virus scans reporting sirefef.r


  • This topic is locked
23 replies to this topic

#1 jason1213

jason1213

  • Members
  • 10 posts
  • Local time: 07:07 PM

Posted 15 July 2012 - 12:04 PM

I have been getting reports from my Vipre virus scanner of a sirefef.r infection for a little more than a week, but it does not seem like the software can remove it. Every other day or so, a second, different type is identified and allegedly removed, but the sirefef.r remains.

The machine will not respond if left idle for several hours, something that is a new behavior over the same timeframe. There does not yet appear to be any other strange behavior, save perhaps some strange pauses where controls slow way down for several minutes, but I'm not yet convinced that this must be a result of the virus.


The body here contains the dds.txt log.
As it appears in other threads that people dealing with sirefef.r have been instructed to run and paste an FRST.txt report, I will do that in a follow-up post.

DDS.txt log:
-
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.2.1
Run by jeshleman at 18:30:14 on 2012-07-14
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3027.1927 [GMT -7:00]
.
AV: Sunbelt VIPRE *Enabled/Updated* {BE5DD172-7F42-7948-1A60-E6A720288F81}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Sunbelt VIPRE *Enabled/Updated* {053C3096-5978-76C6-20D0-DDD55BAFC53C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\inetsrv\inetinfo.exe
c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe
C:\Program Files\Sunbelt Software\SBEAgent\SBPIMSvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Windows\system32\svchost.exe -k bthaudiosvc
C:\Windows\system32\msiexec.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Sunbelt Software\SBEAgent\SBAMTray.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Users\jeshleman.IO-INFORMATICS\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Citrix\GoToMeeting\880\g2mstart.exe
C:\Program Files\Workrave\lib\Workrave.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Citrix\GoToMeeting\880\g2mcomm.exe
C:\Program Files\Citrix\GoToMeeting\880\g2mlauncher.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://blekkosearch.mystart.com/blekkotb_soc/?source=64bd786b&toolbarid=blekkotb_soc&u=34369BE6554FA493DFFDF24FE7BD8727&tbp=homepage&v=2_0
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.0 runtime\bin\jp2ssv.dll
uRun: [Google Update] "c:\users\jeshleman.io-informatics\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\880\g2mstart.exe" "/Trigger RunAtLogon"
uRun: [Workrave] c:\program files\workrave\lib\workrave.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
uRun: [SPMTray] "c:\program files\pc speed maximizer\SPMTray.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SBAMTray] "c:\program files\sunbelt software\sbeagent\SBAMTray.exe"
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_02-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://akamaicdn.webex.com/client/WBXclient-T27L10NSP32EP1-13926/webex/ieatgpc1.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{3762253D-3681-4F2D-B6EC-1DC71430AC21} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{3762253D-3681-4F2D-B6EC-1DC71430AC21}\94F475946494 : DhcpNameServer = 10.200.2.4 10.200.2.5
TCP: Interfaces\{5EF3F548-D06A-44DD-B66B-C403C1F9925E} : DhcpNameServer = 10.200.2.4 10.200.2.5
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 66.117.143.163 heron
Hosts: 66.117.143.163 heron.io-informatics.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\jeshleman.io-informatics\appdata\roaming\mozilla\firefox\profiles\hmmrubyk.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\oracle\javafx 2.0 runtime\bin\new_plugin\npjp2.dll
FF - plugin: c:\users\jeshleman.io-informatics\appdata\local\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\users\jeshleman.io-informatics\appdata\roaming\mozilla\plugins\npatgpc.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_228.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2011-4-29 101720]
R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2012-5-17 78936]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
R2 HFGService;Handsfree Headset Service;c:\windows\system32\svchost.exe -k bthaudiosvc [2009-7-13 20992]
R2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\sunbelt software\sbeagent\SBAMSvc.exe [2011-6-23 2804280]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2011-6-10 74200]
R2 SBPIMSvc;SB Recovery Service;c:\program files\sunbelt software\sbeagent\SBPIMSvc.exe [2011-6-23 181584]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 kdsiirbzvjzb;kdsiirbzvjzb;"c:\users\jeshle~1.io-\appdata\local\temp\datd5a4.tmp.exe" --service --> c:\users\jeshle~1.io-\appdata\local\temp\DATD5A4.tmp.exe [?]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-15 158856]
S2 Virtuoso_VirtuosoInstance;OpenLink Virtuoso Server [VirtuosoInstance];c:\virtuoso-opensource\bin\virtuoso-t.exe -i "virtuoso_virtuosoinstance" -c "c:\virtuoso-opensource\database\virtuoso.ini" --> c:\virtuoso-opensource\bin\virtuoso-t.exe -I Virtuoso_VirtuosoInstance [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-29 253600]
S3 BthAudioHF;BthAudioHF Service;c:\windows\system32\drivers\BthAudioHF.sys [2009-12-21 43008]
S3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\drivers\BthAvrcp.sys [2009-8-13 22528]
S3 csr_a2dp;Bluetooth AV Profile;c:\windows\system32\drivers\bthav.sys [2009-12-21 61952]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-24 113120]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-4-16 15872]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-4-16 52224]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-1-4 1343400]
S3 WMSVC;Web Management Service;c:\windows\system32\inetsrv\WMSvc.exe [2009-7-13 9728]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2010-4-3 44896]
S4 RsFx0150;RsFx0150 Driver;c:\windows\system32\drivers\RsFx0150.sys [2010-4-3 240608]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10_50.sqlexpress\mssql\binn\SQLAGENT.EXE [2011-4-24 367456]
.
=============== Created Last 30 ================
.
2012-07-14 17:57:11 -------- d-----w- C:\FRST
2012-07-14 17:27:52 -------- d-----w- c:\programdata\RegRun
2012-07-14 17:27:31 2 --shatr- c:\windows\winstart.bat
2012-07-14 17:27:23 -------- d-----w- c:\program files\UnHackMe
2012-07-13 17:05:43 62736 ----a-r- c:\users\jeshleman.io-informatics\appdata\roaming\microsoft\installer\{cdd4495b-0424-42f0-8d89-70d47e21bd69}\PullClientStartSho_CD6A27034E724245941D2EB3A8CF0DD5.exe
2012-07-13 17:05:43 62736 ----a-r- c:\users\jeshleman.io-informatics\appdata\roaming\microsoft\installer\{cdd4495b-0424-42f0-8d89-70d47e21bd69}\ParticipantStartSh_DF0BA5751BF84E0AABDD4B6DA83B3B0C.exe
2012-07-13 17:05:43 62736 ----a-r- c:\users\jeshleman.io-informatics\appdata\roaming\microsoft\installer\{cdd4495b-0424-42f0-8d89-70d47e21bd69}\NewShortcut11_0A40599CA5B444D89111273D573729A6.exe
2012-07-13 17:05:43 62736 ----a-r- c:\users\jeshleman.io-informatics\appdata\roaming\microsoft\installer\{cdd4495b-0424-42f0-8d89-70d47e21bd69}\MyATTStartShortcut_37B266125E564D7BBC298658403757C7.exe
2012-07-13 17:05:43 62736 ----a-r- c:\users\jeshleman.io-informatics\appdata\roaming\microsoft\installer\{cdd4495b-0424-42f0-8d89-70d47e21bd69}\LSUStartShortcut1_0C445A24F06A4871AC024995E6B63EA6.exe
2012-07-13 17:05:43 62736 ----a-r- c:\users\jeshleman.io-informatics\appdata\roaming\microsoft\installer\{cdd4495b-0424-42f0-8d89-70d47e21bd69}\LSUDesktopShortcut_5E8B335F6B1645798E61AE17118989A8.exe
2012-07-13 17:05:43 62736 ----a-r- c:\users\jeshleman.io-informatics\appdata\roaming\microsoft\installer\{cdd4495b-0424-42f0-8d89-70d47e21bd69}\ARPPRODUCTICON.exe
2012-07-13 17:05:43 58640 ----a-r- c:\users\jeshleman.io-informatics\appdata\roaming\microsoft\installer\{cdd4495b-0424-42f0-8d89-70d47e21bd69}\MyATTDesktopShortc_F98F597BB2C24BCA8A2E00E99FF50C40.exe
2012-07-13 17:05:43 46352 ----a-r- c:\users\jeshleman.io-informatics\appdata\roaming\microsoft\installer\{cdd4495b-0424-42f0-8d89-70d47e21bd69}\ParticipantHelpSta_AFE5E24C07B1432883124EEC348980E5.exe
2012-07-13 17:05:42 -------- d-----w- c:\users\jeshleman.io-informatics\appdata\roaming\ATT Connect
2012-07-13 17:05:42 -------- d-----w- c:\users\jeshleman.io-informatics\appdata\local\ATT Connect
2012-07-13 17:04:57 -------- d-----w- c:\users\jeshleman.io-informatics\appdata\local\Downloaded Installations
2012-07-13 15:32:27 97961 ----a-w- c:\windows\system32\drivers\klick.dat
2012-07-13 15:32:27 115369 ----a-w- c:\windows\system32\drivers\klin.dat
2012-07-13 15:21:38 -------- d-----w- c:\programdata\PLAV
2012-07-13 15:21:01 -------- d-----w- c:\programdata\ParetoLogic Anti-Virus PLUS
2012-07-10 21:38:30 -------- d-----w- c:\program files\TDSSKiller
2012-06-27 17:28:52 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-06-27 17:25:21 140832 ----a-w- c:\windows\system32\drivers\str.sys
2012-06-26 16:31:26 -------- d-----w- c:\users\jeshleman.io-informatics\appdata\local\AOL
2012-06-25 01:53:25 -------- d-----w- c:\users\jeshleman.io-informatics\appdata\roaming\MiKTeX
2012-06-25 01:52:08 -------- d-----w- c:\users\jeshleman.io-informatics\appdata\local\MiKTeX
2012-06-25 01:47:24 -------- d-----w- c:\programdata\MiKTeX
2012-06-25 01:44:05 -------- d-----w- c:\program files\MiKTeX 2.9
2012-06-25 01:24:27 -------- d-----w- c:\program files\PC Speed Maximizer
2012-06-25 01:23:50 -------- d-----w- c:\program files\Free Download Manager
2012-06-25 01:23:47 -------- d-----w- c:\programdata\blekko toolbars
2012-06-25 00:45:55 -------- d-----w- c:\program files\MSXML 4.0
2012-06-25 00:38:11 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-06-25 00:38:11 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-25 00:38:09 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-06-25 00:38:08 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-06-25 00:38:06 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-06-25 00:38:05 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-06-25 00:38:04 2343936 ----a-w- c:\windows\system32\win32k.sys
2012-06-25 00:38:02 989184 ----a-w- c:\program files\windows journal\JNTFiltr.dll
2012-06-25 00:38:02 969216 ----a-w- c:\program files\windows journal\JNWDRV.dll
2012-06-25 00:38:02 936960 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
2012-06-25 00:38:02 1221632 ----a-w- c:\program files\windows journal\NBDoc.DLL
2012-06-25 00:37:29 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-06-25 00:30:17 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-25 00:30:03 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-25 00:29:48 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-25 00:29:48 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-21 15:36:09 -------- d-----w- c:\users\jeshleman.io-informatics\appdata\roaming\cYo
2012-06-21 15:36:09 -------- d-----w- c:\users\jeshleman.io-informatics\appdata\local\cYo
2012-06-21 15:34:46 -------- d-----w- c:\program files\ComicRack
.
==================== Find3M ====================
.
2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-04-16 21:42:42 152576 ----a-w- c:\windows\system32\msclmd.dll
.
============= FINISH: 18:32:41.79 ===============

Here is the FRST.txt output:

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 14-07-2012
Ran by SYSTEM at 14-07-2012 11:04:15
Running from G:\
Windows 7 Ultimate (X86) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [31072 2008-10-25] (Microsoft Corporation)
HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [843712 2012-01-02] (Adobe Systems Incorporated)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [252296 2011-09-30] (Sun Microsystems, Inc.)
HKLM\...\Run: [SBAMTray] "C:\Program Files\Sunbelt Software\SBEAgent\SBAMTray.exe" [1336656 2011-06-23] (Sunbelt Software)
HKU\jeshleman.IO-INFORMATICS\...\Run: [Google Update] "C:\Users\jeshleman.IO-INFORMATICS\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2012-01-03] (Google Inc.)
HKU\jeshleman.IO-INFORMATICS\...\Run: [GoToMeeting] "C:\Program Files\Citrix\GoToMeeting\880\g2mstart.exe" "/Trigger RunAtLogon" [39816 2012-01-25] (Citrix Online, a division of Citrix Systems, Inc.)
HKU\jeshleman.IO-INFORMATICS\...\Run: [Workrave] C:\Program Files\Workrave\lib\workrave.exe [3871246 2011-03-24] (The Workrave development team)
HKU\jeshleman.IO-INFORMATICS\...\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun [17148552 2012-02-29] (Skype Technologies S.A.)
HKU\jeshleman.IO-INFORMATICS\...\Run: [SPMTray] "C:\Program Files\PC Speed Maximizer\SPMTray.exe" [x]
HKLM\...\runonceex: [Flags] 128 [x]
HKLM\...\runonceex: [Title] UnHackMe Rootkit Check [x]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254

================================ Services (Whitelisted) ==================

2 eventlog; C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted [20992 2009-07-13] (Microsoft Corporation)
2 HFGService; C:\Windows\System32\HFGService.dll [413696 2009-12-21] (CSR, plc)
2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [13824 2009-07-13] (Microsoft Corporation)
2 SBAMSvc; "C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe" [2804280 2011-06-23] (Sunbelt Software)
2 SBPIMSvc; "C:\Program Files\Sunbelt Software\SBEAgent\SBPIMSvc.exe" [181584 2011-06-23] (Sunbelt Software)
2 SkypeUpdate; "C:\Program Files\Skype\Updater\Updater.exe" [158856 2012-02-15] (Skype Technologies)
2 Virtuoso_VirtuosoInstance; c:\virtuoso-opensource\bin\virtuoso-t.exe -I "Virtuoso_VirtuosoInstance" -c "C:\virtuoso-opensource\database\virtuoso.ini" [6649 2012-05-18] ()
3 WMSVC; C:\Windows\system32\inetsrv\wmsvc.exe [9728 2009-07-13] (Microsoft Corporation)
2 kdsiirbzvjzb; "C:\Users\JESHLE~1.IO-\AppData\Local\Temp\DATD5A4.tmp.exe" --SERVICE [x]
2 MSSQL$SQLEXPRESS; "c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS [x]
4 MSSQLServerADHelper100; "c:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE" [x]
4 SQLAgent$SQLEXPRESS; "c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS [x]
3 SQLBrowser; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" [x]
2 SQLWriter; "c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [x]

========================== Drivers (Whitelisted) =============

3 BthAudioHF; C:\Windows\System32\DRIVERS\BthAudioHF.sys [43008 2009-12-21] (CSR, plc)
3 BthAvrcp; C:\Windows\System32\DRIVERS\BthAvrcp.sys [22528 2009-08-13] (CSR, plc)
3 csr_a2dp; C:\Windows\System32\drivers\bthav.sys [61952 2009-12-21] (CSR, plc)
4 RsFx0150; C:\Windows\System32\DRIVERS\RsFx0150.sys [240608 2010-04-03] (Microsoft Corporation)
2 sbapifs; C:\Windows\System32\DRIVERS\sbapifs.sys [74200 2011-06-10] (Sunbelt Software)
1 SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [101720 2011-04-29] (Sunbelt Software)
1 SbTis; C:\Windows\System32\drivers\sbtis.sys [78936 2011-04-05] (Sunbelt Software, Inc.)
0 Partizan; C:\Windows\System32\drivers\Partizan.sys [x]
3 Synth3dVsc; C:\Windows\System32\drivers\synth3dvsc.sys [x]
3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [x]
3 VGPU; C:\Windows\System32\drivers\rdvgkmd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-14 09:30 - 2012-07-14 09:30 - 00023522 ____A C:\Windows\Partizan.log
2012-07-14 09:29 - 2012-07-14 09:29 - 00000262 ____A C:\Windows\System32\PARTIZAN.TXT
2012-07-14 09:27 - 2012-07-14 09:37 - 00000000 ____D C:\Program Files\UnHackMe
2012-07-14 09:27 - 2012-07-14 09:35 - 00000000 ____D C:\Users\All Users\RegRun
2012-07-14 09:27 - 2012-07-14 09:32 - 00000000 ____D C:\Users\jeshleman.IO-INFORMATICS\Documents\RegRun2
2012-07-14 09:27 - 2012-07-14 09:27 - 00000406 ____A C:\Windows\Tasks\UnHackMe Task Scheduler.job
2012-07-14 09:27 - 2012-07-14 09:27 - 00000002 RASHOT C:\Windows\winstart.bat
2012-07-14 09:24 - 2012-07-14 09:25 - 12101490 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\unhackme.zip
2012-07-13 09:34 - 2012-07-13 11:30 - 00000380 ____A C:\Users\jeshleman.IO-INFORMATICS\Desktop\convertPrefUnitsForStrings.txt
2012-07-13 09:05 - 2012-07-13 09:05 - 00000000 ____D C:\Users\jeshleman.IO-INFORMATICS\Documents\att connect
2012-07-13 09:05 - 2012-07-13 09:05 - 00000000 ____D C:\Users\jeshleman.IO-INFORMATICS\AppData\Roaming\ATT Connect
2012-07-13 09:05 - 2012-07-13 09:05 - 00000000 ____D C:\Users\jeshleman.IO-INFORMATICS\AppData\Local\ATT Connect
2012-07-13 09:04 - 2012-07-13 09:04 - 00000000 ____D C:\Users\jeshleman.IO-INFORMATICS\AppData\Local\Downloaded Installations
2012-07-13 09:02 - 2012-07-13 09:02 - 11252848 ____A (Acresso Software Inc. ) C:\Users\jeshleman.IO-INFORMATICS\Downloads\ATT_Connect_Setup.exe
2012-07-13 07:32 - 2012-07-13 07:32 - 00115369 ____A C:\Windows\System32\Drivers\klin.dat
2012-07-13 07:32 - 2012-07-13 07:32 - 00097961 ____A C:\Windows\System32\Drivers\klick.dat
2012-07-13 07:21 - 2012-07-13 08:29 - 00000000 ____D C:\Users\All Users\PLAV
2012-07-13 07:21 - 2012-07-13 07:21 - 00000000 ____D C:\Users\All Users\ParetoLogic Anti-Virus PLUS
2012-07-13 07:19 - 2012-07-13 07:19 - 08871304 ____A (ParetoLogic Inc.) C:\Users\jeshleman.IO-INFORMATICS\Downloads\Pareto_AV_Setup_RW.exe
2012-07-13 06:49 - 2012-07-13 06:49 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1897051121-725345543-1710Core1cd6106ad9570e1.job
2012-07-12 11:45 - 2012-07-12 11:45 - 00063774 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\Easy, rainy day. 03_24_2012 Berkeley, CA.gpx
2012-07-12 11:13 - 2012-07-12 11:13 - 00183494 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\activity_197147194.tcx
2012-07-12 11:04 - 2012-07-12 11:04 - 00033106 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\Warmup 07_08_2012 Berkeley, CA.gpx
2012-07-12 10:52 - 2012-07-12 10:52 - 00002635 ____A C:\Users\Public\Desktop\Sentient Knowledge Explorer.lnk
2012-07-12 09:38 - 2012-07-12 09:38 - 00144275 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\activity_197147183.tcx
2012-07-12 09:37 - 2012-07-12 09:37 - 00064496 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\activity_197147183.gpx
2012-07-12 08:58 - 2012-07-12 08:58 - 00103749 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\activity_168085660.gpx
2012-07-12 08:37 - 2012-07-12 08:37 - 00387020 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\activity_198287841.tcx
2012-07-12 08:36 - 2012-07-12 08:36 - 00174748 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\activity_198287841.gpx
2012-07-10 16:37 - 2012-07-10 16:46 - 00019045 ____A C:\Users\jeshleman.IO-INFORMATICS\Desktop\QuestQuestionsWithSuggestedModulesAndVariables.xlsx
2012-07-10 14:08 - 2012-07-10 14:08 - 00138120 ____A (ESET) C:\Users\jeshleman.IO-INFORMATICS\Downloads\ESETSirefefRemover.exe
2012-07-10 13:38 - 2012-07-10 13:38 - 00000000 ____D C:\Program Files\TDSSKiller
2012-07-10 13:20 - 2012-07-10 13:20 - 01558016 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\RogueKiller.exe
2012-07-05 07:48 - 2012-07-05 07:48 - 00001190 ____A C:\Windows\System32\ServiceConfig.xml
2012-07-03 13:41 - 2012-07-03 13:41 - 00274550 ____A C:\Users\jeshleman.IO-INFORMATICS\Desktop\2012-players.xlsx
2012-07-03 08:07 - 2012-07-10 15:27 - 00000000 ____D C:\Users\jeshleman.IO-INFORMATICS\Desktop\SieveQueryImages
2012-06-27 11:39 - 2012-06-27 11:39 - 00000753 ____A C:\Users\jeshleman.IO-INFORMATICS\Documents\ChatLog Web Query design review_ LODD _ Pathogen dataset introduction _tentative_ 2012_06_27 12_39.rtf
2012-06-27 09:28 - 2012-06-27 09:28 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-06-27 09:25 - 2012-06-27 09:25 - 00140832 ____A C:\Windows\System32\Drivers\str.sys
2012-06-26 08:31 - 2012-06-26 08:31 - 00000000 ____D C:\Users\jeshleman.IO-INFORMATICS\AppData\Local\AOL
2012-06-26 08:30 - 2012-06-26 08:30 - 14723352 ____A (AOL Inc.) C:\Users\jeshleman.IO-INFORMATICS\Downloads\AIM_Install.exe
2012-06-24 17:53 - 2012-06-24 17:53 - 00000000 ____D C:\Users\jeshleman.IO-INFORMATICS\AppData\Roaming\MiKTeX
2012-06-24 17:52 - 2012-06-24 17:52 - 00000000 ____D C:\Users\jeshleman.IO-INFORMATICS\AppData\Local\MiKTeX
2012-06-24 17:47 - 2012-06-24 17:47 - 00000000 ____D C:\Users\All Users\MiKTeX
2012-06-24 17:44 - 2012-06-24 17:46 - 00000000 ____D C:\Program Files\MiKTeX 2.9
2012-06-24 17:26 - 2012-06-24 17:37 - 160878344 ____A (MiKTeX.org) C:\Users\jeshleman.IO-INFORMATICS\Downloads\basic-miktex-2.9.4521.exe
2012-06-24 17:24 - 2012-06-24 17:49 - 00000000 ____D C:\Program Files\PC Speed Maximizer
2012-06-24 17:23 - 2012-06-24 17:48 - 00000000 ____D C:\Users\All Users\blekko toolbars
2012-06-24 17:23 - 2012-06-24 17:47 - 00000000 ____D C:\Program Files\Free Download Manager
2012-06-24 17:23 - 2012-06-24 17:23 - 00000000 ____D C:\Users\-INFORMATICS\jeshleman
2012-06-24 17:23 - 2012-06-24 17:23 - 00000000 ____D C:\users\-INFORMATICS
2012-06-24 17:21 - 2012-06-24 17:21 - 00809328 ____A (AirInstaller Inc.) C:\Users\jeshleman.IO-INFORMATICS\Downloads\setup.exe
2012-06-24 16:54 - 2012-05-17 15:11 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-24 16:54 - 2012-05-17 14:48 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-24 16:54 - 2012-05-17 14:45 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-24 16:54 - 2012-05-17 14:36 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-24 16:54 - 2012-05-17 14:35 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-24 16:54 - 2012-05-17 14:35 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-24 16:54 - 2012-05-17 14:33 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-24 16:54 - 2012-05-17 14:31 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-24 16:54 - 2012-05-17 14:29 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-24 16:54 - 2012-05-17 14:29 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-24 16:54 - 2012-05-17 14:27 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-24 16:54 - 2012-05-17 14:25 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-24 16:54 - 2012-05-17 14:24 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-24 16:54 - 2012-05-17 14:20 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-24 16:46 - 2012-06-24 16:47 - 00285324 ____A C:\Windows\msxml4-KB954430-enu.LOG
2012-06-24 16:45 - 2012-06-24 16:46 - 00291478 ____A C:\Windows\msxml4-KB973688-enu.LOG
2012-06-24 16:45 - 2012-06-24 16:45 - 00000000 ____D C:\Program Files\MSXML 4.0
2012-06-24 16:38 - 2012-05-14 17:05 - 02343936 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-24 16:38 - 2012-04-27 20:41 - 00919040 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll
2012-06-24 16:38 - 2012-04-27 19:17 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-06-24 16:38 - 2012-03-30 20:39 - 03968368 ____A (Microsoft Corporation) C:\Windows\System32\ntkrnlpa.exe
2012-06-24 16:38 - 2012-03-30 20:39 - 03913072 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-06-24 16:38 - 2012-03-30 02:23 - 01291632 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\tcpip.sys
2012-06-24 16:38 - 2012-03-02 21:31 - 01077248 ____A (Microsoft Corporation) C:\Windows\System32\DWrite.dll
2012-06-24 16:37 - 2012-03-16 23:27 - 00056176 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\partmgr.sys
2012-06-24 16:30 - 2012-06-02 14:19 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-24 16:30 - 2012-06-02 14:19 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-24 16:30 - 2012-06-02 14:19 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-24 16:30 - 2012-06-02 14:19 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-24 16:30 - 2012-06-02 14:19 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-24 16:30 - 2012-06-02 14:12 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-24 16:30 - 2012-06-02 14:12 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-24 16:29 - 2012-06-02 14:19 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-24 16:29 - 2012-06-02 14:12 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-21 15:14 - 2012-06-21 15:14 - 00000165 ___AH C:\Users\jeshleman.IO-INFORMATICS\Desktop\~$ProposedGraphMembershipsByPredicateAndStudyTable.xlsx
2012-06-21 07:36 - 2012-06-21 07:36 - 00000000 ____D C:\Users\jeshleman.IO-INFORMATICS\AppData\Roaming\cYo
2012-06-21 07:36 - 2012-06-21 07:36 - 00000000 ____D C:\Users\jeshleman.IO-INFORMATICS\AppData\Local\cYo
2012-06-21 07:34 - 2012-06-21 07:35 - 00000000 ____D C:\Program Files\ComicRack
2012-06-21 07:32 - 2012-06-21 07:34 - 11581039 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\ComicRackSetup09155.exe
2012-06-19 09:28 - 2012-06-20 09:11 - 00000583 ____A C:\Users\jeshleman.IO-INFORMATICS\Desktop\statisticsQueries.txt
2012-06-15 11:54 - 2012-07-09 22:33 - 00000000 ____D C:\Users\jeshleman.IO-INFORMATICS\Desktop\Semantic_Paleo
2012-06-14 08:29 - 2012-06-14 08:29 - 00227935 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\setuptools-0.6c11.win32-py2.6.exe


============ 3 Months Modified Files ========================

2012-07-14 09:59 - 2012-01-02 11:18 - 00946946 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-14 09:56 - 2009-07-13 20:39 - 00103874 ____A C:\Windows\setupact.log
2012-07-14 09:53 - 2012-03-29 10:08 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-14 09:46 - 2009-07-13 20:34 - 00014816 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-14 09:46 - 2009-07-13 20:34 - 00014816 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-14 09:38 - 2009-07-13 20:53 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-14 09:30 - 2012-07-14 09:30 - 00023522 ____A C:\Windows\Partizan.log
2012-07-14 09:29 - 2012-07-14 09:29 - 00000262 ____A C:\Windows\System32\PARTIZAN.TXT
2012-07-14 09:27 - 2012-07-14 09:27 - 00000406 ____A C:\Windows\Tasks\UnHackMe Task Scheduler.job
2012-07-14 09:27 - 2012-07-14 09:27 - 00000002 RASHOT C:\Windows\winstart.bat
2012-07-14 09:27 - 2009-07-13 18:04 - 00002577 ____A C:\Windows\System32\config.nt
2012-07-14 09:27 - 2009-07-13 18:04 - 00001688 ____A C:\Windows\System32\autoexec.nt
2012-07-14 09:25 - 2012-07-14 09:24 - 12101490 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\unhackme.zip
2012-07-13 12:20 - 2012-01-03 12:37 - 00000954 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1897051121-725345543-1710UA.job
2012-07-13 11:34 - 2012-01-03 08:13 - 00000280 ____A C:\Windows\System32\config\netlogon.ftl
2012-07-13 11:33 - 2012-01-03 07:54 - 00231780 ____A C:\Windows\PFRO.log
2012-07-13 11:30 - 2012-07-13 09:34 - 00000380 ____A C:\Users\jeshleman.IO-INFORMATICS\Desktop\convertPrefUnitsForStrings.txt
2012-07-13 11:29 - 2012-01-03 11:30 - 00001992 ____A C:\Users\jeshleman.IO-INFORMATICS\Documents\Default.rdp
2012-07-13 09:02 - 2012-07-13 09:02 - 11252848 ____A (Acresso Software Inc. ) C:\Users\jeshleman.IO-INFORMATICS\Downloads\ATT_Connect_Setup.exe
2012-07-13 07:32 - 2012-07-13 07:32 - 00115369 ____A C:\Windows\System32\Drivers\klin.dat
2012-07-13 07:32 - 2012-07-13 07:32 - 00097961 ____A C:\Windows\System32\Drivers\klick.dat
2012-07-13 07:19 - 2012-07-13 07:19 - 08871304 ____A (ParetoLogic Inc.) C:\Users\jeshleman.IO-INFORMATICS\Downloads\Pareto_AV_Setup_RW.exe
2012-07-13 06:49 - 2012-07-13 06:49 - 00000902 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1897051121-725345543-1710Core1cd6106ad9570e1.job
2012-07-12 11:45 - 2012-07-12 11:45 - 00063774 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\Easy, rainy day. 03_24_2012 Berkeley, CA.gpx
2012-07-12 11:13 - 2012-07-12 11:13 - 00183494 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\activity_197147194.tcx
2012-07-12 11:04 - 2012-07-12 11:04 - 00033106 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\Warmup 07_08_2012 Berkeley, CA.gpx
2012-07-12 10:52 - 2012-07-12 10:52 - 00002635 ____A C:\Users\Public\Desktop\Sentient Knowledge Explorer.lnk
2012-07-12 09:38 - 2012-07-12 09:38 - 00144275 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\activity_197147183.tcx
2012-07-12 09:37 - 2012-07-12 09:37 - 00064496 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\activity_197147183.gpx
2012-07-12 08:58 - 2012-07-12 08:58 - 00103749 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\activity_168085660.gpx
2012-07-12 08:37 - 2012-07-12 08:37 - 00387020 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\activity_198287841.tcx
2012-07-12 08:36 - 2012-07-12 08:36 - 00174748 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\activity_198287841.gpx
2012-07-10 16:46 - 2012-07-10 16:37 - 00019045 ____A C:\Users\jeshleman.IO-INFORMATICS\Desktop\QuestQuestionsWithSuggestedModulesAndVariables.xlsx
2012-07-10 14:08 - 2012-07-10 14:08 - 00138120 ____A (ESET) C:\Users\jeshleman.IO-INFORMATICS\Downloads\ESETSirefefRemover.exe
2012-07-10 13:20 - 2012-07-10 13:20 - 01558016 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\RogueKiller.exe
2012-07-05 07:48 - 2012-07-05 07:48 - 00001190 ____A C:\Windows\System32\ServiceConfig.xml
2012-07-03 13:41 - 2012-07-03 13:41 - 00274550 ____A C:\Users\jeshleman.IO-INFORMATICS\Desktop\2012-players.xlsx
2012-07-02 07:13 - 2012-01-02 10:50 - 01717072 ____A C:\Windows\WindowsUpdate.log
2012-06-27 11:39 - 2012-06-27 11:39 - 00000753 ____A C:\Users\jeshleman.IO-INFORMATICS\Documents\ChatLog Web Query design review_ LODD _ Pathogen dataset introduction _tentative_ 2012_06_27 12_39.rtf
2012-06-27 09:25 - 2012-06-27 09:25 - 00140832 ____A C:\Windows\System32\Drivers\str.sys
2012-06-26 08:30 - 2012-06-26 08:30 - 14723352 ____A (AOL Inc.) C:\Users\jeshleman.IO-INFORMATICS\Downloads\AIM_Install.exe
2012-06-24 17:37 - 2012-06-24 17:26 - 160878344 ____A (MiKTeX.org) C:\Users\jeshleman.IO-INFORMATICS\Downloads\basic-miktex-2.9.4521.exe
2012-06-24 17:21 - 2012-06-24 17:21 - 00809328 ____A (AirInstaller Inc.) C:\Users\jeshleman.IO-INFORMATICS\Downloads\setup.exe
2012-06-24 17:15 - 2009-07-13 20:33 - 00409752 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-24 16:47 - 2012-06-24 16:46 - 00285324 ____A C:\Windows\msxml4-KB954430-enu.LOG
2012-06-24 16:46 - 2012-06-24 16:45 - 00291478 ____A C:\Windows\msxml4-KB973688-enu.LOG
2012-06-21 15:14 - 2012-06-21 15:14 - 00000165 ___AH C:\Users\jeshleman.IO-INFORMATICS\Desktop\~$ProposedGraphMembershipsByPredicateAndStudyTable.xlsx
2012-06-21 07:34 - 2012-06-21 07:32 - 11581039 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\ComicRackSetup09155.exe
2012-06-20 09:11 - 2012-06-19 09:28 - 00000583 ____A C:\Users\jeshleman.IO-INFORMATICS\Desktop\statisticsQueries.txt
2012-06-14 08:29 - 2012-06-14 08:29 - 00227935 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\setuptools-0.6c11.win32-py2.6.exe
2012-06-13 14:11 - 2012-06-13 14:11 - 00006924 ____A C:\Users\jeshleman.IO-INFORMATICS\Desktop\RUN TO MOVE_CURATE string lab values
2012-06-12 15:11 - 2012-06-12 15:11 - 00000165 ___AH C:\Users\jeshleman.IO-INFORMATICS\Desktop\~$PREDICATE QUERY CREATOR.xlsx
2012-06-11 09:37 - 2012-06-11 09:37 - 00131620 ____A C:\MapWithHeaders
2012-06-08 13:25 - 2012-06-08 13:25 - 00048854 ____A C:\Users\jeshleman.IO-INFORMATICS\Documents\cc_20120608_142459.reg
2012-06-03 22:35 - 2012-01-03 16:27 - 56731752 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-06-02 14:19 - 2012-06-24 16:30 - 01933848 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-24 16:30 - 00577048 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-24 16:30 - 00053784 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-24 16:30 - 00045080 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-24 16:30 - 00035864 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:19 - 2012-06-24 16:29 - 00171904 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 14:12 - 2012-06-24 16:30 - 02422272 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:12 - 2012-06-24 16:30 - 00088576 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:12 - 2012-06-24 16:29 - 00033792 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-30 11:01 - 2012-05-30 10:47 - 00000584 ____A C:\Users\jeshleman.IO-INFORMATICS\Desktop\moduleContenstParse.py
2012-05-22 08:27 - 2009-07-13 20:53 - 00019838 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-05-22 06:57 - 2012-05-22 06:57 - 08042822 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\AllData20120510040.zip
2012-05-18 15:05 - 2012-05-18 15:05 - 00000438 ____A C:\Windows\System32\WSCConfig.xml
2012-05-17 15:11 - 2012-06-24 16:54 - 12314624 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-05-17 14:48 - 2012-06-24 16:54 - 09737728 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-05-17 14:45 - 2012-06-24 16:54 - 01800192 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-05-17 14:36 - 2012-06-24 16:54 - 01103872 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-05-17 14:35 - 2012-06-24 16:54 - 01427968 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-05-17 14:35 - 2012-06-24 16:54 - 01129472 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-17 14:33 - 2012-06-24 16:54 - 00231936 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-05-17 14:31 - 2012-06-24 16:54 - 00065024 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-17 14:29 - 2012-06-24 16:54 - 00716800 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-05-17 14:29 - 2012-06-24 16:54 - 00142848 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-05-17 14:27 - 2012-06-24 16:54 - 01793024 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-05-17 14:25 - 2012-06-24 16:54 - 00073216 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-05-17 14:24 - 2012-06-24 16:54 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-05-17 14:20 - 2012-06-24 16:54 - 00176640 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-05-17 13:17 - 2012-05-17 13:17 - 00005770 ____A C:\Windows\System32\PackageRuntimeMsiInstall.log
2012-05-17 12:57 - 2012-05-17 12:57 - 00000020 __ASH C:\Users\2adminio\ntuser.ini
2012-05-14 17:05 - 2012-06-24 16:38 - 02343936 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-05-08 21:27 - 2012-05-08 21:27 - 00002472 ____A C:\{7A3A1DB0-EA03-4200-987B-04AAF2DB0208}
2012-05-08 21:26 - 2012-05-08 21:26 - 00002920 ____A C:\{ECD3108B-A657-4233-9E3A-220BFCBF2BBA}
2012-05-08 21:24 - 2012-05-08 21:24 - 00002472 ____A C:\{5EF295F3-F061-4124-AC89-643D9837625E}
2012-05-08 21:22 - 2012-05-08 21:22 - 00002920 ____A C:\{73FBC958-564E-4F51-8EB2-9B1765BC6A45}
2012-05-08 08:13 - 2012-05-08 07:59 - 05817762 ____A C:\Users\jeshleman.IO-INFORMATICS\Documents\ImportingImagesInKE_example.zip
2012-05-03 06:42 - 2012-01-04 15:17 - 00003475 ____A C:\Users\jeshleman.IO-INFORMATICS\Desktop\Scrap Paper.txt
2012-05-02 14:51 - 2012-05-02 14:51 - 00889416 ____A (Microsoft Corporation) C:\Users\jeshleman.IO-INFORMATICS\Downloads\dotNetFx40_Full_setup.exe
2012-05-02 14:26 - 2012-05-02 14:26 - 00887896 ____A (Microsoft Corporation) C:\Users\jeshleman.IO-INFORMATICS\Downloads\dotNetFx40_Client_setup.exe
2012-05-02 10:25 - 2012-05-02 10:18 - 01933200 ____A C:\Users\jeshleman.IO-INFORMATICS\Documents\JAE_SIEVE RDF DB and SQ UI Overview_AstraZeneca 20120501.pptx
2012-05-02 09:54 - 2012-05-02 09:54 - 00000892 ____A C:\Users\jeshleman.IO-INFORMATICS\Documents\ChatLog PRACTICE WEBINAR Semantic Integration_ Evaluation_ Visualization _ Exploration _SIEVE_ 2012_05_02 10_54.rtf
2012-05-02 08:54 - 2012-05-02 08:54 - 00000440 ____A C:\Users\jeshleman.IO-INFORMATICS\Documents\ChatLog Software Engineering Check_in Meeting 2012_05_02 09_54.rtf
2012-05-02 07:47 - 2012-05-02 07:47 - 00001667 ____A C:\Users\jeshleman.IO-INFORMATICS\Documents\ChatLog PRACTICE WEBINAR Semantic Integration_ Evaluation_ Visualization _ Exploration _SIEVE_ 2012_05_02 08_47.rtf
2012-04-30 10:20 - 2012-04-26 11:34 - 00231030 ____A C:\Users\jeshleman.IO-INFORMATICS\Documents\HeadersInSieve_andFilesFoundIn_JAE20120426.xlsx
2012-04-27 20:41 - 2012-06-24 16:38 - 00919040 ____A (Microsoft Corporation) C:\Windows\System32\rdpcorets.dll
2012-04-27 19:17 - 2012-06-24 16:38 - 00183808 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys
2012-04-25 10:15 - 2012-04-25 09:27 - 198673132 ____A C:\Users\jeshleman.IO-INFORMATICS\Downloads\Miracleman.zip
2012-04-24 08:24 - 2012-04-24 08:24 - 00000632 ____A C:\Users\jeshleman.IO-INFORMATICS\Documents\ChatLog Software Engineering Check_in Meeting 2012_04_24 09_24.rtf
2012-04-23 09:23 - 2012-04-23 09:23 - 00000020 ___SH C:\Users\DefaultAppPool\ntuser.ini
2012-04-20 08:36 - 2012-04-18 10:20 - 00009317 ____A C:\Users\jeshleman.IO-INFORMATICS\Documents\Sieve_graphGroups20120418.xlsx
2012-04-16 13:56 - 2012-01-04 11:26 - 00102182 ____A C:\Windows\iis7.log
2012-04-16 13:42 - 2009-07-13 18:05 - 00152576 ____A (Microsoft Corporation) C:\Windows\System32\msclmd.dll
2012-04-16 06:53 - 2012-04-16 06:53 - 01270357 ____A C:\Users\jeshleman.IO-INFORMATICS\Documents\HeadersInSieve_andFilesFoundIn_update.xlsx


========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe A302BBFF2A7278C0E239EE5D471D86A9 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 15%
Total physical RAM: 3027.17 MB
Available physical RAM: 2545.65 MB
Total Pagefile: 3025.45 MB
Available Pagefile: 2551.41 MB
Total Virtual: 2047.88 MB
Available Virtual: 1979.2 MB

======================= Partitions =========================

1 Drive c: (Win7) (Fixed) (Total:183.24 GB) (Free:94.43 GB) NTFS
2 Drive d: (Vista) (Fixed) (Total:48.83 GB) (Free:20.91 GB) NTFS
4 Drive g: () (Removable) (Total:1.88 GB) (Free:1.63 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
6 Drive y: (RECOVERY) (Fixed) (Total:0.73 GB) (Free:0.53 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 232 GB 1024 KB
Disk 1 Online 1930 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 86 MB 31 KB
Partition 2 Primary 750 MB 87 MB
Partition 3 Primary 183 GB 837 MB
Partition 0 Extended 48 GB 184 GB
Partition 4 Logical 48 GB 184 GB

==================================================================================

Disk: 0
Partition 1
Type : DE
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 FAT Partition 86 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y RECOVERY NTFS Partition 750 MB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C Win7 NTFS Partition 183 GB Healthy

==================================================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D Vista NTFS Partition 48 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1929 MB 252 KB

==================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT Removable 1929 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-09 18:29

======================= End Of Log ==========================



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:07 PM

Posted 16 July 2012 - 12:24 AM

Greetings And Welcome To The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




Ok lets see if we can find a replacement for the infected file

In Vista or Windows 7: Boot to System Recovery Options and run FRST.

Type the following in the edit box after "Search:".

services.exe

It then should look like:

Search: services.exe

Click Search button and post the log (Search.txt) it makes to your reply.


Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 jason1213

jason1213
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:07 PM

Posted 16 July 2012 - 01:35 PM

Thanks a bunch for helping with this!

Here's the Search.txt log:


Farbar Recovery Scan Tool Version: 14-07-2012
Ran by SYSTEM at 2012-07-16 10:52:12
Running from G:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===
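The two hits above have the same size and timestamps but different MD5 values, and FRST's Bamital check earlier in the thread flagged the System32 copy. As an added example (my own code, not part of the thread and not FRST's own logic), here is a small Python parser that reads a Search.txt body like the one posted, groups hits by file name, and reports which copy outside the WinSxS component store disagrees with a same-name, same-size copy inside it. The detail-line regular expression is an assumption built only from the two lines posted; the embedded log text is the thread's own Search.txt excerpt.

```python
"""Parse an FRST 'Search:' log and flag copies of a file whose MD5 disagrees
with the WinSxS component-store copy of the same name and size.

Added example for this thread; the line format is inferred from the two
Search.txt entries posted above and may not cover every FRST version.
"""
import re
from collections import defaultdict

# Search.txt excerpt as posted in this thread (the two services.exe hits).
SEARCH_LOG = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) 5F1B6A9C35D3D5CA72D6D6FDEF9747D6

C:\Windows\System32\services.exe
[2009-07-13 15:11] - [2009-07-13 17:14] - 0259072 ____A (Microsoft Corporation) A302BBFF2A7278C0E239EE5D471D86A9

=== End Of Search ===
"""

# A hit is a full path on one line, followed by a detail line:
#   [created] - [modified] - size attrs (company) MD5
PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) (?:\((?P<company>[^)]*)\) )?(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_frst_search(text):
    """Return one dict per file hit (path, created, modified, size, attrs, company, md5)."""
    entries = []
    pending_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending_path is not None:
            m = DETAIL_RE.match(line)
            if m:
                entry = m.groupdict()
                entry["path"] = pending_path
                entry["size"] = int(entry["size"])
                entry["md5"] = entry["md5"].upper()
                entries.append(entry)
                pending_path = None
                continue
        if PATH_RE.match(line):
            pending_path = line
        # "=== Search: ... ===" header/footer lines are simply ignored.
    return entries


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_hash_conflicts(entries):
    """Map file name -> {md5: [paths]} for names whose copies do not all share one MD5."""
    by_name = defaultdict(lambda: defaultdict(list))
    for e in entries:
        by_name[_basename(e["path"])][e["md5"]].append(e["path"])
    return {name: dict(hashes) for name, hashes in by_name.items() if len(hashes) > 1}


def suspect_copies(entries):
    """Paths outside WinSxS whose MD5 differs from a same-name, same-size copy inside WinSxS.

    This is a triage heuristic: the component-store copy is a reference point,
    not proof of integrity. A known-hash check (FRST's "MD5 is legit" lines)
    remains the authoritative signal.
    """
    reference = defaultdict(set)
    for e in entries:
        if "\\winsxs\\" in e["path"].lower():
            reference[(_basename(e["path"]), e["size"])].add(e["md5"])
    suspects = []
    for e in entries:
        if "\\winsxs\\" in e["path"].lower():
            continue
        ref = reference.get((_basename(e["path"]), e["size"]))
        if ref and e["md5"] not in ref:
            suspects.append(e["path"])
    return suspects


if __name__ == "__main__":
    hits = parse_frst_search(SEARCH_LOG)
    for name, hashes in find_hash_conflicts(hits).items():
        print(f"{name}: {len(hashes)} distinct MD5 values")
        for md5, paths in hashes.items():
            for p in paths:
                print(f"  {md5}  {p}")
    print("suspect copies:", suspect_copies(hits))
```

Run against the posted excerpt, the script reports two distinct hashes for services.exe and names C:\Windows\System32\services.exe as the copy that disagrees with the component-store reference, which is the same conclusion the helper reached before writing the Replace: directive.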

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:07 PM

Posted 16 July 2012 - 08:39 PM

Hello

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt


Replace: C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe C:\Windows\System32\services.exe


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Gringo

#5 jason1213

jason1213
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:07 PM

Posted 17 July 2012 - 10:48 AM

Thanks again. (My virus scanner no longer detects the sirefef.r)



results of the fixlog:


Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 14-07-2012
Ran by SYSTEM at 2012-07-17 08:24:06 Run:1
Running from G:\

==============================================

C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_cf36168b2e9c967b\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:07 PM

Posted 17 July 2012 - 05:53 PM

Hello

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:07 PM

Posted 20 July 2012 - 11:20 PM

Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools.




Gringo

#8 jason1213

jason1213
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:07 PM

Posted 21 July 2012 - 01:01 AM

Sorry. Got called out of town on a business trip and haven't been near my computer to check it out for the last few days. I'll take next steps on Monday. Thanks again for the help.

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:07 PM

Posted 21 July 2012 - 09:01 AM

thank you for letting me know and I will check on you then



gringo

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:07 PM

Posted 25 July 2012 - 12:03 AM

Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools.




Gringo

#11 jason1213

jason1213
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:07 PM

Posted 26 July 2012 - 02:46 PM

Finally back and able to run combofix.

The computer is working fine. I have had no difficulties with it at all.
The only issue I had with ComboFix was difficulty disabling my Vipre antivirus. Though I stopped the service and the service did not appear to be running in the services window, ComboFix reported that it was.

Here is the log:
ComboFix 12-07-27.02 - jeshleman 07/26/2012 12:25:54.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3027.1571 [GMT -7:00]
Running from: c:\users\jeshleman.IO-INFORMATICS\Desktop\ComboFix.exe
AV: Sunbelt VIPRE *Enabled/Updated* {BE5DD172-7F42-7948-1A60-E6A720288F81}
SP: Sunbelt VIPRE *Enabled/Updated* {053C3096-5978-76C6-20D0-DDD55BAFC53C}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Microsoft
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\1.1
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\ABA Adult Mouse Brain.OWL
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\acuteBioMarkerTEST.xml
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Adverse Event Reporting ontology.OWL
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\African Traditional Medicine.OBO
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Bioinformatics operations, types of data, data formats and topics.OBO
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\biopax-level2.owl
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\cf-att.owl
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\ECMWF_ERA-40_subset.nc.owl
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\EmpToTerr.xml
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Experimental Conditions Ontology.OBO
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\external-by-hand.owl
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\external.owl
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\externalByHand.owl
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\externalDerived.owl
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Genes_xiPool.txt
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Genes_xiPool7
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\iao-main.owl
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\iao.owl
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\ipool-identity-03
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\iricrosswalk.owl
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\ismemberof.owl
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\ke-mapping
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\MGED Ontology.OWL-FULL
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\netcdf-3.owl
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\obsolete.owl
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\ontology-metadata.owl
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ontology for MicroRNA Target Prediction.OWL
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ontology of Clinical Research (OCRe).OWL-DL
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ontology of Experimental Variables and Values.OWL
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\protege-dc.owl
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\rdfcache.owl
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\ro
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\ro.owl
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\RxNORM.UMLS-RELA
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\Zebrafish anatomy and development.OBO
c:\users\jeshleman.IO-INFORMATICS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum
c:\users\jeshleman.IO-INFORMATICS\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum\Live Security Platinum.lnk
c:\users\jeshleman.IO-INFORMATICS\g2mdlhlpx.exe
V:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-26 to 2012-07-26 )))))))))))))))))))))))))))))))
.
.
2012-07-26 19:33 . 2012-07-26 19:33 -------- d-----w- c:\users\jeshleman\AppData\Local\temp
2012-07-26 19:33 . 2012-07-26 19:33 -------- d-----w- c:\users\DefaultAppPool\AppData\Local\temp
2012-07-26 19:33 . 2012-07-26 19:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-14 17:57 . 2012-07-14 17:57 -------- d-----w- C:\FRST
2012-07-14 17:27 . 2012-07-14 17:35 -------- d-----w- c:\programdata\RegRun
2012-07-14 17:27 . 2012-07-16 15:53 -------- d-----w- c:\program files\UnHackMe
2012-07-13 17:05 . 2012-07-16 15:53 -------- d-----w- c:\users\jeshleman.IO-INFORMATICS\AppData\Local\ATT Connect
2012-07-13 17:05 . 2012-07-13 17:05 -------- d-----w- c:\users\jeshleman.IO-INFORMATICS\AppData\Roaming\ATT Connect
2012-07-13 17:04 . 2012-07-13 17:04 -------- d-----w- c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Downloaded Installations
2012-07-13 15:32 . 2012-07-13 15:32 97961 ----a-w- c:\windows\system32\drivers\klick.dat
2012-07-13 15:32 . 2012-07-13 15:32 115369 ----a-w- c:\windows\system32\drivers\klin.dat
2012-07-13 15:21 . 2012-07-13 16:29 -------- d-----w- c:\programdata\PLAV
2012-07-13 15:21 . 2012-07-13 15:21 -------- d-----w- c:\programdata\ParetoLogic Anti-Virus PLUS
2012-07-10 21:38 . 2012-07-10 21:38 -------- d-----w- c:\program files\TDSSKiller
2012-06-27 17:28 . 2012-06-27 17:28 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-06-27 17:25 . 2012-06-27 17:25 140832 ----a-w- c:\windows\system32\drivers\str.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-02 22:19 . 2012-06-25 00:29 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 22:19 . 2012-06-25 00:30 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-25 00:30 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-25 00:30 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-25 00:30 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-25 00:30 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-25 00:30 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-25 00:29 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 22:12 . 2012-06-25 00:30 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-05-17 22:45 . 2012-06-25 00:54 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-05-17 22:35 . 2012-06-25 00:54 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-05-17 22:35 . 2012-06-25 00:54 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-17 22:29 . 2012-06-25 00:54 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-17 22:24 . 2012-06-25 00:54 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-05-15 01:05 . 2012-06-25 00:38 2343936 ----a-w- c:\windows\system32\win32k.sys
2012-04-28 04:41 . 2012-06-25 00:38 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-04-28 03:17 . 2012-06-25 00:38 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-19 14:42 . 2012-01-03 16:44 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 18:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 18:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 18:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 18:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 18:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 18:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 18:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 18:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 18:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\880\g2mstart.exe" [2012-01-25 39816]
"Workrave"="c:\program files\Workrave\lib\workrave.exe" [2011-03-25 3871246]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-02-29 17148552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-09-30 252296]
"SBAMTray"="c:\program files\Sunbelt Software\SBEAgent\SBAMTray.exe" [2011-06-23 1336656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1897051121-725345543-1710\Scripts\Logon\0\0]
"Script"=logon.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware]
2012-04-04 22:56 462408 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R2 Virtuoso_VirtuosoInstance;OpenLink Virtuoso Server [VirtuosoInstance];c:\virtuoso-opensource\bin\virtuoso-t.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 CFcatchme;CFcatchme;c:\users\JESHLE~1.IO-\AppData\Local\Temp\CFcatchme.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WMSVC;Web Management Service;c:\windows\system32\inetsrv\wmsvc.exe [x]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [x]
R4 RsFx0150;RsFx0150 Driver;c:\windows\system32\DRIVERS\RsFx0150.sys [x]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [x]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
S1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 HFGService;Handsfree Headset Service;c:\windows\system32\svchost.exe [x]
S2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\Sunbelt Software\SBEAgent\SBAMSvc.exe [x]
S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [x]
S2 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\SBEAgent\SBPIMSvc.exe [x]
S3 BthAudioHF;BthAudioHF Service;c:\windows\system32\DRIVERS\BthAudioHF.sys [x]
S3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\DRIVERS\BthAvrcp.sys [x]
S3 csr_a2dp;Bluetooth AV Profile;c:\windows\system32\drivers\bthav.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthaudiosvc REG_MULTI_SZ HFGService
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 18:08]
.
2012-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1897051121-725345543-1710Core1cd6106ad9570e1.job
- c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-03 20:37]
.
2012-07-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1897051121-725345543-1710UA.job
- c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-03 20:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://blekkosearch.mystart.com/blekkotb_soc/?source=64bd786b&toolbarid=blekkotb_soc&u=34369BE6554FA493DFFDF24FE7BD8727&tbp=homepage&v=2_0
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.200.2.4 10.200.2.5
FF - ProfilePath - c:\users\jeshleman.IO-INFORMATICS\AppData\Roaming\Mozilla\Firefox\Profiles\hmmrubyk.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-SPMTray - c:\program files\PC Speed Maximizer\SPMTray.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
.
**************************************************************************
.
Completion time: 2012-07-26 12:42:06 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-26 19:42
.
Pre-Run: 66,215,432,192 bytes free
Post-Run: 66,478,235,648 bytes free
.
- - End Of File - - F4C30E54D62AFF1CA745483DE2B8F4D5

#12 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:07 PM

Posted 26 July 2012 - 02:48 PM

Greetings

I want you to run these next,

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#13 jason1213

  • Topic Starter
  • Members
  • 10 posts
  • Local time:07:07 PM

Posted 26 July 2012 - 05:05 PM

TDSSKiller scan results and aswMBR results

14:00:34.0243 3052 TDSS rootkit removing tool 2.7.48.0 Jul 24 2012 13:16:32
14:00:34.0699 3052 ============================================================
14:00:34.0699 3052 Current date / time: 2012/07/26 14:00:34.0699
14:00:34.0699 3052 SystemInfo:
14:00:34.0699 3052
14:00:34.0699 3052 OS Version: 6.1.7601 ServicePack: 1.0
14:00:34.0699 3052 Product type: Workstation
14:00:34.0700 3052 ComputerName: CROW
14:00:34.0700 3052 UserName: jeshleman
14:00:34.0700 3052 Windows directory: C:\Windows
14:00:34.0700 3052 System windows directory: C:\Windows
14:00:34.0700 3052 Processor architecture: Intel x86
14:00:34.0700 3052 Number of processors: 2
14:00:34.0700 3052 Page size: 0x1000
14:00:34.0700 3052 Boot type: Normal boot
14:00:34.0700 3052 ============================================================
14:00:36.0959 3052 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
14:00:36.0961 3052 ============================================================
14:00:36.0961 3052 \Device\Harddisk0\DR0:
14:00:36.0962 3052 MBR partitions:
14:00:36.0962 3052 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x2B800, BlocksNum 0x177000
14:00:36.0962 3052 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1A2800, BlocksNum 0x16E7A800
14:00:37.0462 3052 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1701D800, BlocksNum 0x61A7800
14:00:37.0462 3052 ============================================================
14:00:37.0618 3052 C: <-> \Device\Harddisk0\DR0\Partition1
14:00:37.0841 3052 V: <-> \Device\Harddisk0\DR0\Partition2
14:00:37.0885 3052 F: <-> \Device\Harddisk0\DR0\Partition0
14:00:37.0885 3052 ============================================================
14:00:37.0885 3052 Initialize success
14:00:37.0885 3052 ============================================================
14:00:43.0702 1136 ============================================================
14:00:43.0702 1136 Scan started
14:00:43.0702 1136 Mode: Manual;
14:00:43.0702 1136 ============================================================
14:00:55.0659 1136 hkmsvc - ok
14:00:55.0722 1136 HomeGroupListener (6658f4404de03d75fe3ba09f7aba6a30) C:\Windows\system32\ListSvc.dll
14:00:55.0736 1136 HomeGroupListener - ok
14:00:55.0788 1136 HomeGroupProvider (dbc02d918fff1cad628acbe0c0eaa8e8) C:\Windows\system32\provsvc.dll
14:00:55.0801 1136 HomeGroupProvider - ok
14:00:55.0857 1136 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\drivers\HpSAMD.sys
14:00:55.0859 1136 HpSAMD - ok
14:00:55.0936 1136 HTTP (871917b07a141bff43d76d8844d48106) C:\Windows\system32\drivers\HTTP.sys
14:00:55.0954 1136 HTTP - ok
14:00:56.0004 1136 hwpolicy (0c4e035c7f105f1299258c90886c64c5) C:\Windows\system32\drivers\hwpolicy.sys
14:00:56.0005 1136 hwpolicy - ok
14:00:56.0075 1136 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\drivers\i8042prt.sys
14:00:56.0077 1136 i8042prt - ok
14:00:56.0131 1136 iaStorV (a3cae5d281db4cff7cff8233507ee5ad) C:\Windows\system32\drivers\iaStorV.sys
14:00:56.0147 1136 iaStorV - ok
14:00:56.0323 1136 idsvc (c521d7eb6497bb1af6afa89e322fb43c) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
14:00:56.0338 1136 idsvc - ok
14:00:56.0901 1136 igfx (ad626f6964f4d364d226c39e06872dd3) C:\Windows\system32\DRIVERS\igdkmd32.sys
14:00:57.0021 1136 igfx - ok
14:00:57.0232 1136 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
14:00:57.0235 1136 iirsp - ok
14:00:57.0323 1136 IISADMIN (fc9735b66850cf8aebbc1e207ecb2ad8) C:\Windows\system32\inetsrv\inetinfo.exe
14:00:57.0325 1136 IISADMIN - ok
14:00:57.0506 1136 IKEEXT (f95622f161474511b8d80d6b093aa610) C:\Windows\System32\ikeext.dll
14:00:57.0528 1136 IKEEXT - ok
14:00:57.0578 1136 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\drivers\intelide.sys
14:00:57.0580 1136 intelide - ok
14:00:57.0613 1136 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
14:00:57.0614 1136 intelppm - ok
14:00:57.0663 1136 IPBusEnum (acb364b9075a45c0736e5c47be5cae19) C:\Windows\system32\ipbusenum.dll
14:00:57.0666 1136 IPBusEnum - ok
14:00:57.0692 1136 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
14:00:57.0694 1136 IpFilterDriver - ok
14:00:57.0804 1136 iphlpsvc (4d65a07b795d6674312f879d09aa7663) C:\Windows\System32\iphlpsvc.dll
14:00:57.0816 1136 iphlpsvc - ok
14:00:57.0860 1136 IPMIDRV (4bd7134618c1d2a27466a099062547bf) C:\Windows\system32\drivers\IPMIDrv.sys
14:00:57.0863 1136 IPMIDRV - ok
14:00:57.0895 1136 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
14:00:57.0900 1136 IPNAT - ok
14:00:57.0939 1136 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
14:00:57.0940 1136 IRENUM - ok
14:00:57.0965 1136 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\drivers\isapnp.sys
14:00:57.0968 1136 isapnp - ok
14:00:58.0023 1136 iScsiPrt (cb7a9abb12b8415bce5d74994c7ba3ae) C:\Windows\system32\drivers\msiscsi.sys
14:00:58.0035 1136 iScsiPrt - ok
14:00:58.0089 1136 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\drivers\kbdclass.sys
14:00:58.0091 1136 kbdclass - ok
14:00:58.0207 1136 kbdhid (9e3ced91863e6ee98c24794d05e27a71) C:\Windows\system32\drivers\kbdhid.sys
14:00:58.0208 1136 kbdhid - ok
14:00:58.0256 1136 KeyIso (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
14:00:58.0258 1136 KeyIso - ok
14:00:58.0271 1136 KSecDD (f4647bb23db9038a7536cf6b68f4207f) C:\Windows\system32\Drivers\ksecdd.sys
14:00:58.0273 1136 KSecDD - ok
14:00:58.0293 1136 KSecPkg (e73cae53bbb72ba26918492c6b4c229d) C:\Windows\system32\Drivers\ksecpkg.sys
14:00:58.0296 1136 KSecPkg - ok
14:00:58.0348 1136 KtmRm (89a7b9cc98d0d80c6f31b91c0a310fcd) C:\Windows\system32\msdtckrm.dll
14:00:58.0366 1136 KtmRm - ok
14:00:58.0454 1136 LanmanServer (d64af876d53eca3668bb97b51b4e70ab) C:\Windows\System32\srvsvc.dll
14:00:58.0474 1136 LanmanServer - ok
14:00:58.0533 1136 LanmanWorkstation (58405e4f68ba8e4057c6e914f326aba2) C:\Windows\System32\wkssvc.dll
14:00:58.0551 1136 LanmanWorkstation - ok
14:00:58.0642 1136 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
14:00:58.0645 1136 lltdio - ok
14:00:58.0699 1136 lltdsvc (5700673e13a2117fa3b9020c852c01e2) C:\Windows\System32\lltdsvc.dll
14:00:58.0709 1136 lltdsvc - ok
14:00:58.0733 1136 lmhosts (55ca01ba19d0006c8f2639b6c045e08b) C:\Windows\System32\lmhsvc.dll
14:00:58.0735 1136 lmhosts - ok
14:00:58.0778 1136 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
14:00:58.0784 1136 LSI_FC - ok
14:00:58.0814 1136 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
14:00:58.0817 1136 LSI_SAS - ok
14:00:58.0836 1136 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
14:00:58.0838 1136 LSI_SAS2 - ok
14:00:58.0866 1136 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
14:00:58.0873 1136 LSI_SCSI - ok
14:00:58.0898 1136 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
14:00:58.0900 1136 luafv - ok
14:00:58.0938 1136 Mcx2Svc (bfb9ee8ee977efe85d1a3105abef6dd1) C:\Windows\system32\Mcx2Svc.dll
14:00:58.0942 1136 Mcx2Svc - ok
14:00:58.0961 1136 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
14:00:58.0963 1136 megasas - ok
14:00:58.0994 1136 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
14:00:58.0998 1136 MegaSR - ok
14:00:59.0135 1136 Microsoft Office Groove Audit Service (7c4c76b39d5525c4a465e0be32528e19) C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe
14:00:59.0153 1136 Microsoft Office Groove Audit Service - ok
14:00:59.0191 1136 MMCSS (146b6f43a673379a3c670e86d89be5ea) C:\Windows\system32\mmcss.dll
14:00:59.0194 1136 MMCSS - ok
14:00:59.0209 1136 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
14:00:59.0211 1136 Modem - ok
14:00:59.0250 1136 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
14:00:59.0252 1136 monitor - ok
14:00:59.0303 1136 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\drivers\mouclass.sys
14:00:59.0304 1136 mouclass - ok
14:00:59.0326 1136 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
14:00:59.0328 1136 mouhid - ok
14:00:59.0366 1136 mountmgr (fc8771f45ecccfd89684e38842539b9b) C:\Windows\system32\drivers\mountmgr.sys
14:00:59.0368 1136 mountmgr - ok
14:00:59.0473 1136 MozillaMaintenance (46297fa8e30a6007f14118fc2b942fbc) C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
14:00:59.0489 1136 MozillaMaintenance - ok
14:00:59.0601 1136 mpio (2d699fb6e89ce0d8da14ecc03b3edfe0) C:\Windows\system32\drivers\mpio.sys
14:00:59.0605 1136 mpio - ok
14:00:59.0637 1136 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
14:00:59.0639 1136 mpsdrv - ok
14:00:59.0736 1136 MpsSvc (9835584e999d25004e1ee8e5f3e3b881) C:\Windows\system32\mpssvc.dll
14:00:59.0754 1136 MpsSvc - ok
14:00:59.0799 1136 MRxDAV (ceb46ab7c01c9f825f8cc6babc18166a) C:\Windows\system32\drivers\mrxdav.sys
14:00:59.0802 1136 MRxDAV - ok
14:00:59.0848 1136 mrxsmb (5d16c921e3671636c0eba3bbaac5fd25) C:\Windows\system32\DRIVERS\mrxsmb.sys
14:00:59.0854 1136 mrxsmb - ok
14:00:59.0885 1136 mrxsmb10 (6d17a4791aca19328c685d256349fefc) C:\Windows\system32\DRIVERS\mrxsmb10.sys
14:00:59.0929 1136 mrxsmb10 - ok
14:01:00.0026 1136 mrxsmb20 (b81f204d146000be76651a50670a5e9e) C:\Windows\system32\DRIVERS\mrxsmb20.sys
14:01:00.0052 1136 mrxsmb20 - ok
14:01:00.0155 1136 msahci (012c5f4e9349e711e11e0f19a8589f0a) C:\Windows\system32\drivers\msahci.sys
14:01:00.0157 1136 msahci - ok
14:01:00.0284 1136 msdsm (55055f8ad8be27a64c831322a780a228) C:\Windows\system32\drivers\msdsm.sys
14:01:00.0288 1136 msdsm - ok
14:01:00.0328 1136 MSDTC (e1bce74a3bd9902b72599c0192a07e27) C:\Windows\System32\msdtc.exe
14:01:00.0342 1136 MSDTC - ok
14:01:00.0403 1136 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
14:01:00.0405 1136 Msfs - ok
14:01:00.0419 1136 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
14:01:00.0421 1136 mshidkmdf - ok
14:01:00.0460 1136 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\drivers\msisadrv.sys
14:01:00.0461 1136 msisadrv - ok
14:01:00.0525 1136 MSiSCSI (90f7d9e6b6f27e1a707d4a297f077828) C:\Windows\system32\iscsiexe.dll
14:01:00.0529 1136 MSiSCSI - ok
14:01:00.0534 1136 msiserver - ok
14:01:00.0581 1136 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
14:01:00.0583 1136 MSKSSRV - ok
14:01:00.0603 1136 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
14:01:00.0605 1136 MSPCLOCK - ok
14:01:00.0626 1136 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
14:01:00.0627 1136 MSPQM - ok
14:01:00.0656 1136 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
14:01:00.0661 1136 MsRPC - ok
14:01:01.0006 1136 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\drivers\mssmbios.sys
14:01:01.0008 1136 mssmbios - ok
14:01:01.0351 1136 MSSQL$SQLEXPRESS - ok
14:01:01.0493 1136 MSSQLServerADHelper100 (8e8e74c953eb0c4f8828d99d6f27fd6f) c:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE
14:01:01.0496 1136 MSSQLServerADHelper100 - ok
14:01:01.0612 1136 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
14:01:01.0614 1136 MSTEE - ok
14:01:01.0631 1136 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
14:01:01.0633 1136 MTConfig - ok
14:01:01.0674 1136 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
14:01:01.0676 1136 Mup - ok
14:01:01.0817 1136 napagent (61d57a5d7c6d9afe10e77dae6e1b445e) C:\Windows\system32\qagentRT.dll
14:01:01.0849 1136 napagent - ok
14:01:01.0939 1136 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
14:01:01.0966 1136 NativeWifiP - ok
14:01:02.0120 1136 NDIS (e7c54812a2aaf43316eb6930c1ffa108) C:\Windows\system32\drivers\ndis.sys
14:01:02.0133 1136 NDIS - ok
14:01:02.0267 1136 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
14:01:02.0269 1136 NdisCap - ok
14:01:02.0380 1136 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
14:01:02.0382 1136 NdisTapi - ok
14:01:02.0466 1136 Ndisuio (d8a65dafb3eb41cbb622745676fcd072) C:\Windows\system32\DRIVERS\ndisuio.sys
14:01:02.0468 1136 Ndisuio - ok
14:01:02.0582 1136 NdisWan (38fbe267e7e6983311179230facb1017) C:\Windows\system32\DRIVERS\ndiswan.sys
14:01:02.0607 1136 NdisWan - ok
14:01:02.0694 1136 NDProxy (a4bdc541e69674fbff1a8ff00be913f2) C:\Windows\system32\drivers\NDProxy.sys
14:01:02.0696 1136 NDProxy - ok
14:01:02.0809 1136 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
14:01:02.0812 1136 NetBIOS - ok
14:01:02.0888 1136 NetBT (280122ddcf04b378edd1ad54d71c1e54) C:\Windows\system32\DRIVERS\netbt.sys
14:01:02.0909 1136 NetBT - ok
14:01:03.0015 1136 Netlogon (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
14:01:03.0018 1136 Netlogon - ok
14:01:03.0103 1136 Netman (7cccfca7510684768da22092d1fa4db2) C:\Windows\System32\netman.dll
14:01:03.0122 1136 Netman - ok
14:01:03.0443 1136 NetMsmqActivator (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
14:01:03.0509 1136 NetMsmqActivator - ok
14:01:03.0513 1136 NetPipeActivator (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
14:01:03.0516 1136 NetPipeActivator - ok
14:01:03.0582 1136 netprofm (8c338238c16777a802d6a9211eb2ba50) C:\Windows\System32\netprofm.dll
14:01:03.0598 1136 netprofm - ok
14:01:03.0603 1136 NetTcpActivator (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
14:01:03.0608 1136 NetTcpActivator - ok
14:01:03.0615 1136 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
14:01:03.0618 1136 NetTcpPortSharing - ok
14:01:03.0708 1136 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
14:01:03.0712 1136 nfrd960 - ok
14:01:03.0833 1136 NlaSvc (912084381d30d8b89ec4e293053f4710) C:\Windows\System32\nlasvc.dll
14:01:03.0864 1136 NlaSvc - ok
14:01:03.0902 1136 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
14:01:03.0903 1136 Npfs - ok
14:01:03.0996 1136 nsi (ba387e955e890c8a88306d9b8d06bf17) C:\Windows\system32\nsisvc.dll
14:01:03.0999 1136 nsi - ok
14:01:04.0032 1136 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
14:01:04.0033 1136 nsiproxy - ok
14:01:04.0161 1136 Ntfs (33c3093d09017cfe2e219f2472bff6eb) C:\Windows\system32\drivers\Ntfs.sys
14:01:04.0186 1136 Ntfs - ok
14:01:04.0231 1136 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
14:01:04.0233 1136 Null - ok
14:01:04.0317 1136 nvraid (af2eec9580c1d32fb7eaf105d9784061) C:\Windows\system32\drivers\nvraid.sys
14:01:04.0320 1136 nvraid - ok
14:01:04.0352 1136 nvstor (9283c58ebaa2618f93482eb5dabcec82) C:\Windows\system32\drivers\nvstor.sys
14:01:04.0380 1136 nvstor - ok
14:01:04.0434 1136 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\drivers\nv_agp.sys
14:01:04.0449 1136 nv_agp - ok
14:01:04.0762 1136 odserv (1f0e05dff4f5a833168e49be1256f002) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
14:01:04.0796 1136 odserv - ok
14:01:04.0837 1136 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\drivers\ohci1394.sys
14:01:04.0840 1136 ohci1394 - ok
14:01:04.0912 1136 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
14:01:04.0922 1136 ose - ok
14:01:04.0981 1136 p2pimsvc (82a8521ddc60710c3d3d3e7325209bec) C:\Windows\system32\pnrpsvc.dll
14:01:05.0000 1136 p2pimsvc - ok
14:01:05.0049 1136 p2psvc (59c3ddd501e39e006dac31bf55150d91) C:\Windows\system32\p2psvc.dll
14:01:05.0065 1136 p2psvc - ok
14:01:05.0107 1136 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
14:01:05.0110 1136 Parport - ok
14:01:05.0155 1136 partmgr (3f34a1b4c5f6475f320c275e63afce9b) C:\Windows\system32\drivers\partmgr.sys
14:01:05.0156 1136 partmgr - ok
14:01:05.0171 1136 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
14:01:05.0173 1136 Parvdm - ok
14:01:05.0200 1136 PcaSvc (358ab7956d3160000726574083dfc8a6) C:\Windows\System32\pcasvc.dll
14:01:05.0214 1136 PcaSvc - ok
14:01:05.0269 1136 pci (673e55c3498eb970088e812ea820aa8f) C:\Windows\system32\drivers\pci.sys
14:01:05.0272 1136 pci - ok
14:01:05.0319 1136 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\drivers\pciide.sys
14:01:05.0321 1136 pciide - ok
14:01:05.0354 1136 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
14:01:05.0357 1136 pcmcia - ok
14:01:05.0373 1136 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
14:01:05.0374 1136 pcw - ok
14:01:05.0433 1136 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
14:01:05.0441 1136 PEAUTH - ok
14:01:05.0553 1136 PeerDistSvc (af4d64d2a57b9772cf3801950b8058a6) C:\Windows\system32\peerdistsvc.dll
14:01:05.0579 1136 PeerDistSvc - ok
14:01:05.0874 1136 pla (414bba67a3ded1d28437eb66aeb8a720) C:\Windows\system32\pla.dll
14:01:05.0920 1136 pla - ok
14:01:06.0149 1136 PlugPlay (ec7bc28d207da09e79b3e9faf8b232ca) C:\Windows\system32\umpnpmgr.dll
14:01:06.0162 1136 PlugPlay - ok
14:01:06.0199 1136 PNRPAutoReg (63ff8572611249931eb16bb8eed6afc8) C:\Windows\system32\pnrpauto.dll
14:01:06.0203 1136 PNRPAutoReg - ok
14:01:06.0238 1136 PNRPsvc (82a8521ddc60710c3d3d3e7325209bec) C:\Windows\system32\pnrpsvc.dll
14:01:06.0243 1136 PNRPsvc - ok
14:01:06.0299 1136 PolicyAgent (53946b69ba0836bd95b03759530c81ec) C:\Windows\System32\ipsecsvc.dll
14:01:06.0315 1136 PolicyAgent - ok
14:01:06.0372 1136 Power (f87d30e72e03d579a5199ccb3831d6ea) C:\Windows\system32\umpo.dll
14:01:06.0388 1136 Power - ok
14:01:06.0499 1136 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
14:01:06.0502 1136 PptpMiniport - ok
14:01:06.0547 1136 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
14:01:06.0550 1136 Processor - ok
14:01:06.0605 1136 ProfSvc (43ca4ccc22d52fb58e8988f0198851d0) C:\Windows\system32\profsvc.dll
14:01:06.0629 1136 ProfSvc - ok
14:01:06.0675 1136 ProtectedStorage (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
14:01:06.0678 1136 ProtectedStorage - ok
14:01:06.0739 1136 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
14:01:06.0755 1136 Psched - ok
14:01:06.0916 1136 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
14:01:06.0951 1136 ql2300 - ok
14:01:07.0151 1136 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
14:01:07.0166 1136 ql40xx - ok
14:01:07.0226 1136 QWAVE (31ac809e7707eb580b2bdb760390765a) C:\Windows\system32\qwave.dll
14:01:07.0246 1136 QWAVE - ok
14:01:07.0259 1136 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
14:01:07.0262 1136 QWAVEdrv - ok
14:01:07.0281 1136 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
14:01:07.0283 1136 RasAcd - ok
14:01:07.0332 1136 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
14:01:07.0334 1136 RasAgileVpn - ok
14:01:07.0354 1136 RasAuto (a60f1839849c0c00739787fd5ec03f13) C:\Windows\System32\rasauto.dll
14:01:07.0360 1136 RasAuto - ok
14:01:07.0385 1136 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
14:01:07.0387 1136 Rasl2tp - ok
14:01:07.0464 1136 RasMan (cb9e04dc05eacf5b9a36ca276d475006) C:\Windows\System32\rasmans.dll
14:01:07.0482 1136 RasMan - ok
14:01:07.0526 1136 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
14:01:07.0529 1136 RasPppoe - ok
14:01:07.0554 1136 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
14:01:07.0557 1136 RasSstp - ok
14:01:07.0619 1136 rdbss (d528bc58a489409ba40334ebf96a311b) C:\Windows\system32\DRIVERS\rdbss.sys
14:01:07.0628 1136 rdbss - ok
14:01:07.0640 1136 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
14:01:07.0642 1136 rdpbus - ok
14:01:07.0679 1136 RDPCDD (23dae03f29d253ae74c44f99e515f9a1) C:\Windows\system32\DRIVERS\RDPCDD.sys
14:01:07.0680 1136 RDPCDD - ok
14:01:07.0735 1136 RDPDR (b973fcfc50dc1434e1970a146f7e3885) C:\Windows\system32\drivers\rdpdr.sys
14:01:07.0751 1136 RDPDR - ok
14:01:07.0769 1136 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
14:01:07.0771 1136 RDPENCDD - ok
14:01:07.0799 1136 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
14:01:07.0800 1136 RDPREFMP - ok
14:01:07.0884 1136 RdpVideoMiniport (68a0387f58e226deee23d9715955572a) C:\Windows\system32\drivers\rdpvideominiport.sys
14:01:07.0887 1136 RdpVideoMiniport - ok
14:01:07.0952 1136 RDPWD (f031683e6d1fea157abb2ff260b51e61) C:\Windows\system32\drivers\RDPWD.sys
14:01:07.0962 1136 RDPWD - ok
14:01:08.0017 1136 rdyboost (518395321dc96fe2c9f0e96ac743b656) C:\Windows\system32\drivers\rdyboost.sys
14:01:08.0022 1136 rdyboost - ok
14:01:08.0069 1136 RemoteAccess (7b5e1419717fac363a31cc302895217a) C:\Windows\System32\mprdim.dll
14:01:08.0073 1136 RemoteAccess - ok
14:01:08.0130 1136 RemoteRegistry (cb9a8683f4ef2bf99e123d79950d7935) C:\Windows\system32\regsvc.dll
14:01:08.0147 1136 RemoteRegistry - ok
14:01:08.0197 1136 RFCOMM (cb928d9e6daf51879dd6ba8d02f01321) C:\Windows\system32\DRIVERS\rfcomm.sys
14:01:08.0213 1136 RFCOMM - ok
14:01:08.0226 1136 RpcEptMapper (78d072f35bc45d9e4e1b61895c152234) C:\Windows\System32\RpcEpMap.dll
14:01:08.0230 1136 RpcEptMapper - ok
14:01:08.0287 1136 RpcLocator (94d36c0e44677dd26981d2bfeef2a29d) C:\Windows\system32\locator.exe
14:01:08.0290 1136 RpcLocator - ok
14:01:08.0367 1136 RpcSs (7660f01d3b38aca1747e397d21d790af) C:\Windows\system32\rpcss.dll
14:01:08.0378 1136 RpcSs - ok
14:01:08.0475 1136 RsFx0150 (a95840a95a9ff74b0009e5d848cddb39) C:\Windows\system32\DRIVERS\RsFx0150.sys
14:01:08.0502 1136 RsFx0150 - ok
14:01:08.0572 1136 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
14:01:08.0575 1136 rspndr - ok
14:01:08.0611 1136 s3cap (7fa7f2e249a5dcbb7970630e15e1f482) C:\Windows\system32\drivers\vms3cap.sys
14:01:08.0613 1136 s3cap - ok
14:01:08.0667 1136 SamSs (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
14:01:08.0670 1136 SamSs - ok
14:01:09.0020 1136 SBAMSvc (d6a90ba549724823af1cf0505c0b7647) C:\Program Files\Sunbelt Software\SBEAgent\SBAMSvc.exe
14:01:09.0082 1136 SBAMSvc - ok
14:01:09.0328 1136 sbapifs (76dddc213e8259b74978733640703ec1) C:\Windows\system32\DRIVERS\sbapifs.sys
14:01:09.0329 1136 sbapifs - ok
14:01:09.0403 1136 sbp2port (05d860da1040f111503ac416ccef2bca) C:\Windows\system32\drivers\sbp2port.sys
14:01:09.0406 1136 sbp2port - ok
14:01:09.0590 1136 SBPIMSvc (533a3c0f65545a5541d66e6ada77bce7) C:\Program Files\Sunbelt Software\SBEAgent\SBPIMSvc.exe
14:01:09.0603 1136 SBPIMSvc - ok
14:01:09.0668 1136 SBRE (0505da5d357f18a5d42fc5dede6bc9a0) C:\Windows\system32\drivers\SBREdrv.sys
14:01:09.0670 1136 SBRE - ok
14:01:09.0737 1136 SbTis (6468e2973e04525decc105947ddd0d34) C:\Windows\system32\drivers\sbtis.sys
14:01:09.0738 1136 SbTis - ok
14:01:09.0812 1136 SCardSvr (8fc518ffe9519c2631d37515a68009c4) C:\Windows\System32\SCardSvr.dll
14:01:09.0829 1136 SCardSvr - ok
14:01:09.0875 1136 scfilter (0693b5ec673e34dc147e195779a4dcf6) C:\Windows\system32\DRIVERS\scfilter.sys
14:01:09.0877 1136 scfilter - ok
14:01:09.0967 1136 Schedule (a04bb13f8a72f8b6e8b4071723e4e336) C:\Windows\system32\schedsvc.dll
14:01:09.0991 1136 Schedule - ok
14:01:10.0039 1136 SCPolicySvc (319c6b309773d063541d01df8ac6f55f) C:\Windows\System32\certprop.dll
14:01:10.0040 1136 SCPolicySvc - ok
14:01:10.0093 1136 sdbus (0328be1c7f1cba23848179f8762e391c) C:\Windows\system32\drivers\sdbus.sys
14:01:10.0096 1136 sdbus - ok
14:01:10.0152 1136 SDRSVC (08236c4bce5edd0a0318a438af28e0f7) C:\Windows\System32\SDRSVC.dll
14:01:10.0167 1136 SDRSVC - ok
14:01:10.0225 1136 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
14:01:10.0226 1136 secdrv - ok
14:01:10.0274 1136 seclogon (a59b3a4442c52060cc7a85293aa3546f) C:\Windows\system32\seclogon.dll
14:01:10.0277 1136 seclogon - ok
14:01:10.0309 1136 SENS (dcb7fcdcc97f87360f75d77425b81737) C:\Windows\system32\sens.dll
14:01:10.0312 1136 SENS - ok
14:01:10.0353 1136 SensrSvc (50087fe1ee447009c9cc2997b90de53f) C:\Windows\system32\sensrsvc.dll
14:01:10.0356 1136 SensrSvc - ok
14:01:10.0381 1136 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
14:01:10.0383 1136 Serenum - ok
14:01:10.0404 1136 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys
14:01:10.0406 1136 Serial - ok
14:01:10.0439 1136 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
14:01:10.0441 1136 sermouse - ok
14:01:10.0509 1136 SessionEnv (4ae380f39a0032eab7dd953030b26d28) C:\Windows\system32\sessenv.dll
14:01:10.0526 1136 SessionEnv - ok
14:01:10.0564 1136 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\drivers\sffdisk.sys
14:01:10.0566 1136 sffdisk - ok
14:01:10.0586 1136 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\drivers\sffp_mmc.sys
14:01:10.0588 1136 sffp_mmc - ok
14:01:10.0625 1136 sffp_sd (6d4ccaedc018f1cf52866bbbaa235982) C:\Windows\system32\drivers\sffp_sd.sys
14:01:10.0627 1136 sffp_sd - ok
14:01:10.0642 1136 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
14:01:10.0644 1136 sfloppy - ok
14:01:10.0720 1136 SharedAccess (d1a079a0de2ea524513b6930c24527a2) C:\Windows\System32\ipnathlp.dll
14:01:10.0736 1136 SharedAccess - ok
14:01:10.0800 1136 ShellHWDetection (414da952a35bf5d50192e28263b40577) C:\Windows\System32\shsvcs.dll
14:01:10.0815 1136 ShellHWDetection - ok
14:01:10.0874 1136 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\drivers\sisagp.sys
14:01:10.0877 1136 sisagp - ok
14:01:10.0912 1136 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys
14:01:10.0915 1136 SiSRaid2 - ok
14:01:10.0935 1136 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys
14:01:10.0938 1136 SiSRaid4 - ok
14:01:11.0053 1136 SkypeUpdate (db0405d9aad62f0762e0876ac142b7e1) C:\Program Files\Skype\Updater\Updater.exe
14:01:11.0067 1136 SkypeUpdate - ok
14:01:11.0095 1136 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
14:01:11.0097 1136 Smb - ok
14:01:11.0187 1136 SNMPTRAP (6a984831644eca1a33ffeae4126f4f37) C:\Windows\System32\snmptrap.exe
14:01:11.0192 1136 SNMPTRAP - ok
14:01:11.0223 1136 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
14:01:11.0225 1136 spldr - ok
14:01:11.0293 1136 Spooler (866a43013535dc8587c258e43579c764) C:\Windows\System32\spoolsv.exe
14:01:11.0327 1136 Spooler - ok
14:01:11.0613 1136 sppsvc (cf87a1de791347e75b98885214ced2b8) C:\Windows\system32\sppsvc.exe
14:01:11.0639 1136 sppsvc - ok
14:01:11.0819 1136 sppuinotify (b0180b20b065d89232a78a40fe56eaa6) C:\Windows\system32\sppuinotify.dll
14:01:11.0825 1136 sppuinotify - ok
14:01:12.0027 1136 SQLAgent$SQLEXPRESS (d39b8dee1566c30858216521998f382f) c:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE
14:01:12.0046 1136 SQLAgent$SQLEXPRESS - ok
14:01:12.0127 1136 SQLBrowser (7d67c07c63796775cc5492bcfeaff125) c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
14:01:12.0141 1136 SQLBrowser - ok
14:01:12.0194 1136 SQLWriter (8e6e5cfa06769a417b03fd6faa29e010) c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
14:01:12.0210 1136 SQLWriter - ok
14:01:12.0314 1136 srv (e4c2764065d66ea1d2d3ebc28fe99c46) C:\Windows\system32\DRIVERS\srv.sys
14:01:12.0325 1136 srv - ok
14:01:12.0371 1136 srv2 (03f0545bd8d4c77fa0ae1ceedfcc71ab) C:\Windows\system32\DRIVERS\srv2.sys
14:01:12.0385 1136 srv2 - ok
14:01:12.0444 1136 srvnet (be6bd660caa6f291ae06a718a4fa8abc) C:\Windows\system32\DRIVERS\srvnet.sys
14:01:12.0459 1136 srvnet - ok
14:01:12.0528 1136 SSDPSRV (d887c9fd02ac9fa880f6e5027a43e118) C:\Windows\System32\ssdpsrv.dll
14:01:12.0550 1136 SSDPSRV - ok
14:01:12.0582 1136 SstpSvc (d318f23be45d5e3a107469eb64815b50) C:\Windows\system32\sstpsvc.dll
14:01:12.0599 1136 SstpSvc - ok
14:01:12.0662 1136 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys
14:01:12.0665 1136 stexstor - ok
14:01:12.0746 1136 StiSvc (e1fb3706030fb4578a0d72c2fc3689e4) C:\Windows\System32\wiaservc.dll
14:01:12.0778 1136 StiSvc - ok
14:01:12.0837 1136 storflt (472af0311073dceceaa8fa18ba2bdf89) C:\Windows\system32\drivers\vmstorfl.sys
14:01:12.0839 1136 storflt - ok
14:01:12.0861 1136 storvsc (dcaffd62259e0bdb433dd67b5bb37619) C:\Windows\system32\drivers\storvsc.sys
14:01:12.0864 1136 storvsc - ok
14:01:12.0903 1136 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\drivers\swenum.sys
14:01:12.0905 1136 swenum - ok
14:01:12.0947 1136 swprv (a28bd92df340e57b024ba433165d34d7) C:\Windows\System32\swprv.dll
14:01:12.0968 1136 swprv - ok
14:01:13.0022 1136 Synth3dVsc - ok
14:01:13.0191 1136 SysMain (36650d618ca34c9d357dfd3d89b2c56f) C:\Windows\system32\sysmain.dll
14:01:13.0222 1136 SysMain - ok
14:01:13.0277 1136 TabletInputService (763fecdc3d30c815fe72dd57936c6cd1) C:\Windows\System32\TabSvc.dll
14:01:13.0295 1136 TabletInputService - ok
14:01:13.0358 1136 TapiSrv (613bf4820361543956909043a265c6ac) C:\Windows\System32\tapisrv.dll
14:01:13.0375 1136 TapiSrv - ok
14:01:13.0427 1136 TBS (b799d9fdb26111737f58288d8dc172d9) C:\Windows\System32\tbssvc.dll
14:01:13.0435 1136 TBS - ok
14:01:13.0642 1136 Tcpip (7fa2e0f8b072bd04b77b421480b6cc22) C:\Windows\system32\drivers\tcpip.sys
14:01:13.0671 1136 Tcpip - ok
14:01:13.0703 1136 TCPIP6 (7fa2e0f8b072bd04b77b421480b6cc22) C:\Windows\system32\DRIVERS\tcpip.sys
14:01:13.0712 1136 TCPIP6 - ok
14:01:13.0762 1136 tcpipreg (cca24162e055c3714ce5a88b100c64ed) C:\Windows\system32\drivers\tcpipreg.sys
14:01:13.0764 1136 tcpipreg - ok
14:01:13.0805 1136 TDPIPE (1cb91b2bd8f6dd367dfc2ef26fd751b2) C:\Windows\system32\drivers\tdpipe.sys
14:01:13.0807 1136 TDPIPE - ok
14:01:13.0821 1136 TDTCP (2c2c5afe7ee4f620d69c23c0617651a8) C:\Windows\system32\drivers\tdtcp.sys
14:01:13.0823 1136 TDTCP - ok
14:01:13.0870 1136 tdx (b459575348c20e8121d6039da063c704) C:\Windows\system32\DRIVERS\tdx.sys
14:01:13.0872 1136 tdx - ok
14:01:13.0911 1136 TermDD (04dbf4b01ea4bf25a9a3e84affac9b20) C:\Windows\system32\drivers\termdd.sys
14:01:13.0912 1136 TermDD - ok
14:01:14.0004 1136 TermService (382c804c92811be57829d8e550a900e2) C:\Windows\System32\termsrv.dll
14:01:14.0122 1136 TermService - ok
14:01:14.0281 1136 Themes (42fb6afd6b79d9fe07381609172e7ca4) C:\Windows\system32\themeservice.dll
14:01:14.0286 1136 Themes - ok
14:01:14.0388 1136 THREADORDER (146b6f43a673379a3c670e86d89be5ea) C:\Windows\system32\mmcss.dll
14:01:14.0391 1136 THREADORDER - ok
14:01:14.0414 1136 TrkWks (4792c0378db99a9bc2ae2de6cfff0c3a) C:\Windows\System32\trkwks.dll
14:01:14.0418 1136 TrkWks - ok
14:01:14.0583 1136 TrustedInstaller (2c49b175aee1d4364b91b531417fe583) C:\Windows\servicing\TrustedInstaller.exe
14:01:14.0605 1136 TrustedInstaller - ok
14:01:14.0799 1136 tssecsrv (254bb140eee3c59d6114c1a86b636877) C:\Windows\system32\DRIVERS\tssecsrv.sys
14:01:14.0802 1136 tssecsrv - ok
14:01:15.0044 1136 TsUsbFlt (fd1d6c73e6333be727cbcc6054247654) C:\Windows\system32\drivers\tsusbflt.sys
14:01:15.0047 1136 TsUsbFlt - ok
14:01:15.0085 1136 tsusbhub - ok
14:01:15.0141 1136 tunnel (b2fa25d9b17a68bb93d58b0556e8c90d) C:\Windows\system32\DRIVERS\tunnel.sys
14:01:15.0144 1136 tunnel - ok
14:01:15.0245 1136 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
14:01:15.0248 1136 uagp35 - ok
14:01:15.0302 1136 udfs (ee43346c7e4b5e63e54f927babbb32ff) C:\Windows\system32\DRIVERS\udfs.sys
14:01:15.0334 1136 udfs - ok
14:01:15.0443 1136 UI0Detect (8344fd4fce927880aa1aa7681d4927e5) C:\Windows\system32\UI0Detect.exe
14:01:15.0452 1136 UI0Detect - ok
14:01:15.0592 1136 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\drivers\uliagpkx.sys
14:01:15.0594 1136 uliagpkx - ok
14:01:15.0678 1136 umbus (d295bed4b898f0fd999fcfa9b32b071b) C:\Windows\system32\drivers\umbus.sys
14:01:15.0680 1136 umbus - ok
14:01:15.0777 1136 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
14:01:15.0780 1136 UmPass - ok
14:01:15.0841 1136 UmRdpService (409994a8eaceee4e328749c0353527a0) C:\Windows\System32\umrdp.dll
14:01:15.0864 1136 UmRdpService - ok
14:01:15.0933 1136 upnphost (833fbb672460efce8011d262175fad33) C:\Windows\System32\upnphost.dll
14:01:15.0976 1136 upnphost - ok
14:01:16.0013 1136 usbccgp (7e72e7d7e0757d59481d530fd2b0bfae) C:\Windows\system32\drivers\usbccgp.sys
14:01:16.0016 1136 usbccgp - ok
14:01:16.0060 1136 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\drivers\usbcir.sys
14:01:16.0063 1136 usbcir - ok
14:01:16.0088 1136 usbehci (cfbce999c057d78979a181c9c60f208e) C:\Windows\system32\drivers\usbehci.sys
14:01:16.0090 1136 usbehci - ok
14:01:16.0183 1136 usbhub (9d22aad9ac6a07c691a1113e5f860868) C:\Windows\system32\drivers\usbhub.sys
14:01:16.0204 1136 usbhub - ok
14:01:16.0229 1136 usbohci (a6fb7957ea7afb1165991e54ce934b74) C:\Windows\system32\drivers\usbohci.sys
14:01:16.0232 1136 usbohci - ok
14:01:16.0273 1136 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
14:01:16.0275 1136 usbprint - ok
14:01:16.0315 1136 USBSTOR (bf63ebfc6979fefb2bc03df7989a0c1a) C:\Windows\system32\DRIVERS\USBSTOR.SYS
14:01:16.0318 1136 USBSTOR - ok
14:01:16.0335 1136 usbuhci (78780c3ebce17405b1ccd07a3a8a7d72) C:\Windows\system32\drivers\usbuhci.sys
14:01:16.0337 1136 usbuhci - ok
14:01:16.0391 1136 UxSms (081e6e1c91aec36758902a9f727cd23c) C:\Windows\System32\uxsms.dll
14:01:16.0395 1136 UxSms - ok
14:01:16.0452 1136 VaultSvc (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
14:01:16.0454 1136 VaultSvc - ok
14:01:16.0508 1136 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\drivers\vdrvroot.sys
14:01:16.0510 1136 vdrvroot - ok
14:01:16.0582 1136 vds (c3cd30495687c2a2f66a65ca6fd89be9) C:\Windows\System32\vds.exe
14:01:16.0614 1136 vds - ok
14:01:16.0980 1136 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
14:01:16.0981 1136 vga - ok
14:01:17.0025 1136 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
14:01:17.0027 1136 VgaSave - ok
14:01:17.0140 1136 VGPU - ok
14:01:17.0297 1136 vhdmp (5461686cca2fda57b024547733ab42e3) C:\Windows\system32\drivers\vhdmp.sys
14:01:17.0344 1136 vhdmp - ok
14:01:17.0455 1136 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\drivers\viaagp.sys
14:01:17.0459 1136 viaagp - ok
14:01:17.0738 1136 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
14:01:17.0741 1136 ViaC7 - ok
14:01:17.0939 1136 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\drivers\viaide.sys
14:01:17.0941 1136 viaide - ok
14:01:18.0370 1136 Virtuoso_VirtuosoInstance - ok
14:01:18.0450 1136 vmbus (c2f2911156fdc7817c52829c86da494e) C:\Windows\system32\drivers\vmbus.sys
14:01:18.0455 1136 vmbus - ok
14:01:18.0552 1136 VMBusHID (d4d77455211e204f370d08f4963063ce) C:\Windows\system32\drivers\VMBusHID.sys
14:01:18.0808 1136 VMBusHID - ok
14:01:18.0935 1136 volmgr (4c63e00f2f4b5f86ab48a58cd990f212) C:\Windows\system32\drivers\volmgr.sys
14:01:18.0937 1136 volmgr - ok
14:01:19.0146 1136 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
14:01:19.0152 1136 volmgrx - ok
14:01:19.0240 1136 volsnap (f497f67932c6fa693d7de2780631cfe7) C:\Windows\system32\drivers\volsnap.sys
14:01:19.0244 1136 volsnap - ok
14:01:19.0644 1136 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
14:01:19.0813 1136 vsmraid - ok
14:01:19.0985 1136 VSS (209a3b1901b83aeb8527ed211cce9e4c) C:\Windows\system32\vssvc.exe
14:01:20.0041 1136 VSS - ok
14:01:20.0079 1136 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\system32\DRIVERS\vwifibus.sys
14:01:20.0081 1136 vwifibus - ok
14:01:20.0111 1136 vwififlt (7090d3436eeb4e7da3373090a23448f7) C:\Windows\system32\DRIVERS\vwififlt.sys
14:01:20.0113 1136 vwififlt - ok
14:01:20.0167 1136 vwifimp (a3f04cbea6c2a10e6cb01f8b47611882) C:\Windows\system32\DRIVERS\vwifimp.sys
14:01:20.0169 1136 vwifimp - ok
14:01:20.0264 1136 W32Time (55187fd710e27d5095d10a472c8baf1c) C:\Windows\system32\w32time.dll
14:01:20.0417 1136 W32Time - ok
14:01:20.0655 1136 W3SVC (57c8c20bfa5bef6bd851ebac67a8ced0) C:\Windows\system32\inetsrv\iisw3adm.dll
14:01:20.0661 1136 W3SVC - ok
14:01:20.0743 1136 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
14:01:20.0745 1136 WacomPen - ok
14:01:21.0313 1136 WANARP (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
14:01:21.0327 1136 WANARP - ok
14:01:21.0332 1136 Wanarpv6 (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
14:01:21.0336 1136 Wanarpv6 - ok
14:01:21.0345 1136 WAS (57c8c20bfa5bef6bd851ebac67a8ced0) C:\Windows\system32\inetsrv\iisw3adm.dll
14:01:21.0350 1136 WAS - ok
14:01:21.0511 1136 WatAdminSvc (353a04c273ec58475d8633e75ccd5604) C:\Windows\system32\Wat\WatAdminSvc.exe
14:01:21.0535 1136 WatAdminSvc - ok
14:01:21.0709 1136 wbengine (691e3285e53dca558e1a84667f13e15a) C:\Windows\system32\wbengine.exe
14:01:21.0729 1136 wbengine - ok
14:01:21.0786 1136 WbioSrvc (9614b5d29dc76ac3c29f6d2d3aa70e67) C:\Windows\System32\wbiosrvc.dll
14:01:21.0802 1136 WbioSrvc - ok
14:01:21.0862 1136 wcncsvc (34eee0dfaadb4f691d6d5308a51315dc) C:\Windows\System32\wcncsvc.dll
14:01:21.0871 1136 wcncsvc - ok
14:01:21.0884 1136 WcsPlugInService (5d930b6357a6d2af4d7653bdabbf352f) C:\Windows\System32\WcsPlugInService.dll
14:01:21.0888 1136 WcsPlugInService - ok
14:01:21.0972 1136 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
14:01:21.0974 1136 Wd - ok
14:01:22.0018 1136 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
14:01:22.0024 1136 Wdf01000 - ok
14:01:22.0046 1136 WdiServiceHost (46ef9dc96265fd0b423db72e7c38c2a5) C:\Windows\system32\wdi.dll
14:01:22.0051 1136 WdiServiceHost - ok
14:01:22.0055 1136 WdiSystemHost (46ef9dc96265fd0b423db72e7c38c2a5) C:\Windows\system32\wdi.dll
14:01:22.0060 1136 WdiSystemHost - ok
14:01:22.0110 1136 WebClient (a9d880f97530d5b8fee278923349929d) C:\Windows\System32\webclnt.dll
14:01:22.0124 1136 WebClient - ok
14:01:22.0147 1136 Wecsvc (760f0afe937a77cff27153206534f275) C:\Windows\system32\wecsvc.dll
14:01:22.0152 1136 Wecsvc - ok
14:01:22.0168 1136 wercplsupport (ac804569bb2364fb6017370258a4091b) C:\Windows\System32\wercplsupport.dll
14:01:22.0172 1136 wercplsupport - ok
14:01:22.0200 1136 WerSvc (08e420d873e4fd85241ee2421b02c4a4) C:\Windows\System32\WerSvc.dll
14:01:22.0205 1136 WerSvc - ok
14:01:22.0230 1136 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
14:01:22.0232 1136 WfpLwf - ok
14:01:22.0248 1136 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
14:01:22.0249 1136 WIMMount - ok
14:01:22.0499 1136 WinDefend (3fae8f94296001c32eab62cd7d82e0fd) C:\Program Files\Windows Defender\mpsvc.dll
14:01:22.0514 1136 WinDefend - ok
14:01:22.0530 1136 WinHttpAutoProxySvc - ok
14:01:22.0626 1136 Winmgmt (f62e510b6ad4c21eb9fe8668ed251826) C:\Windows\system32\wbem\WMIsvc.dll
14:01:22.0674 1136 Winmgmt - ok
14:01:22.0824 1136 WinRM (1b91cd34ea3a90ab6a4ef0550174f4cc) C:\Windows\system32\WsmSvc.dll
14:01:22.0888 1136 WinRM - ok
14:01:23.0023 1136 Wlansvc (16935c98ff639d185086a3529b1f2067) C:\Windows\System32\wlansvc.dll
14:01:23.0039 1136 Wlansvc - ok
14:01:23.0145 1136 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\drivers\wmiacpi.sys
14:01:23.0146 1136 WmiAcpi - ok
14:01:23.0265 1136 wmiApSrv (6eb6b66517b048d87dc1856ddf1f4c3f) C:\Windows\system32\wbem\WmiApSrv.exe
14:01:23.0281 1136 wmiApSrv - ok
14:01:23.0477 1136 WMPNetworkSvc (3b40d3a61aa8c21b88ae57c58ab3122e) C:\Program Files\Windows Media Player\wmpnetwk.exe
14:01:23.0486 1136 WMPNetworkSvc - ok
14:01:23.0601 1136 WMSVC (768eb4cf354b061dfd38c5569abf4c59) C:\Windows\system32\inetsrv\wmsvc.exe
14:01:23.0603 1136 WMSVC - ok
14:01:23.0645 1136 WPCSvc (a2f0ec770a92f2b3f9de6d518e11409c) C:\Windows\System32\wpcsvc.dll
14:01:23.0649 1136 WPCSvc - ok
14:01:23.0704 1136 WPDBusEnum (aa53356d60af47eacc85bc617a4f3f66) C:\Windows\system32\wpdbusenum.dll
14:01:23.0709 1136 WPDBusEnum - ok
14:01:23.0785 1136 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
14:01:23.0791 1136 ws2ifsl - ok
14:01:23.0827 1136 wscsvc (6f5d49efe0e7164e03ae773a3fe25340) C:\Windows\system32\wscsvc.dll
14:01:23.0832 1136 wscsvc - ok
14:01:23.0897 1136 WSDPrintDevice (553f6ccd7c58eb98d4a8fbdaf283d7a9) C:\Windows\system32\DRIVERS\WSDPrint.sys
14:01:23.0899 1136 WSDPrintDevice - ok
14:01:23.0905 1136 WSearch - ok
14:01:24.0138 1136 wuauserv (fc3ec24fce372c89423e015a2ac1a31e) C:\Windows\system32\wuaueng.dll
14:01:24.0176 1136 wuauserv - ok
14:01:24.0609 1136 WudfPf (e714a1c0354636837e20ccbf00888ee7) C:\Windows\system32\drivers\WudfPf.sys
14:01:24.0650 1136 WudfPf - ok
14:01:24.0731 1136 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\Windows\system32\DRIVERS\WUDFRd.sys
14:01:24.0759 1136 WUDFRd - ok
14:01:24.0947 1136 wudfsvc (8d1e1e529a2c9e9b6a85b55a345f7629) C:\Windows\System32\WUDFSvc.dll
14:01:24.0966 1136 wudfsvc - ok
14:01:25.0076 1136 WwanSvc (ff2d745b560f7c71b31f30f4d49f73d2) C:\Windows\System32\wwansvc.dll
14:01:25.0122 1136 WwanSvc - ok
14:01:25.0207 1136 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
14:01:25.0796 1136 \Device\Harddisk0\DR0 - ok
14:01:25.0818 1136 Boot (0x1200) (871f9c39cc6d3acdcff31c8a54aaa7cf) \Device\Harddisk0\DR0\Partition0
14:01:25.0820 1136 \Device\Harddisk0\DR0\Partition0 - ok
14:01:25.0877 1136 Boot (0x1200) (0547d50d2061d23313366ed9081987e6) \Device\Harddisk0\DR0\Partition1
14:01:25.0879 1136 \Device\Harddisk0\DR0\Partition1 - ok
14:01:26.0325 1136 Boot (0x1200) (69112a846c83dfa3056d1b01d1484f4a) \Device\Harddisk0\DR0\Partition2
14:01:26.0329 1136 \Device\Harddisk0\DR0\Partition2 - ok
14:01:26.0333 1136 ============================================================
14:01:26.0333 1136 Scan finished
14:01:26.0333 1136 ============================================================
14:01:26.0357 0672 Detected object count: 0
14:01:26.0357 0672 Actual detected object count: 0

-------------------------------------------

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-26 14:03:13
-----------------------------
14:03:13.137 OS Version: Windows 6.1.7601 Service Pack 1
14:03:13.137 Number of processors: 2 586 0xF0D
14:03:13.139 ComputerName: CROW UserName:
14:03:28.397 Initialize success
14:03:35.841 AVAST engine defs: 12072602
14:04:07.606 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
14:04:07.613 Disk 0 Vendor: WDC_WD2500BEVT-75ZCT2 11.01A11 Size: 238475MB BusType: 11
14:04:07.632 Disk 0 MBR read successfully
14:04:07.639 Disk 0 MBR scan
14:04:07.652 Disk 0 Windows 7 default MBR code
14:04:07.662 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 86 MB offset 63
14:04:07.686 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 750 MB offset 178176
14:04:07.701 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 187637 MB offset 1714176
14:04:07.709 Disk 0 Partition - 00 0F Extended LBA 50000 MB offset 385994752
14:04:07.870 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 49999 MB offset 385996800
14:04:07.911 Disk 0 scanning sectors +488394752
14:04:08.530 Disk 0 scanning C:\Windows\system32\drivers
14:04:40.580 Service scanning
14:05:13.324 Modules scanning
14:05:36.273 Disk 0 trace - called modules:
14:05:36.302 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS halmacpi.dll PCIIDEX.SYS msahci.sys dxgkrnl.sys igdkmd32.sys dxgmms1.sys ndis.sys bcmwl6.sys vwififlt.sys nwifi.sys
14:05:36.310 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85d63030]
14:05:36.317 3 CLASSPNP.SYS[8afdd59e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x8587c030]
14:05:37.678 AVAST engine scan C:\Windows
14:05:40.636 AVAST engine scan C:\Windows\system32
14:09:39.000 AVAST engine scan C:\Windows\system32\drivers
14:09:54.011 AVAST engine scan C:\Users\jeshleman.IO-INFORMATICS
14:55:38.166 AVAST engine scan C:\ProgramData
15:01:02.128 Scan finished successfully
15:03:40.124 Disk 0 MBR has been saved successfully to "C:\Users\jeshleman.IO-INFORMATICS\Desktop\MBR.dat"
15:03:40.135 The log file has been saved successfully to "C:\Users\jeshleman.IO-INFORMATICS\Desktop\aswMBR.txt"

#14 gringo_pr (Malware Response Team)

Posted 26 July 2012 - 05:12 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"Information and logs"

In your next post I need the following:

  • report from ComboFix
  • let me know of any problems you may have had
  • how is the computer doing now after running the script?

Gringo


#15 jason1213 (Topic Starter)

Posted 27 July 2012 - 04:28 PM

Everything seems to be running fine, though it erased my host file settings. I realize that host files can be exploited, but I cannot find the original and now need to recreate it for my company network addresses.

Here's the ComboFix log:

ComboFix 12-07-27.03 - jeshleman 07/27/2012 14:08:21.3.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.3027.1946 [GMT -7:00]
Running from: c:\users\jeshleman.IO-INFORMATICS\Desktop\ComboFix.exe
Command switches used :: c:\users\jeshleman.IO-INFORMATICS\Desktop\CFScript.txt
AV: Sunbelt VIPRE *Disabled/Updated* {BE5DD172-7F42-7948-1A60-E6A720288F81}
SP: Sunbelt VIPRE *Disabled/Updated* {053C3096-5978-76C6-20D0-DDD55BAFC53C}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\rdf
c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Microsoft\Windows\Temporary Internet Files\rdf.xml
.
.
((((((((((((((((((((((((( Files Created from 2012-06-27 to 2012-07-27 )))))))))))))))))))))))))))))))
.
.
2012-07-27 21:15 . 2012-07-27 21:15 -------- d-----w- c:\users\jeshleman\AppData\Local\temp
2012-07-27 21:15 . 2012-07-27 21:15 -------- d-----w- c:\users\DefaultAppPool\AppData\Local\temp
2012-07-27 21:15 . 2012-07-27 21:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-27 21:15 . 2012-07-27 21:15 -------- d-----w- c:\users\Classic .NET AppPool\AppData\Local\temp
2012-07-27 21:15 . 2012-07-27 21:15 -------- d-----w- c:\users\2adminio\AppData\Local\temp
2012-07-14 17:57 . 2012-07-14 17:57 -------- d-----w- C:\FRST
2012-07-14 17:27 . 2012-07-14 17:35 -------- d-----w- c:\programdata\RegRun
2012-07-14 17:27 . 2012-07-16 15:53 -------- d-----w- c:\program files\UnHackMe
2012-07-13 17:05 . 2012-07-16 15:53 -------- d-----w- c:\users\jeshleman.IO-INFORMATICS\AppData\Local\ATT Connect
2012-07-13 17:05 . 2012-07-13 17:05 -------- d-----w- c:\users\jeshleman.IO-INFORMATICS\AppData\Roaming\ATT Connect
2012-07-13 17:04 . 2012-07-13 17:04 -------- d-----w- c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Downloaded Installations
2012-07-13 15:32 . 2012-07-13 15:32 97961 ----a-w- c:\windows\system32\drivers\klick.dat
2012-07-13 15:32 . 2012-07-13 15:32 115369 ----a-w- c:\windows\system32\drivers\klin.dat
2012-07-13 15:21 . 2012-07-13 16:29 -------- d-----w- c:\programdata\PLAV
2012-07-13 15:21 . 2012-07-13 15:21 -------- d-----w- c:\programdata\ParetoLogic Anti-Virus PLUS
2012-07-10 21:38 . 2012-07-10 21:38 -------- d-----w- c:\program files\TDSSKiller
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-27 17:25 . 2012-06-27 17:25 140832 ----a-w- c:\windows\system32\drivers\str.sys
2012-06-02 22:19 . 2012-06-25 00:29 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 22:19 . 2012-06-25 00:30 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-25 00:30 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-25 00:30 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-25 00:30 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-25 00:30 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-25 00:30 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-25 00:29 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 22:12 . 2012-06-25 00:30 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-05-17 22:45 . 2012-06-25 00:54 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-05-17 22:35 . 2012-06-25 00:54 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-05-17 22:35 . 2012-06-25 00:54 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-05-17 22:29 . 2012-06-25 00:54 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-05-17 22:24 . 2012-06-25 00:54 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-05-15 01:05 . 2012-06-25 00:38 2343936 ----a-w- c:\windows\system32\win32k.sys
2012-07-19 14:42 . 2012-01-03 16:44 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 18:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 18:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 18:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 18:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 18:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 18:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 18:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 18:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2011-06-13 18:20 64792 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\880\g2mstart.exe" [2012-01-25 39816]
"Workrave"="c:\program files\Workrave\lib\workrave.exe" [2011-03-25 3871246]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-02-29 17148552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-09-30 252296]
"SBAMTray"="c:\program files\Sunbelt Software\SBEAgent\SBAMTray.exe" [2011-06-23 1336656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-527237240-1897051121-725345543-1710\Scripts\Logon\0\0]
"Script"=logon.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBPIMSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware]
2012-04-04 22:56 462408 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R2 Virtuoso_VirtuosoInstance;OpenLink Virtuoso Server [VirtuosoInstance];c:\virtuoso-opensource\bin\virtuoso-t.exe [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 CFcatchme;CFcatchme;c:\users\JESHLE~1.IO-\AppData\Local\Temp\CFcatchme.sys [x]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 WMSVC;Web Management Service;c:\windows\system32\inetsrv\wmsvc.exe [x]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [x]
R4 RsFx0150;RsFx0150 Driver;c:\windows\system32\DRIVERS\RsFx0150.sys [x]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [x]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
S1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 HFGService;Handsfree Headset Service;c:\windows\system32\svchost.exe [x]
S2 SBAMSvc;VIPRE Enterprise Agent;c:\program files\Sunbelt Software\SBEAgent\SBAMSvc.exe [x]
S2 sbapifs;sbapifs;c:\windows\system32\DRIVERS\sbapifs.sys [x]
S2 SBPIMSvc;SB Recovery Service;c:\program files\Sunbelt Software\SBEAgent\SBPIMSvc.exe [x]
S3 BthAudioHF;BthAudioHF Service;c:\windows\system32\DRIVERS\BthAudioHF.sys [x]
S3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\DRIVERS\BthAvrcp.sys [x]
S3 csr_a2dp;Bluetooth AV Profile;c:\windows\system32\drivers\bthav.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthaudiosvc REG_MULTI_SZ HFGService
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-27 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-29 18:08]
.
2012-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1897051121-725345543-1710Core1cd6106ad9570e1.job
- c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-03 20:37]
.
2012-07-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-527237240-1897051121-725345543-1710UA.job
- c:\users\jeshleman.IO-INFORMATICS\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-03 20:37]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://blekkosearch.mystart.com/blekkotb_soc/?source=64bd786b&toolbarid=blekkotb_soc&u=34369BE6554FA493DFFDF24FE7BD8727&tbp=homepage&v=2_0
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.200.2.4 10.200.2.5
FF - ProfilePath - c:\users\jeshleman.IO-INFORMATICS\AppData\Roaming\Mozilla\Firefox\Profiles\hmmrubyk.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
c:\windows\system32\msiexec.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
.
**************************************************************************
.
Completion time: 2012-07-27 14:24:18 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-27 21:24
ComboFix2.txt 2012-07-26 19:42
.
Pre-Run: 66,232,012,800 bytes free
Post-Run: 66,190,073,856 bytes free
.
- - End Of File - - 7D1B2B9D6EE17870D3212F6BD629F1A9