SHL
c:\program files\Common Files\Intuit\DataProtect\IBuEngHost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2012-07-08 00:28:42 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-08 05:28
ComboFix2.txt 2012-07-07 18:25
ComboFix3.txt 2012-07-07 17:40
.
Pre-Run: 231,168,790,528 bytes free
Post-Run: 231,256,526,848 bytes free
.
- - End Of File - - DD79C2A05EF55FB9AEAD08945E044DA5

*************



I'll wait to hear back from you. Thanks!

#4 gringo_pr

  • Malware Response Team

Posted 08 July 2012 - 12:40 AM

Greetings

Just looking at those files, they may not be bad, but being in a temp folder they will always be a target.

I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic




Proud Graduate Of Malware Removal University

#5 Giggsteve8

  • Topic Starter
  • Members

Posted 08 July 2012 - 12:57 AM

Hey there Gringo. The temp files DO seem to be associated with one of the business programs on here, maybe WebEx or something... Good call!! I hadn't thought of that.

Things are the same, but I suppose we didn't run any fixes, so that's to be expected :D

Anyway, here are the logs:


*************
TDSSKiller
*************

00:43:34.0383 3464 TDSS rootkit removing tool 2.7.44.0 Jul 2 2012 20:01:08
00:43:34.0695 3464 ============================================================
00:43:34.0695 3464 Current date / time: 2012/07/08 00:43:34.0695
00:43:34.0695 3464 SystemInfo:
00:43:34.0695 3464
00:43:34.0695 3464 OS Version: 6.1.7601 ServicePack: 1.0
00:43:34.0695 3464 Product type: Workstation
00:43:34.0695 3464 ComputerName: MARY-PC
00:43:34.0695 3464 UserName: Mary
00:43:34.0695 3464 Windows directory: C:\Windows
00:43:34.0695 3464 System windows directory: C:\Windows
00:43:34.0695 3464 Processor architecture: Intel x86
00:43:34.0695 3464 Number of processors: 2
00:43:34.0695 3464 Page size: 0x1000
00:43:34.0695 3464 Boot type: Normal boot
00:43:34.0695 3464 ============================================================
00:43:35.0584 3464 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0xA181, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000050
00:43:35.0584 3464 ============================================================
00:43:35.0584 3464 \Device\Harddisk0\DR0:
00:43:35.0584 3464 MBR partitions:
00:43:35.0584 3464 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
00:43:35.0584 3464 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x253FB800
00:43:35.0584 3464 ============================================================
00:43:35.0600 3464 C: <-> \Device\Harddisk0\DR0\Partition1
00:43:35.0600 3464 ============================================================
00:43:35.0600 3464 Initialize success
00:43:35.0600 3464 ============================================================
00:43:38.0657 6100 ============================================================
00:43:38.0657 6100 Scan started
00:43:38.0657 6100 Mode: Manual;
00:43:38.0657 6100 ============================================================
00:43:46.0114 6100 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
00:43:46.0114 6100 LSI_SAS2 - ok
00:43:46.0130 6100 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
00:43:46.0130 6100 LSI_SCSI - ok
00:43:46.0145 6100 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
00:43:46.0145 6100 luafv - ok
00:43:46.0161 6100 lxcy_device - ok
00:43:46.0176 6100 lxeb_device - ok
00:43:46.0223 6100 MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) C:\Windows\system32\drivers\mbam.sys
00:43:46.0223 6100 MBAMProtector - ok
00:43:46.0301 6100 MBAMService (ba400ed640bca1eae5c727ae17c10207) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
00:43:46.0301 6100 MBAMService - ok
00:43:46.0348 6100 Mcx2Svc (bfb9ee8ee977efe85d1a3105abef6dd1) C:\Windows\system32\Mcx2Svc.dll
00:43:46.0348 6100 Mcx2Svc - ok
00:43:46.0379 6100 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
00:43:46.0379 6100 megasas - ok
00:43:46.0395 6100 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
00:43:46.0395 6100 MegaSR - ok
00:43:46.0410 6100 MMCSS (146b6f43a673379a3c670e86d89be5ea) C:\Windows\system32\mmcss.dll
00:43:46.0410 6100 MMCSS - ok
00:43:46.0426 6100 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
00:43:46.0426 6100 Modem - ok
00:43:46.0442 6100 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
00:43:46.0442 6100 monitor - ok
00:43:46.0488 6100 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
00:43:46.0488 6100 mouclass - ok
00:43:46.0504 6100 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
00:43:46.0504 6100 mouhid - ok
00:43:46.0535 6100 mountmgr (fc8771f45ecccfd89684e38842539b9b) C:\Windows\system32\drivers\mountmgr.sys
00:43:46.0535 6100 mountmgr - ok
00:43:46.0582 6100 MpFilter (d993bea500e7382dc4e760bf4f35efcb) C:\Windows\system32\DRIVERS\MpFilter.sys
00:43:46.0582 6100 MpFilter - ok
00:43:46.0629 6100 mpio (2d699fb6e89ce0d8da14ecc03b3edfe0) C:\Windows\system32\drivers\mpio.sys
00:43:46.0629 6100 mpio - ok
00:43:46.0644 6100 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
00:43:46.0644 6100 mpsdrv - ok
00:43:46.0707 6100 MpsSvc (9835584e999d25004e1ee8e5f3e3b881) C:\Windows\system32\mpssvc.dll
00:43:46.0722 6100 MpsSvc - ok
00:43:46.0785 6100 MREMP50 - ok
00:43:46.0800 6100 MREMPR5 - ok
00:43:46.0816 6100 MRENDIS5 - ok
00:43:46.0832 6100 MRESP50 - ok
00:43:46.0863 6100 MRxDAV (ceb46ab7c01c9f825f8cc6babc18166a) C:\Windows\system32\drivers\mrxdav.sys
00:43:46.0863 6100 MRxDAV - ok
00:43:46.0910 6100 mrxsmb (5d16c921e3671636c0eba3bbaac5fd25) C:\Windows\system32\DRIVERS\mrxsmb.sys
00:43:46.0925 6100 mrxsmb - ok
00:43:46.0956 6100 mrxsmb10 (6d17a4791aca19328c685d256349fefc) C:\Windows\system32\DRIVERS\mrxsmb10.sys
00:43:46.0972 6100 mrxsmb10 - ok
00:43:46.0988 6100 mrxsmb20 (b81f204d146000be76651a50670a5e9e) C:\Windows\system32\DRIVERS\mrxsmb20.sys
00:43:46.0988 6100 mrxsmb20 - ok
00:43:47.0003 6100 msahci (012c5f4e9349e711e11e0f19a8589f0a) C:\Windows\system32\drivers\msahci.sys
00:43:47.0003 6100 msahci - ok
00:43:47.0050 6100 msdsm (55055f8ad8be27a64c831322a780a228) C:\Windows\system32\drivers\msdsm.sys
00:43:47.0050 6100 msdsm - ok
00:43:47.0081 6100 MSDTC (e1bce74a3bd9902b72599c0192a07e27) C:\Windows\System32\msdtc.exe
00:43:47.0097 6100 MSDTC - ok
00:43:47.0112 6100 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
00:43:47.0112 6100 Msfs - ok
00:43:47.0128 6100 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
00:43:47.0128 6100 mshidkmdf - ok
00:43:47.0159 6100 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\drivers\msisadrv.sys
00:43:47.0159 6100 msisadrv - ok
00:43:47.0206 6100 MSiSCSI (90f7d9e6b6f27e1a707d4a297f077828) C:\Windows\system32\iscsiexe.dll
00:43:47.0206 6100 MSiSCSI - ok
00:43:47.0206 6100 msiserver - ok
00:43:47.0237 6100 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
00:43:47.0237 6100 MSKSSRV - ok
00:43:47.0268 6100 MsMpSvc (24516bf4e12a46cb67302e2cdcb8cddf) c:\Program Files\Microsoft Security Client\MsMpEng.exe
00:43:47.0268 6100 MsMpSvc - ok
00:43:47.0284 6100 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
00:43:47.0284 6100 MSPCLOCK - ok
00:43:47.0300 6100 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
00:43:47.0300 6100 MSPQM - ok
00:43:47.0315 6100 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
00:43:47.0331 6100 MsRPC - ok
00:43:47.0346 6100 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\drivers\mssmbios.sys
00:43:47.0346 6100 mssmbios - ok
00:43:47.0346 6100 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
00:43:47.0346 6100 MSTEE - ok
00:43:47.0362 6100 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
00:43:47.0362 6100 MTConfig - ok
00:43:47.0378 6100 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
00:43:47.0378 6100 Mup - ok
00:43:47.0424 6100 mvusbews (f0cf56d0dd02d33a34998f87541b2a50) C:\Windows\system32\Drivers\mvusbews.sys
00:43:47.0424 6100 mvusbews - ok
00:43:47.0471 6100 napagent (61d57a5d7c6d9afe10e77dae6e1b445e) C:\Windows\system32\qagentRT.dll
00:43:47.0471 6100 napagent - ok
00:43:47.0502 6100 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
00:43:47.0502 6100 NativeWifiP - ok
00:43:47.0565 6100 NDIS (e7c54812a2aaf43316eb6930c1ffa108) C:\Windows\system32\drivers\ndis.sys
00:43:47.0580 6100 NDIS - ok
00:43:47.0580 6100 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
00:43:47.0580 6100 NdisCap - ok
00:43:47.0612 6100 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
00:43:47.0612 6100 NdisTapi - ok
00:43:47.0643 6100 Ndisuio (d8a65dafb3eb41cbb622745676fcd072) C:\Windows\system32\DRIVERS\ndisuio.sys
00:43:47.0643 6100 Ndisuio - ok
00:43:47.0690 6100 NdisWan (38fbe267e7e6983311179230facb1017) C:\Windows\system32\DRIVERS\ndiswan.sys
00:43:47.0690 6100 NdisWan - ok
00:43:47.0721 6100 NDProxy (a4bdc541e69674fbff1a8ff00be913f2) C:\Windows\system32\drivers\NDProxy.sys
00:43:47.0721 6100 NDProxy - ok
00:43:47.0752 6100 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
00:43:47.0752 6100 NetBIOS - ok
00:43:47.0783 6100 NetBT (280122ddcf04b378edd1ad54d71c1e54) C:\Windows\system32\DRIVERS\netbt.sys
00:43:47.0799 6100 NetBT - ok
00:43:47.0830 6100 Netlogon (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
00:43:47.0830 6100 Netlogon - ok
00:43:47.0877 6100 Netman (7cccfca7510684768da22092d1fa4db2) C:\Windows\System32\netman.dll
00:43:47.0908 6100 Netman - ok
00:43:48.0002 6100 NetMsmqActivator (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
00:43:48.0002 6100 NetMsmqActivator - ok
00:43:48.0002 6100 NetPipeActivator (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
00:43:48.0017 6100 NetPipeActivator - ok
00:43:48.0048 6100 netprofm (8c338238c16777a802d6a9211eb2ba50) C:\Windows\System32\netprofm.dll
00:43:48.0048 6100 netprofm - ok
00:43:48.0064 6100 NetTcpActivator (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
00:43:48.0064 6100 NetTcpActivator - ok
00:43:48.0064 6100 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
00:43:48.0064 6100 NetTcpPortSharing - ok
00:43:48.0095 6100 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
00:43:48.0095 6100 nfrd960 - ok
00:43:48.0142 6100 NisDrv (b52f26bade7d7e4a79706e3fd91834cd) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
00:43:48.0142 6100 NisDrv - ok
00:43:48.0204 6100 NisSrv (290c0d4c4889398797f8df3be00b9698) c:\Program Files\Microsoft Security Client\NisSrv.exe
00:43:48.0220 6100 NisSrv - ok
00:43:48.0251 6100 NlaSvc (912084381d30d8b89ec4e293053f4710) C:\Windows\System32\nlasvc.dll
00:43:48.0267 6100 NlaSvc - ok
00:43:48.0282 6100 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
00:43:48.0282 6100 Npfs - ok
00:43:48.0314 6100 nsi (ba387e955e890c8a88306d9b8d06bf17) C:\Windows\system32\nsisvc.dll
00:43:48.0314 6100 nsi - ok
00:43:48.0329 6100 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
00:43:48.0329 6100 nsiproxy - ok
00:43:48.0407 6100 Ntfs (a7266d82db9675afbded39695b69edac) C:\Windows\system32\drivers\Ntfs.sys
00:43:48.0438 6100 Ntfs - ok
00:43:48.0532 6100 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
00:43:48.0548 6100 Null - ok
00:43:48.0610 6100 nvraid (b3e25ee28883877076e0e1ff877d02e0) C:\Windows\system32\drivers\nvraid.sys
00:43:48.0610 6100 nvraid - ok
00:43:48.0641 6100 nvstor (4380e59a170d88c4f1022eff6719a8a4) C:\Windows\system32\drivers\nvstor.sys
00:43:48.0641 6100 nvstor - ok
00:43:48.0672 6100 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\drivers\nv_agp.sys
00:43:48.0672 6100 nv_agp - ok
00:43:48.0704 6100 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\drivers\ohci1394.sys
00:43:48.0704 6100 ohci1394 - ok
00:43:48.0750 6100 ose (9d10f99a6712e28f8acd5641e3a7ea6b) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
00:43:48.0750 6100 ose - ok
00:43:49.0016 6100 osppsvc (358a9cca612c68eb2f07ddad4ce1d8d7) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
00:43:49.0047 6100 osppsvc - ok
00:43:49.0156 6100 p2pimsvc (82a8521ddc60710c3d3d3e7325209bec) C:\Windows\system32\pnrpsvc.dll
00:43:49.0172 6100 p2pimsvc - ok
00:43:49.0203 6100 p2psvc (59c3ddd501e39e006dac31bf55150d91) C:\Windows\system32\p2psvc.dll
00:43:49.0218 6100 p2psvc - ok
00:43:49.0250 6100 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
00:43:49.0265 6100 Parport - ok
00:43:49.0296 6100 partmgr (3f34a1b4c5f6475f320c275e63afce9b) C:\Windows\system32\drivers\partmgr.sys
00:43:49.0296 6100 partmgr - ok
00:43:49.0312 6100 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
00:43:49.0312 6100 Parvdm - ok
00:43:49.0328 6100 PcaSvc (358ab7956d3160000726574083dfc8a6) C:\Windows\System32\pcasvc.dll
00:43:49.0343 6100 PcaSvc - ok
00:43:49.0374 6100 pci (673e55c3498eb970088e812ea820aa8f) C:\Windows\system32\drivers\pci.sys
00:43:49.0390 6100 pci - ok
00:43:49.0406 6100 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\drivers\pciide.sys
00:43:49.0406 6100 pciide - ok
00:43:49.0437 6100 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
00:43:49.0437 6100 pcmcia - ok
00:43:49.0452 6100 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
00:43:49.0452 6100 pcw - ok
00:43:49.0499 6100 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
00:43:49.0530 6100 PEAUTH - ok
00:43:49.0608 6100 PeerDistSvc (af4d64d2a57b9772cf3801950b8058a6) C:\Windows\system32\peerdistsvc.dll
00:43:49.0640 6100 PeerDistSvc - ok
00:43:49.0764 6100 pla (414bba67a3ded1d28437eb66aeb8a720) C:\Windows\system32\pla.dll
00:43:49.0780 6100 pla - ok
00:43:49.0905 6100 PlugPlay (ec7bc28d207da09e79b3e9faf8b232ca) C:\Windows\system32\umpnpmgr.dll
00:43:49.0920 6100 PlugPlay - ok
00:43:49.0936 6100 PNRPAutoReg (63ff8572611249931eb16bb8eed6afc8) C:\Windows\system32\pnrpauto.dll
00:43:49.0952 6100 PNRPAutoReg - ok
00:43:49.0983 6100 PNRPsvc (82a8521ddc60710c3d3d3e7325209bec) C:\Windows\system32\pnrpsvc.dll
00:43:49.0998 6100 PNRPsvc - ok
00:43:50.0030 6100 PolicyAgent (53946b69ba0836bd95b03759530c81ec) C:\Windows\System32\ipsecsvc.dll
00:43:50.0030 6100 PolicyAgent - ok
00:43:50.0076 6100 Power (f87d30e72e03d579a5199ccb3831d6ea) C:\Windows\system32\umpo.dll
00:43:50.0092 6100 Power - ok
00:43:50.0123 6100 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
00:43:50.0123 6100 PptpMiniport - ok
00:43:50.0139 6100 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
00:43:50.0139 6100 Processor - ok
00:43:50.0186 6100 ProfSvc (cadefac453040e370a1bdff3973be00d) C:\Windows\system32\profsvc.dll
00:43:50.0201 6100 ProfSvc - ok
00:43:50.0232 6100 ProtectedStorage (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
00:43:50.0232 6100 ProtectedStorage - ok
00:43:50.0264 6100 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
00:43:50.0264 6100 Psched - ok
00:43:50.0357 6100 QBCFMonitorService (291e76c02c0994e4e6f1f97a4bcf6c0e) C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
00:43:50.0357 6100 QBCFMonitorService - ok
00:43:50.0404 6100 QBFCService (6bee1814470dc12fa20c53dfc3c97ebb) C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
00:43:50.0404 6100 QBFCService - ok
00:43:50.0529 6100 QBVSS (25fc19badf78b7fb1d835aac4b0b91a5) C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
00:43:50.0544 6100 QBVSS - ok
00:43:50.0700 6100 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
00:43:50.0716 6100 ql2300 - ok
00:43:50.0794 6100 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
00:43:50.0794 6100 ql40xx - ok
00:43:50.0841 6100 QuickBooksDB22 - ok
00:43:50.0888 6100 QWAVE (31ac809e7707eb580b2bdb760390765a) C:\Windows\system32\qwave.dll
00:43:50.0903 6100 QWAVE - ok
00:43:50.0903 6100 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
00:43:50.0903 6100 QWAVEdrv - ok
00:43:50.0919 6100 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
00:43:50.0919 6100 RasAcd - ok
00:43:50.0950 6100 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
00:43:50.0950 6100 RasAgileVpn - ok
00:43:50.0966 6100 RasAuto (a60f1839849c0c00739787fd5ec03f13) C:\Windows\System32\rasauto.dll
00:43:50.0981 6100 RasAuto - ok
00:43:50.0997 6100 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
00:43:50.0997 6100 Rasl2tp - ok
00:43:51.0044 6100 RasMan (cb9e04dc05eacf5b9a36ca276d475006) C:\Windows\System32\rasmans.dll
00:43:51.0059 6100 RasMan - ok
00:43:51.0075 6100 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
00:43:51.0075 6100 RasPppoe - ok
00:43:51.0090 6100 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
00:43:51.0090 6100 RasSstp - ok
00:43:51.0137 6100 rdbss (d528bc58a489409ba40334ebf96a311b) C:\Windows\system32\DRIVERS\rdbss.sys
00:43:51.0137 6100 rdbss - ok
00:43:51.0153 6100 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
00:43:51.0153 6100 rdpbus - ok
00:43:51.0184 6100 RDPCDD (23dae03f29d253ae74c44f99e515f9a1) C:\Windows\system32\DRIVERS\RDPCDD.sys
00:43:51.0184 6100 RDPCDD - ok
00:43:51.0215 6100 RDPDR (b973fcfc50dc1434e1970a146f7e3885) C:\Windows\system32\drivers\rdpdr.sys
00:43:51.0215 6100 RDPDR - ok
00:43:51.0231 6100 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
00:43:51.0231 6100 RDPENCDD - ok
00:43:51.0246 6100 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
00:43:51.0246 6100 RDPREFMP - ok
00:43:51.0293 6100 RDPWD (f031683e6d1fea157abb2ff260b51e61) C:\Windows\system32\drivers\RDPWD.sys
00:43:51.0309 6100 RDPWD - ok
00:43:51.0340 6100 rdyboost (518395321dc96fe2c9f0e96ac743b656) C:\Windows\system32\drivers\rdyboost.sys
00:43:51.0356 6100 rdyboost - ok
00:43:51.0371 6100 RemoteAccess (7b5e1419717fac363a31cc302895217a) C:\Windows\System32\mprdim.dll
00:43:51.0387 6100 RemoteAccess - ok
00:43:51.0402 6100 RemoteRegistry (cb9a8683f4ef2bf99e123d79950d7935) C:\Windows\system32\regsvc.dll
00:43:51.0402 6100 RemoteRegistry - ok
00:43:51.0449 6100 Revoflt (b9bb8e2093c1615ad6ea55ad96214354) C:\Windows\system32\DRIVERS\revoflt.sys
00:43:51.0449 6100 Revoflt - ok
00:43:51.0496 6100 RpcEptMapper (78d072f35bc45d9e4e1b61895c152234) C:\Windows\System32\RpcEpMap.dll
00:43:51.0496 6100 RpcEptMapper - ok
00:43:51.0512 6100 RpcLocator (94d36c0e44677dd26981d2bfeef2a29d) C:\Windows\system32\locator.exe
00:43:51.0527 6100 RpcLocator - ok
00:43:51.0574 6100 RpcSs (7660f01d3b38aca1747e397d21d790af) C:\Windows\system32\rpcss.dll
00:43:51.0590 6100 RpcSs - ok
00:43:51.0605 6100 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
00:43:51.0605 6100 rspndr - ok
00:43:51.0636 6100 s3cap (7fa7f2e249a5dcbb7970630e15e1f482) C:\Windows\system32\drivers\vms3cap.sys
00:43:51.0652 6100 s3cap - ok
00:43:51.0683 6100 SamSs (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
00:43:51.0683 6100 SamSs - ok
00:43:51.0746 6100 sbp2port (05d860da1040f111503ac416ccef2bca) C:\Windows\system32\drivers\sbp2port.sys
00:43:51.0746 6100 sbp2port - ok
00:43:51.0761 6100 SCardSvr (8fc518ffe9519c2631d37515a68009c4) C:\Windows\System32\SCardSvr.dll
00:43:51.0777 6100 SCardSvr - ok
00:43:51.0808 6100 scfilter (0693b5ec673e34dc147e195779a4dcf6) C:\Windows\system32\DRIVERS\scfilter.sys
00:43:51.0824 6100 scfilter - ok
00:43:51.0886 6100 Schedule (a04bb13f8a72f8b6e8b4071723e4e336) C:\Windows\system32\schedsvc.dll
00:43:51.0902 6100 Schedule - ok
00:43:51.0948 6100 SCPolicySvc (319c6b309773d063541d01df8ac6f55f) C:\Windows\System32\certprop.dll
00:43:51.0948 6100 SCPolicySvc - ok
00:43:51.0995 6100 SDRSVC (08236c4bce5edd0a0318a438af28e0f7) C:\Windows\System32\SDRSVC.dll
00:43:51.0995 6100 SDRSVC - ok
00:43:52.0026 6100 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
00:43:52.0026 6100 secdrv - ok
00:43:52.0042 6100 seclogon (a59b3a4442c52060cc7a85293aa3546f) C:\Windows\system32\seclogon.dll
00:43:52.0042 6100 seclogon - ok
00:43:52.0058 6100 SENS (dcb7fcdcc97f87360f75d77425b81737) C:\Windows\system32\sens.dll
00:43:52.0058 6100 SENS - ok
00:43:52.0089 6100 SensrSvc (50087fe1ee447009c9cc2997b90de53f) C:\Windows\system32\sensrsvc.dll
00:43:52.0089 6100 SensrSvc - ok
00:43:52.0104 6100 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
00:43:52.0104 6100 Serenum - ok
00:43:52.0120 6100 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys
00:43:52.0120 6100 Serial - ok
00:43:52.0151 6100 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
00:43:52.0151 6100 sermouse - ok
00:43:52.0214 6100 SessionEnv (4ae380f39a0032eab7dd953030b26d28) C:\Windows\system32\sessenv.dll
00:43:52.0214 6100 SessionEnv - ok
00:43:52.0245 6100 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\drivers\sffdisk.sys
00:43:52.0245 6100 sffdisk - ok
00:43:52.0260 6100 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\drivers\sffp_mmc.sys
00:43:52.0260 6100 sffp_mmc - ok
00:43:52.0276 6100 sffp_sd (6d4ccaedc018f1cf52866bbbaa235982) C:\Windows\system32\drivers\sffp_sd.sys
00:43:52.0276 6100 sffp_sd - ok
00:43:52.0292 6100 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
00:43:52.0292 6100 sfloppy - ok
00:43:52.0354 6100 SharedAccess (d1a079a0de2ea524513b6930c24527a2) C:\Windows\System32\ipnathlp.dll
00:43:52.0370 6100 SharedAccess - ok
00:43:52.0401 6100 ShellHWDetection (414da952a35bf5d50192e28263b40577) C:\Windows\System32\shsvcs.dll
00:43:52.0416 6100 ShellHWDetection - ok
00:43:52.0463 6100 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\drivers\sisagp.sys
00:43:52.0463 6100 sisagp - ok
00:43:52.0494 6100 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys
00:43:52.0494 6100 SiSRaid2 - ok
00:43:52.0526 6100 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys
00:43:52.0526 6100 SiSRaid4 - ok
00:43:52.0541 6100 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
00:43:52.0541 6100 Smb - ok
00:43:52.0572 6100 SNMPTRAP (6a984831644eca1a33ffeae4126f4f37) C:\Windows\System32\snmptrap.exe
00:43:52.0588 6100 SNMPTRAP - ok
00:43:52.0604 6100 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
00:43:52.0604 6100 spldr - ok
00:43:52.0666 6100 Spooler (866a43013535dc8587c258e43579c764) C:\Windows\System32\spoolsv.exe
00:43:52.0666 6100 Spooler - ok
00:43:52.0853 6100 sppsvc (cf87a1de791347e75b98885214ced2b8) C:\Windows\system32\sppsvc.exe
00:43:52.0884 6100 sppsvc - ok
00:43:52.0994 6100 sppuinotify (b0180b20b065d89232a78a40fe56eaa6) C:\Windows\system32\sppuinotify.dll
00:43:52.0994 6100 sppuinotify - ok
00:43:53.0072 6100 srv (e4c2764065d66ea1d2d3ebc28fe99c46) C:\Windows\system32\DRIVERS\srv.sys
00:43:53.0087 6100 srv - ok
00:43:53.0134 6100 srv2 (03f0545bd8d4c77fa0ae1ceedfcc71ab) C:\Windows\system32\DRIVERS\srv2.sys
00:43:53.0150 6100 srv2 - ok
00:43:53.0181 6100 srvnet (be6bd660caa6f291ae06a718a4fa8abc) C:\Windows\system32\DRIVERS\srvnet.sys
00:43:53.0181 6100 srvnet - ok
00:43:53.0196 6100 SSDPSRV (d887c9fd02ac9fa880f6e5027a43e118) C:\Windows\System32\ssdpsrv.dll
00:43:53.0212 6100 SSDPSRV - ok
00:43:53.0228 6100 SstpSvc (d318f23be45d5e3a107469eb64815b50) C:\Windows\system32\sstpsvc.dll
00:43:53.0243 6100 SstpSvc - ok
00:43:53.0274 6100 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys
00:43:53.0274 6100 stexstor - ok
00:43:53.0337 6100 StiSvc (e1fb3706030fb4578a0d72c2fc3689e4) C:\Windows\System32\wiaservc.dll
00:43:53.0352 6100 StiSvc - ok
00:43:53.0384 6100 storflt (472af0311073dceceaa8fa18ba2bdf89) C:\Windows\system32\drivers\vmstorfl.sys
00:43:53.0384 6100 storflt - ok
00:43:53.0415 6100 StorSvc (0bf669f0a910beda4a32258d363af2a5) C:\Windows\system32\storsvc.dll
00:43:53.0415 6100 StorSvc - ok
00:43:53.0430 6100 storvsc (dcaffd62259e0bdb433dd67b5bb37619) C:\Windows\system32\drivers\storvsc.sys
00:43:53.0430 6100 storvsc - ok
00:43:53.0477 6100 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\drivers\swenum.sys
00:43:53.0477 6100 swenum - ok
00:43:53.0493 6100 swprv (a28bd92df340e57b024ba433165d34d7) C:\Windows\System32\swprv.dll
00:43:53.0508 6100 swprv - ok
00:43:53.0618 6100 SysMain (36650d618ca34c9d357dfd3d89b2c56f) C:\Windows\system32\sysmain.dll
00:43:53.0618 6100 SysMain - ok
00:43:53.0649 6100 TabletInputService (763fecdc3d30c815fe72dd57936c6cd1) C:\Windows\System32\TabSvc.dll
00:43:53.0664 6100 TabletInputService - ok
00:43:53.0711 6100 TapiSrv (613bf4820361543956909043a265c6ac) C:\Windows\System32\tapisrv.dll
00:43:53.0711 6100 TapiSrv - ok
00:43:53.0727 6100 TBS (b799d9fdb26111737f58288d8dc172d9) C:\Windows\System32\tbssvc.dll
00:43:53.0727 6100 TBS - ok
00:43:53.0852 6100 Tcpip (7fa2e0f8b072bd04b77b421480b6cc22) C:\Windows\system32\drivers\tcpip.sys
00:43:53.0883 6100 Tcpip - ok
00:43:54.0008 6100 TCPIP6 (7fa2e0f8b072bd04b77b421480b6cc22) C:\Windows\system32\DRIVERS\tcpip.sys
00:43:54.0023 6100 TCPIP6 - ok
00:43:54.0086 6100 tcpipreg (cca24162e055c3714ce5a88b100c64ed) C:\Windows\system32\drivers\tcpipreg.sys
00:43:54.0086 6100 tcpipreg - ok
00:43:54.0117 6100 TDPIPE (1cb91b2bd8f6dd367dfc2ef26fd751b2) C:\Windows\system32\drivers\tdpipe.sys
00:43:54.0117 6100 TDPIPE - ok
00:43:54.0148 6100 TDTCP (2c2c5afe7ee4f620d69c23c0617651a8) C:\Windows\system32\drivers\tdtcp.sys
00:43:54.0148 6100 TDTCP - ok
00:43:54.0195 6100 tdx (b459575348c20e8121d6039da063c704) C:\Windows\system32\DRIVERS\tdx.sys
00:43:54.0195 6100 tdx - ok
00:43:54.0226 6100 TermDD (04dbf4b01ea4bf25a9a3e84affac9b20) C:\Windows\system32\drivers\termdd.sys
00:43:54.0226 6100 TermDD - ok
00:43:54.0288 6100 TermService (382c804c92811be57829d8e550a900e2) C:\Windows\System32\termsrv.dll
00:43:54.0304 6100 TermService - ok
00:43:54.0320 6100 Themes (42fb6afd6b79d9fe07381609172e7ca4) C:\Windows\system32\themeservice.dll
00:43:54.0320 6100 Themes - ok
00:43:54.0351 6100 THREADORDER (146b6f43a673379a3c670e86d89be5ea) C:\Windows\system32\mmcss.dll
00:43:54.0351 6100 THREADORDER - ok
00:43:54.0382 6100 TrkWks (4792c0378db99a9bc2ae2de6cfff0c3a) C:\Windows\System32\trkwks.dll
00:43:54.0382 6100 TrkWks - ok
00:43:54.0413 6100 TrustedInstaller (2c49b175aee1d4364b91b531417fe583) C:\Windows\servicing\TrustedInstaller.exe
00:43:54.0413 6100 TrustedInstaller - ok
00:43:54.0444 6100 tssecsrv (254bb140eee3c59d6114c1a86b636877) C:\Windows\system32\DRIVERS\tssecsrv.sys
00:43:54.0444 6100 tssecsrv - ok
00:43:54.0476 6100 TsUsbFlt (fd1d6c73e6333be727cbcc6054247654) C:\Windows\system32\drivers\tsusbflt.sys
00:43:54.0476 6100 TsUsbFlt - ok
00:43:54.0538 6100 tunnel (b2fa25d9b17a68bb93d58b0556e8c90d) C:\Windows\system32\DRIVERS\tunnel.sys
00:43:54.0538 6100 tunnel - ok
00:43:54.0569 6100 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
00:43:54.0569 6100 uagp35 - ok
00:43:54.0616 6100 udfs (ee43346c7e4b5e63e54f927babbb32ff) C:\Windows\system32\DRIVERS\udfs.sys
00:43:54.0632 6100 udfs - ok
00:43:54.0663 6100 UI0Detect (8344fd4fce927880aa1aa7681d4927e5) C:\Windows\system32\UI0Detect.exe
00:43:54.0663 6100 UI0Detect - ok
00:43:54.0678 6100 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\drivers\uliagpkx.sys
00:43:54.0678 6100 uliagpkx - ok
00:43:54.0725 6100 umbus (d295bed4b898f0fd999fcfa9b32b071b) C:\Windows\system32\drivers\umbus.sys
00:43:54.0725 6100 umbus - ok
00:43:54.0741 6100 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
00:43:54.0741 6100 UmPass - ok
00:43:54.0788 6100 UmRdpService (409994a8eaceee4e328749c0353527a0) C:\Windows\System32\umrdp.dll
00:43:54.0803 6100 UmRdpService - ok
00:43:54.0819 6100 upnphost (833fbb672460efce8011d262175fad33) C:\Windows\System32\upnphost.dll
00:43:54.0834 6100 upnphost - ok
00:43:54.0881 6100 usbaudio (1d9f2bd026e8e2d45033a4df3f16b78c) C:\Windows\system32\drivers\usbaudio.sys
00:43:54.0881 6100 usbaudio - ok
00:43:54.0912 6100 usbccgp (bd9c55d7023c5de374507acc7a14e2ac) C:\Windows\system32\DRIVERS\usbccgp.sys
00:43:54.0912 6100 usbccgp - ok
00:43:54.0944 6100 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\drivers\usbcir.sys
00:43:54.0959 6100 usbcir - ok
00:43:54.0975 6100 usbehci (f92de757e4b7ce9c07c5e65423f3ae3b) C:\Windows\system32\DRIVERS\usbehci.sys
00:43:54.0975 6100 usbehci - ok
00:43:55.0006 6100 usbhub (8dc94aec6a7e644a06135ae7506dc2e9) C:\Windows\system32\DRIVERS\usbhub.sys
00:43:55.0006 6100 usbhub - ok
00:43:55.0053 6100 usbohci (e185d44fac515a18d9deddc23c2cdf44) C:\Windows\system32\drivers\usbohci.sys
00:43:55.0053 6100 usbohci - ok
00:43:55.0068 6100 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
00:43:55.0068 6100 usbprint - ok
00:43:55.0100 6100 usbscan (576096ccbc07e7c4ea4f5e6686d6888f) C:\Windows\system32\DRIVERS\usbscan.sys
00:43:55.0100 6100 usbscan - ok
00:43:55.0115 6100 USBSTOR (f991ab9cc6b908db552166768176896a) C:\Windows\system32\DRIVERS\USBSTOR.SYS
00:43:55.0115 6100 USBSTOR - ok
00:43:55.0146 6100 usbuhci (68df884cf41cdada664beb01daf67e3d) C:\Windows\system32\DRIVERS\usbuhci.sys
00:43:55.0146 6100 usbuhci - ok
00:43:55.0162 6100 UxSms (081e6e1c91aec36758902a9f727cd23c) C:\Windows\System32\uxsms.dll
00:43:55.0162 6100 UxSms - ok
00:43:55.0193 6100 VaultSvc (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
00:43:55.0193 6100 VaultSvc - ok
00:43:55.0240 6100 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\drivers\vdrvroot.sys
00:43:55.0240 6100 vdrvroot - ok
00:43:55.0287 6100 vds (c3cd30495687c2a2f66a65ca6fd89be9) C:\Windows\System32\vds.exe
00:43:55.0318 6100 vds - ok
00:43:55.0349 6100 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
00:43:55.0349 6100 vga - ok
00:43:55.0349 6100 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
00:43:55.0349 6100 VgaSave - ok
00:43:55.0380 6100 vhdmp (5461686cca2fda57b024547733ab42e3) C:\Windows\system32\drivers\vhdmp.sys
00:43:55.0380 6100 vhdmp - ok
00:43:55.0396 6100 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\drivers\viaagp.sys
00:43:55.0412 6100 viaagp - ok
00:43:55.0427 6100 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
00:43:55.0427 6100 ViaC7 - ok
00:43:55.0427 6100 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\drivers\viaide.sys
00:43:55.0427 6100 viaide - ok
00:43:55.0458 6100 vmbus (c2f2911156fdc7817c52829c86da494e) C:\Windows\system32\drivers\vmbus.sys
00:43:55.0458 6100 vmbus - ok
00:43:55.0474 6100 VMBusHID (d4d77455211e204f370d08f4963063ce) C:\Windows\system32\drivers\VMBusHID.sys
00:43:55.0474 6100 VMBusHID - ok
00:43:55.0490 6100 volmgr (4c63e00f2f4b5f86ab48a58cd990f212) C:\Windows\system32\drivers\volmgr.sys
00:43:55.0490 6100 volmgr - ok
00:43:55.0521 6100 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
00:43:55.0536 6100 volmgrx - ok
00:43:55.0552 6100 volsnap (f497f67932c6fa693d7de2780631cfe7) C:\Windows\system32\drivers\volsnap.sys
00:43:55.0568 6100 volsnap - ok
00:43:55.0599 6100 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
00:43:55.0599 6100 vsmraid - ok
00:43:55.0692 6100 VSS (209a3b1901b83aeb8527ed211cce9e4c) C:\Windows\system32\vssvc.exe
00:43:55.0708 6100 VSS - ok
00:43:55.0755 6100 VSTHWBS2 (682fcf7d2eb5158cd30408e976562408) C:\Windows\system32\DRIVERS\VSTBS23.SYS
00:43:55.0755 6100 VSTHWBS2 - ok
00:43:55.0817 6100 VST_DPV (ceb4e3b6890e1e42dca6694d9e59e1a0) C:\Windows\system32\DRIVERS\VSTDPV3.SYS
00:43:55.0833 6100 VST_DPV - ok
00:43:55.0848 6100 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\System32\drivers\vwifibus.sys
00:43:55.0848 6100 vwifibus - ok
00:43:55.0880 6100 W32Time (55187fd710e27d5095d10a472c8baf1c) C:\Windows\system32\w32time.dll
00:43:55.0895 6100 W32Time - ok
00:43:55.0911 6100 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
00:43:55.0911 6100 WacomPen - ok
00:43:55.0958 6100 WANARP (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
00:43:55.0958 6100 WANARP - ok
00:43:55.0958 6100 Wanarpv6 (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
00:43:55.0958 6100 Wanarpv6 - ok
00:43:56.0067 6100 WatAdminSvc (353a04c273ec58475d8633e75ccd5604) C:\Windows\system32\Wat\WatAdminSvc.exe
00:43:56.0067 6100 WatAdminSvc - ok
00:43:56.0238 6100 wbengine (691e3285e53dca558e1a84667f13e15a) C:\Windows\system32\wbengine.exe
00:43:56.0270 6100 wbengine - ok
00:43:56.0301 6100 WbioSrvc (9614b5d29dc76ac3c29f6d2d3aa70e67) C:\Windows\System32\wbiosrvc.dll
00:43:56.0301 6100 WbioSrvc - ok
00:43:56.0363 6100 wcncsvc (34eee0dfaadb4f691d6d5308a51315dc) C:\Windows\System32\wcncsvc.dll
00:43:56.0379 6100 wcncsvc - ok
00:43:56.0394 6100 WcsPlugInService (5d930b6357a6d2af4d7653bdabbf352f) C:\Windows\System32\WcsPlugInService.dll
00:43:56.0394 6100 WcsPlugInService - ok
00:43:56.0426 6100 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
00:43:56.0426 6100 Wd - ok
00:43:56.0457 6100 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
00:43:56.0472 6100 Wdf01000 - ok
00:43:56.0488 6100 WdiServiceHost (46ef9dc96265fd0b423db72e7c38c2a5) C:\Windows\system32\wdi.dll
00:43:56.0488 6100 WdiServiceHost - ok
00:43:56.0488 6100 WdiSystemHost (46ef9dc96265fd0b423db72e7c38c2a5) C:\Windows\system32\wdi.dll
00:43:56.0504 6100 WdiSystemHost - ok
00:43:56.0535 6100 WebClient (a9d880f97530d5b8fee278923349929d) C:\Windows\System32\webclnt.dll
00:43:56.0550 6100 WebClient - ok
00:43:56.0582 6100 Wecsvc (760f0afe937a77cff27153206534f275) C:\Windows\system32\wecsvc.dll
00:43:56.0582 6100 Wecsvc - ok
00:43:56.0613 6100 wercplsupport (ac804569bb2364fb6017370258a4091b) C:\Windows\System32\wercplsupport.dll
00:43:56.0613 6100 wercplsupport - ok
00:43:56.0644 6100 WerSvc (08e420d873e4fd85241ee2421b02c4a4) C:\Windows\System32\WerSvc.dll
00:43:56.0644 6100 WerSvc - ok
00:43:56.0675 6100 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
00:43:56.0675 6100 WfpLwf - ok
00:43:56.0691 6100 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
00:43:56.0691 6100 WIMMount - ok
00:43:56.0738 6100 winachsf (bc0c7ea89194c299f051c24119000e17) C:\Windows\system32\DRIVERS\VSTCNXT3.SYS
00:43:56.0753 6100 winachsf - ok
00:43:56.0831 6100 WinDefend (3fae8f94296001c32eab62cd7d82e0fd) C:\Program Files\Windows Defender\mpsvc.dll
00:43:56.0847 6100 WinDefend - ok
00:43:56.0862 6100 WinHttpAutoProxySvc - ok
00:43:56.0987 6100 Winmgmt (f62e510b6ad4c21eb9fe8668ed251826) C:\Windows\system32\wbem\WMIsvc.dll
00:43:56.0987 6100 Winmgmt - ok
00:43:57.0065 6100 WinRM (1b91cd34ea3a90ab6a4ef0550174f4cc) C:\Windows\system32\WsmSvc.dll
00:43:57.0112 6100 WinRM - ok
00:43:57.0190 6100 Wlansvc (16935c98ff639d185086a3529b1f2067) C:\Windows\System32\wlansvc.dll
00:43:57.0206 6100 Wlansvc - ok
00:43:57.0362 6100 wlidsvc (fb01d4ae207b9efdbabfc55dc95c7e31) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
00:43:57.0377 6100 wlidsvc - ok
00:43:57.0471 6100 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\drivers\wmiacpi.sys
00:43:57.0471 6100 WmiAcpi - ok
00:43:57.0533 6100 wmiApSrv (6eb6b66517b048d87dc1856ddf1f4c3f) C:\Windows\system32\wbem\WmiApSrv.exe
00:43:57.0533 6100 wmiApSrv - ok
00:43:57.0642 6100 WMPNetworkSvc (3b40d3a61aa8c21b88ae57c58ab3122e) C:\Program Files\Windows Media Player\wmpnetwk.exe
00:43:57.0658 6100 WMPNetworkSvc - ok
00:43:57.0720 6100 WPCSvc (a2f0ec770a92f2b3f9de6d518e11409c) C:\Windows\System32\wpcsvc.dll
00:43:57.0720 6100 WPCSvc - ok
00:43:57.0752 6100 WPDBusEnum (aa53356d60af47eacc85bc617a4f3f66) C:\Windows\system32\wpdbusenum.dll
00:43:57.0767 6100 WPDBusEnum - ok
00:43:57.0783 6100 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
00:43:57.0783 6100 ws2ifsl - ok
00:43:57.0814 6100 wscsvc (6f5d49efe0e7164e03ae773a3fe25340) C:\Windows\system32\wscsvc.dll
00:43:57.0814 6100 wscsvc - ok
00:43:57.0814 6100 WSearch - ok
00:43:57.0954 6100 wuauserv (fc3ec24fce372c89423e015a2ac1a31e) C:\Windows\system32\wuaueng.dll
00:43:58.0001 6100 wuauserv - ok
00:43:58.0064 6100 WudfPf (e714a1c0354636837e20ccbf00888ee7) C:\Windows\system32\drivers\WudfPf.sys
00:43:58.0064 6100 WudfPf - ok
00:43:58.0110 6100 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\Windows\system32\DRIVERS\WUDFRd.sys
00:43:58.0110 6100 WUDFRd - ok
00:43:58.0157 6100 wudfsvc (8d1e1e529a2c9e9b6a85b55a345f7629) C:\Windows\System32\WUDFSvc.dll
00:43:58.0157 6100 wudfsvc - ok
00:43:58.0188 6100 WwanSvc (ff2d745b560f7c71b31f30f4d49f73d2) C:\Windows\System32\wwansvc.dll
00:43:58.0188 6100 WwanSvc - ok
00:43:58.0220 6100 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
00:43:58.0391 6100 \Device\Harddisk0\DR0 - ok
00:43:58.0407 6100 Boot (0x1200) (3aa0d245e43062d53c34cbb73df986da) \Device\Harddisk0\DR0\Partition0
00:43:58.0407 6100 \Device\Harddisk0\DR0\Partition0 - ok
00:43:58.0422 6100 Boot (0x1200) (89327184d1c88a0b3047439f00d942c2) \Device\Harddisk0\DR0\Partition1
00:43:58.0422 6100 \Device\Harddisk0\DR0\Partition1 - ok
00:43:58.0422 6100 ============================================================
00:43:58.0422 6100 Scan finished
00:43:58.0422 6100 ============================================================
00:43:58.0438 2548 Detected object count: 0
00:43:58.0438 2548 Actual detected object count: 0

****************
******************
aswMBR Log
******************


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-08 00:47:16
-----------------------------
00:47:16.643 OS Version: Windows 6.1.7601 Service Pack 1
00:47:16.643 Number of processors: 2 586 0xF0D
00:47:16.643 ComputerName: MARY-PC UserName: Mary
00:47:17.595 Initialize success
00:47:56.756 AVAST engine defs: 12070701
00:48:29.048 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
00:48:29.048 Disk 0 Vendor: WDC_WD3200AAKS-75VYA0 12.01B02 Size: 305245MB BusType: 3
00:48:29.080 Disk 0 MBR read successfully
00:48:29.080 Disk 0 MBR scan
00:48:29.095 Disk 0 Windows 7 default MBR code
00:48:29.126 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
00:48:29.142 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 305143 MB offset 206848
00:48:29.158 Disk 0 scanning sectors +625139712
00:48:29.282 Disk 0 scanning C:\Windows\system32\drivers
00:48:38.268 Service scanning
00:48:57.706 Modules scanning
00:49:04.928 Disk 0 trace - called modules:
00:49:04.944 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
00:49:04.960 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85a30588]
00:49:04.975 3 CLASSPNP.SYS[88c0459e] -> nt!IofCallDriver -> [0x85954918]
00:49:04.975 5 ACPI.sys[888a93d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x84c9d610]
00:49:05.958 AVAST engine scan C:\Windows
00:49:08.906 AVAST engine scan C:\Windows\system32
00:52:13.533 AVAST engine scan C:\Windows\system32\drivers
00:52:24.936 AVAST engine scan C:\Users\Mary
00:54:27.787 AVAST engine scan C:\ProgramData
00:55:14.977 Scan finished successfully
00:55:28.393 Disk 0 MBR has been saved successfully to "C:\Users\Mary\Desktop\MBR.dat"
00:55:28.408 The log file has been saved successfully to "C:\Users\Mary\Desktop\aswMBR.txt"


*****************
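Both scans above end with the checks that matter for a suspected bootkit: the first log hashes the MBR boot code ("MBR (0x1B8)") and each boot sector ("Boot (0x1200)"), and aswMBR reports "Windows 7 default MBR code", two NTFS partitions at offsets 2048 and 206848, and that it saved the raw sector to MBR.dat on the desktop. As an added example, not part of this thread and not code from either tool, here is a Python script that parses such a 512-byte MBR.dat, recomputes the boot-code hash over the first 0x1B8 bytes (the range that first log labels), and compares the partition table with what the scanner printed. The sample MBR is constructed in the script with placeholder boot code and a made-up disk signature; the baseline hash is an assumed value you would record from a known-clean machine.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 0x1B8      # bytes before the disk signature; the span the "MBR (0x1B8)" hash covers
PART_TABLE = 0x1BE         # four 16-byte partition entries start here

# Layout aswMBR printed for Disk 0: (index, active, type, start LBA, size in MB)
ASWMBR_LAYOUT = [
    (1, True, 0x07, 2048, 100),
    (2, False, 0x07, 206848, 305143),
]


def build_sample_mbr(boot_code=b"\x00" * BOOT_CODE_LEN):
    """Constructed 512-byte MBR carrying the partition table from the log above.
    The boot code is a placeholder, not real Windows 7 MBR code."""
    if len(boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be exactly 0x1B8 bytes")
    mbr = bytearray(SECTOR)
    mbr[:BOOT_CODE_LEN] = boot_code
    mbr[0x1B8:0x1BC] = struct.pack("<I", 0x4D4F434B)          # made-up disk signature
    for index, active, ptype, start, size_mb in ASWMBR_LAYOUT:
        off = PART_TABLE + 16 * (index - 1)
        sectors = size_mb * 1024 * 1024 // SECTOR
        # CHS fields carry the "use LBA" filler FE FF FF, as on any modern disk
        mbr[off:off + 16] = struct.pack("<B3sB3sII", 0x80 if active else 0x00,
                                        b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, sectors)
    mbr[0x1FE:0x200] = b"\x55\xAA"
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the boot-code MD5, the disk signature and every non-empty partition entry."""
    if len(mbr) != SECTOR or mbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not a 512-byte MBR with a 55AA signature")
    parts = []
    for i in range(4):
        off = PART_TABLE + 16 * i
        status, _, ptype, _, start, sectors = struct.unpack("<B3sB3sII", mbr[off:off + 16])
        if ptype == 0x00:
            continue
        parts.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                      "start_lba": start, "sectors": sectors,
                      "size_mb": sectors * SECTOR // (1024 * 1024)})
    return {"boot_code_md5": hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "disk_signature": struct.unpack("<I", mbr[0x1B8:0x1BC])[0],
            "partitions": parts}


def check_mbr(mbr, expected_layout, baseline_boot_md5=None):
    """Compare a saved MBR against the scanner's report and, optionally, against a
    boot-code hash recorded from a clean machine (assumed input, not on the page)."""
    info = parse_mbr(mbr)
    findings = []
    if baseline_boot_md5 and info["boot_code_md5"] != baseline_boot_md5:
        findings.append("boot code hash differs from baseline")
    if sum(p["active"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    seen = {p["index"]: p for p in info["partitions"]}
    for index, active, ptype, start, size_mb in expected_layout:
        p = seen.get(index)
        if p is None or (p["active"], p["type"], p["start_lba"], p["size_mb"]) != (active, ptype, start, size_mb):
            findings.append(f"partition {index} does not match the scanner's report")
    if len(seen) != len(expected_layout):
        findings.append("partition count differs from the scanner's report")
    # adjacent entries must not overlap; a stashed extra partition would show up here
    ordered = sorted(info["partitions"], key=lambda p: p["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["start_lba"] + a["sectors"] > b["start_lba"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    return findings
```

Against the real file the call is check_mbr(open(r"C:\Users\Mary\Desktop\MBR.dat", "rb").read(), ASWMBR_LAYOUT). One caveat: a rootkit that filters disk reads can hand a user-mode reader a clean sector, which is why aswMBR's "Disk 0 trace" lists the modules on the disk I/O path and why a hash taken from an offline boot (a rescue disc) is the one to trust when the two disagree.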

#6 gringo_pr (Malware Response Team)

Posted 08 July 2012 - 01:01 AM

The reports are looking good. What symptoms does the computer have?


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --> [donate] <-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Giggsteve8 (Topic Starter)

Posted 08 July 2012 - 01:09 AM

It looked okay to me as well, Gringo.

There are no visual symptoms present at this time. I was worried and came here for two reasons:

1. I continued to get those deletions in ComboFix (I know, I shouldn't have been using it!! Sorry! :D ). This is ok, after hearing your explanation that it may simply be because they're in the temp folder.

2. The OTHER big reason I was worried is because aswMBR crashed the first time I ran it (again, before I came here for help.) after returning a RED entry when it came across something with Microsoft Security Essentials.


How does this sound to you:

I'll uninstall/reinstall MSE, get Malwarebytes running again, remove/update Java, and see what happens?

Anything else, let me know. I feel much better now that you have taken a look, and I really appreciate it.

#8 gringo_pr (Malware Response Team)

Posted 08 July 2012 - 02:41 AM

greetings

1. I continued to get those deletions in ComboFix (I know, I shouldn't have been using it!! Sorry! :D ). This is ok, after hearing your explanation that it may simply be because they're in the temp folder. - Logitech has a habit of putting files in the temp folder sometimes, and they will get deleted each time. It seems these programs expect it, as they put them back each time they get deleted.


2. The OTHER big reason I was worried is because aswMBR crashed the first time I ran it (again, before I came here for help.) after returning a RED entry when it came across something with Microsoft Security Essentials. - Programs like this one crashing is common, as Windows is very touchy about what digs around in the subsystems.

aswMBR is coming back clean now so that is good




uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does a much better job).

Programs to remove

Java™ 6 Update 29


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.



Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#9 Giggsteve8 (Topic Starter)

Posted 08 July 2012 - 02:45 AM

Looks good, my man. Must sleep now, you can ignore me for the rest of the night... I'll be back tomorrow morning to finish up! :thumbup2:

As always, thanks again! Talk to you tomorrow.

#10 gringo_pr (Malware Response Team)

Posted 08 July 2012 - 02:55 AM

expect me in the afternoon


gringo

#11 Giggsteve8 (Topic Starter)

Posted 08 July 2012 - 12:39 PM

Hi Gringo!

Everything went as planned, computer is doing well. Here are the logs:



********
MBAM
********



Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.08.06

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Mary :: MARY-PC [administrator]

Protection: Disabled

7/8/2012 12:28:48 PM
mbam-log-2012-07-08 (12-28-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 240830
Time elapsed: 4 minute(s), 1 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

************
***********
HiJackThis
***********


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:36:27 PM, on 7/8/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16446)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\PROGRA~2\WebEx\MyWebEx\319\RaPanel.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\QuickBooks Online Backup\OnlineBackup.exe
C:\Program Files\Google\Drive\googledrivesync.exe
C:\Program Files\DynDNS Updater\DynTray.exe
C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\QBW32.EXE
C:\Program Files\Google\Drive\googledrivesync.exe
C:\Users\Mary\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xfinity.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.foxtab.com/?s=0&chnl=tst01&cd=2XzutAtN2Y1L1QzutDtDtC0DtDzyzzzy0CzztAyC0C0F0C0CyCtN0D0TzutBtDtCtCtCtCtDyB&cr=587921026
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [OnlineBackupScheduler] C:\Program Files\QuickBooks Online Backup\OnlineBackup.exe
O4 - HKCU\..\Run: [GoogleDriveSync] "C:\Program Files\Google\Drive\googledrivesync.exe" /autostart
O4 - HKUS\S-1-5-21-4143447114-1016029743-3019991648-1004\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'QBDataServiceUser22')
O4 - HKUS\S-1-5-21-4143447114-1016029743-3019991648-1004\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'QBDataServiceUser22')
O4 - Global Startup: Dyn Updater Tray Icon.lnk = C:\Program Files\DynDNS Updater\DynTray.exe
O4 - Global Startup: Intuit Data Protect.lnk = C:\Program Files\Common Files\Intuit\DataProtect\IntuitDataProtect.exe
O4 - Global Startup: Online Backup Scheduler.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: QuickBooks Web Connector.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBWebConnector\QBWebConnector.exe
O4 - Global Startup: QuickBooks_Standard_21.lnk = C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\QBW32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {4125262D-2E47-11D3-9387-00C04F5B12B1} (WRXCtl Class) - https://www.backup.com/user/webrestore.cab
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} (Photo Upload Plugin Class) - http://samsclubus.pnimedia.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://qb.webex.com/client/v_mywebex-qb20/ra/ieatgpc1.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1CE410F-0972-4549-8052-AD98305D9616}: NameServer = 216.146.35.35,216.146.36.36,192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{D1CE410F-0972-4549-8052-AD98305D9616}: NameServer = 216.146.35.35,216.146.36.36,192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{D1CE410F-0972-4549-8052-AD98305D9616}: NameServer = 216.146.35.35,216.146.36.36,192.168.1.1
O18 - Protocol: intu-help-qb5 - {867FCB77-9823-4CD6-8210-D85F968D466F} - C:\Program Files\Intuit\QuickBooks Enterprise Solutions 11.0\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: WebEx Remote Access Agent (atnthost) - WebEx Communications, Inc. - C:\ProgramData\WebEx\MyWebEx\319\atnthost.exe
O23 - Service: Dyn Updater - Dyn, Inc. - C:\Program Files\DynDNS Updater\DynUpSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP LaserJet Professional M1210 MFP Series Receive Fax Service (HPM1210RcvFaxSrvc) - Marvell - C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe
O23 - Service: HP SI Service (HPSIService) - HP - C:\Windows\system32\HPSIsvc.exe
O23 - Service: lxcy_device - - C:\Windows\system32\lxcycoms.exe
O23 - Service: lxeb_device - - C:\Windows\system32\lxebcoms.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QBIDPService (QBVSS) - Intuit Inc. - C:\Program Files\Common Files\Intuit\DataProtect\QBIDPService.exe
O23 - Service: QuickBooksDB22 - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~1.0\QBDBMgrN.exe

--
End of file - 10136 bytes

*************
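Gringo reads the HijackThis log above by eye. As an added example, not part of this thread and not a HijackThis feature, here is a small Python triage pass over lines in that format. It flags a start or search page whose host is not on an allowlist, an O16 DPF ActiveX control fetched over plain HTTP, an O17 DNS server outside the site's allowlist, an O18 protocol handler whose DLL was reported missing, an O23 service with an empty vendor field, and any O10 LSP (which HijackThis itself can only label "Unknown"). The sample input is a subset of the log posted above; the two allowlists are assumptions for this site, not something the page states (192.168.1.1 and the two 216.146.x addresses are simply the resolvers already present in the O17 lines).

```python
import re
from urllib.parse import urlparse

# Sample input: a subset of the HijackThis log posted in this thread.
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xfinity.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.foxtab.com/?s=0&chnl=tst01&cd=2XzutAtN2Y1L1QzutDtDtC0DtDzyzzzy0CzztAyC0C0F0C0CyCtN0D0TzutBtDtCtCtCtCtDyB&cr=587921026
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} (Photo Upload Plugin Class) - http://samsclubus.pnimedia.com/upload/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://qb.webex.com/client/v_mywebex-qb20/ra/ieatgpc1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D1CE410F-0972-4549-8052-AD98305D9616}: NameServer = 216.146.35.35,216.146.36.36,192.168.1.1
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Dyn Updater - Dyn, Inc. - C:\Program Files\DynDNS Updater\DynUpSvc.exe
O23 - Service: lxcy_device - - C:\Windows\system32\lxcycoms.exe
"""

# Assumed for this site, not stated on the page: the pages the user expects the browser
# to open, and the resolvers the admin configured (the router plus two public DNS servers).
ALLOWED_PAGE_HOSTS = {"xfinity.comcast.net", "go.microsoft.com"}
ALLOWED_NAMESERVERS = {"192.168.1.1", "216.146.35.35", "216.146.36.36"}

LINE_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")


def triage(log_text):
    """Return (entry type, reason) pairs for the lines that deserve a second look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t, body = m.group("type"), m.group("body")
        if t in ("R0", "R1") and "=" in body:
            # start/search page entries read "registry value = URL"
            host = urlparse(body.split("=", 1)[1].strip()).hostname or ""
            if host and host not in ALLOWED_PAGE_HOSTS:
                findings.append((t, f"browser start/search page set to {host}"))
        elif t == "O10":
            # a layered service provider sees all Winsock traffic, so identify it every time
            findings.append((t, "Winsock LSP: " + body.split(":", 1)[1].strip()))
        elif t == "O16":
            url = body.rsplit(" - ", 1)[-1].strip()
            if url.lower().startswith("http://"):
                findings.append((t, "ActiveX control downloaded over plain HTTP: " + url))
        elif t == "O17" and "NameServer =" in body:
            servers = body.split("NameServer =", 1)[1].replace(" ", "").split(",")
            unexpected = [s for s in servers if s and s not in ALLOWED_NAMESERVERS]
            if unexpected:
                findings.append((t, "unexpected DNS server(s): " + ", ".join(unexpected)))
        elif t == "O18" and "(file missing)" in body:
            findings.append((t, "protocol handler whose DLL was not found: " + body))
        elif t == "O23" and " - - " in body:
            # HijackThis prints "Service: name - vendor - path"; an empty vendor comes out as "name - - path"
            findings.append((t, "service with no vendor name: " + body.rsplit(" - ", 1)[-1].strip()))
    return findings
```

Every hit is a review item, not a verdict. The HKLM start page pointing at search.foxtab.com is the one entry in this log that differs from the user's own start page and is worth a look; the qbwc handler, by contrast, belongs to the QuickBooks Web Connector that appears in the same log's startup entries, and the unnamed lxcy_device service sits next to the Lexmark printer software listed above it.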

#12 gringo_pr (Malware Response Team)

Posted 08 July 2012 - 03:25 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to. For any of these programs you can click on their icons (or start them from the control panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
      O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKUS\S-1-5-21-4143447114-1016029743-3019991648-1004\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'QBDataServiceUser22')
      O4 - HKUS\S-1-5-21-4143447114-1016029743-3019991648-1004\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'QBDataServiceUser22')
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines here and see if you want to keep them or not:
    just copy the name between the brackets and paste it into the search space, for example
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add-on to be installed
    • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

  • If threats were found
  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish
  • close program
  • copy and paste the report here


Gringo

#13 Giggsteve8 (Topic Starter)

Posted 08 July 2012 - 07:13 PM

Here you go, sir!



***********
ESET log
***********


C:\Program Files\NetViewer\windows.7.codec.pack.v2.3.0.setup.exe Win32/Toolbar.Widgi application
C:\Users\Mary\Downloads\invoice77547B788DFBE6E.html HTML/Iframe.B.Gen virus

***********
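ESET's HTML/Iframe.B.Gen label on the downloaded invoice is a generic detection for HTML that embeds an iframe the viewer is not meant to see, typically sized to zero pixels, hidden with CSS, or pushed off-screen so that whatever page it loads runs silently when the "receipt" is opened. As an added example, not part of this thread, here is a Python check for that pattern using only the standard library. The sample page is constructed here to resemble a delivery-notice lure; it is not the contents of the invoice file named in the ESET report, which the thread does not show.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a delivery-notice lure with two concealed iframes and one
# ordinary one. Not the contents of the invoice file ESET flagged on this machine.
SAMPLE_HTML = """<html><body>
<h1>UPS Invoice</h1>
<p>Please print the receipt below to collect your package.</p>
<iframe src="http://example.invalid/go.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://example.invalid/x" style="visibility:hidden; position:absolute; left:-9999px"></iframe>
<iframe src="https://maps.example.invalid/embed" width="600" height="400"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag, in document order."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _pixels(value):
    """Leading integer of a width/height attribute, or None if there is none."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def is_concealed(attrs):
    """True for the usual tricks: (near) zero size, CSS hiding, or parked far off-screen."""
    width, height = _pixels(attrs.get("width")), _pixels(attrs.get("height"))
    if (width is not None and width <= 1) or (height is not None and height <= 1):
        return True
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    offset = re.search(r"(?:left|top):(-\d+)px", style)
    return bool(offset and int(offset.group(1)) < -100)


def find_hidden_iframes(html):
    """Return the src of each concealed iframe; an empty list means none were found."""
    parser = IframeCollector()
    parser.feed(html)
    return [f.get("src", "") for f in parser.iframes if is_concealed(f)]
```

Run it over a saved attachment before anyone opens it; the returned src values are the URLs an analyst would pivot on. The rules are deliberately loose (a one-pixel frame, display:none, visibility:hidden, or a large negative offset) so they catch the common variants, and any hit is a reason to open the file in a sandbox rather than on a workstation.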

#14 gringo_pr (Malware Response Team)

Posted 08 July 2012 - 09:06 PM

Hello

There are some minor things in your online scan that should be removed.


delete files

  • Copy all text in the quote box (below)...to Notepad.

    @echo off
    del /f /s /q "C:\Program Files\NetViewer\windows.7.codec.pack.v2.3.0.setup.exe"
    del /f /s /q "C:\Users\Mary\Downloads\invoice77547B788DFBE6E.html"
    del %0

  • Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
    It should look like this: [screenshots of the save dialog for XP and Vista]
  • Double click on delfile.bat to execute it.
    A black CMD window will flash, then disappear...this is normal.
  • The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.


The rest of the online scan is only reporting backups created during the course of this fix (C:\Qoobox\Quarantine\) and/or items located in System Restore's cache (C:\System Volume Information\). Whatever is in these folders can't harm you unless you choose to perform a manual restore. The following steps will remove these backups.




Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


:Why we need to remove some of our tools:

Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful; if used incorrectly or at the wrong time they can make the computer an expensive paperweight.
They are updated all the time, some of them more than once a day, so by the time you are ready to use them again they will already be outdated.

The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.
:DeFogger:

Note** Defogger only needs to be run if it was run when we first started. If you have not already run it then skip this.

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK.
Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

:Remove the rest of our tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:The programs you can keep:

Some of the programs that we have used would be a good idea to keep and use often to help keep the computer clean. I use these programs on my computer.

Revo Uninstaller Free - this is the uninstaller that I had you download; it works a lot better than Add/Remove in Windows and has saved me more than once from corrupted installs and uninstalls.

CCleaner - This is a good program to clean out temp files. I would use this once a week or before any malware scan to remove unwanted temp files. It has a built-in registry cleaner, but I would leave that alone and not use any registry cleaner.

Malwarebytes' Anti-Malware - The gold standard today in antimalware scanners.

:Security programs:

One of the questions I am asked all the time is "What programs do you use?" I have at this time 4 computers in my home and I have this setup on all 4 of them.

  • Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
  • WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often. (I have upgraded to the paid version of MBAM and I am glad I did.)


    Note** If you decide to install MSE you will need to uninstall your present Antivirus

:Security awareness:

The other question I am asked all the time is "How can I prevent this from happening again?" and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must reads and should be read by everybody in your household that uses the internet.

internetsafety

Internet Safety for Kids

Here is some more reading for you from some of my colleagues.

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum

COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

quoted from Tech Support Forum

Conclusion

There is no such thing as ‘perfect security’. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Gringo
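As an added illustration of the "delete files" step in the post above (this is not code from the thread or from any of the tools it mentions), here is a small Python helper that parses lines in the shape of the ESET export the topic starter pasted and generates the same self-deleting batch file, leaving out anything that sits under the tool backup folders the helper says are removed separately. The third sample line, its detection name and the function names are constructed for the example.

```python
import re

# Constructed sample in the same shape as the ESET export quoted above:
# "<path> <detection-name> <threat-type>"; the path itself may contain spaces.
# The third line (and its detection name) is invented for illustration.
SAMPLE_ESET_LOG = """\
C:\\Program Files\\NetViewer\\windows.7.codec.pack.v2.3.0.setup.exe Win32/Toolbar.Widgi application
C:\\Users\\Mary\\Downloads\\invoice77547B788DFBE6E.html HTML/Iframe.B.Gen virus
C:\\Qoobox\\Quarantine\\C\\Windows\\System32\\sample.dll.vir Win32/Sample.A trojan
"""

# Folders holding backups made by the cleanup tools rather than live files;
# those are left for the separate restore-point / ComboFix cleanup steps.
BACKUP_PREFIXES = ("C:\\Qoobox\\Quarantine\\", "C:\\System Volume Information\\")


def parse_eset_log(text):
    """Return a list of (path, detection, kind) tuples.

    Paths may contain spaces, so split from the right: the last two
    whitespace-separated tokens are the detection name and the threat type.
    """
    findings = []
    for line in text.splitlines():
        parts = line.strip().rsplit(None, 2)
        # Skip blank lines and anything that does not start with a drive path.
        if len(parts) != 3 or not re.match(r"^[A-Za-z]:\\", parts[0]):
            continue
        findings.append(tuple(parts))
    return findings


def is_tool_backup(path):
    """True for findings that only sit in a cleanup tool's backup folder."""
    return path.lower().startswith(tuple(p.lower() for p in BACKUP_PREFIXES))


def build_delfile_bat(findings):
    """Generate the self-deleting batch file in the form used in the thread:
    one quoted 'del' per live finding, followed by 'del %0'."""
    lines = ["@echo off"]
    for path, detection, kind in findings:
        if is_tool_backup(path):
            continue
        lines.append(f"rem {detection} ({kind})")
        lines.append(f'del /f /s /q "{path}"')
    lines.append("del %0")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print(build_delfile_bat(parse_eset_log(SAMPLE_ESET_LOG)))
```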

#15 Giggsteve8

  • Topic Starter
  • Members
  • 38 posts

Posted 08 July 2012 - 09:44 PM

Thank you Gringo, you've been kind, patient, and helpful... like always. I appreciate your time, and will most certainly return when the need arises.

Thank you!!!!!!!!!!!!!!!!



