Need help to remove 800000cb.@


This topic is locked
23 replies to this topic

#1 johpg

  • Members
  • 25 posts
  • OFFLINE
  • Local time:03:05 PM

Posted 09 July 2012 - 09:48 PM

AVG keeps reporting c:\windows\installer\{41d4a247-4af9-8865-bacf-6c88bdc85c60}\u\800000cb.@

DDS run and TXT files attached.

Didn't run GMER as I am running 64 bit Vista Home Premium SP2.

Any help is much appreciated.

Attached Files


#2 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:35 AM

Posted 10 July 2012 - 12:19 AM

Greetings And Welcome To The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash-drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic.

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
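As an added example (not part of this thread, and not code from Farbar or the BleepingComputer team), here is a small Python triage script for the FRST.txt log that the instructions above ask the user to produce. It reads the three sections that matter most when a rootkit is suspected: the "Bamital & volsnap Check" integrity results (a system binary whose MD5 is not reported as legit), any "ZeroAccess:" path listings, and the EXE association check. The sample log lines below are copied from the format FRST prints in the log later in this thread and trimmed; the regular expressions and the section names the parser keys on are my assumptions about that format, not a published FRST specification.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed FRST log in the layout FRST prints
# (section headers framed by "=" runs, "ZeroAccess:" blocks of paths,
# and one-line integrity results). Not a real log from any machine.
SAMPLE_LOG = r"""
========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\services.exe BC81150939BD52DBC7A08C245F1FB229 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

ZeroAccess:
C:\Windows\Installer\{41d4a247-4af9-8865-bacf-6c88bdc85c60}
C:\Windows\Installer\{41d4a247-4af9-8865-bacf-6c88bdc85c60}\U\00000001.@

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\open\command: "%1" %* => OK
"""

# Assumed line shapes, derived from the sample above.
SECTION_RE = re.compile(r"^=+\s*(?P<name>.*?)\s*=+$")
LEGIT_RE = re.compile(r"^(?P<path>.+?) => MD5 is legit$")
FLAGGED_RE = re.compile(r"^(?P<path>.+?) (?P<md5>[0-9A-Fa-f]{32}) (?P<note>.*)$")
ASSOC_RE = re.compile(r"^(?P<key>HKLM\\.+?) => (?P<status>.+)$")


@dataclass
class Triage:
    tampered: dict = field(default_factory=dict)   # path -> (md5, FRST note)
    legit: list = field(default_factory=list)      # paths whose MD5 checked out
    zeroaccess_paths: list = field(default_factory=list)
    exe_association_ok: bool = True


def triage_frst_log(text: str) -> Triage:
    """Walk the log once, tracking the current section, and collect findings."""
    result = Triage()
    section = None
    in_zeroaccess_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends a "ZeroAccess:" block
            in_zeroaccess_block = False
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            in_zeroaccess_block = False
            continue
        if line == "ZeroAccess:":
            in_zeroaccess_block = True
            continue
        if in_zeroaccess_block:
            result.zeroaccess_paths.append(line)
            continue
        if section == "Bamital & volsnap Check":
            m = LEGIT_RE.match(line)
            if m:
                result.legit.append(m.group("path"))
                continue
            m = FLAGGED_RE.match(line)
            if m:
                result.tampered[m.group("path")] = (m.group("md5").upper(), m.group("note"))
        elif section == "EXE ASSOCIATION":
            m = ASSOC_RE.match(line)
            if m and m.group("status").strip() != "OK":
                result.exe_association_ok = False
    return result


def summarize(t: Triage) -> list:
    """Human-readable findings, one per item, for the reply to the helper."""
    findings = []
    for path, (md5, note) in t.tampered.items():
        findings.append(f"system binary {path} fails integrity check (MD5 {md5}): {note}")
    if t.zeroaccess_paths:
        findings.append(f"{len(t.zeroaccess_paths)} ZeroAccess-style path(s) listed, "
                        f"e.g. {t.zeroaccess_paths[0]}")
    if not t.exe_association_ok:
        findings.append(".exe file association has been altered")
    return findings


if __name__ == "__main__":
    for finding in summarize(triage_frst_log(SAMPLE_LOG)):
        print("!!", finding)
```

The script does no cleanup of its own; it only turns a long log into a short list of the items a helper would act on (a patched services.exe and the hidden {GUID}\U folder are the classic ZeroAccess markers in this thread), which is the part of the log worth reading first before any fix script is written.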

#3 johpg (Topic Starter)

  • Members
  • 25 posts
  • OFFLINE
  • Local time:03:05 PM

Posted 10 July 2012 - 03:20 AM

Scan result of Farbar Recovery Scan Tool Version: 09-07-2012
Ran by SYSTEM at 10-07-2012 17:40:13
Running from E:\Virus
Windows Vista ™ Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [2416480 2012-01-23] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-26] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKLM-x32\...\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray [462408 2012-04-03] (Malwarebytes Corporation)
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\LogMeInRemoteUser\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Paul\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-07-01] (Google Inc.)
HKU\Paul\...\Run: [Google Update] "C:\Users\Paul\AppData\Local\Google\Update\GoogleUpdate.exe" /c [135664 2010-03-03] (Google Inc.)
HKU\Paul\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-22] (Apple Inc.)
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1 10.1.1.1 192.168.1.1 203.134.64.66
AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
Tcpip\..\Interfaces\{14DE9B73-815C-4E55-89DD-F3963F6309C9}: [NameServer]208.67.222.222,208.67.222.220
Startup: C:\Users\All Users\Start Menu\Programs\Startup\MozyHome Status.lnk
ShortcutTarget: MozyHome Status.lnk -> C:\Program Files\MozyHome\mozystat.exe (Mozy, Inc.)
Startup: C:\Users\LogMeInRemoteUser\Start Menu\Programs\Startup\Dell Dock First Run.lnk
ShortcutTarget: Dell Dock First Run.lnk -> C:\Program Files\Dell\DellDock\DellDock.exe (No File)
Startup: C:\Users\Paul\Start Menu\Programs\Startup\Stash.lnk
ShortcutTarget: Stash.lnk -> C:\Program Files (x86)\Mozy\Stash\Stash.exe (Mozy, Inc.)

==================== Services (Whitelisted) ======

2 AppHostSvc; C:\Windows\SysWow64\inetsrv\apphostsvc.dll [52224 2009-04-10] (Microsoft Corporation)
2 AVGIDSAgent; "C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe" [4433248 2011-10-11] (AVG Technologies CZ, s.r.o.)
2 avgwd; "C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe" [192776 2011-08-01] (AVG Technologies CZ, s.r.o.)
2 BcmSqlStartupSvc; "C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [30312 2009-02-19] (Microsoft Corporation)
3 BrYNSvc; "C:\Program Files (x86)\Browny02\BrYNSvc.exe" [245760 2010-01-24] (Brother Industries, Ltd.)
2 EaseUS Agent; C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe [61064 2011-12-22] (CHENGDU YIWO Tech Development Co., Ltd)
2 Guard Agent; C:\Program Files (x86)\EaseUS\Todo Backup\bin\GuardAgent.exe [23176 2011-12-22] (CHENGDU YIWO Tech Development Co., Ltd)
2 MBAMService; "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe" [654408 2012-04-03] (Malwarebytes Corporation)
2 mozybackup; "C:\Program Files\MozyHome\mozybackup.exe" [54632 2012-02-06] (Mozy, Inc.)
3 MSSQL$MSSMLBIZ; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [29293408 2010-12-09] (Microsoft Corporation)
2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [427008 2010-04-21] (Microsoft Corporation)
2 W3SVC; C:\Windows\SysWow64\inetsrv\iisw3adm.dll [373760 2010-04-21] (Microsoft Corporation)
3 WAS; C:\Windows\SysWow64\inetsrv\iisw3adm.dll [373760 2010-04-21] (Microsoft Corporation)
3 rpcapd; "C:\Program Files (x86)\WinPcap\rpcapd.exe" -d -f "C:\Program Files (x86)\WinPcap\rpcapd.ini" [x]

========================== Drivers (Whitelisted) =============

3 AVGIDSDriver; C:\Windows\System32\Drivers\AVGIDSDriver.sys [120400 2011-07-10] (AVG Technologies CZ, s.r.o. )
0 AVGIDSEH; C:\Windows\System32\Drivers\AVGIDSEH.sys [26704 2011-07-10] (AVG Technologies CZ, s.r.o. )
3 AVGIDSFilter; C:\Windows\System32\Drivers\AVGIDSFilter.sys [29776 2011-07-10] (AVG Technologies CZ, s.r.o. )
1 Avgldx64; C:\Windows\System32\Drivers\Avgldx64.sys [283728 2011-10-06] (AVG Technologies CZ, s.r.o.)
1 Avgmfx64; C:\Windows\System32\Drivers\Avgmfx64.sys [46672 2011-08-07] (AVG Technologies CZ, s.r.o.)
0 Avgrkx64; C:\Windows\System32\Drivers\Avgrkx64.sys [37456 2011-09-12] (AVG Technologies CZ, s.r.o.)
0 EUBAKUP; C:\Windows\System32\Drivers\EUBAKUP.sys [57480 2011-12-22] (CHENGDU YIWO Tech Development Co., Ltd)
0 EUBKMON; C:\Windows\System32\Drivers\EUBKMON.sys [51336 2011-12-22] ()
1 EUDSKACS; C:\Windows\System32\Drivers\EUDSKACS.sys [19592 2011-12-22] (CHENGDU YIWO Tech Development Co., Ltd)
1 EUFDDISK; C:\Windows\System32\Drivers\EUFDDISK.sys [189576 2011-12-22] (CHENGDU YIWO Tech Development Co., Ltd)
3 lmimirr; C:\Windows\System32\Drivers\lmimirr.sys [11552 2010-09-16] (LogMeIn, Inc.)
2 LMIRfsDriver; C:\Windows\System32\Drivers\LMIRfsDriver.sys [72216 2010-09-16] (LogMeIn, Inc.)
3 MBAMProtector; \??\C:\Windows\system32\drivers\mbam.sys [24904 2012-04-03] (Malwarebytes Corporation)
1 mozyFilter; C:\Windows\System32\DRIVERS\mozy.sys [67328 2012-02-06] (Mozy, Inc.)
2 NPF; C:\Windows\System32\Drivers\NPF.sys [47632 2009-10-20] (CACE Technologies, Inc.)
2 RtNdPt60; C:\Windows\System32\Drivers\RtNdPt60.sys [26624 2007-12-10] (Windows ® Codename Longhorn DDK provider)
3 RTTEAMPT; C:\Windows\System32\DRIVERS\RtTeam60.sys [43008 2008-10-23] (Realtek Corporation)
3 RTVLANPT; C:\Windows\System32\DRIVERS\RtVlan60.sys [24064 2007-12-02] (Windows ® Codename Longhorn DDK provider)
1 StarOpen; C:\Windows\SysWow64\Drivers\StarOpen.sys [5632 2011-09-20] ()
3 TEAM; C:\Windows\System32\DRIVERS\RtTeam60.sys [43008 2008-10-23] (Realtek Corporation)
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
2 LMIInfo; \??\C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [x]
4 LMIRfsClientNP; [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]
3 PCD5SRVC{048DBD20-445E8C82-05040104}; \??\C:\PROGRA~2\DELLSU~1\HWDiag\bin\PCD5SRVC_x64.pkms [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-10 17:40 - 2012-07-10 17:40 - 00000000 ____D C:\FRST
2012-07-09 23:48 - 2012-07-09 07:34 - 01434401 ____A (Farbar) C:\Users\Paul\Desktop\FRST64.exe
2012-07-09 18:41 - 2012-07-09 18:41 - 00011433 ____A C:\Users\Paul\Desktop\Attach.txt
2012-07-09 18:40 - 2012-07-09 18:40 - 00025168 ____A C:\Users\Paul\Desktop\DDS.txt
2012-07-09 18:36 - 2011-08-25 08:14 - 00607260 ____R (Swearware) C:\Users\Paul\Desktop\dds.scr
2012-07-09 18:01 - 2012-07-09 18:03 - 00000239 ____A C:\Users\Paul\Desktop\CFscript.txt
2012-07-09 18:01 - 2012-07-09 13:21 - 04574676 ____A (Swearware) C:\Users\Paul\Desktop\ComboFix.exe
2012-07-09 17:50 - 2012-07-09 17:50 - 00000000 ____D C:\Users\Paul\AppData\Roaming\Malwarebytes
2012-07-09 17:49 - 2012-07-09 17:49 - 00000950 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-09 17:48 - 2012-07-09 17:49 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-07-09 17:48 - 2012-07-09 17:48 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-07-09 17:48 - 2012-04-03 22:26 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-09 14:08 - 2012-06-12 02:17 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\Paul\Desktop\mbam-setup-1.61.0.1400.exe
2012-07-09 04:43 - 2012-07-09 04:43 - 00000000 ____D C:\Users\Paul\AppData\Local\{B4ECBA53-C9C3-11E1-8270-B8AC6F996F26}
2012-07-09 04:43 - 2012-07-09 04:43 - 00000000 ____D C:\Users\Paul\AppData\Local\{B4EC8610-C9C3-11E1-8270-B8AC6F996F26}
2012-07-09 04:42 - 2012-07-09 04:45 - 00000000 ____D C:\Users\All Users\F4D55F3B00007AC4000003AE570F1C8B
2012-07-09 04:41 - 2012-07-09 04:45 - 00000000 ____D C:\Users\Paul\AppData\Roaming\Umeqar
2012-07-09 04:41 - 2012-07-09 04:43 - 00000000 ____D C:\Users\Paul\AppData\Roaming\Avveo
2012-07-09 04:41 - 2012-07-09 04:41 - 00000000 ____D C:\Users\Paul\AppData\Roaming\Moif
2012-07-05 21:36 - 2012-07-05 21:36 - 00000874 ____A C:\Users\Public\Desktop\MobileSiteBuilder.lnk
2012-07-05 21:36 - 2012-07-05 21:36 - 00000000 ____D C:\Program Files (x86)\MobileSiteBuilder
2012-07-05 21:32 - 2012-07-05 21:32 - 00000000 ____D C:\Users\Paul\AppData\Roaming\MobileSiteBuilder
2012-07-03 21:06 - 2012-07-08 23:55 - 00000000 ____D C:\Users\Paul\AppData\Roaming\Skype
2012-07-03 21:05 - 2012-07-03 21:06 - 00000000 ____D C:\Users\All Users\Skype
2012-07-03 21:05 - 2012-07-03 21:05 - 00001890 ____A C:\Users\Public\Desktop\Skype.lnk
2012-07-03 21:05 - 2012-07-03 21:05 - 00000000 ___RD C:\Program Files (x86)\Skype
2012-06-28 20:42 - 2012-06-28 20:42 - 00000339 ____A C:\Users\Paul\AppData\Roaming\poi_state.xml
2012-06-28 20:42 - 2012-06-28 20:42 - 00000000 ____D C:\Program Files (x86)\poi
2012-06-25 21:36 - 2012-06-28 20:42 - 00000722 ____A C:\Users\Public\Desktop\poi.lnk
2012-06-25 21:36 - 2012-06-26 21:27 - 00000000 ____D C:\Users\Paul\Documents\poi
2012-06-25 21:36 - 2012-06-25 21:36 - 00000000 ____D C:\Users\Paul\AppData\Roaming\poi
2012-06-25 15:02 - 2012-06-25 15:02 - 00000000 ____D C:\Users\Paul\AppData\Local\Macromedia
2012-06-21 14:45 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-21 14:45 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-21 14:45 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-21 14:45 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-21 14:44 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-21 14:44 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2012-06-21 14:44 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-21 14:44 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2012-06-21 14:44 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-21 14:44 - 2012-06-02 14:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2012-06-21 14:44 - 2012-06-01 21:49 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-21 14:44 - 2012-06-01 21:49 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2012-06-21 14:44 - 2012-06-01 21:45 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-21 14:44 - 2012-06-01 21:42 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2012-06-20 01:17 - 2012-06-20 01:18 - 00000000 ____D C:\Program Files (x86)\QuickTime
2012-06-20 01:17 - 2012-06-20 01:17 - 00001758 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2012-06-13 06:05 - 2012-05-17 18:47 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-13 06:05 - 2012-05-17 18:16 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-13 06:05 - 2012-05-17 18:06 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-13 06:05 - 2012-05-17 17:59 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-13 06:05 - 2012-05-17 17:59 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-13 06:05 - 2012-05-17 17:58 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-13 06:05 - 2012-05-17 17:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-13 06:05 - 2012-05-17 17:56 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-13 06:05 - 2012-05-17 17:55 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-13 06:05 - 2012-05-17 17:55 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-13 06:05 - 2012-05-17 17:54 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-13 06:05 - 2012-05-17 17:51 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-13 06:05 - 2012-05-17 17:51 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-13 06:05 - 2012-05-17 17:47 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-13 06:05 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-13 06:05 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-13 06:05 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-13 06:05 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-13 06:05 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-13 06:05 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-13 06:05 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-13 06:05 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-13 06:05 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-13 06:05 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-13 06:05 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-13 06:05 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-13 06:05 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-13 06:05 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-12 14:20 - 2012-05-15 12:15 - 02767360 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-12 14:20 - 2012-05-01 06:29 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-12 14:20 - 2012-04-23 08:25 - 01267200 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-06-12 14:20 - 2012-04-23 08:25 - 00174592 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-06-12 14:20 - 2012-04-23 08:25 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-06-12 14:20 - 2012-04-23 08:00 - 00984064 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-06-12 14:20 - 2012-04-23 08:00 - 00133120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-06-12 14:20 - 2012-04-23 08:00 - 00098304 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll

============ 3 Months Modified Files ========================

2012-07-10 00:05 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-10 00:04 - 2006-11-02 07:42 - 00032568 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-10 00:04 - 2006-11-02 07:22 - 00003744 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-10 00:04 - 2006-11-02 07:22 - 00003744 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-10 00:03 - 2010-01-29 05:09 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-09 23:54 - 2009-10-15 14:41 - 1607025664 ____A C:\Users\Paul\AppData\archive.pst
2012-07-09 23:54 - 2009-06-18 09:23 - 01995334 ____A C:\Windows\WindowsUpdate.log
2012-07-09 23:49 - 2006-11-02 04:46 - 00904052 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-09 23:17 - 2010-03-03 22:19 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3806364039-2167549492-3954559941-1003UA.job
2012-07-09 23:13 - 2012-03-30 02:10 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-09 23:08 - 2010-05-30 01:23 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-09 18:41 - 2012-07-09 18:41 - 00011433 ____A C:\Users\Paul\Desktop\Attach.txt
2012-07-09 18:40 - 2012-07-09 18:40 - 00025168 ____A C:\Users\Paul\Desktop\DDS.txt
2012-07-09 18:03 - 2012-07-09 18:01 - 00000239 ____A C:\Users\Paul\Desktop\CFscript.txt
2012-07-09 17:49 - 2012-07-09 17:49 - 00000950 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2012-07-09 14:32 - 2012-02-06 17:12 - 00003688 ____A C:\Windows\mozy.blk
2012-07-09 14:32 - 2012-02-06 17:12 - 00002718 ____A C:\Windows\mozy.flt
2012-07-09 13:21 - 2012-07-09 18:01 - 04574676 ____A (Swearware) C:\Users\Paul\Desktop\ComboFix.exe
2012-07-09 07:34 - 2012-07-09 23:48 - 01434401 ____A (Farbar) C:\Users\Paul\Desktop\FRST64.exe
2012-07-07 01:17 - 2010-03-03 22:18 - 00000852 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3806364039-2167549492-3954559941-1003Core.job
2012-07-05 21:36 - 2012-07-05 21:36 - 00000874 ____A C:\Users\Public\Desktop\MobileSiteBuilder.lnk
2012-07-05 17:27 - 2012-03-22 19:55 - 00000952 ____A C:\Users\Paul\Desktop\Dropbox.lnk
2012-07-03 21:05 - 2012-07-03 21:05 - 00001890 ____A C:\Users\Public\Desktop\Skype.lnk
2012-06-30 18:19 - 2010-03-03 22:20 - 00002073 ____A C:\Users\Paul\Desktop\Google Chrome.lnk
2012-06-28 20:42 - 2012-06-28 20:42 - 00000339 ____A C:\Users\Paul\AppData\Roaming\poi_state.xml
2012-06-28 20:42 - 2012-06-25 21:36 - 00000722 ____A C:\Users\Public\Desktop\poi.lnk
2012-06-24 18:15 - 2012-03-30 02:10 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-06-24 18:15 - 2011-05-20 16:31 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-06-20 01:17 - 2012-06-20 01:17 - 00001758 ____A C:\Users\Public\Desktop\QuickTime Player.lnk
2012-06-20 01:09 - 2010-10-28 12:45 - 00001866 ____A C:\Users\Public\Desktop\Safari.lnk
2012-06-13 15:24 - 2006-11-02 07:21 - 00397640 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-13 06:00 - 2006-11-02 04:35 - 58957832 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-06-12 02:17 - 2012-07-09 14:08 - 10063000 ____A (Malwarebytes Corporation ) C:\Users\Paul\Desktop\mbam-setup-1.61.0.1400.exe
2012-06-06 22:59 - 2006-11-02 07:27 - 00181585 ____A C:\Windows\setupact.log
2012-06-05 14:30 - 2008-01-20 19:26 - 00049692 ____A C:\Windows\PFRO.log
2012-06-02 14:19 - 2012-06-21 14:45 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-21 14:45 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 14:45 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-21 14:44 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-21 14:44 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2012-06-02 14:19 - 2012-06-21 14:44 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:19 - 2012-06-21 14:44 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2012-06-02 14:15 - 2012-06-21 14:45 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-21 14:44 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:12 - 2012-06-21 14:44 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2012-06-01 21:49 - 2012-06-21 14:44 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-01 21:49 - 2012-06-21 14:44 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2012-06-01 21:45 - 2012-06-21 14:44 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-01 21:42 - 2012-06-21 14:44 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2012-05-27 00:33 - 2011-05-10 03:44 - 00038434 ____A C:\Users\Paul\AppData\Roaming\Comma Separated Values (DOS).ADR
2012-05-26 09:16 - 2012-05-26 09:16 - 00004096 __ASH C:\{D8A23DA7-E38E-4754-9121-7A834709631A}.CBM
2012-05-26 09:16 - 2012-04-15 06:14 - 00302080 __ASH C:\{34590286-336F-4C6E-91B6-7888288A3588}.CBM
2012-05-26 09:16 - 2012-04-05 03:33 - 00302080 __ASH C:\{525215E0-1776-4076-A87A-DA69CAD38CE0}.CBM
2012-05-26 06:28 - 2012-01-13 23:57 - 00298496 __ASH C:\EUMONBMP.SYS
2012-05-24 17:56 - 2012-05-24 17:56 - 00000899 ____A C:\Users\Public\Desktop\ICCPro.lnk
2012-05-17 18:47 - 2012-06-13 06:05 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 18:16 - 2012-06-13 06:05 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 18:06 - 2012-06-13 06:05 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 17:59 - 2012-06-13 06:05 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 17:59 - 2012-06-13 06:05 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 17:58 - 2012-06-13 06:05 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 17:58 - 2012-06-13 06:05 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 17:56 - 2012-06-13 06:05 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 17:55 - 2012-06-13 06:05 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 17:55 - 2012-06-13 06:05 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 17:54 - 2012-06-13 06:05 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 17:51 - 2012-06-13 06:05 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 17:51 - 2012-06-13 06:05 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 17:47 - 2012-06-13 06:05 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-17 15:11 - 2012-06-13 06:05 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-05-17 14:48 - 2012-06-13 06:05 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-05-17 14:45 - 2012-06-13 06:05 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-05-17 14:36 - 2012-06-13 06:05 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-05-17 14:35 - 2012-06-13 06:05 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-05-17 14:35 - 2012-06-13 06:05 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-05-17 14:33 - 2012-06-13 06:05 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-05-17 14:31 - 2012-06-13 06:05 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-05-17 14:29 - 2012-06-13 06:05 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-05-17 14:29 - 2012-06-13 06:05 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-05-17 14:27 - 2012-06-13 06:05 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-05-17 14:25 - 2012-06-13 06:05 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-05-17 14:24 - 2012-06-13 06:05 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-05-17 14:20 - 2012-06-13 06:05 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-05-15 12:15 - 2012-06-12 14:20 - 02767360 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-01 06:29 - 2012-06-12 14:20 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-23 08:25 - 2012-06-12 14:20 - 01267200 ____A (Microsoft Corporation) C:\Windows\System32\crypt32.dll
2012-04-23 08:25 - 2012-06-12 14:20 - 00174592 ____A (Microsoft Corporation) C:\Windows\System32\cryptsvc.dll
2012-04-23 08:25 - 2012-06-12 14:20 - 00132096 ____A (Microsoft Corporation) C:\Windows\System32\cryptnet.dll
2012-04-23 08:00 - 2012-06-12 14:20 - 00984064 ____A (Microsoft Corporation) C:\Windows\SysWOW64\crypt32.dll
2012-04-23 08:00 - 2012-06-12 14:20 - 00133120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptsvc.dll
2012-04-23 08:00 - 2012-06-12 14:20 - 00098304 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cryptnet.dll
2012-04-18 03:26 - 2012-04-18 03:26 - 00094208 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTimeVR.qtx
2012-04-18 03:26 - 2012-04-18 03:26 - 00069632 ____A (Apple Inc.) C:\Windows\SysWOW64\QuickTime.qts


ZeroAccess:
C:\Windows\Installer\{41d4a247-4af9-8865-bacf-6c88bdc85c60}
C:\Windows\Installer\{41d4a247-4af9-8865-bacf-6c88bdc85c60}\@
C:\Windows\Installer\{41d4a247-4af9-8865-bacf-6c88bdc85c60}\U
C:\Windows\Installer\{41d4a247-4af9-8865-bacf-6c88bdc85c60}\U\00000001.@

ZeroAccess:
C:\Users\Paul\AppData\Local\{41d4a247-4af9-8865-bacf-6c88bdc85c60}
C:\Users\Paul\AppData\Local\{41d4a247-4af9-8865-bacf-6c88bdc85c60}\@
C:\Users\Paul\AppData\Local\{41d4a247-4af9-8865-bacf-6c88bdc85c60}\L
C:\Users\Paul\AppData\Local\{41d4a247-4af9-8865-bacf-6c88bdc85c60}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe BC81150939BD52DBC7A08C245F1FB229 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 10%
Total physical RAM: 4093.27 MB
Available physical RAM: 3652.7 MB
Total Pagefile: 3964.92 MB
Available Pagefile: 3628.84 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:581.11 GB) (Free:254.71 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (G-USB) (Removable) (Total:0.95 GB) (Free:0.12 GB) FAT
4 Drive x: (RECOVERY) (Fixed) (Total:15 GB) (Free:7.71 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 596 GB 0 B
Disk 1 Online 976 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 63 MB 32 KB
Partition 2 Primary 15 GB 63 MB
Partition 3 Primary 581 GB 15 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 FAT Partition 63 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 X RECOVERY NTFS Partition 15 GB Healthy Boot

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C OS NTFS Partition 581 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 976 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E G-USB FAT Removable 976 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-09 13:52

======================= End Of Log ==========================

#4 gringo_pr (Malware Response Team)
Posted 10 July 2012 - 03:47 AM

Greetings

OK, let's see if we can find a replacement for the infected file.

In Vista or Windows 7: Boot to System Recovery Options and run FRST.

Type the following in the edit box after "Search:".

services.exe

It then should look like:

Search: services.exe

Click Search button and post the log (Search.txt) it makes to your reply.


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 johpg (Topic Starter)

Posted 10 July 2012 - 05:27 AM

Farbar Recovery Scan Tool Version: 09-07-2012
Ran by SYSTEM at 2012-07-10 19:25:35
Running from E:\Virus

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-06-26 06:47] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-06-26 06:47] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\SysWOW64\services.exe
[2009-06-26 06:47] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\System32\services.exe
[2009-06-26 06:47] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) BC81150939BD52DBC7A08C245F1FB229

====== End Of Search ======

#6 gringo_pr (Malware Response Team)
Posted 10 July 2012 - 07:31 AM

Hello

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe C:\Windows\System32\services.exe
C:\Users\Paul\AppData\Local\{41d4a247-4af9-8865-bacf-6c88bdc85c60}
C:\Windows\Installer\{41d4a247-4af9-8865-bacf-6c88bdc85c60}


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Gringo
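
The two checks FRST is doing in the logs above (the "Bamital & volsnap" MD5 comparison that flagged C:\Windows\System32\services.exe, and the Search/Replace against the WinSxS copy of the same build), written out as an added Python example. This is not FRST's code and not something posted in the thread. It takes a Windows folder and a Users folder as parameters (assumed, so it can be pointed at a volume mounted from a recovery environment, as the thread does, rather than at the running system), and build_sample_tree() fabricates a small tree in a temp directory, with constructed file bodies rather than real binaries, so the example runs offline. The "6.0.6002.18005" build string is taken from the Search log; which version is live on a real machine has to be supplied by the caller.

```python
"""Added example (not FRST's code and not from the thread): the two checks
behind the FRST output above, over a real Windows tree or the constructed sample."""
import hashlib
import os
import re
import tempfile
from collections import namedtuple
from typing import Dict, List

# Windows\Installer legitimately holds {GUID} folders (MSI cache), so the
# name alone proves nothing; the '@' file and U/L subfolders are the tell.
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# e.g. amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_<hash>
SXS_SERVICES = re.compile(
    r"^(?P<arch>amd64|x86)_microsoft-windows-s\.\.s-servicecontroller_"
    r"[0-9a-f]{16}_(?P<version>[0-9.]+)_", re.I)


def md5_file(path: str) -> str:
    """Upper-case hex MD5, the form FRST prints."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def zeroaccess_dirs(windows_root: str, users_root: str) -> List[str]:
    """{GUID} folders laid out like those in the log: an '@' file plus a 'U'
    (sometimes also 'L') subfolder under Windows\\Installer or AppData\\Local."""
    parents = [os.path.join(windows_root, "Installer")] + [
        os.path.join(users_root, u, "AppData", "Local")
        for u in (os.listdir(users_root) if os.path.isdir(users_root) else [])]
    hits = []
    for parent in (p for p in parents if os.path.isdir(p)):
        for name in os.listdir(parent):
            full = os.path.join(parent, name)
            if os.path.isdir(full) and GUID_DIR.match(name):
                entries = set(os.listdir(full))
                if "@" in entries and entries & {"U", "L"}:
                    hits.append(full)
    return sorted(hits)


SxsCopy = namedtuple("SxsCopy", "path arch version md5")


def winsxs_services_copies(windows_root: str) -> List[SxsCopy]:
    """What 'Search: services.exe' returns, restricted to the WinSxS store."""
    sxs = os.path.join(windows_root, "winsxs")
    copies = []
    for comp in (os.listdir(sxs) if os.path.isdir(sxs) else []):
        m = SXS_SERVICES.match(comp)
        exe = os.path.join(sxs, comp, "services.exe")
        if m and os.path.isfile(exe):
            copies.append(SxsCopy(exe, m["arch"].lower(), m["version"], md5_file(exe)))
    return copies


def check_services_exe(windows_root: str, os_version: str) -> Dict[str, object]:
    """Hash System32\\services.exe against the amd64 WinSxS copy of the build that
    is actually running (6.0.6002.18005 in the log); that copy is what the
    Replace: line uses. Another version would give a false 'tampered'."""
    live_md5 = md5_file(os.path.join(windows_root, "System32", "services.exe"))
    refs = [c for c in winsxs_services_copies(windows_root)
            if c.arch == "amd64" and c.version == os_version]
    reference = refs[0] if refs else None
    return {"live_md5": live_md5, "reference": reference,
            "tampered": reference is not None and reference.md5 != live_md5}


def build_sample_tree() -> str:
    """Constructed sample in a temp dir (no real binaries): a patched System32 copy
    of the same size as the WinSxS one, a ZeroAccess folder, a benign MSI folder."""
    root = tempfile.mkdtemp(prefix="za-demo-")
    win = os.path.join(root, "Windows")
    comp = ("amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35"
            "_6.0.6002.18005_none_2d69d4f782c83d8c")
    clean = b"MZ constructed services.exe body " * 64
    for rel, body in ((("winsxs", comp), clean), (("System32",), clean[:-1] + b"\x90")):
        os.makedirs(os.path.join(win, *rel))
        with open(os.path.join(win, *rel, "services.exe"), "wb") as f:
            f.write(body)
    za = os.path.join(win, "Installer", "{41d4a247-4af9-8865-bacf-6c88bdc85c60}")
    os.makedirs(os.path.join(za, "U"))
    open(os.path.join(za, "@"), "wb").close()
    os.makedirs(os.path.join(win, "Installer", "{00000000-0000-0000-0000-000000000001}"))
    os.makedirs(os.path.join(root, "Users", "Paul", "AppData", "Local"))
    return root


def run_demo() -> Dict[str, object]:
    """Run both checks over the constructed tree and return the findings."""
    root = build_sample_tree()
    win, users = os.path.join(root, "Windows"), os.path.join(root, "Users")
    result = check_services_exe(win, "6.0.6002.18005")
    result["zeroaccess"] = zeroaccess_dirs(win, users)
    result["windows_root"] = win
    return result
```

Two details from the logs drive the design. In the Search output the patched System32 copy has the same size (384512 bytes) and the same dates as the clean amd64 WinSxS copy; only the MD5 differs, so size or timestamp comparisons would have missed it and the check hashes the files. And the reference must be the WinSxS copy of the build that is live (6.0.6002.18005, not the 6.0.6001.18000 copy that is also present), which is why the helper's Replace: line names that exact component folder.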

#7 johpg (Topic Starter)

Posted 10 July 2012 - 07:45 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 09-07-2012
Ran by SYSTEM at 2012-07-10 22:11:17 Run:1
Running from D:\Virus

==============================================

C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe copied successfully to C:\Windows\System32\services.exe
C:\Users\Paul\AppData\Local\{41d4a247-4af9-8865-bacf-6c88bdc85c60} moved successfully.
C:\Windows\Installer\{41d4a247-4af9-8865-bacf-6c88bdc85c60} moved successfully.

==== End of Fixlog ====

#8 gringo_pr (Malware Response Team)
Posted 10 July 2012 - 07:49 AM

Hello

I Would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion," please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#9 johpg (Topic Starter)

Posted 10 July 2012 - 08:58 AM

Combofix complained about AVG2012 even though I had temporarily disabled it.
I went ahead anyway.

After Combofix scan I re-enabled AVG and there has been no 800000cb.@ reports so far.

Combofix log:

ComboFix 12-07-10.01 - Paul 10/07/2012 22:58:31.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.4093.2635 [GMT 9.5:30]
Running from: c:\users\Paul\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\users\Paul\AppData\Local\assembly\tmp
c:\users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum
c:\users\Paul\AppData\Roaming\ubot
.
.
((((((((((((((((((((((((( Files Created from 2012-06-10 to 2012-07-10 )))))))))))))))))))))))))))))))
.
.
2012-07-11 01:40 . 2012-07-11 01:40 -------- d-----w- C:\FRST
2012-07-10 13:39 . 2012-07-10 13:44 -------- d-----w- c:\users\Paul\AppData\Local\temp
2012-07-10 13:39 . 2012-07-10 13:39 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp
2012-07-10 13:39 . 2012-07-10 13:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-10 01:50 . 2012-07-10 01:50 -------- d-----w- c:\users\Paul\AppData\Roaming\Malwarebytes
2012-07-10 01:48 . 2012-07-10 01:49 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-07-10 01:48 . 2012-07-10 01:48 -------- d-----w- c:\programdata\Malwarebytes
2012-07-10 01:48 . 2012-04-04 06:26 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-09 12:43 . 2012-07-09 12:43 -------- d-----w- c:\users\Paul\AppData\Local\{B4ECBA53-C9C3-11E1-8270-B8AC6F996F26}
2012-07-09 12:43 . 2012-07-09 12:43 -------- d-----w- c:\users\Paul\AppData\Local\{B4EC8610-C9C3-11E1-8270-B8AC6F996F26}
2012-07-09 12:42 . 2012-07-09 12:45 -------- d-----w- c:\programdata\F4D55F3B00007AC4000003AE570F1C8B
2012-07-09 12:41 . 2012-07-09 12:45 -------- d-----w- c:\users\Paul\AppData\Roaming\Umeqar
2012-07-09 12:41 . 2012-07-09 12:43 -------- d-----w- c:\users\Paul\AppData\Roaming\Avveo
2012-07-09 12:41 . 2012-07-09 12:41 -------- d-----w- c:\users\Paul\AppData\Roaming\Moif
2012-07-06 05:36 . 2012-07-06 05:36 -------- d-----w- c:\program files (x86)\MobileSiteBuilder
2012-07-06 05:32 . 2012-07-06 05:32 -------- d-----w- c:\users\Paul\AppData\Roaming\MobileSiteBuilder
2012-07-04 05:06 . 2012-07-09 07:55 -------- d-----w- c:\users\Paul\AppData\Roaming\Skype
2012-07-04 05:05 . 2012-07-04 05:05 -------- d-----w- c:\program files (x86)\Common Files\Skype
2012-07-04 05:05 . 2012-07-04 05:05 -------- d-----r- c:\program files (x86)\Skype
2012-07-04 05:05 . 2012-07-04 05:06 -------- d-----w- c:\programdata\Skype
2012-06-29 04:42 . 2012-06-29 04:42 -------- d-----w- c:\program files (x86)\poi
2012-06-26 05:36 . 2012-06-26 05:36 -------- d-----w- c:\users\Paul\AppData\Roaming\poi
2012-06-25 23:02 . 2012-06-25 23:02 -------- d-----w- c:\users\Paul\AppData\Local\Macromedia
2012-06-21 22:45 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-21 22:45 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-21 22:45 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-21 22:45 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 22:44 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-21 22:44 . 2012-06-02 22:19 35864 ----a-w- c:\windows\SysWow64\wups.dll
2012-06-21 22:44 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-21 22:44 . 2012-06-02 22:19 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
2012-06-21 22:44 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 22:44 . 2012-06-02 22:12 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
2012-06-21 22:44 . 2012-06-02 05:49 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-21 22:44 . 2012-06-02 05:49 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
2012-06-21 22:44 . 2012-06-02 05:45 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-21 22:44 . 2012-06-02 05:42 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
2012-06-13 14:05 . 2012-05-18 02:51 174200 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2012-06-12 22:20 . 2012-05-01 14:29 209920 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-12 22:20 . 2012-05-15 20:15 2767360 ----a-w- c:\windows\system32\win32k.sys
2012-06-12 22:20 . 2012-04-23 16:25 174592 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-12 22:20 . 2012-04-23 16:25 132096 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-12 22:20 . 2012-04-23 16:25 1267200 ----a-w- c:\windows\system32\crypt32.dll
2012-06-12 22:20 . 2012-04-23 16:00 984064 ----a-w- c:\windows\SysWow64\crypt32.dll
2012-06-12 22:20 . 2012-04-23 16:00 98304 ----a-w- c:\windows\SysWow64\cryptnet.dll
2012-06-12 22:20 . 2012-04-23 16:00 133120 ----a-w- c:\windows\SysWow64\cryptsvc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-08 22:42 . 2011-02-07 04:33 164880 ---ha-w- c:\users\Paul\AppData\Roaming\Microsoft\Virtual PC\VPCKeyboard.dll
2012-06-25 02:15 . 2012-03-30 10:10 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-25 02:15 . 2011-05-21 00:31 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-18 11:26 . 2012-04-18 11:26 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-04-18 11:26 . 2012-04-18 11:26 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Paul\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Paul\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Paul\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-02 39408]
"MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-26 421736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-18 421888]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Stash.lnk - c:\program files (x86)\Mozy\Stash\Stash.exe [2012-4-26 5592576]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2012-6-4 6271376]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-25 250056]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-01-13 88576]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 02:15]
.
2012-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-29 13:08]
.
2012-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-29 13:08]
.
2012-07-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3806364039-2167549492-3954559941-1003Core.job
- c:\users\Paul\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-04 06:18]
.
2012-07-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3806364039-2167549492-3954559941-1003UA.job
- c:\users\Paul\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-04 06:18]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Paul\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Paul\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Paul\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Paul\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\HardLinkMenu]
@="{0A479751-02BC-11d3-A855-0004AC2568AA}"
[HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568AA}]
2012-03-17 08:14 517832 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHardLink]
@="{0A479751-02BC-11d3-A855-0004AC2568DD}"
[HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568DD}]
2012-03-17 08:14 517832 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlaySymbolicLink]
@="{0A479751-02BC-11d3-A855-0004AC2568EE}"
[HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568EE}]
2012-03-17 08:14 517832 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2012-06-04 06:47 6301584 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2012-06-04 06:47 6301584 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com.au/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: &Download by Orbit - c:\program files (x86)\Orbitdownloader\orbitmxt.dll/201
IE: &Explode All Tables - c:\windows\web\expld_tb.htm
IE: &Grab video by Orbit - c:\program files (x86)\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files (x86)\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files (x86)\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Resize &Window - c:\windowresizer\winresize.html
TCP: DhcpNameServer = 192.168.2.1 10.1.1.1 192.168.1.1 203.134.64.66
TCP: Interfaces\{14DE9B73-815C-4E55-89DD-F3963F6309C9}: NameServer = 208.67.222.222,208.67.222.220
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\yx6iq2xd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bom.gov.au/products/IDS65031.shtml|http://www.coastalwatch.com/components/popup7dayforecast.aspx?swellSection=WaveHeightPeriodandWindSpeed&regionID=50|http://www.surfsouthoz.com/index2.php|http://www.swellnet.com.au/reports/mid-coast/daily|http://www.swellnet.com.au/reports/victor-harbor/daily|http://www.swellnet.com.au/surfcams/middleton|http://www.seabreeze.com.au/graphs/sa_synoptic.asp?loc=ADEL&stateid=4|http://www.bom.gov.au/sa/forecasts/south-central-coast.shtml
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-BacklinkSyndicator 2.1 - c:\users\Paul\Documents\BacklinkSyndicator 2.1\Uninstall-BacklinkSyndicator.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{048DBD20-445E8C82-05040104}]
"ImagePath"="\??\c:\progra~2\DELLSU~1\HWDiag\bin\PCD5SRVC_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe
c:\program files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files (x86)\EaseUS\Todo Backup\bin\Agent.exe
c:\program files (x86)\EaseUS\Todo Backup\bin\GuardAgent.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe
c:\program files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
.
**************************************************************************
.
Completion time: 2012-07-10 23:21:40 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-10 13:51
.
Pre-Run: 274,154,291,200 bytes free
Post-Run: 276,420,222,976 bytes free
.
- - End Of File - - D967DA04433FFB47426749DCE9D53AE0


Thank you for all your help.
I am going to sleep now because it is late, so I will not reply to any new posts for about 7 hours.

#10 johpg (Topic Starter)

Posted 10 July 2012 - 05:09 PM

Rebooted my system and have not seen any AVG notifications of 800000cb.@
Computer seems to be running normally.

Does this mean that the problem has been fixed?

#11 gringo_pr (Malware Response Team)

Posted 10 July 2012 - 08:46 PM

Greetings

That is the first step, but it looks very good.

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
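A TDSSKiller report like the one requested above runs to several hundred lines, almost all of them ending in "- ok". The script below is an added example, not part of this thread and not Kaspersky's own tooling, that reads the scan section of such a log and pulls out what a helper would actually look at first: every service or driver whose verdict is not literally "ok" (including entries whose file line never received a verdict), "ok" entries with no backing file listed, and any free-form line inside the scan section that fits neither of the two usual shapes. The embedded sample log is constructed for the example and patterned on the format visible in this thread; the "exampledrv" entry, its all-zero hash and its verdict text are placeholders, and the "Scan finished" terminator is assumed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One log line: "HH:MM:SS.mmmm  PID  text" (the text may be empty)
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s*(?P<rest>.*)$")
# "name (32-hex md5) C:\path\to\file"
FILE_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$")
# "name - ok" or "name - <anything else>"
VERDICT_RE = re.compile(r"^(?P<name>.+?) - (?P<verdict>.+)$")


@dataclass
class Entry:
    name: str          # service/driver name as TDSSKiller prints it
    md5: str = ""      # hash of the backing file, if one was listed
    path: str = ""     # on-disk path of the backing file, if one was listed
    verdict: str = ""  # text after " - ", normally "ok"; empty if never given


def parse_tdsskiller(log_text: str) -> Tuple[List[Entry], List[str]]:
    """Parse the scan section (between "Scan started" and "Scan finished").

    Returns the entries in the order first seen, plus the scan-section lines
    that match neither the file shape nor the verdict shape; those are kept
    verbatim so a reviewer sees them rather than silently losing them.
    """
    entries: Dict[str, Entry] = {}
    order: List[str] = []
    notes: List[str] = []
    in_scan = False
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        if rest == "Scan started":
            in_scan = True
            continue
        if rest.startswith("Scan finished"):  # assumed terminator; EOF also works
            break
        if not in_scan or not rest or rest.startswith("=") or rest.startswith("Mode:"):
            continue
        fm = FILE_RE.match(rest)
        vm = None if fm else VERDICT_RE.match(rest)
        hit = fm or vm
        if hit is None:
            notes.append(rest)
            continue
        name = hit.group("name")
        if name not in entries:
            entries[name] = Entry(name)
            order.append(name)
        if fm:
            entries[name].md5 = fm.group("md5").lower()
            entries[name].path = fm.group("path")
        else:
            entries[name].verdict = vm.group("verdict").strip()
    return [entries[n] for n in order], notes


def triage(log_text: str) -> dict:
    """Summarise a log: what to look at first and what is clean."""
    entries, notes = parse_tdsskiller(log_text)
    flagged = [e for e in entries if e.verdict != "ok"]
    no_file = [e for e in entries if e.verdict == "ok" and not e.path]
    return {
        "total": len(entries),
        "ok": len(entries) - len(flagged),
        "flagged": flagged,   # verdict is not literally "ok" (or missing)
        "no_file": no_file,   # "ok" but no backing file was listed
        "notes": notes,       # free-form lines inside the scan section
    }


# Constructed sample, patterned on the log format in this thread. The ACPI
# line is copied from the thread; "exampledrv", its hash and its verdict are
# placeholders invented for this example, not real detection output.
SAMPLE_LOG = r"""
11:43:18.0939 8156 Initialize success
11:43:18.0939 8156 ============================================================
11:43:22.0356 5008 Scan started
11:43:22.0356 5008 Mode: Manual;
11:43:22.0356 5008 ============================================================
11:43:23.0635 5008 ACPI (1965aaffab07e3fb03c77f81beba3547) C:\Windows\system32\drivers\acpi.sys
11:43:23.0650 5008 ACPI - ok
11:43:25.0850 5008 Beep - ok
11:43:26.0001 5008 exampledrv (00000000000000000000000000000002) C:\Windows\system32\drivers\exampledrv.sys
11:43:26.0002 5008 exampledrv - detected Placeholder.Verdict ( 0 )
11:43:26.0003 5008 Suspicious note line kept for manual review (constructed)
11:43:27.0000 5008 Scan finished
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['total']} entries, {result['ok']} ok, {len(result['flagged'])} to review")
    for e in result["flagged"]:
        print(f"REVIEW  {e.name}: {e.verdict}  md5={e.md5 or '-'}  path={e.path or '-'}")
    for e in result["no_file"]:
        print(f"NOFILE  {e.name}")
    for n in result["notes"]:
        print(f"NOTE    {n}")
```

Paste a real report into SAMPLE_LOG (or read it from the file named in the instructions above) and run the script; entries marked REVIEW are the ones to bring up in the thread, and the md5/path pairs it prints are what you would compare against a known-good copy of the same file.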

#12 johpg

johpg
  • Topic Starter

  • Members
  • 25 posts
  • Local time:03:05 PM

Posted 10 July 2012 - 10:47 PM

11:43:16.0318 8156 TDSS rootkit removing tool 2.7.45.0 Jul 9 2012 12:46:35
11:43:18.0097 8156 ============================================================
11:43:18.0097 8156 Current date / time: 2012/07/11 11:43:18.0097
11:43:18.0097 8156 SystemInfo:
11:43:18.0097 8156
11:43:18.0097 8156 OS Version: 6.0.6002 ServicePack: 2.0
11:43:18.0097 8156 Product type: Workstation
11:43:18.0097 8156 ComputerName: PJ
11:43:18.0097 8156 UserName: Paul
11:43:18.0097 8156 Windows directory: C:\Windows
11:43:18.0097 8156 System windows directory: C:\Windows
11:43:18.0097 8156 Running under WOW64
11:43:18.0097 8156 Processor architecture: Intel x64
11:43:18.0097 8156 Number of processors: 2
11:43:18.0097 8156 Page size: 0x1000
11:43:18.0097 8156 Boot type: Normal boot
11:43:18.0097 8156 ============================================================
11:43:18.0861 8156 Drive \Device\Harddisk0\DR0 - Size: 0x950B056000 (596.17 Gb), SectorSize: 0x200, Cylinders: 0x13001, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
11:43:18.0861 8156 Drive \Device\Harddisk1\DR1 - Size: 0x3D000000 (0.95 Gb), SectorSize: 0x200, Cylinders: 0x7C, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
11:43:18.0861 8156 ============================================================
11:43:18.0861 8156 \Device\Harddisk0\DR0:
11:43:18.0877 8156 MBR partitions:
11:43:18.0877 8156 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x1F800, BlocksNum 0x1E00000
11:43:18.0877 8156 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1E1F800, BlocksNum 0x48A38000
11:43:18.0877 8156 \Device\Harddisk1\DR1:
11:43:18.0877 8156 MBR partitions:
11:43:18.0877 8156 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x6, StartLBA 0x20, BlocksNum 0x1E7FE0
11:43:18.0877 8156 ============================================================
11:43:18.0908 8156 C: <-> \Device\Harddisk0\DR0\Partition1
11:43:18.0939 8156 D: <-> \Device\Harddisk0\DR0\Partition0
11:43:18.0939 8156 ============================================================
11:43:18.0939 8156 Initialize success
11:43:18.0939 8156 ============================================================
11:43:22.0356 5008 ============================================================
11:43:22.0356 5008 Scan started
11:43:22.0356 5008 Mode: Manual;
11:43:22.0356 5008 ============================================================
11:43:23.0635 5008 ACPI (1965aaffab07e3fb03c77f81beba3547) C:\Windows\system32\drivers\acpi.sys
11:43:23.0650 5008 ACPI - ok
11:43:23.0728 5008 AdobeARMservice (62b7936f9036dd6ed36e6a7efa805dc0) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
11:43:23.0728 5008 AdobeARMservice - ok
11:43:23.0822 5008 AdobeFlashPlayerUpdateSvc (990dc6edc9f933194d7cd4e65146bc94) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
11:43:23.0838 5008 AdobeFlashPlayerUpdateSvc - ok
11:43:23.0884 5008 adp94xx (f14215e37cf124104575073f782111d2) C:\Windows\system32\drivers\adp94xx.sys
11:43:23.0931 5008 adp94xx - ok
11:43:23.0962 5008 adpahci (7d05a75e3066861a6610f7ee04ff085c) C:\Windows\system32\drivers\adpahci.sys
11:43:23.0962 5008 adpahci - ok
11:43:23.0994 5008 adpu160m (820a201fe08a0c345b3bedbc30e1a77c) C:\Windows\system32\drivers\adpu160m.sys
11:43:23.0994 5008 adpu160m - ok
11:43:24.0025 5008 adpu320 (9b4ab6854559dc168fbb4c24fc52e794) C:\Windows\system32\drivers\adpu320.sys
11:43:24.0025 5008 adpu320 - ok
11:43:24.0056 5008 AeLookupSvc (0f421175574bfe0bf2f4d8e910a253bb) C:\Windows\System32\aelupsvc.dll
11:43:24.0056 5008 AeLookupSvc - ok
11:43:24.0103 5008 AERTFilters (7394641611ef3ab2d041f104f1e8c1b9) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
11:43:24.0103 5008 AERTFilters - ok
11:43:24.0134 5008 AFD (c4f6ce6087760ad70960c9eb130e7943) C:\Windows\system32\drivers\afd.sys
11:43:24.0150 5008 AFD - ok
11:43:24.0165 5008 agp440 (f6f6793b7f17b550ecfdbd3b229173f7) C:\Windows\system32\drivers\agp440.sys
11:43:24.0165 5008 agp440 - ok
11:43:24.0181 5008 aic78xx (222cb641b4b8a1d1126f8033f9fd6a00) C:\Windows\system32\drivers\djsvs.sys
11:43:24.0181 5008 aic78xx - ok
11:43:24.0196 5008 ALG (5922f4f59b7868f3d74bbbbeb7b825a3) C:\Windows\System32\alg.exe
11:43:24.0196 5008 ALG - ok
11:43:24.0212 5008 aliide (9544c2c55541c0c6bfd7b489d0e7d430) C:\Windows\system32\drivers\aliide.sys
11:43:24.0212 5008 aliide - ok
11:43:24.0259 5008 amdide (970fa5059e61e30d25307b99903e991e) C:\Windows\system32\drivers\amdide.sys
11:43:24.0259 5008 amdide - ok
11:43:24.0274 5008 AmdK8 (cdc3632a3a5ea4dbb83e46076a3165a1) C:\Windows\system32\drivers\amdk8.sys
11:43:24.0274 5008 AmdK8 - ok
11:43:24.0337 5008 AppHostSvc (b11291cbc71231c373743055fb7f5b48) C:\Windows\system32\inetsrv\apphostsvc.dll
11:43:24.0337 5008 AppHostSvc - ok
11:43:24.0368 5008 Appinfo (9c37b3fd5615477cb9a0cd116cf43f5c) C:\Windows\System32\appinfo.dll
11:43:24.0368 5008 Appinfo - ok
11:43:24.0446 5008 Apple Mobile Device (7ef47644b74ebe721cc32211d3c35e76) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
11:43:24.0446 5008 Apple Mobile Device - ok
11:43:24.0462 5008 arc (ba8417d4765f3988ff921f30f630e303) C:\Windows\system32\drivers\arc.sys
11:43:24.0462 5008 arc - ok
11:43:24.0462 5008 arcsas (9d41c435619733b34cc16a511e644b11) C:\Windows\system32\drivers\arcsas.sys
11:43:24.0462 5008 arcsas - ok
11:43:24.0555 5008 aspnet_state (e5a3bcbad12c9d01d36b14d4830462a4) C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe
11:43:24.0555 5008 aspnet_state - ok
11:43:24.0586 5008 AsyncMac (22d13ff3dafec2a80634752b1eaa2de6) C:\Windows\system32\DRIVERS\asyncmac.sys
11:43:24.0586 5008 AsyncMac - ok
11:43:24.0618 5008 atapi (e68d9b3a3905619732f7fe039466a623) C:\Windows\system32\drivers\atapi.sys
11:43:24.0618 5008 atapi - ok
11:43:24.0680 5008 Ati External Event Utility (25508c3a6565f06f30d645e11c6c25ec) C:\Windows\system32\Ati2evxx.exe
11:43:24.0696 5008 Ati External Event Utility - ok
11:43:24.0930 5008 atikmdag (db96850170c9895d855463c207fbd4ad) C:\Windows\system32\DRIVERS\atikmdag.sys
11:43:25.0008 5008 atikmdag - ok
11:43:25.0101 5008 AudioEndpointBuilder (79318c744693ec983d20e9337a2f8196) C:\Windows\System32\Audiosrv.dll
11:43:25.0117 5008 AudioEndpointBuilder - ok
11:43:25.0117 5008 AudioSrv (79318c744693ec983d20e9337a2f8196) C:\Windows\System32\Audiosrv.dll
11:43:25.0132 5008 AudioSrv - ok
11:43:25.0382 5008 AVGIDSAgent (6d440ff3f44ca72edfd6176c6d6a89c0) C:\Program Files (x86)\AVG\AVG2012\AVGIDSAgent.exe
11:43:25.0429 5008 AVGIDSAgent - ok
11:43:25.0538 5008 AVGIDSDriver (fa46adf6e497cf185160f09e603ce2a3) C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys
11:43:25.0538 5008 AVGIDSDriver - ok
11:43:25.0569 5008 AVGIDSEH (d6b93e5d8b96a66f55a4d2ee7f24667c) C:\Windows\system32\DRIVERS\AVGIDSEH.Sys
11:43:25.0569 5008 AVGIDSEH - ok
11:43:25.0600 5008 AVGIDSFilter (ff6551f1ab0da3b30c9dec923f21b504) C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys
11:43:25.0600 5008 AVGIDSFilter - ok
11:43:25.0647 5008 Avgldx64 (979cf8912449a10b987218bff80a1fa3) C:\Windows\system32\DRIVERS\avgldx64.sys
11:43:25.0663 5008 Avgldx64 - ok
11:43:25.0694 5008 Avgmfx64 (36b1a5843695766eac714daffc5b84d1) C:\Windows\system32\DRIVERS\avgmfx64.sys
11:43:25.0694 5008 Avgmfx64 - ok
11:43:25.0725 5008 Avgrkx64 (1102239fb724527f1febbbbccf6bf313) C:\Windows\system32\DRIVERS\avgrkx64.sys
11:43:25.0725 5008 Avgrkx64 - ok
11:43:25.0788 5008 avgwd (6699ece24fe4b3f752a66c66a602ee86) C:\Program Files (x86)\AVG\AVG2012\avgwdsvc.exe
11:43:25.0788 5008 avgwd - ok
11:43:25.0850 5008 BcmSqlStartupSvc (6163664c7e9cd110af70180c126c3fdc) C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
11:43:25.0850 5008 BcmSqlStartupSvc - ok
11:43:25.0850 5008 Beep - ok
11:43:25.0897 5008 BFE (ffb96c2589ffa60473ead78b39fbde29) C:\Windows\System32\bfe.dll
11:43:25.0912 5008 BFE - ok
11:43:26.0474 5008 BITS (6d316f4859634071cc25c4fd4589ad2c) C:\Windows\system32\qmgr.dll
11:43:26.0474 5008 BITS - ok
11:43:26.0802 5008 blbdrive (79feeb40056683f8f61398d81dda65d2) C:\Windows\system32\drivers\blbdrive.sys
11:43:26.0833 5008 blbdrive - ok
11:43:27.0457 5008 Bonjour Service (ebbcd5dfbb1de70e8f4af8fa59e401fd) C:\Program Files\Bonjour\mDNSResponder.exe
11:43:27.0472 5008 Bonjour Service - ok
11:43:27.0519 5008 bowser (2348447a80920b2493a9b582a23e81e1) C:\Windows\system32\DRIVERS\bowser.sys
11:43:27.0519 5008 bowser - ok
11:43:27.0566 5008 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\drivers\brfiltlo.sys
11:43:27.0566 5008 BrFiltLo - ok
11:43:27.0597 5008 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\drivers\brfiltup.sys
11:43:27.0597 5008 BrFiltUp - ok
11:43:27.0628 5008 Browser (a1b39de453433b115b4ea69ee0343816) C:\Windows\System32\browser.dll
11:43:27.0628 5008 Browser - ok
11:43:27.0644 5008 Brserid (f0f0ba4d815be446aa6a4583ca3bca9b) C:\Windows\system32\drivers\brserid.sys
11:43:27.0644 5008 Brserid - ok
11:43:27.0660 5008 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\system32\drivers\brserwdm.sys
11:43:27.0660 5008 BrSerWdm - ok
11:43:27.0675 5008 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\system32\drivers\brusbmdm.sys
11:43:27.0675 5008 BrUsbMdm - ok
11:43:27.0691 5008 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\system32\drivers\brusbser.sys
11:43:27.0691 5008 BrUsbSer - ok
11:43:28.0502 5008 BrYNSvc (ea7e57f87d6fee5fd6c5f813c04e8cd2) C:\Program Files (x86)\Browny02\BrYNSvc.exe
11:43:28.0502 5008 BrYNSvc - ok
11:43:28.0518 5008 BTHMODEM (e0777b34e05f8a82a21856efc900c29f) C:\Windows\system32\drivers\bthmodem.sys
11:43:28.0518 5008 BTHMODEM - ok
11:43:28.0658 5008 catchme - ok
11:43:28.0689 5008 cdfs (b4d787db8d30793a4d4df9feed18f136) C:\Windows\system32\DRIVERS\cdfs.sys
11:43:28.0689 5008 cdfs - ok
11:43:28.0720 5008 cdrom (c025aa69be3d0d25c7a2e746ef6f94fc) C:\Windows\system32\DRIVERS\cdrom.sys
11:43:28.0736 5008 cdrom - ok
11:43:28.0767 5008 CertPropSvc (5a268127633c7ee2a7fb87f39d748d56) C:\Windows\System32\certprop.dll
11:43:28.0767 5008 CertPropSvc - ok
11:43:28.0798 5008 circlass (02ea568d498bbdd4ba55bf3fce34d456) C:\Windows\system32\drivers\circlass.sys
11:43:28.0798 5008 circlass - ok
11:43:29.0142 5008 CLFS (3dca9a18b204939cfb24bea53e31eb48) C:\Windows\system32\CLFS.sys
11:43:29.0454 5008 CLFS - ok
11:43:29.0500 5008 clr_optimization_v2.0.50727_32 (8ee772032e2fe80a924f3b8dd5082194) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
11:43:29.0500 5008 clr_optimization_v2.0.50727_32 - ok
11:43:29.0578 5008 clr_optimization_v2.0.50727_64 (ce07a466201096f021cd09d631b21540) C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
11:43:29.0594 5008 clr_optimization_v2.0.50727_64 - ok
11:43:29.0641 5008 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
11:43:29.0641 5008 clr_optimization_v4.0.30319_32 - ok
11:43:29.0672 5008 clr_optimization_v4.0.30319_64 (c6f9af94dcd58122a4d7e89db6bed29d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
11:43:29.0672 5008 clr_optimization_v4.0.30319_64 - ok
11:43:29.0703 5008 cmdide (e5d5499a1c50a54b5161296b6afe6192) C:\Windows\system32\drivers\cmdide.sys
11:43:29.0703 5008 cmdide - ok
11:43:29.0734 5008 Compbatt (34a6aa82aa36c87fc8816f2097efa345) C:\Windows\system32\drivers\compbatt.sys
11:43:29.0734 5008 Compbatt - ok
11:43:29.0734 5008 COMSysApp - ok
11:43:29.0750 5008 crcdisk (a8585b6412253803ce8efcbd6d6dc15c) C:\Windows\system32\drivers\crcdisk.sys
11:43:29.0750 5008 crcdisk - ok
11:43:29.0797 5008 CryptSvc (62740b9d2a137e8ced41a9e4239a7a31) C:\Windows\system32\cryptsvc.dll
11:43:29.0812 5008 CryptSvc - ok
11:43:29.0859 5008 DcomLaunch (cf8b9a3a5e7dc57724a89d0c3e8cf9ef) C:\Windows\system32\rpcss.dll
11:43:29.0875 5008 DcomLaunch - ok
11:43:29.0906 5008 DfsC (8b722ba35205c71e7951cdc4cdbade19) C:\Windows\system32\Drivers\dfsc.sys
11:43:29.0906 5008 DfsC - ok
11:43:30.0078 5008 DFSR (c647f468f7de343df8c143655c5557d4) C:\Windows\system32\DFSR.exe
11:43:30.0124 5008 DFSR - ok
11:43:30.0202 5008 Dhcp (3ed0321127ce70acdaabbf77e157c2a7) C:\Windows\System32\dhcpcsvc.dll
11:43:30.0218 5008 Dhcp - ok
11:43:30.0249 5008 disk (b0107e40ecdb5fa692ebf832f295d905) C:\Windows\system32\drivers\disk.sys
11:43:30.0249 5008 disk - ok
11:43:30.0280 5008 Dnscache (06230f1b721494a6df8d47fd395bb1b0) C:\Windows\System32\dnsrslvr.dll
11:43:30.0280 5008 Dnscache - ok
11:43:30.0327 5008 dot3svc (1a7156dd1e850e9914e5e991e3225b94) C:\Windows\System32\dot3svc.dll
11:43:30.0343 5008 dot3svc - ok
11:43:30.0358 5008 DPS (1583b39790db3eaec7edb0cb0140c708) C:\Windows\system32\dps.dll
11:43:30.0358 5008 DPS - ok
11:43:30.0390 5008 drmkaud (f1a78a98cfc2ee02144c6bec945447e6) C:\Windows\system32\drivers\drmkaud.sys
11:43:30.0390 5008 drmkaud - ok
11:43:30.0452 5008 DXGKrnl (b8e554e502d5123bc111f99d6a2181b4) C:\Windows\System32\drivers\dxgkrnl.sys
11:43:30.0468 5008 DXGKrnl - ok
11:43:30.0514 5008 e1express (17d40652ef3e55eeae187a89df40965a) C:\Windows\system32\DRIVERS\e1e6032e.sys
11:43:30.0561 5008 e1express - ok
11:43:30.0592 5008 E1G60 (264cee7b031a9d6c827f3d0cb031f2fe) C:\Windows\system32\DRIVERS\E1G6032E.sys
11:43:30.0608 5008 E1G60 - ok
11:43:30.0655 5008 EapHost (c2303883fd9be49dc36a6400643002ea) C:\Windows\System32\eapsvc.dll
11:43:30.0655 5008 EapHost - ok
11:43:30.0733 5008 EaseUS Agent (64585b1d85ff7566b99ced303a02f357) C:\Program Files (x86)\EaseUS\Todo Backup\bin\Agent.exe
11:43:30.0733 5008 EaseUS Agent - ok
11:43:30.0764 5008 Ecache (5f94962be5a62db6e447ff6470c4f48a) C:\Windows\system32\drivers\ecache.sys
11:43:30.0764 5008 Ecache - ok
11:43:30.0826 5008 ehRecvr (14ce384d2e27b64c256bda4dc39c312d) C:\Windows\ehome\ehRecvr.exe
11:43:30.0826 5008 ehRecvr - ok
11:43:30.0842 5008 ehSched (b93159c1313d66fdfbbe876f5189cd52) C:\Windows\ehome\ehsched.exe
11:43:30.0858 5008 ehSched - ok
11:43:30.0873 5008 ehstart (f5ee2527d74449868e3c3227a59bcd28) C:\Windows\ehome\ehstart.dll
11:43:30.0873 5008 ehstart - ok
11:43:30.0904 5008 elxstor (c4636d6e10469404ab5308d9fd45ed07) C:\Windows\system32\drivers\elxstor.sys
11:43:30.0904 5008 elxstor - ok
11:43:30.0967 5008 EMDMgmt (a9b18b63a4fd6baab83326706d857fab) C:\Windows\system32\emdmgmt.dll
11:43:30.0967 5008 EMDMgmt - ok
11:43:30.0982 5008 ErrDev (991fab6aa066e1214efb5b496fb7959a) C:\Windows\system32\drivers\errdev.sys
11:43:30.0982 5008 ErrDev - ok
11:43:31.0014 5008 EUBAKUP (bf217be3db6907579c13438c6efe002d) C:\Windows\system32\drivers\eubakup.sys
11:43:31.0014 5008 EUBAKUP - ok
11:43:31.0014 5008 EUBKMON (92e3bd1f7d6d29a10929c1f9f7660fc3) C:\Windows\system32\drivers\EUBKMON.sys
11:43:31.0014 5008 EUBKMON - ok
11:43:31.0029 5008 EUDSKACS (d17446353e4fee5b7d710610e8b18ac4) C:\Windows\system32\drivers\eudskacs.sys
11:43:31.0029 5008 EUDSKACS - ok
11:43:31.0045 5008 EUFDDISK (8ad925da2e4bcd1a6e657a7248ccded2) C:\Windows\system32\drivers\EuFdDisk.sys
11:43:31.0060 5008 EUFDDISK - ok
11:43:31.0107 5008 EventSystem (e12f22b73f153dece721cd45ec05b4af) C:\Windows\system32\es.dll
11:43:31.0107 5008 EventSystem - ok
11:43:31.0138 5008 exfat (486844f47b6636044a42454614ed4523) C:\Windows\system32\drivers\exfat.sys
11:43:31.0154 5008 exfat - ok
11:43:31.0185 5008 fastfat (1a4bee34277784619ddaf0422c0c6e23) C:\Windows\system32\drivers\fastfat.sys
11:43:31.0185 5008 fastfat - ok
11:43:31.0216 5008 fdc (81b79b6df71fa1d2c6d688d830616e39) C:\Windows\system32\DRIVERS\fdc.sys
11:43:31.0216 5008 fdc - ok
11:43:31.0232 5008 fdPHost (bb9267acacd8b7533dd936c34a0cba5e) C:\Windows\system32\fdPHost.dll
11:43:31.0232 5008 fdPHost - ok
11:43:31.0248 5008 FDResPub (300c80931eabbe1db7591c516efe8d0f) C:\Windows\system32\fdrespub.dll
11:43:31.0248 5008 FDResPub - ok
11:43:31.0248 5008 FileInfo (457b7d1d533e4bd62a99aed9c7bb4c59) C:\Windows\system32\drivers\fileinfo.sys
11:43:31.0263 5008 FileInfo - ok
11:43:31.0263 5008 Filetrace (d421327fd6efccaf884a54c58e1b0d7f) C:\Windows\system32\drivers\filetrace.sys
11:43:31.0279 5008 Filetrace - ok
11:43:31.0294 5008 flpydisk (230923ea2b80f79b0f88d90f87b87ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
11:43:31.0294 5008 flpydisk - ok
11:43:31.0326 5008 FltMgr (e3041bc26d6930d61f42aedb79c91720) C:\Windows\system32\drivers\fltmgr.sys
11:43:31.0341 5008 FltMgr - ok
11:43:31.0419 5008 FontCache (be1c5bd1ca7ed015bc6fa1ae67e592c8) C:\Windows\system32\FntCache.dll
11:43:31.0450 5008 FontCache - ok
11:43:31.0497 5008 FontCache3.0.0.0 (bc5b0be5af3510b0fd8c140ee42c6d3e) C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
11:43:31.0497 5008 FontCache3.0.0.0 - ok
11:43:31.0528 5008 Fs_Rec (5779b86cd8b32519fbecb136394d946a) C:\Windows\system32\drivers\Fs_Rec.sys
11:43:31.0528 5008 Fs_Rec - ok
11:43:31.0560 5008 gagp30kx (c8e416668d3dc2be3d4fe4c79224997f) C:\Windows\system32\drivers\gagp30kx.sys
11:43:31.0560 5008 gagp30kx - ok
11:43:31.0591 5008 GEARAspiWDM (e403aacf8c7bb11375122d2464560311) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
11:43:31.0591 5008 GEARAspiWDM - ok
11:43:31.0669 5008 GoToAssist (d3316f6e3c011435f36e3d6e49b3196c) C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe
11:43:31.0669 5008 GoToAssist - ok
11:43:31.0731 5008 gpsvc (a0e1b575ba8f504968cd40c0faeb2384) C:\Windows\System32\gpsvc.dll
11:43:31.0747 5008 gpsvc - ok
11:43:31.0825 5008 Guard Agent (a6a4223573cfcf87843cfcb3a9c237c7) C:\Program Files (x86)\EaseUS\Todo Backup\bin\GuardAgent.exe
11:43:31.0825 5008 Guard Agent - ok
11:43:31.0887 5008 gupdate (8f0de4fef8201e306f9938b0905ac96a) C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
11:43:31.0887 5008 gupdate - ok
11:43:31.0918 5008 gupdatem (8f0de4fef8201e306f9938b0905ac96a) C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
11:43:31.0918 5008 gupdatem - ok
11:43:31.0965 5008 gusvc (cc839e8d766cc31a7710c9f38cf3e375) C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
11:43:31.0981 5008 gusvc - ok
11:43:32.0028 5008 HdAudAddService (68e732382b32417ff61fd663259b4b09) C:\Windows\system32\drivers\HdAudio.sys
11:43:32.0043 5008 HdAudAddService - ok
11:43:32.0106 5008 HDAudBus (f942c5820205f2fb453243edfec82a3d) C:\Windows\system32\DRIVERS\HDAudBus.sys
11:43:32.0121 5008 HDAudBus - ok
11:43:32.0152 5008 HidBth (b4881c84a180e75b8c25dc1d726c375f) C:\Windows\system32\drivers\hidbth.sys
11:43:32.0152 5008 HidBth - ok
11:43:32.0168 5008 HidIr (4e77a77e2c986e8f88f996bb3e1ad829) C:\Windows\system32\drivers\hidir.sys
11:43:32.0168 5008 HidIr - ok
11:43:32.0215 5008 hidserv (59361d38a297755d46a540e450202b2a) C:\Windows\System32\hidserv.dll
11:43:32.0215 5008 hidserv - ok
11:43:32.0230 5008 HidUsb (443bdd2d30bb4f00795c797e2cf99edf) C:\Windows\system32\DRIVERS\hidusb.sys
11:43:32.0230 5008 HidUsb - ok
11:43:32.0262 5008 hkmsvc (b12f367ea39c0795fd57e31242ce1a5a) C:\Windows\system32\kmsvc.dll
11:43:32.0262 5008 hkmsvc - ok
11:43:32.0293 5008 HpCISSs (d7109a1e6bd2dfdbcba72a6bc626a13b) C:\Windows\system32\drivers\hpcisss.sys
11:43:32.0293 5008 HpCISSs - ok
11:43:32.0355 5008 HTTP (098f1e4e5c9cb5b0063a959063631610) C:\Windows\system32\drivers\HTTP.sys
11:43:32.0355 5008 HTTP - ok
11:43:32.0386 5008 i2omp (da94c854cea5fac549d4e1f6e88349e8) C:\Windows\system32\drivers\i2omp.sys
11:43:32.0386 5008 i2omp - ok
11:43:32.0418 5008 i8042prt (cbb597659a2713ce0c9cc20c88c7591f) C:\Windows\system32\DRIVERS\i8042prt.sys
11:43:32.0433 5008 i8042prt - ok
11:43:32.0480 5008 iaStor (756879fa65978df948437ce3fd1eaccd) C:\Windows\system32\drivers\iastor.sys
11:43:32.0496 5008 iaStor - ok
11:43:32.0511 5008 iaStorV (3e3bf3627d886736d0b4e90054f929f6) C:\Windows\system32\drivers\iastorv.sys
11:43:32.0527 5008 iaStorV - ok
11:43:32.0620 5008 idsvc (749f5f8cedca70f2a512945325fc489d) C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
11:43:32.0636 5008 idsvc - ok
11:43:32.0652 5008 iirsp (8c3951ad2fe886ef76c7b5027c3125d3) C:\Windows\system32\drivers\iirsp.sys
11:43:32.0652 5008 iirsp - ok
11:43:32.0698 5008 IKEEXT (0c9ea6e654e7b0471741e343a6c671af) C:\Windows\System32\ikeext.dll
11:43:32.0714 5008 IKEEXT - ok
11:43:32.0792 5008 IntcAzAudAddService (49a1c3833af724b2555c0689347dcd05) C:\Windows\system32\drivers\RTKVHD64.sys
11:43:32.0808 5008 IntcAzAudAddService - ok
11:43:32.0870 5008 intelide (df797a12176f11b2d301c5b234bb200e) C:\Windows\system32\DRIVERS\intelide.sys
11:43:32.0870 5008 intelide - ok
11:43:32.0886 5008 intelppm (bfd84af32fa1bad6231c4585cb469630) C:\Windows\system32\DRIVERS\intelppm.sys
11:43:32.0886 5008 intelppm - ok
11:43:32.0901 5008 IPBusEnum (5624bc1bc5eeb49c0ab76a8114f05ea3) C:\Windows\system32\ipbusenum.dll
11:43:32.0901 5008 IPBusEnum - ok
11:43:32.0932 5008 IpFilterDriver (d8aabc341311e4780d6fce8c73c0ad81) C:\Windows\system32\DRIVERS\ipfltdrv.sys
11:43:32.0932 5008 IpFilterDriver - ok
11:43:32.0964 5008 iphlpsvc (bf0dbfa9792c5c14fa00f61c75116c1b) C:\Windows\System32\iphlpsvc.dll
11:43:32.0964 5008 iphlpsvc - ok
11:43:32.0964 5008 IpInIp - ok
11:43:32.0995 5008 IPMIDRV (9c2ee2e6e5a7203bfae15c299475ec67) C:\Windows\system32\drivers\ipmidrv.sys
11:43:32.0995 5008 IPMIDRV - ok
11:43:33.0010 5008 IPNAT (b7e6212f581ea5f6ab0c3a6ceeeb89be) C:\Windows\system32\DRIVERS\ipnat.sys
11:43:33.0010 5008 IPNAT - ok
11:43:33.0135 5008 iPod Service (50d6ccc6ff5561f9f56946b3e6164fb8) C:\Program Files\iPod\bin\iPodService.exe
11:43:33.0135 5008 iPod Service - ok
11:43:33.0151 5008 IRENUM (8c42ca155343a2f11d29feca67faa88d) C:\Windows\system32\drivers\irenum.sys
11:43:33.0151 5008 IRENUM - ok
11:43:33.0182 5008 isapnp (0672bfcedc6fc468a2b0500d81437f4f) C:\Windows\system32\drivers\isapnp.sys
11:43:33.0182 5008 isapnp - ok
11:43:33.0244 5008 iScsiPrt (e4fdf99599f27ec25d2cf6d754243520) C:\Windows\system32\DRIVERS\msiscsi.sys
11:43:33.0244 5008 iScsiPrt - ok
11:43:33.0260 5008 iteatapi (63c766cdc609ff8206cb447a65abba4a) C:\Windows\system32\drivers\iteatapi.sys
11:43:33.0260 5008 iteatapi - ok
11:43:33.0291 5008 iteraid (1281fe73b17664631d12f643cbea3f59) C:\Windows\system32\drivers\iteraid.sys
11:43:33.0291 5008 iteraid - ok
11:43:33.0307 5008 kbdclass (423696f3ba6472dd17699209b933bc26) C:\Windows\system32\DRIVERS\kbdclass.sys
11:43:33.0307 5008 kbdclass - ok
11:43:33.0338 5008 kbdhid (dbdf75d51464fbc47d0104ec3d572c05) C:\Windows\system32\DRIVERS\kbdhid.sys
11:43:33.0338 5008 kbdhid - ok
11:43:33.0354 5008 KeyIso (260bf9c43ee12c6898a9f5aab0fb0e5d) C:\Windows\system32\lsass.exe
11:43:33.0354 5008 KeyIso - ok
11:43:33.0400 5008 KSecDD (2758d174604f597bbc8a217ff667913d) C:\Windows\system32\Drivers\ksecdd.sys
11:43:33.0416 5008 KSecDD - ok
11:43:33.0416 5008 ksthunk (1d419cf43db29396ecd7113d129d94eb) C:\Windows\system32\drivers\ksthunk.sys
11:43:33.0416 5008 ksthunk - ok
11:43:33.0447 5008 KtmRm (1faf6926f3416d3da05c5b265491bdae) C:\Windows\system32\msdtckrm.dll
11:43:33.0463 5008 KtmRm - ok
11:43:33.0494 5008 LanmanServer (50c7a3cb427e9bb5ed0708a669956ab5) C:\Windows\System32\srvsvc.dll
11:43:33.0510 5008 LanmanServer - ok
11:43:33.0541 5008 LanmanWorkstation (caf86fc1388be1e470f1a7b43e348adb) C:\Windows\System32\wkssvc.dll
11:43:33.0556 5008 LanmanWorkstation - ok
11:43:33.0572 5008 lltdio (96ece2659b6654c10a0c310ae3a6d02c) C:\Windows\system32\DRIVERS\lltdio.sys
11:43:33.0572 5008 lltdio - ok
11:43:33.0619 5008 lltdsvc (961ccbd0b1ccb5675d64976fae37d092) C:\Windows\System32\lltdsvc.dll
11:43:33.0634 5008 lltdsvc - ok
11:43:33.0650 5008 lmhosts (a47f8080cacc23c91fe823ad19aa5612) C:\Windows\System32\lmhsvc.dll
11:43:33.0650 5008 lmhosts - ok
11:43:33.0697 5008 LMIInfo - ok
11:43:33.0728 5008 lmimirr (413ecdcfad9a82804d3674c8d7eec24e) C:\Windows\system32\DRIVERS\lmimirr.sys
11:43:33.0728 5008 lmimirr - ok
11:43:33.0744 5008 LMIRfsClientNP - ok
11:43:33.0775 5008 LMIRfsDriver (c57d3faa50e6f395759ffb7c709bd944) C:\Windows\system32\drivers\LMIRfsDriver.sys
11:43:33.0775 5008 LMIRfsDriver - ok
11:43:33.0806 5008 LSI_FC (acbe1af32d3123e330a07bfbc5ec4a9b) C:\Windows\system32\drivers\lsi_fc.sys
11:43:33.0806 5008 LSI_FC - ok
11:43:33.0822 5008 LSI_SAS (799ffb2fc4729fa46d2157c0065b3525) C:\Windows\system32\drivers\lsi_sas.sys
11:43:33.0822 5008 LSI_SAS - ok
11:43:33.0837 5008 LSI_SCSI (f445ff1daad8a226366bfaf42551226b) C:\Windows\system32\drivers\lsi_scsi.sys
11:43:33.0853 5008 LSI_SCSI - ok
11:43:33.0884 5008 luafv (52f87b9cc8932c2a7375c3b2a9be5e3e) C:\Windows\system32\drivers\luafv.sys
11:43:33.0884 5008 luafv - ok
11:43:33.0946 5008 MBAMProtector (dbc08862a71459e74f7538b432c114cc) C:\Windows\system32\drivers\mbam.sys
11:43:33.0946 5008 MBAMProtector - ok
11:43:34.0056 5008 MBAMService (ba400ed640bca1eae5c727ae17c10207) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
11:43:34.0056 5008 MBAMService - ok
11:43:34.0087 5008 Mcx2Svc (76a58df02bd4ea29f189b82d0bef17f8) C:\Windows\system32\Mcx2Svc.dll
11:43:34.0087 5008 Mcx2Svc - ok
11:43:34.0134 5008 megasas (5c5cd6aaced32fb26c3fb34b3dcf972f) C:\Windows\system32\drivers\megasas.sys
11:43:34.0134 5008 megasas - ok
11:43:34.0196 5008 MegaSR (859bc2436b076c77c159ed694acfe8f8) C:\Windows\system32\drivers\megasr.sys
11:43:34.0212 5008 MegaSR - ok
11:43:34.0243 5008 MMCSS (3cbe4995e80e13ccfbc42e5dcf3ac81a) C:\Windows\system32\mmcss.dll
11:43:34.0243 5008 MMCSS - ok
11:43:34.0274 5008 Modem (59848d5cc74606f0ee7557983bb73c2e) C:\Windows\system32\drivers\modem.sys
11:43:34.0274 5008 Modem - ok
11:43:34.0321 5008 monitor (c247cc2a57e0a0c8c6dccf7807b3e9e5) C:\Windows\system32\DRIVERS\monitor.sys
11:43:34.0321 5008 monitor - ok
11:43:34.0321 5008 mouclass (9367304e5e412b120cf5f4ea14e4e4f1) C:\Windows\system32\DRIVERS\mouclass.sys
11:43:34.0321 5008 mouclass - ok
11:43:34.0352 5008 mouhid (c2c2bd5c5ce5aaf786ddd74b75d2ac69) C:\Windows\system32\DRIVERS\mouhid.sys
11:43:34.0352 5008 mouhid - ok
11:43:34.0352 5008 MountMgr (11bc9b1e8801b01f7f6adb9ead30019b) C:\Windows\system32\drivers\mountmgr.sys
11:43:34.0352 5008 MountMgr - ok
11:43:34.0414 5008 MozillaMaintenance (96aa8ba23142cc8e2b30f3cae0c80254) C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
11:43:34.0414 5008 MozillaMaintenance - ok
11:43:34.0524 5008 mozybackup (de05af0201f216ac8c99b2c116ecd80a) C:\Program Files\MozyHome\mozybackup.exe
11:43:34.0524 5008 mozybackup - ok
11:43:34.0555 5008 mozyFilter (63aacae26891eddd23ce697651582c35) C:\Windows\system32\DRIVERS\mozy.sys
11:43:34.0555 5008 mozyFilter - ok
11:43:34.0586 5008 mpio (f8276eb8698142884498a528dfea8478) C:\Windows\system32\drivers\mpio.sys
11:43:34.0586 5008 mpio - ok
11:43:34.0602 5008 mpsdrv (c92b9abdb65a5991e00c28f13491dba2) C:\Windows\system32\drivers\mpsdrv.sys
11:43:34.0602 5008 mpsdrv - ok
11:43:34.0648 5008 MpsSvc (897e3baf68ba406a61682ae39c83900c) C:\Windows\system32\mpssvc.dll
11:43:34.0648 5008 MpsSvc - ok
11:43:34.0680 5008 Mraid35x (3c200630a89ef2c0864d515b7a75802e) C:\Windows\system32\drivers\mraid35x.sys
11:43:34.0695 5008 Mraid35x - ok
11:43:34.0726 5008 MRxDAV (7c1de4aa96dc0c071611f9e7de02a68d) C:\Windows\system32\drivers\mrxdav.sys
11:43:34.0726 5008 MRxDAV - ok
11:43:34.0742 5008 mrxsmb (1485811b320ff8c7edad1caebb1c6c2b) C:\Windows\system32\DRIVERS\mrxsmb.sys
11:43:34.0742 5008 mrxsmb - ok
11:43:34.0773 5008 mrxsmb10 (3b929a60c833fc615fd97fba82bc7632) C:\Windows\system32\DRIVERS\mrxsmb10.sys
11:43:34.0789 5008 mrxsmb10 - ok
11:43:34.0789 5008 mrxsmb20 (c64ab3e1f53b4f5b5bb6d796b2d7bec3) C:\Windows\system32\DRIVERS\mrxsmb20.sys
11:43:34.0789 5008 mrxsmb20 - ok
11:43:34.0820 5008 msahci (730b784962d22d2c6481eae2370e7c8c) C:\Windows\system32\drivers\msahci.sys
11:43:34.0820 5008 msahci - ok
11:43:34.0836 5008 msdsm (264bbb4aaf312a485f0e44b65a6b7202) C:\Windows\system32\drivers\msdsm.sys
11:43:34.0836 5008 msdsm - ok
11:43:34.0867 5008 MSDTC (7ec02ce772f068ed0beafa3da341a9bc) C:\Windows\System32\msdtc.exe
11:43:34.0882 5008 MSDTC - ok
11:43:34.0882 5008 Msfs (704f59bfc4512d2bb0146aec31b10a7c) C:\Windows\system32\drivers\Msfs.sys
11:43:34.0882 5008 Msfs - ok
11:43:34.0914 5008 msisadrv (00ebc952961664780d43dca157e79b27) C:\Windows\system32\drivers\msisadrv.sys
11:43:34.0914 5008 msisadrv - ok
11:43:34.0945 5008 MSiSCSI (366b0c1f4478b519c181e37d43dcda32) C:\Windows\system32\iscsiexe.dll
11:43:34.0945 5008 MSiSCSI - ok
11:43:34.0960 5008 msiserver - ok
11:43:34.0976 5008 MSKSSRV (0ea73e498f53b96d83dbfca074ad4cf8) C:\Windows\system32\drivers\MSKSSRV.sys
11:43:34.0976 5008 MSKSSRV - ok
11:43:34.0992 5008 MSPCLOCK (52e59b7e992a58e740aa63f57edbae8b) C:\Windows\system32\drivers\MSPCLOCK.sys
11:43:34.0992 5008 MSPCLOCK - ok
11:44:02.0277 5008 ============================================================
11:44:02.0277 5008 Scan finished
11:44:02.0277 5008 ============================================================
11:44:02.0293 5784 Detected object count: 0
11:44:02.0293 5784 Actual detected object count: 0


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-11 11:45:13
-----------------------------
11:45:13.274 OS Version: Windows x64 6.0.6002 Service Pack 2
11:45:13.274 Number of processors: 2 586 0x170A
11:45:13.274 ComputerName: PJ UserName:
11:45:14.803 Initialize success
11:47:57.454 AVAST engine defs: 12071001
11:50:25.888 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
11:50:25.888 Disk 0 Vendor: WDC_WD6400AAKS-75A7B2 01.03B01 Size: 610480MB BusType: 3
11:50:25.935 Disk 0 MBR read successfully
11:50:25.935 Disk 0 MBR scan
11:50:25.935 Disk 0 Windows VISTA default MBR code
11:50:25.950 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 62 MB offset 63
11:50:25.966 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 15360 MB offset 129024
11:50:25.982 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 595056 MB offset 31586304
11:50:26.013 Disk 0 scanning C:\Windows\system32\drivers
11:50:49.226 Service scanning
11:51:15.549 Modules scanning
11:51:15.549 Disk 0 trace - called modules:
11:51:15.580 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys ataport.SYS pciide.sys
11:51:15.580 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004b05790]
11:51:15.580 3 CLASSPNP.SYS[fffffa6000dd2c33] -> nt!IofCallDriver -> [0xfffffa800488d520]
11:51:15.580 5 acpi.sys[fffffa60008bffde] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004889940]
11:51:17.904 AVAST engine scan C:\Windows
11:51:34.284 AVAST engine scan C:\Windows\system32
11:56:25.653 AVAST engine scan C:\Windows\system32\drivers
11:56:46.467 AVAST engine scan C:\Users\Paul
13:00:51.344 AVAST engine scan C:\ProgramData
13:04:52.707 Scan finished successfully
13:14:37.863 Disk 0 MBR has been saved successfully to "C:\Users\Paul\Desktop\MBR.dat"
13:14:37.863 The log file has been saved successfully to "C:\Users\Paul\Desktop\aswMBR.txt"

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 July 2012 - 10:57 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#14 johpg

johpg
  • Topic Starter

  • Members
  • 25 posts

Posted 11 July 2012 - 12:42 AM

No problems when running ComboFix.

Computer is running well with no issues and AVG is no longer reporting c:\windows\installer\{41d4a247-4af9-8865-bacf-6c88bdc85c60}\u\800000cb.@ anymore


ComboFix 12-07-10.01 - Paul 11/07/2012 14:50:13.2.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.61.1033.18.4093.1890 [GMT 9.5:30]
Running from: c:\users\Paul\Desktop\ComboFix.exe
Command switches used :: c:\users\Paul\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Paul\AppData\Roaming\Moif
c:\users\Paul\AppData\Roaming\Moif\elwyt.app
.
.
((((((((((((((((((((((((( Files Created from 2012-06-11 to 2012-07-11 )))))))))))))))))))))))))))))))
.
.
2012-07-11 05:27 . 2012-07-11 05:27 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp
2012-07-11 05:27 . 2012-07-11 05:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-11 01:40 . 2012-07-11 01:40 -------- d-----w- C:\FRST
2012-07-11 01:39 . 2012-07-11 01:39 -------- d-----w- c:\program files\DIPS64
2012-07-10 13:51 . 2012-07-11 05:30 -------- d-----w- c:\users\Paul\AppData\Local\temp
2012-07-10 01:50 . 2012-07-10 01:50 -------- d-----w- c:\users\Paul\AppData\Roaming\Malwarebytes
2012-07-10 01:48 . 2012-07-10 01:49 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-07-10 01:48 . 2012-07-10 01:48 -------- d-----w- c:\programdata\Malwarebytes
2012-07-10 01:48 . 2012-04-04 06:26 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-09 12:43 . 2012-07-09 12:43 -------- d-----w- c:\users\Paul\AppData\Local\{B4ECBA53-C9C3-11E1-8270-B8AC6F996F26}
2012-07-09 12:43 . 2012-07-09 12:43 -------- d-----w- c:\users\Paul\AppData\Local\{B4EC8610-C9C3-11E1-8270-B8AC6F996F26}
2012-07-09 12:42 . 2012-07-09 12:45 -------- d-----w- c:\programdata\F4D55F3B00007AC4000003AE570F1C8B
2012-07-09 12:41 . 2012-07-09 12:45 -------- d-----w- c:\users\Paul\AppData\Roaming\Umeqar
2012-07-09 12:41 . 2012-07-09 12:43 -------- d-----w- c:\users\Paul\AppData\Roaming\Avveo
2012-07-06 05:36 . 2012-07-06 05:36 -------- d-----w- c:\program files (x86)\MobileSiteBuilder
2012-07-06 05:32 . 2012-07-06 05:32 -------- d-----w- c:\users\Paul\AppData\Roaming\MobileSiteBuilder
2012-07-04 05:06 . 2012-07-09 07:55 -------- d-----w- c:\users\Paul\AppData\Roaming\Skype
2012-07-04 05:05 . 2012-07-04 05:05 -------- d-----w- c:\program files (x86)\Common Files\Skype
2012-07-04 05:05 . 2012-07-04 05:05 -------- d-----r- c:\program files (x86)\Skype
2012-07-04 05:05 . 2012-07-04 05:06 -------- d-----w- c:\programdata\Skype
2012-06-29 04:42 . 2012-06-29 04:42 -------- d-----w- c:\program files (x86)\poi
2012-06-26 05:36 . 2012-06-26 05:36 -------- d-----w- c:\users\Paul\AppData\Roaming\poi
2012-06-25 23:02 . 2012-06-25 23:02 -------- d-----w- c:\users\Paul\AppData\Local\Macromedia
2012-06-21 22:45 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-21 22:45 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-21 22:45 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-21 22:45 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 22:44 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-21 22:44 . 2012-06-02 22:19 35864 ----a-w- c:\windows\SysWow64\wups.dll
2012-06-21 22:44 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-21 22:44 . 2012-06-02 22:19 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
2012-06-21 22:44 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 22:44 . 2012-06-02 22:12 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
2012-06-21 22:44 . 2012-06-02 05:49 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-21 22:44 . 2012-06-02 05:49 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
2012-06-21 22:44 . 2012-06-02 05:45 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-21 22:44 . 2012-06-02 05:42 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
2012-06-13 14:05 . 2012-05-18 02:51 174200 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2012-06-12 22:20 . 2012-05-01 14:29 209920 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-12 22:20 . 2012-05-15 20:15 2767360 ----a-w- c:\windows\system32\win32k.sys
2012-06-12 22:20 . 2012-04-23 16:25 174592 ----a-w- c:\windows\system32\cryptsvc.dll
2012-06-12 22:20 . 2012-04-23 16:25 132096 ----a-w- c:\windows\system32\cryptnet.dll
2012-06-12 22:20 . 2012-04-23 16:25 1267200 ----a-w- c:\windows\system32\crypt32.dll
2012-06-12 22:20 . 2012-04-23 16:00 984064 ----a-w- c:\windows\SysWow64\crypt32.dll
2012-06-12 22:20 . 2012-04-23 16:00 98304 ----a-w- c:\windows\SysWow64\cryptnet.dll
2012-06-12 22:20 . 2012-04-23 16:00 133120 ----a-w- c:\windows\SysWow64\cryptsvc.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-08 22:42 . 2011-02-07 04:33 164880 ---ha-w- c:\users\Paul\AppData\Roaming\Microsoft\Virtual PC\VPCKeyboard.dll
2012-06-25 02:15 . 2012-03-30 10:10 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-25 02:15 . 2011-05-21 00:31 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-04-18 11:26 . 2012-04-18 11:26 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2012-04-18 11:26 . 2012-04-18 11:26 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-10_13.44.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 02:23 . 2012-07-11 05:31 75012 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:45 . 2012-07-11 05:31 81728 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-06-24 12:25 . 2012-07-11 05:31 19142 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3806364039-2167549492-3954559941-1003_UserData.bin
- 2012-07-10 13:42 . 2012-07-10 13:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-11 05:29 . 2012-07-11 05:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-07-10 13:42 . 2012-07-10 13:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-07-11 05:29 . 2012-07-11 05:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-11-18 11:47 . 2012-07-11 05:28 416496 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2010-11-18 11:47 . 2012-07-10 13:41 416496 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2006-11-02 12:33 . 2012-06-25 01:37 11010048 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2006-11-02 12:33 . 2012-07-11 05:28 11010048 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2010-11-18 11:47 . 2012-07-11 05:28 32568796 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-3806364039-2167549492-3954559941-1003-8192.dat
+ 2012-07-11 05:16 . 2012-07-11 05:16 10964992 c:\windows\erdnt\Hiv-backup\SCHEMA.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Paul\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Paul\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 94208 ----a-w- c:\users\Paul\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-02 39408]
"MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files (x86)\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-20 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-26 421736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-18 421888]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
c:\users\Paul\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Stash.lnk - c:\program files (x86)\Mozy\Stash\Stash.exe [2012-4-26 5592576]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2012-6-4 6271376]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~2\AVG\AVG2012\avgrsa.exe /sync /restart
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-25 250056]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [2009-01-13 88576]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 02:15]
.
2012-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-29 13:08]
.
2012-07-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-29 13:08]
.
2012-07-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3806364039-2167549492-3954559941-1003Core.job
- c:\users\Paul\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-04 06:18]
.
2012-07-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3806364039-2167549492-3954559941-1003UA.job
- c:\users\Paul\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-04 06:18]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Paul\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Paul\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Paul\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-02-14 22:58 97792 ----a-w- c:\users\Paul\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\HardLinkMenu]
@="{0A479751-02BC-11d3-A855-0004AC2568AA}"
[HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568AA}]
2012-03-17 08:14 517832 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHardLink]
@="{0A479751-02BC-11d3-A855-0004AC2568DD}"
[HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568DD}]
2012-03-17 08:14 517832 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlaySymbolicLink]
@="{0A479751-02BC-11d3-A855-0004AC2568EE}"
[HKEY_CLASSES_ROOT\CLSID\{0A479751-02BC-11d3-A855-0004AC2568EE}]
2012-03-17 08:14 517832 ----a-w- c:\program files\LinkShellExtension\HardlinkShellExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2012-06-04 06:47 6301584 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2012-06-04 06:47 6301584 ----a-w- c:\program files\MozyHome\mozyshell.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com.au/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: &Download by Orbit - c:\program files (x86)\Orbitdownloader\orbitmxt.dll/201
IE: &Explode All Tables - c:\windows\web\expld_tb.htm
IE: &Grab video by Orbit - c:\program files (x86)\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files (x86)\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files (x86)\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: Resize &Window - c:\windowresizer\winresize.html
TCP: DhcpNameServer = 192.168.2.1 10.1.1.1 192.168.1.1 203.134.64.66
TCP: Interfaces\{14DE9B73-815C-4E55-89DD-F3963F6309C9}: NameServer = 208.67.222.222,208.67.222.220
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\yx6iq2xd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.bom.gov.au/products/IDS65031.shtml|http://www.coastalwatch.com/components/popup7dayforecast.aspx?swellSection=WaveHeightPeriodandWindSpeed&regionID=50|http://www.surfsouthoz.com/index2.php|http://www.swellnet.com.au/reports/mid-coast/daily|http://www.swellnet.com.au/reports/victor-harbor/daily|http://www.swellnet.com.au/surfcams/middleton|http://www.seabreeze.com.au/graphs/sa_synoptic.asp?loc=ADEL&stateid=4|http://www.bom.gov.au/sa/forecasts/south-central-coast.shtml
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{048DBD20-445E8C82-05040104}]
"ImagePath"="\??\c:\progra~2\DELLSU~1\HWDiag\bin\PCD5SRVC_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\AVG\AVG2012\avgwdsvc.exe
c:\program files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files (x86)\EaseUS\Todo Backup\bin\Agent.exe
c:\program files (x86)\EaseUS\Todo Backup\bin\GuardAgent.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files (x86)\AVG\AVG2012\AVGIDSAgent.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
.
**************************************************************************
.
Completion time: 2012-07-11 15:07:46 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-11 05:37
ComboFix2.txt 2012-07-10 13:51
.
Pre-Run: 273,129,816,064 bytes free
Post-Run: 273,288,179,712 bytes free
.
- - End Of File - - BA768CDC5E888E0F6D25F6BBF2EA01BA

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:35 AM

Posted 11 July 2012 - 12:50 AM

These logs are looking a lot better, but we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a much better job).

Programs to remove

Java™ 6 Update 20
Java™ 6 Update 31


  • Please download and install Revo Uninstaller Free.
  • Double-click Revo Uninstaller to run it.
  • From the list of programs, double-click on the program to remove.
  • When prompted if you want to uninstall, click Yes.
  • Be sure the Moderate option is selected, then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes and then Next.
  • Once done, click Finish.



Install Java:

Please go here to install Java.

  • Click on the Free Java Download button.
  • Click on Agree and Start Free Download.
  • Click on Run.
  • Click on Run again.
  • Click on Install.
  • When the install is complete, click on Close.

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here: http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install the Yahoo toolbar, uncheck the box next to it.
  • Run CCleaner. (Make sure that under the Windows tab all the boxes for Internet Explorer and Windows Explorer are checked. Under System, check Empty Recycle Bin and Temporary Files. Under the Applications tab, all the boxes should be checked.)
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM.
  • Double-click the MBAM icon.
  • Go to the Update tab at the top.
  • Click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked (ticked) except items in the C:\System Volume Information folder, and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad, ...).

  • Go here to download the HijackThis installer.
  • Save the HijackThis installer to your desktop.
  • Double-click on the HijackThis installer icon on your desktop. (On Vista and Win 7, right-click and run as admin.)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis.
  • Click on the Do a system scan and save a log file button. It will scan, and the log should open in Notepad.
  • Click on Edit > Select All, then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select Run as administrator.

"information and logs"

  • In your next post I need the following:

  • Log from MBAM
  • Report from HijackThis
  • Let me know of any problems you may have had.
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic






