
Infected with ZAccInf-A; "Live Security Platinum"


16 replies to this topic

#1 Rootcat

  • Members
  • 15 posts
  • Gender:Male
  • Local time:09:14 PM

Posted 21 July 2012 - 08:25 PM

xxx Before I begin describing my problem, I am currently using Windows 7 (64 bit) on a Bootcamp partition of my MacBook Pro, so if you see something about an :E partition in these logs I'm about to post, that's my Mac side. In addition, my windows partition is currently running low on space (only ~9GB of free space remain)--I don't know if that matters, but I just wanted to mention it.

Earlier today a website which I have previously had no problems with asked to run a Java applet. I obliged and immediately found my Sophos antivirus giving me constant notifications that "suspicious behavior" had been detected and that it was moving stuff to quarantine. I immediately started looking online for a fix, but before I could get very far I found myself locked out of my computer, unable to open any programs besides Internet Explorer (I would get an error message saying the program was infected) and even then unable to access any webpages (redirecting to a page that said the page I was attempting to access was dangerous). I had apparently lost all privileges as a user--in fact, I couldn't even access my Sophos antivirus controls (they were greyed out as if I did not have permission to use them).

A few seconds later I found myself beset by messages telling me to purchase Live Security Platinum for some price per month to uninstall all the malware that had infected my computer (of course I recognized that the Live Security Platinum stuff was in fact malware itself).

Using another computer, I followed this guide word-for-word (http://malwaretips.com/blogs/uninstall-live-security-platinum/), running my computer in Safe Mode and downloading and running MBAM. After restarting my computer, I found that my computer was functioning normally again, which is to say I had regained full control of it, but additional scans with Hitman Pro (trial version) and Sophos revealed that the threat (identified as a trojan, Sophos calls it ZAccInf-A, Hitman calls it Sirefef.A) was still present. They both point to two files: C:\Windows\assembly\GAC_32\Desktop.ini and C:\Windows\system32\services.exe, and neither antivirus program is able to "clean up" or "restore" the infected files (they merely provide a message that says "Delete failed" or "Cleanup failed").

Even now as I type this, every few minutes or so, I get a notification from Sophos saying "W32/ZAccInf-A has been detected and moved to quarantine," but obviously the quarantine move keeps failing as these notifications aren't stopping. It makes me pretty nervous.

Please help. Thanks very much in advance. The DDS logs are posted and attached, I didn't do a GMER log per the preparation instructions because I am using a 64 bit machine.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514
Run by xxx at 19:47:27 on 2012-07-21
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4007.2343 [GMT -5:00]
.
AV: Sophos Anti-Virus *Enabled/Updated* {479CCF92-4960-B3E0-7373-BF453B467D2C}
SP: Sophos Anti-Virus *Enabled/Updated* {FCFD2E76-6F5A-BC6E-49C3-843740C13791}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Boot Camp\Bootcamp.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\system32\AppleOSSMgr.exe
C:\Windows\system32\AppleTimeSrv.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Sophos\AutoUpdate\ALMon.exe
C:\Program Files (x86)\Common Files\Steam\SteamService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Real\RealPlayer\Update\realsched.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe
C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uSearch Bar =
mWinlogon: Userinit=userinit.exe,
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SophosBHO.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll"
uRun: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
uRun: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
uRun: [Xvid] C:\Program Files (x86)\Xvid\CheckUpdate.exe
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [Google Update] "C:\Users\xxx\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [Sophos AutoUpdate Monitor] C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
LSP: mswsock.dll
Trusted Zone: freetoolsassociation.com\activegs
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444552440000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{065C0EF0-D506-488F-B219-3592324798D1} : DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{065C0EF0-D506-488F-B219-3592324798D1}\8686F6E6F62737F5847494 : DhcpNameServer = 192.168.7.1 64.134.255.2 64.134.255.10
TCP: Interfaces\{065C0EF0-D506-488F-B219-3592324798D1}\A4847457563747E65647 : DhcpNameServer = 128.220.1.75 162.129.253.134
TCP: Interfaces\{065C0EF0-D506-488F-B219-3592324798D1}\D45627C61657 : DhcpNameServer = 68.87.72.134 68.87.77.134
TCP: Interfaces\{065C0EF0-D506-488F-B219-3592324798D1}\D45627C616570234163716 : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{CFA1E157-47BB-428F-96EA-F0AB89B3171B} : DhcpNameServer = 10.1.1.2 10.1.1.3
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
AppInit_DLLs: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL
mASetup: {2D46B6DC-2207-486B-B523-A557E6D54B47} - C:\Windows\system32\cmd.exe /D /C start C:\Windows\system32\ie4uinit.exe -ClearIconCache
BHO-X64: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO-X64: Sophos Web Content Scanner: {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SophosBHO.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BingExt.dll"
mRun-x64: [Sophos AutoUpdate Monitor] C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot
AppInit_DLLs-X64: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\5xl6kmhd.default\
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Users\xxx\AppData\Local\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AppleHFS;AppleHFS;C:\Windows\system32\drivers\AppleHFS.sys --> C:\Windows\system32\drivers\AppleHFS.sys [?]
R0 AppleMNT;AppleMNT;C:\Windows\system32\drivers\AppleMNT.sys --> C:\Windows\system32\drivers\AppleMNT.sys [?]
R1 SAVOnAccess;SAVOnAccess;C:\Windows\system32\DRIVERS\savonaccess.sys --> C:\Windows\system32\DRIVERS\savonaccess.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 AppleOSSMgr;Apple OS Switch Manager;C:\Windows\system32\AppleOSSMgr.exe --> C:\Windows\system32\AppleOSSMgr.exe [?]
R2 AppleTimeSrv;Apple Time Service;C:\Windows\system32\AppleTimeSrv.exe --> C:\Windows\system32\AppleTimeSrv.exe [?]
R2 KeyAgent;KeyAgent;\??\C:\Windows\system32\drivers\KeyAgent.sys --> C:\Windows\system32\drivers\KeyAgent.sys [?]
R2 MacHALDriver;Mac HAL;\??\C:\Windows\system32\drivers\MacHALDriver.sys --> C:\Windows\system32\drivers\MacHALDriver.sys [?]
R2 SAVAdminService;Sophos Anti-Virus status reporter;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2011-4-26 163056]
R2 SAVService;Sophos Anti-Virus;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [2011-4-26 97520]
R2 Sophos Agent;Sophos Agent;C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe [2011-4-26 282624]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe [2012-5-13 232472]
R2 Sophos Message Router;Sophos Message Router;C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe [2011-4-26 806912]
R2 swi_service;Sophos Web Intelligence Service;C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2012-3-8 1543704]
R2 UNS;Intel® Management and Security Application User Notification Service;C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-4-24 2655768]
R3 acpials;ALS Sensor Filter;C:\Windows\system32\DRIVERS\acpials.sys --> C:\Windows\system32\DRIVERS\acpials.sys [?]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 AppleBtBc;Apple Broadcom Built-in Bluetooth;C:\Windows\system32\DRIVERS\AppleBtBc.sys --> C:\Windows\system32\DRIVERS\AppleBtBc.sys [?]
R3 applemtm;Apple Multitouch Mouse;C:\Windows\system32\DRIVERS\applemtm.sys --> C:\Windows\system32\DRIVERS\applemtm.sys [?]
R3 applemtp;Apple Multitouch;C:\Windows\system32\DRIVERS\applemtp.sys --> C:\Windows\system32\DRIVERS\applemtp.sys [?]
R3 BBUpdate;BBUpdate;C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.EXE [2012-2-10 240408]
R3 bScsiSDa;bScsiSDa;C:\Windows\system32\DRIVERS\bScsiSDa.sys --> C:\Windows\system32\DRIVERS\bScsiSDa.sys [?]
R3 CirrusFilter;CS420xLowerFilter;C:\Windows\system32\DRIVERS\CS420x64.sys --> C:\Windows\system32\DRIVERS\CS420x64.sys [?]
R3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);C:\Windows\system32\DRIVERS\vrtaucbl.sys --> C:\Windows\system32\DRIVERS\vrtaucbl.sys [?]
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\Windows\system32\DRIVERS\IRFilter.sys --> C:\Windows\system32\DRIVERS\IRFilter.sys [?]
R3 KeyMagic;USB Keyboard HID Filter;C:\Windows\system32\DRIVERS\KeyMagic.sys --> C:\Windows\system32\DRIVERS\KeyMagic.sys [?]
R3 MEIx64;Intel® Management Engine Interface;C:\Windows\system32\DRIVERS\HECIx64.sys --> C:\Windows\system32\DRIVERS\HECIx64.sys [?]
R3 ScreamBAudioSvc;ScreamBee Audio;C:\Windows\system32\drivers\ScreamingBAudio64.sys --> C:\Windows\system32\drivers\ScreamingBAudio64.sys [?]
S2 BBSvc;BingBar Service;C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.EXE [2012-2-10 193816]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-7-2 113120]
S3 sdcfilter;sdcfilter;C:\Windows\system32\DRIVERS\sdcfilter.sys --> C:\Windows\system32\DRIVERS\sdcfilter.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 SophosBootDriver;SophosBootDriver;C:\Windows\system32\DRIVERS\SophosBootDriver.sys --> C:\Windows\system32\DRIVERS\SophosBootDriver.sys [?]
.
=============== Created Last 30 ================
.
2012-07-22 00:09:57 -------- d-----w- C:\Program Files\HitmanPro
2012-07-22 00:09:07 -------- d-----w- C:\ProgramData\HitmanPro
2012-07-21 21:14:04 -------- d-----w- C:\Users\xxx\AppData\Roaming\Malwarebytes
2012-07-21 21:13:30 -------- d-----w- C:\ProgramData\Malwarebytes
2012-07-21 21:13:29 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-07-21 21:13:29 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-07-21 20:44:37 -------- d-----w- C:\ProgramData\225932FD1A797471813CA379F875F002
2012-07-21 17:59:46 -------- d-----w- C:\Users\xxx\AppData\Local\{E4ED0285-A339-41F2-B07B-DA4708569B9C}
2012-07-21 17:59:34 -------- d-----w- C:\Users\xxx\AppData\Local\{D8D533A3-3CC9-49FA-88EB-1223C9D894C3}
2012-07-21 05:59:07 -------- d-----w- C:\Users\xxx\AppData\Local\{61E253A7-519D-48D4-8146-78A84AC4E1DE}
2012-07-21 05:58:55 -------- d-----w- C:\Users\xxx\AppData\Local\{A71244C2-E3C9-4236-B519-2E94ADEFC984}
2012-07-20 21:44:10 -------- d-----w- C:\Users\xxx\AppData\Roaming\foobar2000
2012-07-20 21:43:54 -------- d-----w- C:\Program Files (x86)\foobar2000
2012-07-20 21:42:21 66728 ----a-w- C:\Windows\System32\drivers\vrtaucbl.sys
2012-07-20 21:42:21 -------- d-----w- C:\Program Files\Virtual Audio Cable
2012-07-20 17:58:26 -------- d-----w- C:\Users\xxx\AppData\Local\{2F9BBF2F-7E40-40A5-9926-874256DF4983}
2012-07-20 17:58:13 -------- d-----w- C:\Users\xxx\AppData\Local\{9A295D5A-3588-4E33-8336-A1076100685E}
2012-07-20 16:26:44 9133488 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{89BDDC2A-C551-4EF9-B1A2-1C940F5FF59F}\mpengine.dll
2012-07-20 05:57:57 -------- d-----w- C:\Users\xxx\AppData\Local\{6431DB9B-F2BC-466A-AD53-F4D2645C9119}
2012-07-20 05:57:46 -------- d-----w- C:\Users\xxx\AppData\Local\{C13FB841-DE7D-4A8D-98D1-9AC906518DF2}
2012-07-19 17:57:29 -------- d-----w- C:\Users\xxx\AppData\Local\{A3B95644-2A64-4926-A324-7E43BA29D6B4}
2012-07-19 17:57:15 -------- d-----w- C:\Users\xxx\AppData\Local\{E69B228C-4B2C-487A-9B85-0A7032EFBD20}
2012-07-19 05:28:35 -------- d-----w- C:\Users\xxx\AppData\Local\{3D30E2DB-2383-4867-816B-075A49EFA99D}
2012-07-19 05:28:23 -------- d-----w- C:\Users\xxx\AppData\Local\{A2C1CF13-D674-4ADA-804B-DF1145D7FE4C}
2012-07-18 17:28:09 -------- d-----w- C:\Users\xxx\AppData\Local\{12E9A36E-C93E-4125-A158-66CAB6F7463C}
2012-07-18 17:27:55 -------- d-----w- C:\Users\xxx\AppData\Local\{A8325438-27E7-4C66-B50D-5CAC27D9D512}
2012-07-18 05:13:14 -------- d-----w- C:\Users\xxx\AppData\Local\{A0BA40C1-32B8-4A0A-9465-1CA2D191076D}
2012-07-18 05:12:52 -------- d-----w- C:\Users\xxx\AppData\Local\{B3D3D990-8768-4B35-B25B-EDDBF49C5993}
2012-07-17 17:12:38 -------- d-----w- C:\Users\xxx\AppData\Local\{BF4171B8-CE74-40EE-BE28-EB00D3BD0C90}
2012-07-17 17:12:17 -------- d-----w- C:\Users\xxx\AppData\Local\{2F9B81DD-BF36-4D05-B3AE-0B9552F94EC9}
2012-07-17 05:12:02 -------- d-----w- C:\Users\xxx\AppData\Local\{5F3E4A69-CFF9-434D-BBCE-1CB910AFF645}
2012-07-17 05:11:39 -------- d-----w- C:\Users\xxx\AppData\Local\{D48D8071-C000-41B7-B76A-C8BC61B34FC6}
2012-07-16 17:11:26 -------- d-----w- C:\Users\xxx\AppData\Local\{67269A29-508B-42DF-B3E4-CC238B7354BD}
2012-07-16 17:11:12 -------- d-----w- C:\Users\xxx\AppData\Local\{3107A8A4-32D7-46B4-B2EB-C4AA9C4FA45B}
2012-07-16 04:52:37 -------- d-----w- C:\Users\xxx\AppData\Local\{A6BD928D-21F6-4D6C-B132-D511E9AF811D}
2012-07-16 04:52:25 -------- d-----w- C:\Users\xxx\AppData\Local\{B7CF00B7-143D-49FC-B492-31E4EAC6579D}
2012-07-15 16:52:10 -------- d-----w- C:\Users\xxx\AppData\Local\{66700CA9-50FC-476A-8BDA-19DE6B932DFB}
2012-07-15 04:51:43 -------- d-----w- C:\Users\xxx\AppData\Local\{3627EF06-B868-4FF2-BEBA-3350193902CD}
2012-07-15 04:51:32 -------- d-----w- C:\Users\xxx\AppData\Local\{EC1C2954-035A-4EFB-A208-7828E5025FA4}
2012-07-14 16:50:44 -------- d-----w- C:\Users\xxx\AppData\Local\{8F69290F-BD5F-4FE8-B884-8C72F9B9D0E3}
2012-07-13 22:43:37 -------- d-----w- C:\Users\xxx\AppData\Local\{8DB5F643-E575-4622-8CF2-6CBA44BB6FC9}
2012-07-13 22:43:15 -------- d-----w- C:\Users\xxx\AppData\Local\{3651CE10-F084-4DC6-918B-CA156C65DBD5}
2012-07-13 14:21:24 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-07-12 18:12:19 -------- d-----w- C:\Users\xxx\AppData\Local\{BE64965F-10F9-4AA7-A41B-2D878945B695}
2012-07-12 18:11:57 -------- d-----w- C:\Users\xxx\AppData\Local\{5F7C3ED6-8859-459C-93F5-5025AFE99379}
2012-07-12 06:11:43 -------- d-----w- C:\Users\xxx\AppData\Local\{9D3DF1E5-E842-4A59-A8E1-D43B877EFD2F}
2012-07-12 06:11:22 -------- d-----w- C:\Users\xxx\AppData\Local\{205B18C9-AF37-4029-8D38-FF4362817148}
2012-07-11 18:22:48 2048 ----a-w- C:\Windows\SysWow64\msxml3r.dll
2012-07-11 18:22:48 2048 ----a-w- C:\Windows\System32\msxml3r.dll
2012-07-11 18:22:48 2004480 ----a-w- C:\Windows\System32\msxml6.dll
2012-07-11 18:22:48 1881600 ----a-w- C:\Windows\System32\msxml3.dll
2012-07-11 18:22:48 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-07-11 18:22:48 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-07-11 18:19:33 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2012-07-11 18:19:33 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-07-11 18:19:33 458704 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-07-11 18:19:33 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-07-11 18:19:33 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-07-11 18:19:33 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-07-11 18:19:33 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-07-11 18:19:33 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-07-11 18:19:33 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-07-11 18:11:07 -------- d-----w- C:\Users\xxx\AppData\Local\{2D7E57B9-9257-42A6-AC8E-1F63A23A63E1}
2012-07-11 18:10:45 -------- d-----w- C:\Users\xxx\AppData\Local\{5ABEB317-DCA6-498A-B6E9-068C09698CC5}
2012-07-11 04:22:26 -------- d-----w- C:\Users\xxx\AppData\Local\{013F4BDE-86E5-4AF8-B171-7E72779F2549}
2012-07-11 04:22:04 -------- d-----w- C:\Users\xxx\AppData\Local\{14738685-C2F0-4D26-B41B-5CE7FE1427E4}
2012-07-10 16:21:37 -------- d-----w- C:\Users\xxx\AppData\Local\{F221DCF2-DA64-48FA-A8EA-48CD75C0E038}
2012-07-10 16:21:16 -------- d-----w- C:\Users\xxx\AppData\Local\{16539C37-339D-4FA2-A1F8-292A00E9BF59}
2012-07-10 14:34:16 -------- d-----w- C:\Program Files\Microsoft IntelliPoint
2012-07-10 04:20:49 -------- d-----w- C:\Users\xxx\AppData\Local\{4ACC5476-E73C-41A0-946F-04782B28338A}
2012-07-10 04:20:28 -------- d-----w- C:\Users\xxx\AppData\Local\{F6B1EF2C-FF57-4EB3-83CC-E753DE79E571}
2012-07-09 16:20:01 -------- d-----w- C:\Users\xxx\AppData\Local\{62AC3818-12D8-4E94-9B34-F0C0BA24A45C}
2012-07-09 16:19:37 -------- d-----w- C:\Users\xxx\AppData\Local\{C3773540-6088-4477-A2DC-CE757673FA28}
2012-07-09 04:19:23 -------- d-----w- C:\Users\xxx\AppData\Local\{A640DA97-E2FD-46C9-941B-148946FC037F}
2012-07-09 04:19:00 -------- d-----w- C:\Users\xxx\AppData\Local\{6C8CD909-AED1-4D85-BC58-C2111BE7EF6E}
2012-07-08 16:18:44 -------- d-----w- C:\Users\xxx\AppData\Local\{D9F7D074-3A27-4F2B-8BAF-9C39E80B9D96}
2012-07-08 16:18:31 -------- d-----w- C:\Users\xxx\AppData\Local\{8602CC92-45F9-482E-8E95-C5A0C34C0ED3}
2012-07-08 02:05:26 -------- d-----w- C:\Users\xxx\AppData\Local\{5ED8198E-674E-4728-9E1F-75DB6B4D89AE}
2012-07-08 02:05:04 -------- d-----w- C:\Users\xxx\AppData\Local\{BAF562E8-48C7-4F28-A46E-729FADF91205}
2012-07-07 14:04:51 -------- d-----w- C:\Users\xxx\AppData\Local\{9332F7A3-A5F8-4898-B9E4-19EA5CE8E3FA}
2012-07-07 14:04:30 -------- d-----w- C:\Users\xxx\AppData\Local\{9C9B8535-FE8E-48BD-99DA-58F11E99CD02}
2012-07-07 02:04:16 -------- d-----w- C:\Users\xxx\AppData\Local\{E7B8E7B8-C011-4BBB-8EEB-5F92D09924AA}
2012-07-07 02:03:54 -------- d-----w- C:\Users\xxx\AppData\Local\{369FD7EE-4E07-4CCF-B1E7-AA739EE9AA70}
2012-07-06 14:03:06 -------- d-----w- C:\Users\xxx\AppData\Local\{E36528A9-1F7F-4F6D-B137-733D7F413F74}
2012-07-06 14:02:45 -------- d-----w- C:\Users\xxx\AppData\Local\{39F6C924-66FE-4D29-A5ED-16AA7902531C}
2012-07-05 21:00:26 -------- d-----w- C:\Users\xxx\AppData\Local\{12D148D8-DABB-472D-AC08-5B6A243AEEF4}
2012-07-05 21:00:04 -------- d-----w- C:\Users\xxx\AppData\Local\{28934A35-426F-4CD1-96CA-B4A1B9E0D02F}
2012-07-05 08:59:38 -------- d-----w- C:\Users\xxx\AppData\Local\{A09D55D7-BC40-4D6C-81F1-E72260B49FF5}
2012-07-05 08:59:16 -------- d-----w- C:\Users\xxx\AppData\Local\{6E313CCA-F2A1-4270-83DB-E062EF84A1EB}
2012-07-04 20:58:36 -------- d-----w- C:\Users\xxx\AppData\Local\{0C7FF8F9-4E84-4BDF-9CC1-20D7FDB9C119}
2012-07-04 20:58:12 -------- d-----w- C:\Users\xxx\AppData\Local\{BB3CD240-82EE-431D-AAEA-368DF97EA3FD}
2012-07-04 02:03:35 -------- d-----w- C:\Users\xxx\AppData\Local\{394ADA24-DA1B-4769-B8B5-8B2FC60EF4CE}
2012-07-04 02:03:13 -------- d-----w- C:\Users\xxx\AppData\Local\{742131F4-AB52-4B19-B276-396950371403}
2012-07-03 14:03:00 -------- d-----w- C:\Users\xxx\AppData\Local\{E31A735E-8235-44D8-87BE-0A7649B68214}
2012-07-03 14:02:39 -------- d-----w- C:\Users\xxx\AppData\Local\{8B3C53ED-3E9E-463E-A446-F663A22C3ACC}
2012-07-03 02:02:24 -------- d-----w- C:\Users\xxx\AppData\Local\{DF214CF4-0AB4-47B2-A314-7076753C970F}
2012-07-02 14:01:48 -------- d-----w- C:\Users\xxx\AppData\Local\{1D4EE35B-BC28-4D2B-8DFD-0FB1D4936AF4}
2012-07-02 14:01:25 -------- d-----w- C:\Users\xxx\AppData\Local\{DF3BF1A6-5986-4AB1-B77A-0B224C6EB0A1}
2012-07-02 04:24:31 -------- d-----w- C:\Program Files (x86)\WinDirStat
2012-07-01 17:54:27 -------- d-----w- C:\Users\xxx\AppData\Local\{8F0FCD4C-7CFD-4F2B-8CDC-5C00FDBFEF50}
2012-07-01 17:54:05 -------- d-----w- C:\Users\xxx\AppData\Local\{20ADB3C9-D344-44CC-A382-5DB50E4ADCF8}
2012-07-01 05:53:50 -------- d-----w- C:\Users\xxx\AppData\Local\{B14C24CA-8A71-4C91-B659-6920B2F42420}
2012-07-01 05:53:39 -------- d-----w- C:\Users\xxx\AppData\Local\{FBA35CCF-F17E-4D1D-BBB5-DC9A925EABD0}
2012-06-30 17:53:25 -------- d-----w- C:\Users\xxx\AppData\Local\{78E098EF-A5EC-49A6-94B6-61D7BFA97256}
2012-06-30 17:53:03 -------- d-----w- C:\Users\xxx\AppData\Local\{3ABC7F2C-FC5C-4295-AAC4-54E3E444C130}
2012-06-30 05:52:49 -------- d-----w- C:\Users\xxx\AppData\Local\{E94C6717-F177-4C80-ADE3-0A5126867FE0}
2012-06-30 05:52:27 -------- d-----w- C:\Users\xxx\AppData\Local\{DCC2F5B3-3A11-45E1-AF87-E5D25D9B74A3}
2012-06-29 17:52:13 -------- d-----w- C:\Users\xxx\AppData\Local\{5181597E-6650-4AA6-84EE-447E4BCEF608}
2012-06-29 17:51:51 -------- d-----w- C:\Users\xxx\AppData\Local\{2A293C9F-A391-41B5-AF41-BECE08E8281D}
2012-06-29 05:51:38 -------- d-----w- C:\Users\xxx\AppData\Local\{657DAE26-C629-4860-A72B-9AC76BC95B7F}
2012-06-29 05:51:16 -------- d-----w- C:\Users\xxx\AppData\Local\{1B8DE6AF-29DC-4640-BFEC-756CC031CC6B}
2012-06-28 17:50:49 -------- d-----w- C:\Users\xxx\AppData\Local\{B1D46611-42ED-4C8D-A6DA-3B03251FCFBE}
2012-06-28 17:50:27 -------- d-----w- C:\Users\xxx\AppData\Local\{05C9A621-A911-48C7-96E9-FB049652E208}
2012-06-28 05:50:13 -------- d-----w- C:\Users\xxx\AppData\Local\{E3062577-29F5-4F45-BB45-8DA6ABEE845A}
2012-06-28 05:49:50 -------- d-----w- C:\Users\xxx\AppData\Local\{ABAA2888-D107-4965-964B-D7014791699E}
2012-06-27 17:49:37 -------- d-----w- C:\Users\xxx\AppData\Local\{43CEE7AC-C5A9-4D55-86D0-5A9864192C8B}
2012-06-27 17:49:15 -------- d-----w- C:\Users\xxx\AppData\Local\{912C6847-F1C0-4B25-A2B9-25A0EDB00A0B}
2012-06-27 05:49:01 -------- d-----w- C:\Users\xxx\AppData\Local\{E438DB75-6999-4622-B4C1-DA092B09757C}
2012-06-27 05:48:39 -------- d-----w- C:\Users\xxx\AppData\Local\{DBF0B545-9308-4ABA-963C-E276B075F7CF}
2012-06-27 00:38:18 -------- d--h--w- C:\Windows\msdownld.tmp
2012-06-27 00:38:13 -------- d-----w- C:\Windows\SysWow64\directx
2012-06-26 17:48:13 -------- d-----w- C:\Users\xxx\AppData\Local\{1884F285-6DE7-4A91-A68D-F8C24571B9A5}
2012-06-26 05:47:37 -------- d-----w- C:\Users\xxx\AppData\Local\{4B67FD99-BDE5-4CCF-AC64-F2327C73E18E}
2012-06-25 17:46:59 -------- d-----w- C:\Users\xxx\AppData\Local\{3EB9DFC2-679B-4C21-8230-86387F944AB8}
2012-06-25 05:46:22 -------- d-----w- C:\Users\xxx\AppData\Local\{B00041E3-B787-40EE-B200-CDDD0B6107DC}
2012-06-25 05:46:11 -------- d-----w- C:\Users\xxx\AppData\Local\{2A55398F-D5D6-467F-94F9-80A61201B589}
2012-06-24 17:45:37 -------- d-----w- C:\Users\xxx\AppData\Local\{FFE4F7B2-D95B-4CA8-9FAA-19E6C774027B}
2012-06-24 17:45:26 -------- d-----w- C:\Users\xxx\AppData\Local\{80A102A3-7888-4F3C-A182-C322EEA022E4}
2012-06-24 04:38:13 -------- d-----w- C:\Users\xxx\AppData\Local\{6198C06A-D84A-40CD-B71D-1B0ACBE9E295}
2012-06-24 04:37:51 -------- d-----w- C:\Users\xxx\AppData\Local\{29784086-7E01-414F-B9FE-3B2B19EB4306}
2012-06-23 16:37:23 -------- d-----w- C:\Users\xxx\AppData\Local\{FD59D59F-78C5-4C7B-A3DA-642717C0FC13}
2012-06-23 16:36:53 -------- d-----w- C:\Users\xxx\AppData\Local\{ABD733D9-17C1-48BC-9326-5E4E5B397102}
2012-06-22 22:47:23 -------- d-----w- C:\Users\xxx\AppData\Local\{1D542165-937B-40B6-B0E8-022461E2FFBA}
2012-06-22 22:47:08 -------- d-----w- C:\Users\xxx\AppData\Local\{E773719B-2090-468B-9CC4-749C7C7C46E8}
2012-06-22 10:46:41 -------- d-----w- C:\Users\xxx\AppData\Local\{47DB3943-CF79-449F-AF5A-C3F3620991B3}
2012-06-22 10:46:25 -------- d-----w- C:\Users\xxx\AppData\Local\{E6064608-CC00-4C5F-BA87-90180C691D64}
2012-06-22 04:36:01 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-06-22 02:45:37 -------- d-----w- C:\Users\xxx\AppData\Local\{F15CE1D0-79BF-4219-B7FE-550905B5E32F}
.
==================== Find3M ====================
.
2012-06-22 04:36:01 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll
2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 19:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 19:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-05-31 17:25:12 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-05-15 04:01:31 1188864 ----a-w- C:\Windows\System32\wininet.dll
2012-05-15 03:03:54 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-05-04 11:06:22 5559664 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-05-04 10:03:53 3968368 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03:50 3913072 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-05-01 05:40:20 209920 ----a-w- C:\Windows\System32\profsvc.dll
2012-04-28 03:55:21 210944 ----a-w- C:\Windows\System32\drivers\rdpwd.sys
2012-04-26 05:41:56 77312 ----a-w- C:\Windows\System32\rdpwsx.dll
2012-04-26 05:41:55 149504 ----a-w- C:\Windows\System32\rdpcorekmts.dll
2012-04-26 05:34:27 9216 ----a-w- C:\Windows\System32\rdrmemptylst.exe
2012-04-24 05:37:37 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2012-04-24 05:37:37 140288 ----a-w- C:\Windows\System32\cryptnet.dll
2012-04-24 05:37:36 1462272 ----a-w- C:\Windows\System32\crypt32.dll
2012-04-24 04:36:42 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2012-04-24 04:36:42 1158656 ----a-w- C:\Windows\SysWow64\crypt32.dll
2012-04-24 04:36:42 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
.
============= FINISH: 19:48:03.98 ===============


Edited by CatByte, 19 February 2013 - 12:23 PM.
removed name



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:14 PM

Posted 25 July 2012 - 10:49 AM

please do the following:

download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using the Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written FRST.txt to file. Close out this message, then type the following into the search box:
    services.exe
  • now press the search button
  • when the search is complete, search.txt will also be written to your USB
  • type exit and reboot the computer normally
  • please copy and paste both logs (FRST.txt and Search.txt) in your reply.

Edited by CatByte, 19 February 2013 - 12:24 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
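The FRST.txt that this procedure writes lists each file as `timestamp - timestamp - size attributes (company) path`, and the "3 Months Modified" section prints the modified time first while the "One Month Created" section prints the created time first. As an added example (not code from this thread, from CatByte, or from FRST itself), here is a Python parser for that listing with a few review rules of my own; the sample lines are copied from the log posted later in the thread, and the rules are an assumption about what a responder would want to eyeball, not verdicts.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the FRST log posted in this thread,
# with both section headers, so the parser can run offline.
SAMPLE_LOG = r"""
============ One Month Created Files and Folders ==============

2012-07-26 08:41 - 2012-07-26 08:41 - 00000542 ____A C:\Windows\Tasks\1am.job
2012-07-26 08:40 - 2012-07-26 08:36 - 00037400 ____A (Sophos Limited) C:\Windows\System32\SophosBootTasks.exe
2012-07-26 08:28 - 2012-07-26 08:29 - 00000000 ____D C:\Users\xxx\AppData\Local\{46682869-17BA-4B1D-835E-2FEB28C14C31}
2012-07-21 16:19 - 2012-07-21 16:19 - 00001488 ____A C:\Windows\System32\.crusader
2012-07-21 12:44 - 2012-07-21 12:46 - 00000000 ____D C:\Users\All Users\225932FD1A797471813CA379F875F002
2012-07-20 20:45 - 2012-07-20 20:45 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf

============ 3 Months Modified Files ========================

2012-07-26 08:36 - 2012-07-26 08:40 - 00037400 ____A (Sophos Limited) C:\Windows\System32\SophosBootTasks.exe
"""

SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
# timestamp - timestamp - size attrs [(company)] path
ENTRY_RE = re.compile(
    r"^(?P<first>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<second>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[A-Z_]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>\S.*)$"
)

@dataclass
class Entry:
    section: str
    created: str
    modified: str
    size: int
    attrs: str              # FRST attribute flags: D = directory, H = hidden
    company: Optional[str]  # company name FRST prints in parentheses, or None
    path: str

def parse_frst(text: str) -> List[Entry]:
    """Parse FRST file-listing lines. FRST prints the section's sort key first:
    in a 'Created' section the first timestamp is the creation time, in a
    'Modified' section it is the modification time (compare SophosBootTasks.exe
    in the two sections of the posted log), so the columns are swapped here."""
    entries: List[Entry] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name")
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # blank lines and registry/service lines use other formats
        first, second = m.group("first"), m.group("second")
        created, modified = (second, first) if "Modified" in section else (first, second)
        entries.append(Entry(section, created, modified, int(m.group("size")),
                             m.group("attrs"), m.group("company") or None, m.group("path")))
    return entries

# Review rules (assumption: my own triage heuristics, not FRST's or the thread's).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
EXEC_EXTS = {".exe", ".dll", ".sys", ".cpl", ".scr", ".ocx", ".drv", ""}  # "" = no extension
USER_DATA_DIRS = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                  "\\users\\all users\\", "\\programdata\\")
OPAQUE_NAME_RE = re.compile(r"^(\{[0-9A-F-]{36}\}|[0-9A-F]{32})$", re.IGNORECASE)

def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for entries worth a manual look. These are review
    prompts, not verdicts: each rule also matches legitimate software."""
    flagged: Dict[str, List[str]] = {}

    def flag(entry: Entry, reason: str) -> None:
        reasons = flagged.setdefault(entry.path, [])
        if reason not in reasons:
            reasons.append(reason)

    for e in entries:
        low, name = e.path.lower(), e.path.rsplit("\\", 1)[-1]
        is_dir, hidden = "D" in e.attrs, "H" in e.attrs
        stem, dot, ext = name.rpartition(".")
        ext = "." + ext.lower() if stem and dot else ""   # ".crusader" has no extension
        if not is_dir and low.startswith("c:\\windows\\tasks\\"):
            flag(e, "scheduled task file")
        if not is_dir and low.startswith(SYSTEM_DIRS) and e.company is None and ext in EXEC_EXTS:
            flag(e, "executable or extensionless file in a system directory with no company name")
        if not is_dir and hidden and low.startswith("c:\\windows\\"):
            flag(e, "hidden file under C:\\Windows")
        if is_dir and OPAQUE_NAME_RE.match(name) and any(d in low for d in USER_DATA_DIRS):
            flag(e, "GUID or hex-named folder in user/program data")
    return flagged

if __name__ == "__main__":
    for path, reasons in triage(parse_frst(SAMPLE_LOG)).items():
        print(path, "->", "; ".join(reasons))
```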


#3 Rootcat

Rootcat
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:14 PM

Posted 26 July 2012 - 03:30 PM

Hello and thank you for your help! I have followed your instructions and the contents of the text files, FRST.txt and Search.txt, are pasted below in that order.

Please advise with further instructions.

Thanks again.



Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 26-07-2012 20:07:59
Running from E:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\Bootcamp.exe [741760 2011-08-15] (Apple Inc.)
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2417032 2011-08-01] (Microsoft Corporation)
HKLM-x32\...\Run: [Sophos AutoUpdate Monitor] C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe [900120 2012-07-26] (Sophos Limited)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2011-04-08] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKLM-x32\...\Run: [TkBellExe] "C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe" -osboot [296056 2011-12-21] (RealNetworks, Inc.)
HKU\xxx\...\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\Messenger\YahooMessenger.exe" -quiet [5252408 2010-06-01] (Yahoo! Inc.)
HKU\xxx\...\Run: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent [1242448 2011-10-16] (Valve Corporation)
HKU\xxx\...\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized [17351304 2011-10-13] (Skype Technologies S.A.)
HKU\xxx\...\Run: [Xvid] C:\Program Files (x86)\Xvid\CheckUpdate.exe [8192 2011-01-17] ()
HKU\xxx\...\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background [4280184 2012-03-08] (Microsoft Corporation)
HKU\xxx\...\Run: [Google Update] "C:\Users\xxx\AppData\Local\Google\Update\GoogleUpdate.exe" /c [135664 2010-03-05] (Google Inc.)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
AppInit_DLLs: C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL

==================== Services (Whitelisted) ======

2 AppleOSSMgr; C:\Windows\system32\AppleOSSMgr.exe [224640 2011-08-15] ()
2 SAVAdminService; "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe" [216600 2012-07-26] (Sophos Limited)
2 SAVService; "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe" [139840 2012-07-26] (Sophos Limited)
2 Sophos Agent; "C:\Program Files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent [282624 2012-07-26] (Sophos Limited)
2 Sophos AutoUpdate Service; "C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe" [232472 2012-07-26] (Sophos Limited)
2 Sophos Message Router; "C:\Program Files (x86)\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 [806912 2012-07-26] (Sophos Limited)
2 swi_service; "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe" [2862656 2012-07-26] (Sophos Limited)
2 swi_update_64; "C:\ProgramData\Sophos\Web Intelligence\swi_update_64.exe" [2009152 2012-07-26] (Sophos Limited)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2655768 2011-02-07] (Intel Corporation)

========================== Drivers (Whitelisted) =============

3 acpials; C:\Windows\System32\Drivers\acpials.sys [9728 2009-07-13] (Microsoft Corporation)
3 applemtm; C:\Windows\System32\Drivers\applemtm.sys [12288 2011-02-07] (Apple Inc.)
3 applemtp; C:\Windows\System32\Drivers\applemtp.sys [38912 2011-02-07] (Apple Inc.)
3 bScsiSDa; C:\Windows\System32\Drivers\bScsiSDa.sys [85544 2011-02-07] (Broadcom Corporation)
3 CirrusFilter; C:\Windows\System32\DRIVERS\CS420x64.sys [18432 2011-02-07] (Cirrus Logic)
3 IRRemoteFlt; C:\Windows\System32\DRIVERS\IRFilter.sys [18432 2011-02-07] (Apple Inc.)
1 SAVOnAccess; C:\Windows\System32\Drivers\SAVOnAccess.sys [144672 2012-07-26] (Sophos Limited)
3 sdcfilter; C:\Windows\System32\Drivers\sdcfilter.sys [25592 2011-04-26] (Sophos Plc)
4 SophosBootDriver; C:\Windows\System32\Drivers\SophosBootDriver.sys [25608 2011-04-26] (Sophos Plc)

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-26 08:41 - 2012-07-26 08:41 - 00000542 ____A C:\Windows\Tasks\1am.job
2012-07-26 08:40 - 2012-07-26 08:36 - 00037400 ____A (Sophos Limited) C:\Windows\System32\SophosBootTasks.exe
2012-07-26 08:36 - 2012-07-26 08:36 - 00144672 ____A (Sophos Limited) C:\Windows\System32\Drivers\savonaccess.sys
2012-07-26 08:28 - 2012-07-26 08:29 - 00000000 ____D C:\Users\xxx\AppData\Local\{46682869-17BA-4B1D-835E-2FEB28C14C31}
2012-07-25 20:28 - 2012-07-26 08:28 - 00000000 ____D C:\Users\xxx\AppData\Local\{F9C95D4C-11B6-4C6E-8008-12810F421975}
2012-07-25 20:28 - 2012-07-25 20:28 - 00000000 ____D C:\Users\xxx\AppData\Local\{5C8BA2AD-015A-4A57-BF35-4DE3482DF7BE}
2012-07-25 19:50 - 2012-07-25 19:50 - 00000000 ____D C:\Users\xxx\AppData\Local\MSKLC
2012-07-25 19:49 - 2012-07-25 19:49 - 00000000 ____D C:\Program Files (x86)\Microsoft Keyboard Layout Creator 1.4
2012-07-25 08:27 - 2012-07-25 08:27 - 00000000 ____D C:\Users\xxx\AppData\Local\{FEC99C34-9CD8-4AD2-89F9-0134301084FE}
2012-07-25 08:27 - 2012-07-25 08:27 - 00000000 ____D C:\Users\xxx\AppData\Local\{59D2838C-A910-4300-82DD-7AC8E49A92DA}
2012-07-24 22:03 - 2012-07-24 22:03 - 00000000 ____D C:\Users\xxx\AppData\Local\{2BB17F4C-7211-439F-9A45-E5217B5D14E9}
2012-07-24 10:02 - 2012-07-24 10:02 - 00000000 ____D C:\Users\xxx\AppData\Local\{B3D7E72D-A68A-49F7-9733-7300B3D288DD}
2012-07-24 10:02 - 2012-07-24 10:02 - 00000000 ____D C:\Users\xxx\AppData\Local\{41C14156-8C42-4811-8D8E-AA7C529F80FD}
2012-07-23 22:02 - 2012-07-23 22:02 - 00000000 ____D C:\Users\xxx\AppData\Local\{378C9752-5389-4584-A1C2-D31F9E0EA34A}
2012-07-23 22:02 - 2012-07-23 22:02 - 00000000 ____D C:\Users\xxx\AppData\Local\{2412CCC3-6EB4-468F-81B8-FC3E2B426D0B}
2012-07-23 10:01 - 2012-07-23 10:01 - 00000000 ____D C:\Users\xxx\AppData\Local\{F6797A03-EE88-48B7-BABA-7D81F1BD335A}
2012-07-23 10:01 - 2012-07-23 10:01 - 00000000 ____D C:\Users\xxx\AppData\Local\{6CC88587-6D9B-4F87-9370-F24288A8D526}
2012-07-22 22:01 - 2012-07-22 22:01 - 00000000 ____D C:\Users\xxx\AppData\Local\{C49901D5-6BB1-42BE-8599-BAACBB356FB7}
2012-07-22 10:00 - 2012-07-22 10:01 - 00000000 ____D C:\Users\xxx\AppData\Local\{E319FDCE-BF1C-475C-9AC4-FA12F337936B}
2012-07-21 23:29 - 2012-07-21 23:29 - 00001070 ____A C:\Users\xxx\Desktop\andrea.txt
2012-07-21 22:00 - 2012-07-22 22:01 - 00000000 ____D C:\Users\xxx\AppData\Local\{3F5B9A30-11BA-416B-82E4-2E18B4525F79}
2012-07-21 22:00 - 2012-07-21 22:00 - 00000000 ____D C:\Users\xxx\AppData\Local\{F2C78568-3CBE-416B-B719-596FBF6D0F98}
2012-07-21 16:51 - 2012-07-21 16:51 - 00011718 ____A C:\Users\xxx\Desktop\Attach.txt
2012-07-21 16:49 - 2012-07-21 16:49 - 00031298 ____A C:\Users\xxx\Desktop\DDS.txt
2012-07-21 16:46 - 2012-07-21 16:46 - 00000000 ____A C:\Users\xxx\defogger_reenable
2012-07-21 16:19 - 2012-07-21 16:19 - 00001488 ____A C:\Windows\System32\.crusader
2012-07-21 16:09 - 2012-07-21 16:19 - 00000000 ____D C:\Users\All Users\HitmanPro
2012-07-21 16:09 - 2012-07-21 16:09 - 00000000 ____D C:\Program Files\HitmanPro
2012-07-21 13:14 - 2012-07-21 13:14 - 00000000 ____D C:\Users\xxx\AppData\Roaming\Malwarebytes
2012-07-21 13:13 - 2012-07-21 13:13 - 00000000 ____D C:\Users\All Users\Malwarebytes
2012-07-21 13:13 - 2012-07-21 13:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-07-21 13:13 - 2012-07-03 10:46 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-21 13:09 - 2012-07-21 17:07 - 00000361 ____A C:\rkill.log
2012-07-21 12:44 - 2012-07-21 12:46 - 00000000 ____D C:\Users\All Users\225932FD1A797471813CA379F875F002
2012-07-21 09:59 - 2012-07-21 09:59 - 00000000 ____D C:\Users\xxx\AppData\Local\{E4ED0285-A339-41F2-B07B-DA4708569B9C}
2012-07-21 09:59 - 2012-07-21 09:59 - 00000000 ____D C:\Users\xxx\AppData\Local\{D8D533A3-3CC9-49FA-88EB-1223C9D894C3}
2012-07-20 21:59 - 2012-07-20 21:59 - 00000000 ____D C:\Users\xxx\AppData\Local\{61E253A7-519D-48D4-8146-78A84AC4E1DE}
2012-07-20 21:58 - 2012-07-20 21:59 - 00000000 ____D C:\Users\xxx\AppData\Local\{A71244C2-E3C9-4236-B519-2E94ADEFC984}
2012-07-20 20:45 - 2012-07-20 20:45 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2012-07-20 13:44 - 2012-07-22 23:53 - 00000000 ____D C:\Users\xxx\AppData\Roaming\foobar2000
2012-07-20 13:43 - 2012-07-20 13:43 - 00001039 ____A C:\Users\Public\Desktop\foobar2000.lnk
2012-07-20 13:43 - 2012-07-20 13:43 - 00000000 ____D C:\Program Files (x86)\foobar2000
2012-07-20 13:42 - 2012-07-20 13:42 - 00066728 ____A (Eugene V. Muzychenko) C:\Windows\System32\Drivers\vrtaucbl.sys
2012-07-20 13:42 - 2012-07-20 13:42 - 00000000 ____D C:\Program Files\Virtual Audio Cable
2012-07-20 12:16 - 2012-07-22 15:52 - 00000000 ____D C:\Users\xxx\Desktop\musicfolder
2012-07-20 12:16 - 2012-07-20 20:28 - 00000000 ____D C:\Users\xxx\Desktop\Micspam_V5_Update
2012-07-20 09:58 - 2012-07-20 09:58 - 00000000 ____D C:\Users\xxx\AppData\Local\{9A295D5A-3588-4E33-8336-A1076100685E}
2012-07-20 09:58 - 2012-07-20 09:58 - 00000000 ____D C:\Users\xxx\AppData\Local\{2F9BBF2F-7E40-40A5-9926-874256DF4983}
2012-07-20 09:18 - 2012-07-20 12:10 - 00000000 ____D C:\Users\xxx\Desktop\HLDJ
2012-07-19 21:57 - 2012-07-19 21:58 - 00000000 ____D C:\Users\xxx\AppData\Local\{6431DB9B-F2BC-466A-AD53-F4D2645C9119}
2012-07-19 21:57 - 2012-07-19 21:57 - 00000000 ____D C:\Users\xxx\AppData\Local\{C13FB841-DE7D-4A8D-98D1-9AC906518DF2}
2012-07-19 09:57 - 2012-07-19 09:57 - 00000000 ____D C:\Users\xxx\AppData\Local\{E69B228C-4B2C-487A-9B85-0A7032EFBD20}
2012-07-19 09:57 - 2012-07-19 09:57 - 00000000 ____D C:\Users\xxx\AppData\Local\{A3B95644-2A64-4926-A324-7E43BA29D6B4}
2012-07-18 21:28 - 2012-07-18 21:28 - 00000000 ____D C:\Users\xxx\AppData\Local\{A2C1CF13-D674-4ADA-804B-DF1145D7FE4C}
2012-07-18 21:28 - 2012-07-18 21:28 - 00000000 ____D C:\Users\xxx\AppData\Local\{3D30E2DB-2383-4867-816B-075A49EFA99D}
2012-07-18 09:28 - 2012-07-18 09:28 - 00000000 ____D C:\Users\xxx\AppData\Local\{12E9A36E-C93E-4125-A158-66CAB6F7463C}
2012-07-18 09:27 - 2012-07-18 09:28 - 00000000 ____D C:\Users\xxx\AppData\Local\{A8325438-27E7-4C66-B50D-5CAC27D9D512}
2012-07-17 21:13 - 2012-07-17 21:13 - 00000000 ____D C:\Users\xxx\AppData\Local\{A0BA40C1-32B8-4A0A-9465-1CA2D191076D}
2012-07-17 21:12 - 2012-07-17 21:13 - 00000000 ____D C:\Users\xxx\AppData\Local\{B3D3D990-8768-4B35-B25B-EDDBF49C5993}
2012-07-17 09:12 - 2012-07-17 09:12 - 00000000 ____D C:\Users\xxx\AppData\Local\{BF4171B8-CE74-40EE-BE28-EB00D3BD0C90}
2012-07-17 09:12 - 2012-07-17 09:12 - 00000000 ____D C:\Users\xxx\AppData\Local\{2F9B81DD-BF36-4D05-B3AE-0B9552F94EC9}
2012-07-16 21:12 - 2012-07-16 21:12 - 00000000 ____D C:\Users\xxx\AppData\Local\{5F3E4A69-CFF9-434D-BBCE-1CB910AFF645}
2012-07-16 21:11 - 2012-07-16 21:12 - 00000000 ____D C:\Users\xxx\AppData\Local\{D48D8071-C000-41B7-B76A-C8BC61B34FC6}
2012-07-16 09:11 - 2012-07-16 09:11 - 00000000 ____D C:\Users\xxx\AppData\Local\{67269A29-508B-42DF-B3E4-CC238B7354BD}
2012-07-16 09:11 - 2012-07-16 09:11 - 00000000 ____D C:\Users\xxx\AppData\Local\{3107A8A4-32D7-46B4-B2EB-C4AA9C4FA45B}
2012-07-15 20:52 - 2012-07-15 20:52 - 00000000 ____D C:\Users\xxx\AppData\Local\{B7CF00B7-143D-49FC-B492-31E4EAC6579D}
2012-07-15 20:52 - 2012-07-15 20:52 - 00000000 ____D C:\Users\xxx\AppData\Local\{A6BD928D-21F6-4D6C-B132-D511E9AF811D}
2012-07-15 08:52 - 2012-07-15 08:52 - 00000000 ____D C:\Users\xxx\AppData\Local\{66700CA9-50FC-476A-8BDA-19DE6B932DFB}
2012-07-14 20:51 - 2012-07-15 08:52 - 00000000 ____D C:\Users\xxx\AppData\Local\{EC1C2954-035A-4EFB-A208-7828E5025FA4}
2012-07-14 20:51 - 2012-07-14 20:51 - 00000000 ____D C:\Users\xxx\AppData\Local\{3627EF06-B868-4FF2-BEBA-3350193902CD}
2012-07-14 08:50 - 2012-07-14 08:50 - 00000000 ____D C:\Users\xxx\AppData\Local\{8F69290F-BD5F-4FE8-B884-8C72F9B9D0E3}
2012-07-13 14:43 - 2012-07-14 08:50 - 00000000 ____D C:\Users\xxx\AppData\Local\{3651CE10-F084-4DC6-918B-CA156C65DBD5}
2012-07-13 14:43 - 2012-07-13 14:43 - 00000000 ____D C:\Users\xxx\AppData\Local\{8DB5F643-E575-4622-8CF2-6CBA44BB6FC9}
2012-07-13 06:21 - 2012-06-11 19:08 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-12 10:12 - 2012-07-12 10:12 - 00000000 ____D C:\Users\xxx\AppData\Local\{BE64965F-10F9-4AA7-A41B-2D878945B695}
2012-07-12 10:11 - 2012-07-12 10:12 - 00000000 ____D C:\Users\xxx\AppData\Local\{5F7C3ED6-8859-459C-93F5-5025AFE99379}
2012-07-11 22:11 - 2012-07-11 22:11 - 00000000 ____D C:\Users\xxx\AppData\Local\{9D3DF1E5-E842-4A59-A8E1-D43B877EFD2F}
2012-07-11 22:11 - 2012-07-11 22:11 - 00000000 ____D C:\Users\xxx\AppData\Local\{205B18C9-AF37-4029-8D38-FF4362817148}
2012-07-11 15:58 - 2012-07-11 15:58 - 00000333 ____A C:\Windows\SysWOW64\status.txt
2012-07-11 10:22 - 2012-06-05 22:06 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-11 10:22 - 2012-06-05 22:06 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-11 10:22 - 2012-06-05 21:05 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-07-11 10:22 - 2012-06-05 21:05 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-07-11 10:22 - 2010-06-25 19:55 - 00002048 ____A (Microsoft Corporation) C:\Windows\System32\msxml3r.dll
2012-07-11 10:22 - 2010-06-25 19:24 - 00002048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3r.dll
2012-07-11 10:20 - 2012-06-08 21:43 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-11 10:20 - 2012-06-08 20:41 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-07-11 10:20 - 2012-06-05 22:02 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-07-11 10:20 - 2012-06-05 21:03 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-07-11 10:19 - 2012-06-01 21:50 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-07-11 10:19 - 2012-06-01 21:48 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-07-11 10:19 - 2012-06-01 21:48 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-11 10:19 - 2012-06-01 21:45 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-11 10:19 - 2012-06-01 21:44 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-11 10:19 - 2012-06-01 20:40 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-07-11 10:19 - 2012-06-01 20:40 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-07-11 10:19 - 2012-06-01 20:39 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-07-11 10:19 - 2012-06-01 20:34 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-07-11 10:11 - 2012-07-11 10:11 - 00000000 ____D C:\Users\xxx\AppData\Local\{2D7E57B9-9257-42A6-AC8E-1F63A23A63E1}
2012-07-11 10:10 - 2012-07-11 10:11 - 00000000 ____D C:\Users\xxx\AppData\Local\{5ABEB317-DCA6-498A-B6E9-068C09698CC5}
2012-07-10 20:22 - 2012-07-10 20:22 - 00000000 ____D C:\Users\xxx\AppData\Local\{14738685-C2F0-4D26-B41B-5CE7FE1427E4}
2012-07-10 20:22 - 2012-07-10 20:22 - 00000000 ____D C:\Users\xxx\AppData\Local\{013F4BDE-86E5-4AF8-B171-7E72779F2549}
2012-07-10 08:21 - 2012-07-10 08:21 - 00000000 ____D C:\Users\xxx\AppData\Local\{F221DCF2-DA64-48FA-A8EA-48CD75C0E038}
2012-07-10 08:21 - 2012-07-10 08:21 - 00000000 ____D C:\Users\xxx\AppData\Local\{16539C37-339D-4FA2-A1F8-292A00E9BF59}
2012-07-10 06:34 - 2012-07-10 06:34 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_point64_01009.Wdf
2012-07-10 06:34 - 2012-07-10 06:34 - 00000000 ____D C:\Program Files\Microsoft IntelliPoint
2012-07-09 20:20 - 2012-07-09 20:20 - 00000000 ____D C:\Users\xxx\AppData\Local\{F6B1EF2C-FF57-4EB3-83CC-E753DE79E571}
2012-07-09 20:20 - 2012-07-09 20:20 - 00000000 ____D C:\Users\xxx\AppData\Local\{4ACC5476-E73C-41A0-946F-04782B28338A}
2012-07-09 08:20 - 2012-07-09 08:20 - 00000000 ____D C:\Users\xxx\AppData\Local\{62AC3818-12D8-4E94-9B34-F0C0BA24A45C}
2012-07-09 08:19 - 2012-07-09 08:19 - 00000000 ____D C:\Users\xxx\AppData\Local\{C3773540-6088-4477-A2DC-CE757673FA28}
2012-07-08 20:19 - 2012-07-08 20:19 - 00000000 ____D C:\Users\xxx\AppData\Local\{A640DA97-E2FD-46C9-941B-148946FC037F}
2012-07-08 20:19 - 2012-07-08 20:19 - 00000000 ____D C:\Users\xxx\AppData\Local\{6C8CD909-AED1-4D85-BC58-C2111BE7EF6E}
2012-07-08 08:18 - 2012-07-08 08:18 - 00000000 ____D C:\Users\xxx\AppData\Local\{D9F7D074-3A27-4F2B-8BAF-9C39E80B9D96}
2012-07-08 08:18 - 2012-07-08 08:18 - 00000000 ____D C:\Users\xxx\AppData\Local\{8602CC92-45F9-482E-8E95-C5A0C34C0ED3}
2012-07-07 18:05 - 2012-07-07 18:05 - 00000000 ____D C:\Users\xxx\AppData\Local\{BAF562E8-48C7-4F28-A46E-729FADF91205}
2012-07-07 18:05 - 2012-07-07 18:05 - 00000000 ____D C:\Users\xxx\AppData\Local\{5ED8198E-674E-4728-9E1F-75DB6B4D89AE}
2012-07-07 06:04 - 2012-07-07 06:05 - 00000000 ____D C:\Users\xxx\AppData\Local\{9332F7A3-A5F8-4898-B9E4-19EA5CE8E3FA}
2012-07-07 06:04 - 2012-07-07 06:04 - 00000000 ____D C:\Users\xxx\AppData\Local\{9C9B8535-FE8E-48BD-99DA-58F11E99CD02}
2012-07-06 18:04 - 2012-07-06 18:04 - 00000000 ____D C:\Users\xxx\AppData\Local\{E7B8E7B8-C011-4BBB-8EEB-5F92D09924AA}
2012-07-06 18:03 - 2012-07-06 18:04 - 00000000 ____D C:\Users\xxx\AppData\Local\{369FD7EE-4E07-4CCF-B1E7-AA739EE9AA70}
2012-07-06 07:39 - 2012-07-06 07:39 - 00000000 ____D C:\Users\xxx\Desktop\skse_1_05_09
2012-07-06 07:38 - 2012-07-06 07:38 - 00325160 ____A C:\Users\xxx\Desktop\skse_1_05_09.7z
2012-07-06 06:03 - 2012-07-06 06:03 - 00000000 ____D C:\Users\xxx\AppData\Local\{E36528A9-1F7F-4F6D-B137-733D7F413F74}
2012-07-06 06:02 - 2012-07-06 06:02 - 00000000 ____D C:\Users\xxx\AppData\Local\{39F6C924-66FE-4D29-A5ED-16AA7902531C}
2012-07-05 13:00 - 2012-07-05 13:00 - 00000000 ____D C:\Users\xxx\AppData\Local\{28934A35-426F-4CD1-96CA-B4A1B9E0D02F}
2012-07-05 13:00 - 2012-07-05 13:00 - 00000000 ____D C:\Users\xxx\AppData\Local\{12D148D8-DABB-472D-AC08-5B6A243AEEF4}
2012-07-05 00:59 - 2012-07-05 00:59 - 00000000 ____D C:\Users\xxx\AppData\Local\{A09D55D7-BC40-4D6C-81F1-E72260B49FF5}
2012-07-05 00:59 - 2012-07-05 00:59 - 00000000 ____D C:\Users\xxx\AppData\Local\{6E313CCA-F2A1-4270-83DB-E062EF84A1EB}
2012-07-04 12:58 - 2012-07-04 12:58 - 00000000 ____D C:\Users\xxx\AppData\Local\{BB3CD240-82EE-431D-AAEA-368DF97EA3FD}
2012-07-04 12:58 - 2012-07-04 12:58 - 00000000 ____D C:\Users\xxx\AppData\Local\{0C7FF8F9-4E84-4BDF-9CC1-20D7FDB9C119}
2012-07-03 18:03 - 2012-07-03 18:03 - 00000000 ____D C:\Users\xxx\AppData\Local\{742131F4-AB52-4B19-B276-396950371403}
2012-07-03 18:03 - 2012-07-03 18:03 - 00000000 ____D C:\Users\xxx\AppData\Local\{394ADA24-DA1B-4769-B8B5-8B2FC60EF4CE}
2012-07-03 06:03 - 2012-07-03 06:03 - 00000000 ____D C:\Users\xxx\AppData\Local\{E31A735E-8235-44D8-87BE-0A7649B68214}
2012-07-03 06:02 - 2012-07-03 06:03 - 00000000 ____D C:\Users\xxx\AppData\Local\{8B3C53ED-3E9E-463E-A446-F663A22C3ACC}
2012-07-02 18:02 - 2012-07-02 18:02 - 00000000 ____D C:\Users\xxx\AppData\Local\{DF214CF4-0AB4-47B2-A314-7076753C970F}
2012-07-02 06:01 - 2012-07-02 18:02 - 00000000 ____D C:\Users\xxx\AppData\Local\{DF3BF1A6-5986-4AB1-B77A-0B224C6EB0A1}
2012-07-02 06:01 - 2012-07-02 06:01 - 00000000 ____D C:\Users\xxx\AppData\Local\{1D4EE35B-BC28-4D2B-8DFD-0FB1D4936AF4}
2012-07-01 21:25 - 2012-07-01 21:25 - 00001138 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-07-01 21:25 - 2012-07-01 21:25 - 00000000 ____D C:\Users\xxx\AppData\Local\Mozilla
2012-07-01 21:25 - 2012-07-01 21:25 - 00000000 ____D C:\Users\All Users\Mozilla
2012-07-01 21:25 - 2012-07-01 21:25 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2012-07-01 21:25 - 2012-07-01 21:25 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2012-07-01 21:25 - 2012-07-01 21:24 - 16574016 ____A (Mozilla) C:\Users\xxx\Downloads\Firefox_Setup_13.0.exe
2012-07-01 20:24 - 2012-07-01 20:24 - 00001039 ____A C:\Users\xxx\Desktop\WinDirStat.lnk
2012-07-01 20:24 - 2012-07-01 20:24 - 00000000 ____D C:\Program Files (x86)\WinDirStat
2012-07-01 20:04 - 2012-07-01 20:04 - 00000045 ____A C:\Windows\SysWOW64\initdebug.nfo
2012-07-01 19:50 - 2012-07-01 19:50 - 00376944 ____A C:\Windows\Minidump\070112-23056-01.dmp
2012-07-01 09:54 - 2012-07-01 09:54 - 00000000 ____D C:\Users\xxx\AppData\Local\{8F0FCD4C-7CFD-4F2B-8CDC-5C00FDBFEF50}
2012-07-01 09:54 - 2012-07-01 09:54 - 00000000 ____D C:\Users\xxx\AppData\Local\{20ADB3C9-D344-44CC-A382-5DB50E4ADCF8}
2012-06-30 21:53 - 2012-06-30 21:53 - 00000000 ____D C:\Users\xxx\AppData\Local\{FBA35CCF-F17E-4D1D-BBB5-DC9A925EABD0}
2012-06-30 21:53 - 2012-06-30 21:53 - 00000000 ____D C:\Users\xxx\AppData\Local\{B14C24CA-8A71-4C91-B659-6920B2F42420}
2012-06-30 09:53 - 2012-06-30 09:53 - 00000000 ____D C:\Users\xxx\AppData\Local\{78E098EF-A5EC-49A6-94B6-61D7BFA97256}
2012-06-30 09:53 - 2012-06-30 09:53 - 00000000 ____D C:\Users\xxx\AppData\Local\{3ABC7F2C-FC5C-4295-AAC4-54E3E444C130}
2012-06-29 21:52 - 2012-06-29 21:52 - 00000000 ____D C:\Users\xxx\AppData\Local\{E94C6717-F177-4C80-ADE3-0A5126867FE0}
2012-06-29 21:52 - 2012-06-29 21:52 - 00000000 ____D C:\Users\xxx\AppData\Local\{DCC2F5B3-3A11-45E1-AF87-E5D25D9B74A3}
2012-06-29 09:52 - 2012-06-29 09:52 - 00000000 ____D C:\Users\xxx\AppData\Local\{5181597E-6650-4AA6-84EE-447E4BCEF608}
2012-06-29 09:51 - 2012-06-29 09:52 - 00000000 ____D C:\Users\xxx\AppData\Local\{2A293C9F-A391-41B5-AF41-BECE08E8281D}
2012-06-28 21:51 - 2012-06-28 21:51 - 00000000 ____D C:\Users\xxx\AppData\Local\{657DAE26-C629-4860-A72B-9AC76BC95B7F}
2012-06-28 21:51 - 2012-06-28 21:51 - 00000000 ____D C:\Users\xxx\AppData\Local\{1B8DE6AF-29DC-4640-BFEC-756CC031CC6B}
2012-06-28 14:12 - 2012-06-28 14:12 - 00001908 ____A C:\Users\xxx\Desktop\SkyrimLauncher - Shortcut.lnk
2012-06-28 14:02 - 2012-06-28 14:02 - 00325160 ____A C:\Users\xxx\Downloads\skse_1_05_09.7z
2012-06-28 14:02 - 2012-06-28 14:02 - 00000000 ____D C:\Users\xxx\Downloads\skse_1_05_09
2012-06-28 09:50 - 2012-06-28 09:50 - 00000000 ____D C:\Users\xxx\AppData\Local\{B1D46611-42ED-4C8D-A6DA-3B03251FCFBE}
2012-06-28 09:50 - 2012-06-28 09:50 - 00000000 ____D C:\Users\xxx\AppData\Local\{05C9A621-A911-48C7-96E9-FB049652E208}
2012-06-27 21:50 - 2012-06-27 21:50 - 00000000 ____D C:\Users\xxx\AppData\Local\{E3062577-29F5-4F45-BB45-8DA6ABEE845A}
2012-06-27 21:49 - 2012-06-27 21:50 - 00000000 ____D C:\Users\xxx\AppData\Local\{ABAA2888-D107-4965-964B-D7014791699E}
2012-06-27 09:49 - 2012-06-27 09:49 - 00000000 ____D C:\Users\xxx\AppData\Local\{912C6847-F1C0-4B25-A2B9-25A0EDB00A0B}
2012-06-27 09:49 - 2012-06-27 09:49 - 00000000 ____D C:\Users\xxx\AppData\Local\{43CEE7AC-C5A9-4D55-86D0-5A9864192C8B}
2012-06-26 21:49 - 2012-06-26 21:49 - 00000000 ____D C:\Users\xxx\AppData\Local\{E438DB75-6999-4622-B4C1-DA092B09757C}
2012-06-26 21:48 - 2012-06-26 21:49 - 00000000 ____D C:\Users\xxx\AppData\Local\{DBF0B545-9308-4ABA-963C-E276B075F7CF}
2012-06-26 16:38 - 2012-06-26 16:38 - 00000000 ___HD C:\Windows\msdownld.tmp
2012-06-26 16:38 - 2012-06-26 16:38 - 00000000 ____D C:\Windows\SysWOW64\directx
2012-06-26 11:58 - 2012-06-22 10:48 - 00000820 ____A C:\Users\xxx\Desktop\readme.txt
2012-06-26 11:58 - 2012-06-22 10:43 - 00197120 ____A C:\Users\xxx\Desktop\oshbptf2.dll
2012-06-26 11:58 - 2011-04-18 21:57 - 00731648 ____A C:\Users\xxx\Desktop\oshbptf2.exe.exe
2012-06-26 09:48 - 2012-06-26 09:48 - 00000000 ____D C:\Users\xxx\AppData\Local\{1884F285-6DE7-4A91-A68D-F8C24571B9A5}


============ 3 Months Modified Files ========================

2012-07-26 10:53 - 2012-06-20 13:43 - 00000928 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1046876759-1607990632-92284226-1000UA.job
2012-07-26 08:41 - 2012-07-26 08:41 - 00000542 ____A C:\Windows\Tasks\1am.job
2012-07-26 08:36 - 2012-07-26 08:40 - 00037400 ____A (Sophos Limited) C:\Windows\System32\SophosBootTasks.exe
2012-07-26 08:36 - 2012-07-26 08:36 - 00144672 ____A (Sophos Limited) C:\Windows\System32\Drivers\savonaccess.sys
2012-07-25 22:23 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-25 22:23 - 2009-07-13 20:51 - 00072055 ____A C:\Windows\setupact.log
2012-07-25 18:53 - 2012-06-20 13:43 - 00000876 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1046876759-1607990632-92284226-1000Core.job
2012-07-25 17:30 - 2009-07-13 20:45 - 00020688 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-25 17:30 - 2009-07-13 20:45 - 00020688 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-25 17:29 - 2009-07-13 21:13 - 00726444 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-21 23:29 - 2012-07-21 23:29 - 00001070 ____A C:\Users\xxx\Desktop\andrea.txt
2012-07-21 19:11 - 2010-11-20 19:47 - 00021552 ____A C:\Windows\PFRO.log
2012-07-21 17:07 - 2012-07-21 13:09 - 00000361 ____A C:\rkill.log
2012-07-21 16:51 - 2012-07-21 16:51 - 00011718 ____A C:\Users\xxx\Desktop\Attach.txt
2012-07-21 16:49 - 2012-07-21 16:49 - 00031298 ____A C:\Users\xxx\Desktop\DDS.txt
2012-07-21 16:46 - 2012-07-21 16:46 - 00000000 ____A C:\Users\xxx\defogger_reenable
2012-07-21 16:19 - 2012-07-21 16:19 - 00001488 ____A C:\Windows\System32\.crusader
2012-07-21 12:44 - 2011-04-24 03:34 - 01243567 ____A C:\Windows\WindowsUpdate.log
2012-07-20 20:45 - 2012-07-20 20:45 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2012-07-20 13:43 - 2012-07-20 13:43 - 00001039 ____A C:\Users\Public\Desktop\foobar2000.lnk
2012-07-20 13:42 - 2012-07-20 13:42 - 00066728 ____A (Eugene V. Muzychenko) C:\Windows\System32\Drivers\vrtaucbl.sys
2012-07-20 00:25 - 2012-03-06 16:44 - 00000942 ____A C:\Users\Public\Desktop\Nexus Mod Manager.lnk
2012-07-15 17:36 - 2011-07-08 12:51 - 00109400 ___AH C:\Windows\SysWOW64\mlfcache.dat
2012-07-13 14:41 - 2009-07-13 20:45 - 00276216 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-11 23:58 - 2012-06-20 13:46 - 00002434 ____A C:\Users\xxx\Desktop\Google Chrome.lnk
2012-07-11 15:58 - 2012-07-11 15:58 - 00000333 ____A C:\Windows\SysWOW64\status.txt
2012-07-10 13:09 - 2011-04-24 10:19 - 00057952 ____A C:\Users\xxx\AppData\Local\GDIPFONTCACHEV1.DAT
2012-07-10 06:34 - 2012-07-10 06:34 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_Kernel_point64_01009.Wdf
2012-07-06 07:38 - 2012-07-06 07:38 - 00325160 ____A C:\Users\xxx\Desktop\skse_1_05_09.7z
2012-07-03 10:46 - 2012-07-21 13:13 - 00024904 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2012-07-01 21:25 - 2012-07-01 21:25 - 00001138 ____A C:\Users\Public\Desktop\Mozilla Firefox.lnk
2012-07-01 21:24 - 2012-07-01 21:25 - 16574016 ____A (Mozilla) C:\Users\xxx\Downloads\Firefox_Setup_13.0.exe
2012-07-01 20:24 - 2012-07-01 20:24 - 00001039 ____A C:\Users\xxx\Desktop\WinDirStat.lnk
2012-07-01 20:13 - 2011-09-04 22:40 - 00007597 ____A C:\Users\xxx\AppData\Local\Resmon.ResmonCfg
2012-07-01 20:04 - 2012-07-01 20:04 - 00000045 ____A C:\Windows\SysWOW64\initdebug.nfo
2012-07-01 19:50 - 2012-07-01 19:50 - 00376944 ____A C:\Windows\Minidump\070112-23056-01.dmp
2012-06-28 14:12 - 2012-06-28 14:12 - 00001908 ____A C:\Users\xxx\Desktop\SkyrimLauncher - Shortcut.lnk
2012-06-28 14:02 - 2012-06-28 14:02 - 00325160 ____A C:\Users\xxx\Downloads\skse_1_05_09.7z
2012-06-26 17:06 - 2011-04-25 09:37 - 00251967 ____A C:\Windows\DirectX.log
2012-06-24 13:43 - 2012-06-24 13:43 - 00376456 ____A C:\Windows\Minidump\062412-19266-01.dmp
2012-06-23 12:33 - 2012-06-23 12:33 - 00376424 ____A C:\Windows\Minidump\062312-19468-01.dmp
2012-06-22 12:47 - 2012-06-22 12:47 - 00376440 ____A C:\Windows\Minidump\062212-23618-01.dmp
2012-06-22 10:48 - 2012-06-26 11:58 - 00000820 ____A C:\Users\xxx\Desktop\readme.txt
2012-06-22 10:43 - 2012-06-26 11:58 - 00197120 ____A C:\Users\xxx\Desktop\oshbptf2.dll
2012-06-21 20:36 - 2012-06-21 20:36 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-06-21 20:36 - 2011-06-19 10:22 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-06-11 19:08 - 2012-07-13 06:21 - 03148800 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 21:43 - 2012-07-11 10:20 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 20:41 - 2012-07-11 10:20 - 12873728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 22:06 - 2012-07-11 10:22 - 02004480 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-05 22:06 - 2012-07-11 10:22 - 01881600 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 22:02 - 2012-07-11 10:20 - 01133568 ____A (Microsoft Corporation) C:\Windows\System32\cdosys.dll
2012-06-05 21:05 - 2012-07-11 10:22 - 01390080 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 21:05 - 2012-07-11 10:22 - 01236992 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 21:03 - 2012-07-11 10:20 - 00805376 ____A (Microsoft Corporation) C:\Windows\SysWOW64\cdosys.dll
2012-06-02 14:19 - 2012-06-21 02:10 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-21 02:10 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-21 02:10 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 02:10 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-21 02:10 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:15 - 2012-06-21 02:10 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-21 02:10 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 11:19 - 2012-06-21 02:10 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:15 - 2012-06-21 02:10 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-01 21:50 - 2012-07-11 10:19 - 00458704 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\cng.sys
2012-06-01 21:48 - 2012-07-11 10:19 - 00151920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecpkg.sys
2012-06-01 21:48 - 2012-07-11 10:19 - 00095600 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-01 21:45 - 2012-07-11 10:19 - 00340992 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 21:44 - 2012-07-11 10:19 - 00307200 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 20:40 - 2012-07-11 10:19 - 00225280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 20:40 - 2012-07-11 10:19 - 00022016 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 20:39 - 2012-07-11 10:19 - 00219136 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-06-01 20:34 - 2012-07-11 10:19 - 00096768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\sspicli.dll
2012-05-31 09:25 - 2010-11-20 19:27 - 00279656 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
2012-05-14 20:01 - 2012-06-18 16:46 - 01188864 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-05-14 19:59 - 2012-06-18 16:46 - 00064512 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-05-14 19:03 - 2012-06-18 16:46 - 00981504 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-05-14 19:00 - 2012-06-18 16:46 - 00048128 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-05-04 03:06 - 2012-06-18 16:46 - 05559664 ____A (Microsoft Corporation) C:\Windows\System32\ntoskrnl.exe
2012-05-04 02:03 - 2012-06-18 16:46 - 03968368 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2012-05-04 02:03 - 2012-06-18 16:46 - 03913072 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2012-04-30 21:40 - 2012-06-18 16:46 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\profsvc.dll
2012-04-30 18:52 - 2012-04-30 18:52 - 00000221 ____A C:\Users\xxx\Desktop\Tropico 4.url


ZeroAccess:
C:\Windows\Installer\{d8b01f96-2640-cb67-ae2b-35559bff4b62}
C:\Windows\Installer\{d8b01f96-2640-cb67-ae2b-35559bff4b62}\L
C:\Windows\Installer\{d8b01f96-2640-cb67-ae2b-35559bff4b62}\U

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 50BEA589F7D7958BDD2528A8F69D05CC ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 4006.73 MB
Available physical RAM: 3444.52 MB
Total Pagefile: 4004.93 MB
Available Pagefile: 3427.98 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (BOOTCAMP) (Fixed) (Total:93.89 GB) (Free:7.84 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
3 Drive e: (HP v125w) (Removable) (Total:1.89 GB) (Free:1.83 GB) FAT
4 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 698 GB 128 MB
Disk 1 Online 1937 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 200 MB 512 B
Partition 2 Primary 604 GB 200 MB
Partition 3 Primary 93 GB 604 GB

==================================================================================

Disk: 0
Partition 1
Type : EE
Hidden: Yes
Active: No

There is no volume associated with this partition.

==================================================================================

Disk: 0
Partition 2
Type : AF
Hidden: Yes
Active: No

There is no volume associated with this partition.

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C BOOTCAMP NTFS Partition 93 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1933 MB 4032 KB

==================================================================================

Disk: 1
Partition 1
Type : 0E
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E HP v125w FAT Removable 1933 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-18 23:01

======================= End Of Log ==========================






Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-26 20:10:47
Running from E:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0329216 ____A (Microsoft Corporation) 50BEA589F7D7958BDD2528A8F69D05CC

====== End Of Search ======


Edited by CatByte, 19 February 2013 - 12:25 PM.
removed name


#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:14 PM

Posted 26 July 2012 - 04:06 PM

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
C:\Windows\Installer\{d8b01f96-2640-cb67-ae2b-35559bff4b62}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options, then select Command Prompt.

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Reboot Normally.


NEXT

Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
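The check behind this fixlist is the one visible in the FRST search output posted above: the live C:\Windows\System32\services.exe has a different MD5 and a different size (329216 vs 328704 bytes) than the pristine copy Windows keeps in the winsxs component store, even though both carry the same timestamps. The following Python is an added example, not FRST's code or anything from this thread: it parses an FRST "Search:" block (the sample below is constructed from the output posted above), pairs each System32 hit with its winsxs reference, flags hash mismatches and suspicious identical timestamps, and prints the `replace:` directive in the fixlist syntax used in the post. It assumes the system root is C:\Windows and that FRST reports MD5 as shown on the page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the FRST search block from the thread.
FRST_SEARCH_OUTPUT = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0329216 ____A (Microsoft Corporation) 50BEA589F7D7958BDD2528A8F69D05CC

====== End Of Search ======
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
# One FRST detail line: [created] - [modified] - size attrs (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+)(?: \((?P<company>[^)]*)\))? (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FileHit:
    path: str
    created: str
    modified: str
    size: int
    attrs: str
    company: Optional[str]
    md5: str


@dataclass
class Verdict:
    name: str
    live: FileHit
    reference: FileHit
    md5_match: bool
    size_delta: int          # live size minus reference size
    timestamps_match: bool   # same stamps but different content is a red flag


def parse_frst_search(text: str) -> List[FileHit]:
    """Parse an FRST 'Search:' block into FileHit records (path line + detail line)."""
    hits: List[FileHit] = []
    pending: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            pending = line
            continue
        m = DETAIL_RE.match(line)
        if m and pending:
            hits.append(FileHit(pending, m["created"], m["modified"], int(m["size"]),
                                m["attrs"], m["company"], m["md5"].upper()))
            pending = None
    return hits


def is_component_store(path: str) -> bool:
    return "\\winsxs\\" in path.lower()


def is_live_system_file(path: str) -> bool:
    # Assumption: system root is C:\Windows, as on the machine in the thread.
    return path.lower().startswith("c:\\windows\\system32\\")


def compare_to_component_store(hits: List[FileHit]) -> List[Verdict]:
    """Pair each System32 copy with the first winsxs copy of the same file name."""
    refs: Dict[str, FileHit] = {}
    live: Dict[str, FileHit] = {}
    for h in hits:
        name = h.path.rsplit("\\", 1)[-1].lower()
        if is_component_store(h.path):
            refs.setdefault(name, h)
        elif is_live_system_file(h.path):
            live[name] = h
    verdicts = []
    for name, cur in live.items():
        ref = refs.get(name)
        if ref is None:
            continue  # nothing to compare against
        verdicts.append(Verdict(
            name, cur, ref,
            md5_match=cur.md5 == ref.md5,
            size_delta=cur.size - ref.size,
            timestamps_match=(cur.created, cur.modified) == (ref.created, ref.modified),
        ))
    return verdicts


def build_fixlist(verdicts: List[Verdict]) -> str:
    """Emit the 'replace: <reference> <live>' directive in the syntax shown in the post."""
    body = [f"replace: {v.reference.path} {v.live.path}" for v in verdicts if not v.md5_match]
    return "\n".join(["start", *body, "end"])


if __name__ == "__main__":
    results = compare_to_component_store(parse_frst_search(FRST_SEARCH_OUTPUT))
    for v in results:
        status = "OK" if v.md5_match else "MISMATCH"
        print(f"{v.name}: {status}, size delta {v.size_delta:+d} bytes, "
              f"timestamps identical: {v.timestamps_match}")
    print(build_fixlist(results))
```

On the thread's sample this reports a mismatch with a +512 byte delta and identical timestamps, and the generated fixlist is the same `replace:` line CatByte wrote by hand. Comparing against the component store is useful precisely because a patched system binary can keep its signer name and timestamps, so hash and size, not metadata, are what decide.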


#5 Rootcat

Rootcat
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male
  • Local time:09:14 PM

Posted 31 July 2012 - 12:31 AM

Hello--I know that these threads are automatically closed after 5 days of inactivity, and so I'm just getting a quick word in to indicate that I'm still here, as on my clock it is currently 12:30 in the morning on the 5th day. These past few days I have been out of town and haven't been at my laptop. I will be editing this post with the result of the FRST and ComboFix logs when I wake up and execute your instructions in the morning.

Thank you for your continued help.

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:14 PM

Posted 31 July 2012 - 08:46 AM

No problem, thanks for letting me know. I'll keep the thread open for you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 Rootcat

Rootcat
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male
  • Local time:09:14 PM

Posted 31 July 2012 - 02:23 PM

Fixlog.txt and the ComboFix log (log.txt) are pasted below in that order. A few things to note:
 

  • Before running combofix I disabled my Sophos Antivirus on-access scanner as instructed, but upon running it combofix warned me that the SAV on-access scanner was still enabled and asked me to disable it before clicking "OK", so I checked about 5 more times to be absolutely sure before clicking "OK", at which point I was provided with another box saying combofix STILL detected enabled on-access scanners but that it would proceed anyway upon clicking "OK" again. I clicked OK again and proceeded.
  • After combofix's scan, it restarted my computer, and upon reboot I was greeted with a message saying ComboFix was generating a log and not to run any other programs until it was finished--but I have a few benign programs that automatically run on startup (i.e. Yahoo Messenger) that did indeed start to run while combofix was generating its log. I don't know if that's a bad thing.
  • Sophos Antivirus is still indicating Troj/Sirefef in quarantine, pointing to C:\Windows\assembly\GAC_32\Desktop.ini and is prompting me to clean it up. I am currently ignoring those prompts.
  • Besides Sophos's warnings, my computer has been asymptomatic (as far as I can tell) since I ran MBAM and Hitman back at the very beginning. I was wondering whether I would come back from my traveling to find that the virus had acted up again; it hasn't.


Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-31 13:16:00 Run:1
Running from E:\

==============================================

C:\Windows\Installer\{d8b01f96-2640-cb67-ae2b-35559bff4b62} moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
Could not find C:\Windows\System32\services.exe.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====




ComboFix 12-07-30.03 - xxx 07/31/2012 13:33:52.1.8 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4007.2752 [GMT -5:00]
Running from: c:\users\xxx\Desktop\ComboFix.exe
AV: Sophos Anti-Virus *Enabled/Updated* {479CCF92-4960-B3E0-7373-BF453B467D2C}
SP: Sophos Anti-Virus *Enabled/Updated* {FCFD2E76-6F5A-BC6E-49C3-843740C13791}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\SysWow64\logs
c:\windows\SysWow64\logs\2011-05-25.txt
.
.
((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-31 )))))))))))))))))))))))))))))))
.
.
2012-07-31 21:16 . 2009-07-14 01:39 328704 ----a-w- c:\windows\system32\services.exe
2012-07-27 04:07 . 2012-07-27 04:08 -------- d-----w- C:\FRST
2012-07-26 16:40 . 2012-07-26 16:40 -------- d-----w- c:\program files (x86)\Common Files\Cisco Systems
2012-07-26 16:40 . 2012-07-26 16:36 37400 ----a-w- c:\windows\system32\SophosBootTasks.exe
2012-07-26 16:36 . 2012-07-26 16:36 144672 ----a-w- c:\windows\system32\drivers\savonaccess.sys
2012-07-26 03:50 . 2012-07-26 03:50 -------- d-----w- c:\users\xxx\AppData\Local\MSKLC
2012-07-26 03:49 . 2012-07-26 03:49 -------- d-----w- c:\program files (x86)\Microsoft Keyboard Layout Creator 1.4
2012-07-22 00:09 . 2012-07-22 00:09 -------- d-----w- c:\program files\HitmanPro
2012-07-22 00:09 . 2012-07-22 00:19 -------- d-----w- c:\programdata\HitmanPro
2012-07-21 21:14 . 2012-07-21 21:14 -------- d-----w- c:\users\xxx\AppData\Roaming\Malwarebytes
2012-07-21 21:13 . 2012-07-21 21:13 -------- d-----w- c:\programdata\Malwarebytes
2012-07-21 21:13 . 2012-07-21 21:13 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-07-21 21:13 . 2012-07-03 18:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-21 20:44 . 2012-07-21 20:46 -------- d-----w- c:\programdata\225932FD1A797471813CA379F875F002
2012-07-20 21:44 . 2012-07-23 07:53 -------- d-----w- c:\users\xxx\AppData\Roaming\foobar2000
2012-07-20 21:43 . 2012-07-20 21:43 -------- d-----w- c:\program files (x86)\foobar2000
2012-07-20 21:42 . 2012-07-20 21:42 -------- d-----w- c:\program files\Virtual Audio Cable
2012-07-20 21:42 . 2012-07-20 21:42 66728 ----a-w- c:\windows\system32\drivers\vrtaucbl.sys
2012-07-13 14:21 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-11 18:22 . 2012-06-06 06:06 2004480 ----a-w- c:\windows\system32\msxml6.dll
2012-07-11 18:22 . 2012-06-06 06:06 1881600 ----a-w- c:\windows\system32\msxml3.dll
2012-07-11 18:22 . 2012-06-06 05:05 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-07-11 18:22 . 2012-06-06 05:05 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-07-11 18:22 . 2010-06-26 03:55 2048 ----a-w- c:\windows\system32\msxml3r.dll
2012-07-11 18:22 . 2010-06-26 03:24 2048 ----a-w- c:\windows\SysWow64\msxml3r.dll
2012-07-11 18:19 . 2012-06-02 05:50 458704 ----a-w- c:\windows\system32\drivers\cng.sys
2012-07-11 18:19 . 2012-06-02 05:48 95600 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-11 18:19 . 2012-06-02 05:48 151920 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-07-11 18:19 . 2012-06-02 05:45 340992 ----a-w- c:\windows\system32\schannel.dll
2012-07-11 18:19 . 2012-06-02 05:44 307200 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-11 18:19 . 2012-06-02 04:40 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2012-07-11 18:19 . 2012-06-02 04:40 225280 ----a-w- c:\windows\SysWow64\schannel.dll
2012-07-11 18:19 . 2012-06-02 04:39 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll
2012-07-11 18:19 . 2012-06-02 04:34 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
2012-07-10 14:34 . 2012-07-10 14:34 -------- d-----w- c:\program files\Microsoft IntelliPoint
2012-07-02 05:25 . 2012-07-02 05:25 -------- d-----w- c:\users\xxx\AppData\Local\Mozilla
2012-07-02 05:25 . 2012-07-02 05:25 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-07-02 04:24 . 2012-07-02 04:24 -------- d-----w- c:\program files (x86)\WinDirStat
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-29 10:04 . 2012-07-20 16:26 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{89BDDC2A-C551-4EF9-B1A2-1C940F5FF59F}\mpengine.dll
2012-06-22 04:36 . 2012-06-22 04:36 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-22 04:36 . 2011-06-19 18:22 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-02 22:19 . 2012-06-21 10:10 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 10:10 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-21 10:10 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 10:10 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 10:10 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-21 10:10 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-21 10:10 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-21 10:10 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:15 . 2012-06-21 10:10 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-05-31 17:25 . 2010-11-21 03:27 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-05-15 04:01 . 2012-06-19 00:46 1188864 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 03:59 . 2012-06-19 00:46 64512 ----a-w- c:\windows\system32\jsproxy.dll
2012-05-15 03:03 . 2012-06-19 00:46 981504 ----a-w- c:\windows\SysWow64\wininet.dll
2012-05-04 11:06 . 2012-06-19 00:46 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 10:03 . 2012-06-19 00:46 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:03 . 2012-06-19 00:46 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~2\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2011-10-16 1242448]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-10-13 17351304]
"Xvid"="c:\program files (x86)\Xvid\CheckUpdate.exe" [2011-01-17 8192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Sophos AutoUpdate Monitor"="c:\program files (x86)\Sophos\AutoUpdate\almon.exe" [2012-07-26 900120]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2011-12-22 296056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 swi_update_64;Sophos Web Intelligence Update;c:\programdata\Sophos\Web Intelligence\swi_update_64.exe [2012-07-26 2009152]
R3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe [2012-02-10 240408]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-01 113120]
R3 sdcfilter;sdcfilter;c:\windows\system32\DRIVERS\sdcfilter.sys [2011-04-26 25592]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-04-25 1255736]
R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2011-04-26 25608]
S0 AppleHFS;AppleHFS; [x]
S0 AppleMNT;AppleMNT; [x]
S1 SAVOnAccess;SAVOnAccess;c:\windows\system32\DRIVERS\savonaccess.sys [2012-07-26 144672]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-02-07 203776]
S2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [2011-08-16 224640]
S2 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe [2011-02-07 110904]
S2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.exe [2012-02-10 193816]
S2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [2011-08-16 17752]
S2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys [2011-02-07 21048]
S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2012-07-26 216600]
S2 SAVService;Sophos Anti-Virus;c:\program files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [2012-07-26 139840]
S2 swi_service;Sophos Web Intelligence Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2012-07-26 2862656]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-02-07 2655768]
S3 acpials;ALS Sensor Filter;c:\windows\system32\DRIVERS\acpials.sys [2009-07-14 9728]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-02-07 8283136]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-02-07 294400]
S3 AppleBtBc;Apple Broadcom Built-in Bluetooth;c:\windows\system32\DRIVERS\AppleBtBc.sys [2011-06-28 19456]
S3 applemtm;Apple Multitouch Mouse;c:\windows\system32\DRIVERS\applemtm.sys [2011-02-07 12288]
S3 applemtp;Apple Multitouch;c:\windows\system32\DRIVERS\applemtp.sys [2011-02-07 38912]
S3 bScsiSDa;bScsiSDa;c:\windows\system32\DRIVERS\bScsiSDa.sys [2011-02-07 85544]
S3 CirrusFilter;CS420xLowerFilter;c:\windows\system32\DRIVERS\CS420x64.sys [2011-02-07 18432]
S3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\DRIVERS\vrtaucbl.sys [2012-07-20 66728]
S3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\DRIVERS\IRFilter.sys [2011-02-07 18432]
S3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\DRIVERS\KeyMagic.sys [2011-06-03 32256]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2011-02-07 56344]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-08-01 45416]
S3 ScreamBAudioSvc;ScreamBee Audio;c:\windows\system32\drivers\ScreamingBAudio64.sys [2009-12-01 38992]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-31 c:\windows\Tasks\1am.job
- c:\program files (x86)\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2012-07-26 16:36]
.
2012-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1046876759-1607990632-92284226-1000Core.job
- c:\users\xxx\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-24 05:42]
.
2012-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1046876759-1607990632-92284226-1000UA.job
- c:\users\xxx\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-24 05:42]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apple_KbdMgr"="c:\program files\Boot Camp\Bootcamp.exe" [2011-08-16 741760]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 2417032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured_x64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
Trusted Zone: freetoolsassociation.com\activegs
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\5xl6kmhd.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
AddRemove-chat-messenger - c:\program files (x86)\Chat Messenger\uninstall.exe
AddRemove-{3CC29C1A-B5FE-457B-8F22-32A2557A92C7}}_is1 - c:\program files (x86)\Windows Movie Maker\unins000.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Sophos Message Router]
"ImagePath"="\"c:\program files (x86)\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Yahoo!\Messenger\YahooMessenger.exe
c:\program files (x86)\Sophos\Remote Management System\ManagementAgentNT.exe
c:\program files (x86)\Sophos\AutoUpdate\ALsvc.exe
c:\program files (x86)\Sophos\Remote Management System\RouterNT.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2012-07-31 14:02:07 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-31 19:02
.
Pre-Run: 8,328,622,080 bytes free
Post-Run: 9,907,142,656 bytes free
.
- - End Of File - - 1C7462871E8A6A002D4A2A6D8BBEB79B


Edited by CatByte, 19 February 2013 - 12:26 PM.
removed name


#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 31 July 2012 - 02:38 PM

please confirm that your AV finds C:\Windows\assembly\GAC_32\Desktop.ini in the C:\FRST\Quarantine folder (it should no longer be active)

we just have a couple more scans to run to make sure there are no leftovers

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish


NEXT


  • Please download MiniToolBox and save it to your desktop and run it.

    Check the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List installed programs.

Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.
NEXT

Please download Farbar Service Scanner to your desktop and run it.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 Rootcat

Rootcat
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male

Posted 04 August 2012 - 08:33 PM

Sophos AV still appears to think the infection is present at C:\Windows\assembly\GAC_32\Desktop.ini and is still prompting me to clean it up (I am, again, ignoring these prompts), but I cannot find any Desktop.ini file in the GAC_32 folder or the GAC_64 folder; instead, I do in fact find it in C:\FRST\Quarantine. My computer continues to be asymptomatic.

A few notes:
  • MBAM quickscan found no threats. Log is posted first.
  • ESET online scan found 5 threats on my Windows partition. Log is posted second.
  • The minitoolbox and service scanner logs are posted third and fourth, respectively.
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.01.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
xxx :: xxxxxxxxx-PC [administrator]

8/1/2012 10:28:12 AM
mbam-log-2012-08-01 (10-28-12).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 200938
Time elapsed: 3 minute(s), 44 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

[ESETSCAN]
C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\services.exe.000 Win64/Patched.A.Gen trojan
C:\Users\All Users\Sophos\Sophos Anti-Virus\INFECTED\services.exe.000 Win64/Patched.A.Gen trojan
C:\Users\xxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K40FL6MS\hoobachan_net[1].htm JS/Exploit.MS05-013 trojan
C:\Users\xxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\713bb693-3b5328b5 Java/TrojanDownloader.OpenStream.NCA trojan
C:\Users\xxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\6eba7426-1cd3c334 a variant of Java/Exploit.CVE-2012-1723.Q trojan

MiniToolBox by Farbar Version: 23-07-2012
Ran by xxx (administrator) on 04-08-2012 at 20:18:53
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

127.0.0.1 localhost


=========================== Installed Programs ============================

µTorrent (Version: 3.1.3)
7-Zip 9.20 (x64 edition) (Version: 9.20.00.0)
Adobe AIR (Version: 2.6.0.19140)
Adobe Flash Player 10 Plugin (Version: 10.3.183.7)
Adobe Flash Player 11 ActiveX (Version: 11.3.300.257)
Apple Application Support (Version: 2.1.5)
Apple Software Update (Version: 2.1.3.127)
Audacity 1.3.13 (Unicode)
Bing Bar (Version: 7.1.361.0)
Bing Rewards Client Installer (Version: 16.0.345.0)
Boot Camp Services (Version: 3.3.2921)
Chat Messenger
D3DX10 (Version: 15.4.2368.0902)
Driver Detective (Version: 7)
ESET Online Scanner v3
FLV Player (Version: 2.0.25)
foobar2000 v1.1.7 (Version: 1.1.7)
Fraps
Google Chrome (Version: 21.0.1180.60)
HitmanPro 3.6 (Version: 3.6.0.160)
HP Deskjet 3050 J610 series Basic Device Software (Version: 22.50.231.0)
HP Deskjet 3050 J610 series Help (Version: 140.0.63.63)
HP Photo Creations (Version: 1.0.0.3781)
Intel® Management Engine Components (Version: 7.0.0.1118)
Java Auto Updater (Version: 2.0.5.1)
Java™ 6 Update 26 (Version: 6.0.260)
Magic Online (Version: 3.00.0000)
Magic Workstation 0.94f
Malwarebytes Anti-Malware version 1.62.0.1300 (Version: 1.62.0.1300)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft Keyboard Layout Creator 1.4 (Version: 1.4.6000)
Microsoft Mouse and Keyboard Center (Version: 1.1.500.0)
Microsoft Silverlight (Version: 5.1.10411.0)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.61001)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (Version: 9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Mozilla Firefox 13.0 (x86 en-US) (Version: 13.0)
Mozilla Maintenance Service (Version: 13.0)
MSVCRT (Version: 15.4.2862.0708)
Pando Media Booster (Version: 2.3.5.6)
PDFlite (remove only)
QuickTime (Version: 7.71.80.42)
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0)
RealPlayer
Realtek High Definition Audio Driver (Version: 6.0.1.5936)
RealUpgrade 1.1 (Version: 1.1.0)
RedMon - Redirection Port Monitor
Safari (Version: 5.34.50.0)
Skype Click to Call (Version: 5.6.8442)
Skype™ 5.5 (Version: 5.5.124)
Sophos Anti-Virus (Version: 10.0.6)
Sophos AutoUpdate (Version: 2.7.1)
Sophos Remote Management System (Version: 3.4.0)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523) (Version: 1)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217) (Version: 1)
Ventrilo Client for Windows x64 (Version: 3.0.8.0)
Virtual Audio Cable 4.10
WinDirStat 1.1.2
Windows Driver Package - Apple Inc. (AppleUSBEthernet) Net (02/01/2008 3.10.3.10) (Version: 02/01/2008 3.10.3.10)
Windows Driver Package - Apple Inc. Apple Bluetooth (03/01/2010 3.0.0.5) (Version: 03/01/2010 3.0.0.5)
Windows Driver Package - Apple Inc. Apple Bluetooth Enabler (06/27/2007 2.0.0.1) (Version: 06/27/2007 2.0.0.1)
Windows Driver Package - Apple Inc. Apple Broadcom Bluetooth (04/27/2011 4.0.0.1) (Version: 04/27/2011 4.0.0.1)
Windows Driver Package - Apple Inc. Apple Broadcom Bluetooth (10/05/2010 3.2.0.1) (Version: 10/05/2010 3.2.0.1)
Windows Driver Package - Apple Inc. Apple Built-in iSight (10/25/2007 2.0.1.0) (Version: 10/25/2007 2.0.1.0)
Windows Driver Package - Apple Inc. Apple Display (01/23/2009 3.0.0.0) (Version: 01/23/2009 3.0.0.0)
Windows Driver Package - Apple Inc. Apple IR Receiver (02/21/2008 2.0.4.0) (Version: 02/21/2008 2.0.4.0)
Windows Driver Package - Apple Inc. Apple Keyboard (05/05/2011 4.0.0.1) (Version: 05/05/2011 4.0.0.1)
Windows Driver Package - Apple Inc. Apple Keyboard (10/12/2010 3.2.0.2) (Version: 10/12/2010 3.2.0.2)
Windows Driver Package - Apple Inc. Apple Multitouch (05/05/2011 4.0.0.1) (Version: 05/05/2011 4.0.0.1)
Windows Driver Package - Apple Inc. Apple Multitouch (12/22/2010 3.2.0.2) (Version: 12/22/2010 3.2.0.2)
Windows Driver Package - Apple Inc. Apple Multitouch Mouse (05/05/2011 4.0.0.1) (Version: 05/05/2011 4.0.0.1)
Windows Driver Package - Apple Inc. Apple Multitouch Mouse (12/22/2010 3.2.0.2) (Version: 12/22/2010 3.2.0.2)
Windows Driver Package - Apple Inc. Apple ODD (05/17/2010 3.1.0.0) (Version: 05/17/2010 3.1.0.0)
Windows Driver Package - Apple Inc. Apple System Device (01/28/2011 3.2.0.6) (Version: 01/28/2011 3.2.0.6)
Windows Driver Package - Apple Inc. Apple System Device (04/05/2011 3.2.0.8) (Version: 04/05/2011 3.2.0.8)
Windows Driver Package - Apple Inc. Apple Trackpad (07/13/2009 3.0.0.1) (Version: 07/13/2009 3.0.0.1)
Windows Driver Package - Apple Inc. Apple Trackpad Enabler (07/13/2009 3.0.0.1) (Version: 07/13/2009 3.0.0.1)
Windows Driver Package - Apple Inc. Apple Wireless Mouse (04/12/2010 3.1.0.0) (Version: 04/12/2010 3.1.0.0)
Windows Driver Package - Apple Inc. Apple Wireless Mouse (06/01/2011 4.0.0.1) (Version: 06/01/2011 4.0.0.1)
Windows Driver Package - Apple Inc. Apple Wireless Trackpad (08/24/2010 3.1.0.7) (Version: 08/24/2010 3.1.0.7)
Windows Driver Package - Atheros Communications Inc. (athr) Net (11/18/2009 8.0.0.258) (Version: 11/18/2009 8.0.0.258)
Windows Driver Package - Broadcom (b57nd60a) Net (12/02/2010 14.4.2.2) (Version: 12/02/2010 14.4.2.2)
Windows Driver Package - Broadcom (BCM43XX) Net (01/22/2011 5.100.198.11) (Version: 01/22/2011 5.100.198.11)
Windows Driver Package - Broadcom (BCM43XX) Net (04/06/2011 5.100.198.22) (Version: 04/06/2011 5.100.198.22)
Windows Driver Package - Broadcom Corporation (bScsiSDa) SDHost (01/18/2011 1.0.0.220) (Version: 01/18/2011 1.0.0.220)
Windows Driver Package - Cirrus Logic, Inc. (CirrusFilter) MEDIA (12/03/2010 6.6001.1.30) (Version: 12/03/2010 6.6001.1.30)
Windows Driver Package - Intel (e1express) Net (03/26/2010 9.13.41.0) (Version: 03/26/2010 9.13.41.0)
Windows Driver Package - Intel (e1kexpress) Net (04/12/2010 11.6.92.0) (Version: 04/12/2010 11.6.92.0)
Windows Driver Package - Intel (e1qexpress) Net (12/04/2009 11.4.7.0) (Version: 12/04/2009 11.4.7.0)
Windows Driver Package - Intel (e1rexpress) Net (01/07/2010 11.4.16.0) (Version: 01/07/2010 11.4.16.0)
Windows Driver Package - Intel (e1yexpress) Net (04/07/2010 10.1.9.0) (Version: 04/07/2010 10.1.9.0)
Windows Driver Package - Intel System (07/20/2007 1.2.76.0) (Version: 07/20/2007 1.2.76.0)
Windows Driver Package - Marvell (yukonx64) Net (12/06/2007 10.51.1.3) (Version: 12/06/2007 10.51.1.3)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3555.0308)
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3555.0308)
Windows Live Messenger (Version: 15.4.3538.0513)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3508.1109)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)
Windows Movie Maker 6.1
Xvid Video Codec (Version: 1.3.2)
Yahoo! Messenger

**** End of log ****


Farbar Service Scanner Version: 04-08-2012 01
Ran by xxx (administrator) on 04-08-2012 at 20:26:04
Running from "C:\Users\xxx\Desktop"
Microsoft Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****

Edited by CatByte, 28 November 2013 - 12:14 PM.
removed name
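The MiniToolBox output in the reply above is where a hijacked hosts file or a forced browser proxy would show up, which is why the helper asked for those sections. The following is an added example (not code from Farbar's MiniToolBox, BleepingComputer or the helper) that reads a Result.txt in that layout and flags two things: proxy lines other than the two clean statements this report shows, and hosts rows that are not plain localhost mappings. The sample reports, the "tampered" proxy wording and the reserved hostnames and IP address are constructed for the example.

```python
"""Sanity checks over a MiniToolBox Result.txt.

Added example for this thread; not code from Farbar's MiniToolBox,
BleepingComputer or the helper. It splits the report into its
"==== Name: ====" sections and flags a proxy that is switched on and
hosts entries beyond the localhost lines, two common ways malware
redirects a victim's browsing or blocks antivirus updates.
"""
import re

# Matches "===== Hosts content: =====" and "===== Installed Programs =====" (no colon).
_SECTION = re.compile(r"^=+\s*(?P<name>.+?):?\s*=+$")

# The only wording the clean report in this thread shows for the proxy sections;
# anything else in those sections is surfaced for a human to look at.
_CLEAN_PROXY_LINES = {"Proxy is not enabled.", "No Proxy Server is set."}
_LOOPBACK = {"127.0.0.1", "::1"}
_LOCALHOST_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample in the layout of the Result.txt pasted above (trimmed).
SAMPLE_CLEAN = """\
MiniToolBox by Farbar Version: 23-07-2012
Ran by user (administrator) on 04-08-2012 at 20:18:53
***************************************************************************

========================= Flush DNS: ===================================

Successfully flushed the DNS Resolver Cache.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

========================= Hosts content: =================================

127.0.0.1 localhost

=========================== Installed Programs ============================

7-Zip 9.20 (x64 edition) (Version: 9.20.00.0)
Java(TM) 6 Update 26 (Version: 6.0.260)

**** End of log ****
"""

# Same report with a constructed tampering: a proxy switched on (the wording is
# ours, not MiniToolBox's) and two hosts rows, one blocking an update host and one
# redirecting a site. Hostnames use the reserved .invalid TLD; the IP is TEST-NET-3.
SAMPLE_TAMPERED = SAMPLE_CLEAN.replace(
    "Proxy is not enabled.\nNo Proxy Server is set.",
    "Proxy is enabled.\nProxy Server: 127.0.0.1:8080",
).replace(
    "127.0.0.1 localhost",
    "127.0.0.1 localhost\n"
    "127.0.0.1 update.example-av.invalid  # blocks AV updates\n"
    "203.0.113.5 www.example-bank.invalid",
)


def split_sections(text: str) -> dict[str, list[str]]:
    """Map each '==== Name ====' header to the non-blank lines under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = m["name"]
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def hosts_entries(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Parse 'ip name [name ...]' rows, dropping '#' comments and blank rows."""
    entries = []
    for line in lines:
        body = line.split("#", 1)[0].strip()
        if body:
            ip, *names = body.split()
            entries.append((ip, names))
    return entries


def check_report(text: str) -> list[str]:
    """Return one human-readable problem per suspicious proxy line or hosts row."""
    sections = split_sections(text)
    problems = []
    for key in ("IE Proxy Settings", "FF Proxy Settings"):
        for line in sections.get(key, []):
            if line not in _CLEAN_PROXY_LINES:
                problems.append(f"{key}: unexpected line {line!r}")
    for ip, names in hosts_entries(sections.get("Hosts content", [])):
        if ip not in _LOOPBACK or not set(names) <= _LOCALHOST_NAMES:
            problems.append(f"hosts: {ip} -> {' '.join(names)} is not a localhost mapping")
    return problems


if __name__ == "__main__":
    print("clean report:", check_report(SAMPLE_CLEAN) or "no problems")
    for problem in check_report(SAMPLE_TAMPERED):
        print("tampered report:", problem)
```

On a real Result.txt you would feed the file contents to `check_report`; an empty list is the "nothing to see" outcome the log above corresponds to, while any hosts row beyond localhost or any proxy line you did not set yourself deserves the same scrutiny the helper applies to the scan logs.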


#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 04 August 2012 - 09:27 PM

please run the following:
 

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Users\xxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K40FL6MS\hoobachan_net[1].htm
C:\Users\xxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\713bb693-3b5328b5
C:\Users\xxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\6eba7426-1cd3c334

ClearJavaCache::


Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Please download TDSSKiller.zip

  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
  • click OK
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • If TDLFS File System/TDSS File system is found then ensure Cure is selected (if cure is not available, choose skip)
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


NEXT

Your Java is out of date, so go to Start > Control Panel > Programs and Features > scroll down to the Java installation and Remove it, now download the latest Java version 7 update 5 and install it: http://java.com/en/download/index.jsp



NEXT


Please advise how your computer is running now and if there are any outstanding issues


Edited by CatByte, 19 February 2013 - 12:27 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
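The ESET export in the previous reply and the CFScript in this one show the triage the helper did by hand: of the five findings, the two services.exe.000 copies sit in the Sophos INFECTED folder and are already isolated, while the cached page and the two Java cache entries (flagged by ESET as exploit and downloader code) are delivery artefacts still on disk, so only those three go into the File:: block. The following added example (not code from ESET, ComboFix, BleepingComputer or the helper) does that sorting from the export's one-line-per-finding layout and emits a block in the shape of the CFScript above; the sample lines, user paths and category names are constructed for the example.

```python
"""Triage an ESET Online Scanner text export.

Added example for this thread; not code from ESET, ComboFix, BleepingComputer
or the helper. Each export line is "<path> [a variant of ]<signature> <kind>".
The path may contain spaces (e.g. "Temporary Internet Files") but the
signature never does, so the parser anchors on the last two tokens.
"""
import re
from dataclasses import dataclass

_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<variant>a variant of )?(?P<sig>\S+)\s+(?P<kind>\S+)$"
)

# Where a finding lives decides what it means. Category names are this example's own:
#   av_quarantine : a copy an installed AV already isolated; inert, not an active threat
#   java_cache    : a cached applet/JAR, i.e. the exploit's delivery artefact
#   browser_cache : the cached page that carried the exploit
#   review        : anything else needs a human look before it is touched
_RULES = (
    ("av_quarantine", re.compile(r"\\INFECTED\\", re.I)),
    ("java_cache", re.compile(r"\\Sun\\Java\\Deployment\\cache\\", re.I)),
    ("browser_cache", re.compile(r"\\Temporary Internet Files\\", re.I)),
)

# Constructed sample in the layout of the ESETSCAN export pasted in the thread;
# the user name, cache folder names and cache file names are placeholders.
SAMPLE_ESETSCAN = """\
[ESETSCAN]
C:\\ProgramData\\Sophos\\Sophos Anti-Virus\\INFECTED\\services.exe.000 Win64/Patched.A.Gen trojan
C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\ABCD1234\\example_site[1].htm JS/Exploit.MS05-013 trojan
C:\\Users\\user\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\19\\00000000-00000001 Java/TrojanDownloader.OpenStream.NCA trojan
C:\\Users\\user\\AppData\\LocalLow\\Sun\\Java\\Deployment\\cache\\6.0\\38\\00000000-00000002 a variant of Java/Exploit.CVE-2012-1723.Q trojan
"""


@dataclass(frozen=True)
class Finding:
    path: str
    signature: str
    kind: str
    variant: bool      # ESET's "a variant of" prefix: heuristic rather than exact match
    category: str


def classify(path: str) -> str:
    for name, rx in _RULES:
        if rx.search(path):
            return name
    return "review"


def parse_esetscan(text: str) -> list[Finding]:
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):   # blank lines and the [ESETSCAN] header
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised ESET line: {line!r}")
        findings.append(Finding(
            path=m["path"], signature=m["sig"], kind=m["kind"],
            variant=m["variant"] is not None, category=classify(m["path"]),
        ))
    return findings


def active_findings(findings: list[Finding]) -> list[Finding]:
    """Findings still on disk: everything an AV has not already quarantined."""
    return [f for f in findings if f.category != "av_quarantine"]


def build_cfscript(findings: list[Finding]) -> str:
    """File:: block for active findings, plus ClearJavaCache:: when any came
    from the Java cache (directive shape copied from the thread's CFScript)."""
    active = active_findings(findings)
    lines = ["File::"] + [f.path for f in active]
    if any(f.category == "java_cache" for f in active):
        lines += ["", "ClearJavaCache::"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_esetscan(SAMPLE_ESETSCAN)
    for f in parsed:
        print(f"{f.category:14} {f.signature:40} {f.path}")
    print()
    print(build_cfscript(parsed))
```

The useful part is the split, not the script: a detection inside an AV's quarantine folder is a record of something already handled, and deleting it from a second tool only removes evidence, whereas a "review" finding (anything outside cache and quarantine, a patched system binary for instance) should be shown to someone before any automated deletion.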


#11 Rootcat

Rootcat
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male

Posted 05 August 2012 - 01:49 PM

Logs are attached, first ComboFix then TDSSKiller. TDSSKiller found a "TDSS File system" and the "Cure" option was not available, so I chose Skip per your instructions. I also updated Java. The Desktop.ini file is still sitting in FRST\Quarantine, Sophos Antivirus is still prompting me to clean it up, performance-wise my computer is totally asymptomatic, as it has been since I took the initial steps to free myself from the "Live Security Platinum" scareware scam that was locking me out of my computer.


ComboFix 12-08-05.02 - xxx 08/05/2012 13:21:52.2.8 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4007.2605 [GMT -5:00]
Running from: c:\users\xxx\Desktop\ComboFix.exe
Command switches used :: c:\users\xxx\Desktop\CFScript.txt
AV: Sophos Anti-Virus *Disabled/Updated* {65FBD860-96D8-75EF-C7ED-7BE27E6C498A}
SP: Sophos Anti-Virus *Disabled/Updated* {DE9A3984-B0E2-7A61-FD5D-409005EB0337}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\users\xxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K40FL6MS\hoobachan_net[1].htm"
"c:\users\xxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\19\713bb693-3b5328b5"
"c:\users\xxx\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\38\6eba7426-1cd3c334"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\xxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K40FL6MS\hoobachan_net[1].htm
.
.
((((((((((((((((((((((((( Files Created from 2012-07-05 to 2012-08-05 )))))))))))))))))))))))))))))))
.
.
2012-08-05 18:28 . 2012-08-05 18:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-04 21:35 . 2012-08-04 21:35 -------- d-----w- c:\program files (x86)\ESET
2012-08-03 08:25 . 2012-06-29 10:04 9133488 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{45D201D7-76D8-42B8-A70C-05DD644C45BA}\mpengine.dll
2012-08-02 18:35 . 2012-08-02 18:35 -------- d-----w- c:\program files\Microsoft Device Center
2012-07-31 21:16 . 2009-07-14 01:39 328704 ----a-w- c:\windows\system32\services.exe
2012-07-27 04:07 . 2012-07-27 04:08 -------- d-----w- C:\FRST
2012-07-26 16:40 . 2012-07-26 16:40 -------- d-----w- c:\program files (x86)\Common Files\Cisco Systems
2012-07-26 16:40 . 2012-07-26 16:36 37400 ----a-w- c:\windows\system32\SophosBootTasks.exe
2012-07-26 16:36 . 2012-07-26 16:36 144672 ----a-w- c:\windows\system32\drivers\savonaccess.sys
2012-07-26 03:50 . 2012-07-26 03:50 -------- d-----w- c:\users\xxx\AppData\Local\MSKLC
2012-07-26 03:49 . 2012-07-26 03:49 -------- d-----w- c:\program files (x86)\Microsoft Keyboard Layout Creator 1.4
2012-07-22 00:09 . 2012-07-22 00:09 -------- d-----w- c:\program files\HitmanPro
2012-07-22 00:09 . 2012-07-22 00:19 -------- d-----w- c:\programdata\HitmanPro
2012-07-21 21:14 . 2012-07-21 21:14 -------- d-----w- c:\users\xxx\AppData\Roaming\Malwarebytes
2012-07-21 21:13 . 2012-07-21 21:13 -------- d-----w- c:\programdata\Malwarebytes
2012-07-21 21:13 . 2012-07-21 21:13 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-07-21 21:13 . 2012-07-03 18:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-21 20:44 . 2012-07-21 20:46 -------- d-----w- c:\programdata\225932FD1A797471813CA379F875F002
2012-07-20 21:44 . 2012-08-02 05:59 -------- d-----w- c:\users\xxx\AppData\Roaming\foobar2000
2012-07-20 21:43 . 2012-07-20 21:43 -------- d-----w- c:\program files (x86)\foobar2000
2012-07-20 21:42 . 2012-07-20 21:42 -------- d-----w- c:\program files\Virtual Audio Cable
2012-07-20 21:42 . 2012-07-20 21:42 66728 ----a-w- c:\windows\system32\drivers\vrtaucbl.sys
2012-07-13 14:21 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-07-11 18:22 . 2012-06-06 06:06 2004480 ----a-w- c:\windows\system32\msxml6.dll
2012-07-11 18:22 . 2012-06-06 06:06 1881600 ----a-w- c:\windows\system32\msxml3.dll
2012-07-11 18:22 . 2012-06-06 05:05 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-07-11 18:22 . 2012-06-06 05:05 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-07-11 18:22 . 2010-06-26 03:55 2048 ----a-w- c:\windows\system32\msxml3r.dll
2012-07-11 18:22 . 2010-06-26 03:24 2048 ----a-w- c:\windows\SysWow64\msxml3r.dll
2012-07-11 18:19 . 2012-06-02 05:50 458704 ----a-w- c:\windows\system32\drivers\cng.sys
2012-07-11 18:19 . 2012-06-02 05:48 95600 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-11 18:19 . 2012-06-02 05:48 151920 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-07-11 18:19 . 2012-06-02 05:45 340992 ----a-w- c:\windows\system32\schannel.dll
2012-07-11 18:19 . 2012-06-02 05:44 307200 ----a-w- c:\windows\system32\ncrypt.dll
2012-07-11 18:19 . 2012-06-02 04:40 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2012-07-11 18:19 . 2012-06-02 04:40 225280 ----a-w- c:\windows\SysWow64\schannel.dll
2012-07-11 18:19 . 2012-06-02 04:39 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll
2012-07-11 18:19 . 2012-06-02 04:34 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-27 02:38 . 2012-06-27 02:38 827728 ----a-w- c:\windows\system32\msvcr100.dll
2012-06-27 02:38 . 2012-06-27 02:38 607568 ----a-w- c:\windows\system32\msvcp100.dll
2012-06-27 02:38 . 2012-06-27 02:38 46176 ----a-w- c:\windows\system32\drivers\point64.sys
2012-06-22 04:36 . 2012-06-22 04:36 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-06-22 04:36 . 2011-06-19 18:22 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-02 22:19 . 2012-06-21 10:10 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-21 10:10 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-21 10:10 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-21 10:10 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-21 10:10 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-21 10:10 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-21 10:10 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-21 10:10 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:15 . 2012-06-21 10:10 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-05-31 17:25 . 2010-11-21 03:27 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-05-28 12:09 . 2012-05-28 12:09 2168416 ----a-w- c:\windows\system32\coin91.dll
2012-05-15 04:01 . 2012-06-19 00:46 1188864 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 03:59 . 2012-06-19 00:46 64512 ----a-w- c:\windows\system32\jsproxy.dll
2012-05-15 03:03 . 2012-06-19 00:46 981504 ----a-w- c:\windows\SysWow64\wininet.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-31_23.56.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-07-31 18:17 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-08-05 17:47 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-07-31 18:17 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-05 17:47 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-07-31 18:17 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-05 17:47 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-11-21 03:09 . 2012-07-31 19:00 36636 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-08-05 17:49 31140 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:30 . 2012-07-31 18:08 86016 c:\windows\system32\DriverStore\infpub.dat
+ 2009-07-14 05:30 . 2012-08-02 18:36 86016 c:\windows\system32\DriverStore\infpub.dat
+ 2012-06-27 02:38 . 2012-06-27 02:38 46176 c:\windows\system32\DriverStore\FileRepository\point64.inf_amd64_neutral_9dfb37c4551846b5\point64.sys
+ 2012-06-27 02:38 . 2012-06-27 02:38 23648 c:\windows\system32\DriverStore\FileRepository\nuidfltr.inf_amd64_neutral_bc0f6ac836b7c530\nuidfltr.sys
+ 2012-06-25 03:24 . 2012-06-25 03:24 52320 c:\windows\system32\DriverStore\FileRepository\dc3du.inf_amd64_neutral_5dff7a66d62494f4\dc3d.sys
+ 2012-06-27 02:38 . 2012-06-27 02:38 52320 c:\windows\system32\DriverStore\FileRepository\dc3dh.inf_amd64_neutral_38eb2f3558845570\dc3d.sys
+ 2011-04-24 11:37 . 2012-08-05 14:23 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-04-24 11:37 . 2012-07-31 18:21 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-04-24 11:37 . 2012-07-31 18:21 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-04-24 11:37 . 2012-08-05 14:23 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-07-31 18:21 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-05 14:23 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-09-04 21:40 . 2012-07-31 18:20 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-09-04 21:40 . 2012-08-05 17:50 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:46 . 2012-07-31 19:02 93456 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2011-09-04 21:40 . 2012-08-05 17:50 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-09-04 21:40 . 2012-07-31 18:20 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-09-04 21:40 . 2012-07-31 18:20 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-09-04 21:40 . 2012-08-05 17:50 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-04-24 16:13 . 2012-07-31 18:20 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-04-24 16:13 . 2012-08-05 18:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-04-24 16:13 . 2012-07-31 18:20 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-04-24 16:13 . 2012-08-05 18:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-04-24 15:21 . 2012-08-05 17:49 8094 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1046876759-1607990632-92284226-1000_UserData.bin
+ 2012-08-05 17:47 . 2012-08-05 17:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-07-31 23:56 . 2012-07-31 23:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-07-31 23:56 . 2012-07-31 23:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-05 17:47 . 2012-08-05 17:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-04-24 15:56 . 2012-08-04 19:12 239300 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-07-14 02:36 . 2012-07-31 18:24 624412 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-08-05 17:54 624412 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-08-05 17:54 106756 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-07-31 18:24 106756 c:\windows\system32\perfc009.dat
- 2009-07-14 05:30 . 2012-07-31 18:08 143360 c:\windows\system32\DriverStore\infstrng.dat
+ 2009-07-14 05:30 . 2012-08-02 18:36 143360 c:\windows\system32\DriverStore\infstrng.dat
- 2009-07-14 05:30 . 2012-07-20 21:42 143360 c:\windows\system32\DriverStore\infstor.dat
+ 2009-07-14 05:30 . 2012-08-02 18:36 143360 c:\windows\system32\DriverStore\infstor.dat
+ 2009-07-14 05:01 . 2012-08-05 17:45 230752 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-07-31 18:39 230752 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-06-27 02:38 . 2012-06-27 02:38 1721576 c:\windows\system32\DriverStore\FileRepository\point64.inf_amd64_neutral_9dfb37c4551846b5\wdfcoinstaller01009.dll
+ 2012-06-27 02:38 . 2012-06-27 02:38 1721576 c:\windows\system32\DriverStore\FileRepository\nuidfltr.inf_amd64_neutral_bc0f6ac836b7c530\wdfcoinstaller01009.dll
+ 2012-06-27 02:38 . 2012-06-27 02:38 2168416 c:\windows\system32\DriverStore\FileRepository\itpcdless.inf_amd64_neutral_a0e2ebca1e67cc14\coin91.dll
+ 2012-05-28 12:09 . 2012-05-28 12:09 2168416 c:\windows\system32\DriverStore\FileRepository\ipcdless.inf_amd64_neutral_ce4fd77c67982835\coin91.dll
+ 2012-06-25 03:24 . 2012-06-25 03:24 1721576 c:\windows\system32\DriverStore\FileRepository\dc3du.inf_amd64_neutral_5dff7a66d62494f4\WdfCoInstaller01009.dll
+ 2012-06-27 02:38 . 2012-06-27 02:38 1721576 c:\windows\system32\DriverStore\FileRepository\dc3dh.inf_amd64_neutral_38eb2f3558845570\WdfCoInstaller01009.dll
+ 2012-06-27 02:38 . 2012-06-27 02:38 2168416 c:\windows\system32\DriverStore\FileRepository\dc3dh.inf_amd64_neutral_38eb2f3558845570\coin91.dll
+ 2012-06-27 02:38 . 2012-06-27 02:38 2168416 c:\windows\system32\DriverStore\FileRepository\bthcdless.inf_amd64_neutral_b6816e1b1034fed6\coin91.dll
+ 2012-06-27 02:38 . 2012-06-27 02:38 2019328 c:\windows\Installer\5a0b3db.msi
+ 2011-04-26 22:51 . 2012-08-05 17:46 16758567 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1046876759-1607990632-92284226-1000-12288.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~2\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2012-08-05 1353080]
"Skype"="c:\program files (x86)\Skype\Phone\Skype.exe" [2011-10-13 17351304]
"Xvid"="c:\program files (x86)\Xvid\CheckUpdate.exe" [2011-01-17 8192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Sophos AutoUpdate Monitor"="c:\program files (x86)\Sophos\AutoUpdate\almon.exe" [2012-07-26 900120]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"TkBellExe"="c:\program files (x86)\Real\RealPlayer\update\realsched.exe" [2011-12-22 296056]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro36.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro36CrusaderBoot]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 BBSvc;BingBar Service;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.exe [2012-02-10 193816]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 swi_update_64;Sophos Web Intelligence Update;c:\programdata\Sophos\Web Intelligence\swi_update_64.exe [2012-07-26 2009152]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-06-01 113120]
R3 sdcfilter;sdcfilter;c:\windows\system32\DRIVERS\sdcfilter.sys [2011-04-26 25592]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-04-25 1255736]
R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2011-04-26 25608]
S0 AppleHFS;AppleHFS; [x]
S0 AppleMNT;AppleMNT; [x]
S1 SAVOnAccess;SAVOnAccess;c:\windows\system32\DRIVERS\savonaccess.sys [2012-07-26 144672]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-02-07 203776]
S2 AppleOSSMgr;Apple OS Switch Manager;c:\windows\system32\AppleOSSMgr.exe [2011-08-16 224640]
S2 AppleTimeSrv;Apple Time Service;c:\windows\system32\AppleTimeSrv.exe [2011-02-07 110904]
S2 KeyAgent;KeyAgent;c:\windows\system32\drivers\KeyAgent.sys [2011-08-16 17752]
S2 MacHALDriver;Mac HAL;c:\windows\system32\drivers\MacHALDriver.sys [2011-02-07 21048]
S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2012-07-26 216600]
S2 SAVService;Sophos Anti-Virus;c:\program files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [2012-07-26 139840]
S2 swi_service;Sophos Web Intelligence Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2012-07-26 2862656]
S2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2011-02-07 2655768]
S3 acpials;ALS Sensor Filter;c:\windows\system32\DRIVERS\acpials.sys [2009-07-14 9728]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-02-07 8283136]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-02-07 294400]
S3 AppleBtBc;Apple Broadcom Built-in Bluetooth;c:\windows\system32\DRIVERS\AppleBtBc.sys [2011-06-28 19456]
S3 applemtm;Apple Multitouch Mouse;c:\windows\system32\DRIVERS\applemtm.sys [2011-02-07 12288]
S3 applemtp;Apple Multitouch;c:\windows\system32\DRIVERS\applemtp.sys [2011-02-07 38912]
S3 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe [2012-02-10 240408]
S3 bScsiSDa;bScsiSDa;c:\windows\system32\DRIVERS\bScsiSDa.sys [2011-02-07 85544]
S3 CirrusFilter;CS420xLowerFilter;c:\windows\system32\DRIVERS\CS420x64.sys [2011-02-07 18432]
S3 EuMusDesignVirtualAudioCableWdm;Virtual Audio Cable (WDM);c:\windows\system32\DRIVERS\vrtaucbl.sys [2012-07-20 66728]
S3 IRRemoteFlt;IR Receiver Filter Driver;c:\windows\system32\DRIVERS\IRFilter.sys [2011-02-07 18432]
S3 KeyMagic;USB Keyboard HID Filter;c:\windows\system32\DRIVERS\KeyMagic.sys [2011-06-03 32256]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2011-02-07 56344]
S3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2012-06-27 46176]
S3 ScreamBAudioSvc;ScreamBee Audio;c:\windows\system32\drivers\ScreamingBAudio64.sys [2009-12-01 38992]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1046876759-1607990632-92284226-1000Core.job
- c:\users\xxx\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-24 05:42]
.
2012-08-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1046876759-1607990632-92284226-1000UA.job
- c:\users\xxx\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-24 05:42]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apple_KbdMgr"="c:\program files\Boot Camp\Bootcamp.exe" [2011-08-16 741760]
"IntelliType Pro"="c:\program files\Microsoft Device Center\itype.exe" [2012-06-27 1464928]
"IntelliPoint"="c:\program files\Microsoft Device Center\ipoint.exe" [2012-06-27 2004584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured_x64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
LSP: c:\programdata\Sophos\Web Intelligence\swi_ifslsp.dll
Trusted Zone: freetoolsassociation.com\activegs
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\5xl6kmhd.default\
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Sophos Message Router]
"ImagePath"="\"c:\program files (x86)\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-08-05 13:30:46
ComboFix-quarantined-files.txt 2012-08-05 18:30
ComboFix2.txt 2012-07-31 19:02
.
Pre-Run: 8,261,033,984 bytes free
Post-Run: 8,408,637,440 bytes free
.
- - End Of File - - 3269EAD74C3A5A24EDEEE4512D23CDD0

13:34:13.0375 4476 TDSS rootkit removing tool 2.7.48.0 Jul 24 2012 13:16:32
13:34:13.0625 4476 ============================================================
13:34:13.0625 4476 Current date / time: 2012/08/05 13:34:13.0625
13:34:13.0625 4476 SystemInfo:
13:34:13.0625 4476
13:34:13.0625 4476 OS Version: 6.1.7601 ServicePack: 1.0
13:34:13.0625 4476 Product type: Workstation
13:34:13.0625 4476 ComputerName: xxxxxxxxx-PC
13:34:13.0625 4476 UserName: xxx
13:34:13.0625 4476 Windows directory: C:\Windows
13:34:13.0625 4476 System windows directory: C:\Windows
13:34:13.0625 4476 Running under WOW64
13:34:13.0625 4476 Processor architecture: Intel x64
13:34:13.0625 4476 Number of processors: 8
13:34:13.0625 4476 Page size: 0x1000
13:34:13.0625 4476 Boot type: Normal boot
13:34:13.0625 4476 ============================================================
13:34:14.0810 4476 Drive \Device\Harddisk0\DR0 - Size: 0xAEA8CDE000 (698.64 Gb), SectorSize: 0x200, Cylinders: 0x16441, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
13:34:14.0810 4476 ============================================================
13:34:14.0810 4476 \Device\Harddisk0\DR0:
13:34:14.0810 4476 MBR partitions:
13:34:14.0810 4476 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x4B97F800, BlocksNum 0xBBC6800
13:34:14.0810 4476 ============================================================
13:34:14.0873 4476 C: <-> \Device\Harddisk0\DR0\Partition0
13:34:14.0873 4476 ============================================================
13:34:14.0873 4476 Initialize success
13:34:14.0873 4476 ============================================================
13:35:40.0227 4648 ============================================================
13:35:40.0227 4648 Scan started
13:35:40.0227 4648 Mode: Manual; TDLFS;
13:35:40.0227 4648 ============================================================
13:35:42.0115 4648 1394ohci (a87d604aea360176311474c87a63bb88) C:\Windows\system32\DRIVERS\1394ohci.sys
13:35:42.0131 4648 1394ohci - ok
13:35:42.0162 4648 ACPI (d81d9e70b8a6dd14d42d7b4efa65d5f2) C:\Windows\system32\drivers\ACPI.sys
13:35:42.0177 4648 ACPI - ok
13:35:42.0209 4648 acpials (12c5274cd87449a2a37a607cdb321922) C:\Windows\system32\DRIVERS\acpials.sys
13:35:42.0209 4648 acpials - ok
13:35:42.0255 4648 AcpiPmi (99f8e788246d495ce3794d7e7821d2ca) C:\Windows\system32\drivers\acpipmi.sys
13:35:42.0255 4648 AcpiPmi - ok
13:35:42.0318 4648 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\drivers\adp94xx.sys
13:35:42.0333 4648 adp94xx - ok
13:35:42.0365 4648 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\drivers\adpahci.sys
13:35:42.0380 4648 adpahci - ok
13:35:42.0411 4648 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\drivers\adpu320.sys
13:35:42.0427 4648 adpu320 - ok
13:35:42.0443 4648 AeLookupSvc (4b78b431f225fd8624c5655cb1de7b61) C:\Windows\System32\aelupsvc.dll
13:35:42.0443 4648 AeLookupSvc - ok
13:35:42.0521 4648 AFD (1c7857b62de5994a75b054a9fd4c3825) C:\Windows\system32\drivers\afd.sys
13:35:42.0536 4648 AFD - ok
13:35:42.0567 4648 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\drivers\agp440.sys
13:35:42.0567 4648 agp440 - ok
13:35:42.0599 4648 ALG (3290d6946b5e30e70414990574883ddb) C:\Windows\System32\alg.exe
13:35:42.0599 4648 ALG - ok
13:35:42.0614 4648 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\drivers\aliide.sys
13:35:42.0614 4648 aliide - ok
13:35:42.0677 4648 AMD External Events Utility (11276158eeeeadf3eb154061bfc80a19) C:\Windows\system32\atiesrxx.exe
13:35:42.0677 4648 AMD External Events Utility - ok
13:35:42.0677 4648 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\drivers\amdide.sys
13:35:42.0677 4648 amdide - ok
13:35:42.0723 4648 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\drivers\amdk8.sys
13:35:42.0723 4648 AmdK8 - ok
13:35:43.0082 4648 amdkmdag (df943a113060d3abfda4730ae4163d6f) C:\Windows\system32\DRIVERS\atikmdag.sys
13:35:43.0113 4648 amdkmdag - ok
13:35:43.0316 4648 amdkmdap (4003b34b4a83de29cd1c88eb6c869e58) C:\Windows\system32\DRIVERS\atikmpag.sys
13:35:43.0316 4648 amdkmdap - ok
13:35:43.0363 4648 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\drivers\amdppm.sys
13:35:43.0363 4648 AmdPPM - ok
13:35:43.0394 4648 amdsata (d4121ae6d0c0e7e13aa221aa57ef2d49) C:\Windows\system32\drivers\amdsata.sys
13:35:43.0394 4648 amdsata - ok
13:35:43.0425 4648 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\drivers\amdsbs.sys
13:35:43.0425 4648 amdsbs - ok
13:35:43.0457 4648 amdxata (540daf1cea6094886d72126fd7c33048) C:\Windows\system32\drivers\amdxata.sys
13:35:43.0457 4648 amdxata - ok
13:35:43.0488 4648 AppID (89a69c3f2f319b43379399547526d952) C:\Windows\system32\drivers\appid.sys
13:35:43.0488 4648 AppID - ok
13:35:43.0519 4648 AppIDSvc (0bc381a15355a3982216f7172f545de1) C:\Windows\System32\appidsvc.dll
13:35:43.0519 4648 AppIDSvc - ok
13:35:43.0535 4648 Appinfo (3977d4a871ca0d4f2ed1e7db46829731) C:\Windows\System32\appinfo.dll
13:35:43.0550 4648 Appinfo - ok
13:35:43.0581 4648 AppleBtBc (0c84cf12d12ba8a65ed1a43cf83f88b5) C:\Windows\system32\DRIVERS\AppleBtBc.sys
13:35:43.0581 4648 AppleBtBc - ok
13:35:43.0628 4648 AppleHFS (b3d07ac99e35aadd1eec5669cdc15cc6) C:\Windows\system32\drivers\AppleHFS.sys
13:35:43.0628 4648 AppleHFS - ok
13:35:43.0659 4648 AppleMNT (6882a29f98bad0c7e77d6773b072b462) C:\Windows\system32\drivers\AppleMNT.sys
13:35:43.0659 4648 AppleMNT - ok
13:35:43.0722 4648 applemtm (a0a045a7cc583e1b024aba3e9b38e2c0) C:\Windows\system32\DRIVERS\applemtm.sys
13:35:43.0722 4648 applemtm - ok
13:35:43.0753 4648 applemtp (cc8879aaa4de50f70d194f54b50ff5cf) C:\Windows\system32\DRIVERS\applemtp.sys
13:35:43.0753 4648 applemtp - ok
13:35:43.0800 4648 AppleOSSMgr (0039e9279a22baa91f4edea153bbdaff) C:\Windows\system32\AppleOSSMgr.exe
13:35:43.0800 4648 AppleOSSMgr - ok
13:35:43.0831 4648 AppleTimeSrv (fb3cfe1112d68febaff307df88efded4) C:\Windows\system32\AppleTimeSrv.exe
13:35:43.0831 4648 AppleTimeSrv - ok
13:35:43.0893 4648 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\drivers\arc.sys
13:35:43.0893 4648 arc - ok
13:35:43.0909 4648 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\drivers\arcsas.sys
13:35:43.0909 4648 arcsas - ok
13:35:43.0925 4648 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
13:35:43.0925 4648 AsyncMac - ok
13:35:43.0956 4648 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\drivers\atapi.sys
13:35:43.0956 4648 atapi - ok
13:35:44.0065 4648 AudioEndpointBuilder (f23fef6d569fce88671949894a8becf1) C:\Windows\System32\Audiosrv.dll
13:35:44.0065 4648 AudioEndpointBuilder - ok
13:35:44.0081 4648 AudioSrv (f23fef6d569fce88671949894a8becf1) C:\Windows\System32\Audiosrv.dll
13:35:44.0096 4648 AudioSrv - ok
13:35:44.0127 4648 AxInstSV (a6bf31a71b409dfa8cac83159e1e2aff) C:\Windows\System32\AxInstSV.dll
13:35:44.0127 4648 AxInstSV - ok
13:35:44.0205 4648 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\drivers\bxvbda.sys
13:35:44.0205 4648 b06bdrv - ok
13:35:44.0283 4648 b57nd60a (bfd70bea3f8398f6b8b44e5cded3249c) C:\Windows\system32\DRIVERS\b57nd60a.sys
13:35:44.0283 4648 b57nd60a - ok
13:35:44.0439 4648 BBSvc (a2494901e7226b356b8c1005c45f1c5f) C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\BBSvc.exe
13:35:44.0455 4648 BBSvc - ok
13:35:44.0502 4648 BBUpdate (63b1cbbae4790b5bac98f01bf9449722) C:\Program Files (x86)\Microsoft\BingBar\7.1.361.0\SeaPort.exe
13:35:44.0502 4648 BBUpdate - ok
13:35:44.0923 4648 BCM43XX (64032ca1644a336bd98acfa5601e925e) C:\Windows\system32\DRIVERS\bcmwl664.sys
13:35:44.0954 4648 BCM43XX - ok
13:35:45.0079 4648 BDESVC (fde360167101b4e45a96f939f388aeb0) C:\Windows\System32\bdesvc.dll
13:35:45.0079 4648 BDESVC - ok
13:35:45.0141 4648 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
13:35:45.0141 4648 Beep - ok
13:35:45.0235 4648 BFE (82974d6a2fd19445cc5171fc378668a4) C:\Windows\System32\bfe.dll
13:35:45.0251 4648 BFE - ok
13:35:45.0344 4648 BITS (1ea7969e3271cbc59e1730697dc74682) C:\Windows\system32\qmgr.dll
13:35:45.0344 4648 BITS - ok
13:35:45.0422 4648 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
13:35:45.0422 4648 blbdrive - ok
13:35:45.0485 4648 bowser (6c02a83164f5cc0a262f4199f0871cf5) C:\Windows\system32\DRIVERS\bowser.sys
13:35:45.0485 4648 bowser - ok
13:35:45.0500 4648 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\drivers\BrFiltLo.sys
13:35:45.0500 4648 BrFiltLo - ok
13:35:45.0516 4648 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\drivers\BrFiltUp.sys
13:35:45.0516 4648 BrFiltUp - ok
13:35:45.0563 4648 BridgeMP (5c2f352a4e961d72518261257aae204b) C:\Windows\system32\DRIVERS\bridge.sys
13:35:45.0563 4648 BridgeMP - ok
13:35:45.0609 4648 Browser (8ef0d5c41ec907751b8429162b1239ed) C:\Windows\System32\browser.dll
13:35:45.0609 4648 Browser - ok
13:35:45.0656 4648 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
13:35:45.0672 4648 Brserid - ok
13:35:45.0687 4648 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
13:35:45.0687 4648 BrSerWdm - ok
13:35:45.0703 4648 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
13:35:45.0719 4648 BrUsbMdm - ok
13:35:45.0734 4648 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
13:35:45.0734 4648 BrUsbSer - ok
13:35:45.0765 4648 bScsiSDa (d751deea9b2206532aade60aa94c475a) C:\Windows\system32\DRIVERS\bScsiSDa.sys
13:35:45.0765 4648 bScsiSDa - ok
13:35:45.0828 4648 BthEnum (cf98190a94f62e405c8cb255018b2315) C:\Windows\system32\drivers\BthEnum.sys
13:35:45.0828 4648 BthEnum - ok
13:35:45.0859 4648 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\drivers\bthmodem.sys
13:35:45.0859 4648 BTHMODEM - ok
13:35:45.0906 4648 BthPan (02dd601b708dd0667e1331fa8518e9ff) C:\Windows\system32\DRIVERS\bthpan.sys
13:35:45.0906 4648 BthPan - ok
13:35:45.0999 4648 BTHPORT (64c198198501f7560ee41d8d1efa7952) C:\Windows\system32\Drivers\BTHport.sys
13:35:45.0999 4648 BTHPORT - ok
13:35:46.0031 4648 bthserv (95f9c2976059462cbbf227f7aab10de9) C:\Windows\system32\bthserv.dll
13:35:46.0031 4648 bthserv - ok
13:35:46.0062 4648 BTHUSB (f188b7394d81010767b6df3178519a37) C:\Windows\system32\Drivers\BTHUSB.sys
13:35:46.0062 4648 BTHUSB - ok
13:35:46.0077 4648 catchme - ok
13:35:46.0140 4648 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
13:35:46.0140 4648 cdfs - ok
13:35:46.0187 4648 cdrom (f036ce71586e93d94dab220d7bdf4416) C:\Windows\system32\DRIVERS\cdrom.sys
13:35:46.0187 4648 cdrom - ok
13:35:46.0218 4648 CertPropSvc (f17d1d393bbc69c5322fbfafaca28c7f) C:\Windows\System32\certprop.dll
13:35:46.0218 4648 CertPropSvc - ok
13:35:46.0265 4648 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\drivers\circlass.sys
13:35:46.0265 4648 circlass - ok
13:35:46.0296 4648 CirrusFilter (11da0ccbce49e7a4c6a4f9f2b4e858f8) C:\Windows\system32\DRIVERS\CS420x64.sys
13:35:46.0296 4648 CirrusFilter - ok
13:35:46.0343 4648 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
13:35:46.0343 4648 CLFS - ok
13:35:46.0405 4648 clr_optimization_v2.0.50727_32 (d88040f816fda31c3b466f0fa0918f29) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
13:35:46.0405 4648 clr_optimization_v2.0.50727_32 - ok
13:35:46.0452 4648 clr_optimization_v2.0.50727_64 (d1ceea2b47cb998321c579651ce3e4f8) C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
13:35:46.0452 4648 clr_optimization_v2.0.50727_64 - ok
13:35:46.0545 4648 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
13:35:46.0545 4648 clr_optimization_v4.0.30319_32 - ok
13:35:46.0608 4648 clr_optimization_v4.0.30319_64 (c6f9af94dcd58122a4d7e89db6bed29d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
13:35:46.0608 4648 clr_optimization_v4.0.30319_64 - ok
13:35:46.0639 4648 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
13:35:46.0639 4648 CmBatt - ok
13:35:46.0655 4648 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\drivers\cmdide.sys
13:35:46.0655 4648 cmdide - ok
13:35:46.0733 4648 CNG (9ac4f97c2d3e93367e2148ea940cd2cd) C:\Windows\system32\Drivers\cng.sys
13:35:46.0748 4648 CNG - ok
13:35:46.0764 4648 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
13:35:46.0764 4648 Compbatt - ok
13:35:46.0811 4648 CompositeBus (03edb043586cceba243d689bdda370a8) C:\Windows\system32\DRIVERS\CompositeBus.sys
13:35:46.0811 4648 CompositeBus - ok
13:35:46.0826 4648 COMSysApp - ok
13:35:46.0842 4648 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\drivers\crcdisk.sys
13:35:46.0842 4648 crcdisk - ok
13:35:46.0889 4648 CryptSvc (4f5414602e2544a4554d95517948b705) C:\Windows\system32\cryptsvc.dll
13:35:46.0904 4648 CryptSvc - ok
13:35:46.0967 4648 DcomLaunch (5c627d1b1138676c0a7ab2c2c190d123) C:\Windows\system32\rpcss.dll
13:35:46.0967 4648 DcomLaunch - ok
13:35:47.0060 4648 defragsvc (3cec7631a84943677aa8fa8ee5b6b43d) C:\Windows\System32\defragsvc.dll
13:35:47.0060 4648 defragsvc - ok
13:35:47.0091 4648 DfsC (9bb2ef44eaa163b29c4a4587887a0fe4) C:\Windows\system32\Drivers\dfsc.sys
13:35:47.0107 4648 DfsC - ok
13:35:47.0169 4648 Dhcp (43d808f5d9e1a18e5eeb5ebc83969e4e) C:\Windows\system32\dhcpcore.dll
13:35:47.0169 4648 Dhcp - ok
13:35:47.0201 4648 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
13:35:47.0201 4648 discache - ok
13:35:47.0247 4648 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\drivers\disk.sys
13:35:47.0247 4648 Disk - ok
13:35:47.0310 4648 Dnscache (16835866aaa693c7d7fceba8fff706e4) C:\Windows\System32\dnsrslvr.dll
13:35:47.0310 4648 Dnscache - ok
13:35:47.0357 4648 dot3svc (b1fb3ddca0fdf408750d5843591afbc6) C:\Windows\System32\dot3svc.dll
13:35:47.0357 4648 dot3svc - ok
13:35:47.0388 4648 DPS (b26f4f737e8f9df4f31af6cf31d05820) C:\Windows\system32\dps.dll
13:35:47.0403 4648 DPS - ok
13:35:47.0435 4648 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
13:35:47.0435 4648 drmkaud - ok
13:35:47.0544 4648 DXGKrnl (f5bee30450e18e6b83a5012c100616fd) C:\Windows\System32\drivers\dxgkrnl.sys
13:35:47.0559 4648 DXGKrnl - ok
13:35:47.0591 4648 EapHost (e2dda8726da9cb5b2c4000c9018a9633) C:\Windows\System32\eapsvc.dll
13:35:47.0591 4648 EapHost - ok
13:35:47.0856 4648 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\drivers\evbda.sys
13:35:47.0887 4648 ebdrv - ok
13:35:48.0012 4648 EFS (c118a82cd78818c29ab228366ebf81c3) C:\Windows\System32\lsass.exe
13:35:48.0012 4648 EFS - ok
13:35:48.0121 4648 ehRecvr (c4002b6b41975f057d98c439030cea07) C:\Windows\ehome\ehRecvr.exe
13:35:48.0137 4648 ehRecvr - ok
13:35:48.0152 4648 ehSched (4705e8ef9934482c5bb488ce28afc681) C:\Windows\ehome\ehsched.exe
13:35:48.0168 4648 ehSched - ok
13:35:48.0277 4648 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\drivers\elxstor.sys
13:35:48.0277 4648 elxstor - ok
13:35:48.0293 4648 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\drivers\errdev.sys
13:35:48.0293 4648 ErrDev - ok
13:35:48.0371 4648 EuMusDesignVirtualAudioCableWdm (932c05033053ada2404fd836c9ab2c70) C:\Windows\system32\DRIVERS\vrtaucbl.sys
13:35:48.0371 4648 EuMusDesignVirtualAudioCableWdm - ok
13:35:48.0417 4648 EventSystem (4166f82be4d24938977dd1746be9b8a0) C:\Windows\system32\es.dll
13:35:48.0433 4648 EventSystem - ok
13:35:48.0480 4648 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
13:35:48.0495 4648 exfat - ok
13:35:48.0527 4648 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
13:36:03.0456 4648 volmgr - ok
13:36:03.0487 4648 volmgrx (a255814907c89be58b79ef2f189b843b) C:\Windows\system32\drivers\volmgrx.sys
13:36:03.0503 4648 volmgrx - ok
13:36:03.0534 4648 volsnap (0d08d2f3b3ff84e433346669b5e0f639) C:\Windows\system32\drivers\volsnap.sys
13:36:03.0549 4648 volsnap - ok
13:36:03.0596 4648 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\drivers\vsmraid.sys
13:36:03.0596 4648 vsmraid - ok
13:36:03.0752 4648 VSS (b60ba0bc31b0cb414593e169f6f21cc2) C:\Windows\system32\vssvc.exe
13:36:03.0768 4648 VSS - ok
13:36:03.0893 4648 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\system32\DRIVERS\vwifibus.sys
13:36:03.0893 4648 vwifibus - ok
13:36:03.0924 4648 vwififlt (6a3d66263414ff0d6fa754c646612f3f) C:\Windows\system32\DRIVERS\vwififlt.sys
13:36:03.0924 4648 vwififlt - ok
13:36:03.0986 4648 W32Time (1c9d80cc3849b3788048078c26486e1a) C:\Windows\system32\w32time.dll
13:36:04.0002 4648 W32Time - ok
13:36:04.0017 4648 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\drivers\wacompen.sys
13:36:04.0017 4648 WacomPen - ok
13:36:04.0064 4648 WANARP (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
13:36:04.0064 4648 WANARP - ok
13:36:04.0064 4648 Wanarpv6 (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
13:36:04.0064 4648 Wanarpv6 - ok
13:36:04.0236 4648 WatAdminSvc (3cec96de223e49eaae3651fcf8faea6c) C:\Windows\system32\Wat\WatAdminSvc.exe
13:36:04.0267 4648 WatAdminSvc - ok
13:36:04.0407 4648 wbengine (78f4e7f5c56cb9716238eb57da4b6a75) C:\Windows\system32\wbengine.exe
13:36:04.0423 4648 wbengine - ok
13:36:04.0548 4648 WbioSrvc (3aa101e8edab2db4131333f4325c76a3) C:\Windows\System32\wbiosrvc.dll
13:36:04.0548 4648 WbioSrvc - ok
13:36:04.0595 4648 wcncsvc (7368a2afd46e5a4481d1de9d14848edd) C:\Windows\System32\wcncsvc.dll
13:36:04.0595 4648 wcncsvc - ok
13:36:04.0610 4648 WcsPlugInService (20f7441334b18cee52027661df4a6129) C:\Windows\System32\WcsPlugInService.dll
13:36:04.0626 4648 WcsPlugInService - ok
13:36:04.0673 4648 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\drivers\wd.sys
13:36:04.0673 4648 Wd - ok
13:36:04.0751 4648 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
13:36:04.0766 4648 Wdf01000 - ok
13:36:04.0782 4648 WdiServiceHost (bf1fc3f79b863c914687a737c2f3d681) C:\Windows\system32\wdi.dll
13:36:04.0782 4648 WdiServiceHost - ok
13:36:04.0797 4648 WdiSystemHost (bf1fc3f79b863c914687a737c2f3d681) C:\Windows\system32\wdi.dll
13:36:04.0797 4648 WdiSystemHost - ok
13:36:04.0844 4648 WebClient (3db6d04e1c64272f8b14eb8bc4616280) C:\Windows\System32\webclnt.dll
13:36:04.0844 4648 WebClient - ok
13:36:04.0875 4648 Wecsvc (c749025a679c5103e575e3b48e092c43) C:\Windows\system32\wecsvc.dll
13:36:04.0891 4648 Wecsvc - ok
13:36:04.0907 4648 wercplsupport (7e591867422dc788b9e5bd337a669a08) C:\Windows\System32\wercplsupport.dll
13:36:04.0922 4648 wercplsupport - ok
13:36:04.0969 4648 WerSvc (6d137963730144698cbd10f202e9f251) C:\Windows\System32\WerSvc.dll
13:36:04.0969 4648 WerSvc - ok
13:36:05.0031 4648 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
13:36:05.0031 4648 WfpLwf - ok
13:36:05.0047 4648 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
13:36:05.0047 4648 WIMMount - ok
13:36:05.0078 4648 WinDefend - ok
13:36:05.0094 4648 WinHttpAutoProxySvc - ok
13:36:05.0156 4648 Winmgmt (19b07e7e8915d701225da41cb3877306) C:\Windows\system32\wbem\WMIsvc.dll
13:36:05.0172 4648 Winmgmt - ok
13:36:05.0359 4648 WinRM (bcb1310604aa415c4508708975b3931e) C:\Windows\system32\WsmSvc.dll
13:36:05.0375 4648 WinRM - ok
13:36:05.0546 4648 WinUsb (fe88b288356e7b47b74b13372add906d) C:\Windows\system32\DRIVERS\WinUsb.sys
13:36:05.0546 4648 WinUsb - ok
13:36:05.0655 4648 Wlansvc (4fada86e62f18a1b2f42ba18ae24e6aa) C:\Windows\System32\wlansvc.dll
13:36:05.0671 4648 Wlansvc - ok
13:36:05.0936 4648 wlidsvc (2bacd71123f42cea603f4e205e1ae337) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
13:36:05.0967 4648 wlidsvc - ok
13:36:06.0092 4648 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\drivers\wmiacpi.sys
13:36:06.0092 4648 WmiAcpi - ok
13:36:06.0170 4648 wmiApSrv (38b84c94c5a8af291adfea478ae54f93) C:\Windows\system32\wbem\WmiApSrv.exe
13:36:06.0170 4648 wmiApSrv - ok
13:36:06.0217 4648 WMPNetworkSvc - ok
13:36:06.0248 4648 WPCSvc (96c6e7100d724c69fcf9e7bf590d1dca) C:\Windows\System32\wpcsvc.dll
13:36:06.0248 4648 WPCSvc - ok
13:36:06.0279 4648 WPDBusEnum (93221146d4ebbf314c29b23cd6cc391d) C:\Windows\system32\wpdbusenum.dll
13:36:06.0279 4648 WPDBusEnum - ok
13:36:06.0311 4648 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
13:36:06.0311 4648 ws2ifsl - ok
13:36:06.0357 4648 wscsvc (e8b1fe6669397d1772d8196df0e57a9e) C:\Windows\system32\wscsvc.dll
13:36:06.0357 4648 wscsvc - ok
13:36:06.0373 4648 WSearch - ok
13:36:06.0607 4648 wuauserv (d9ef901dca379cfe914e9fa13b73b4c4) C:\Windows\system32\wuaueng.dll
13:36:06.0654 4648 wuauserv - ok
13:36:06.0779 4648 WudfPf (d3381dc54c34d79b22cee0d65ba91b7c) C:\Windows\system32\drivers\WudfPf.sys
13:36:06.0779 4648 WudfPf - ok
13:36:06.0810 4648 WUDFRd (cf8d590be3373029d57af80914190682) C:\Windows\system32\DRIVERS\WUDFRd.sys
13:36:06.0825 4648 WUDFRd - ok
13:36:06.0841 4648 wudfsvc (7a95c95b6c4cf292d689106bcae49543) C:\Windows\System32\WUDFSvc.dll
13:36:06.0857 4648 wudfsvc - ok
13:36:06.0888 4648 WwanSvc (9a3452b3c2a46c073166c5cf49fad1ae) C:\Windows\System32\wwansvc.dll
13:36:06.0888 4648 WwanSvc - ok
13:36:06.0935 4648 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
13:36:07.0309 4648 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
13:36:07.0309 4648 \Device\Harddisk0\DR0 - detected TDSS File System (1)
13:36:07.0309 4648 Boot (0x1200) (12c579913cfdeb80dfeea55d7f11c0cb) \Device\Harddisk0\DR0\Partition0
13:36:07.0309 4648 \Device\Harddisk0\DR0\Partition0 - ok
13:36:07.0309 4648 ============================================================
13:36:07.0309 4648 Scan finished
13:36:07.0309 4648 ============================================================
13:36:07.0340 1760 Detected object count: 1
13:36:07.0340 1760 Actual detected object count: 1
13:37:21.0550 1760 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
13:37:21.0550 1760 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
13:37:31.0440 3168 Deinitialize success

Edited by CatByte, 28 November 2013 - 12:11 PM.
removed name


#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 05 August 2012 - 02:08 PM

please re-run TDSSKiller and this time allow it to delete the TDSS File system that it finds


NEXT


please run the following:

  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool.
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click Scan
  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 Rootcat

Rootcat
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male

Posted 05 August 2012 - 04:30 PM

I allowed TDSSKiller to delete the file system. You didn't ask for a log of that so I'm not going to paste one, but if you want it, please let me know.

MBR log is pasted, .dat is attached (MBR.zip, 567 bytes):

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-05 15:49:58
-----------------------------
15:49:58.374 OS Version: Windows x64 6.1.7601 Service Pack 1
15:49:58.374 Number of processors: 8 586 0x2A07
15:49:58.374 ComputerName: xxxxxxxxx-PC UserName: xxx
15:49:59.232 Initialize success
15:52:16.628 AVAST engine defs: 12080501
15:55:31.206 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
15:55:31.206 Disk 0 Vendor: TOSHIBA_MK7559GSXF GQ005B Size: 715404MB BusType: 3
15:55:31.237 Disk 0 MBR read successfully
15:55:31.253 Disk 0 MBR scan
15:55:31.253 Disk 0 Windows 7 default MBR code
15:55:31.269 Disk 0 Partition 1 00 EE GPT 200 MB offset 1
15:55:31.284 Disk 0 Partition 2 00 AF HFS / HFS+ 618934 MB offset 409640
15:55:31.331 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 96141 MB offset 1268250624
15:55:31.362 Disk 0 scanning C:\Windows\system32\drivers
15:55:43.624 Service scanning
15:56:25.167 Modules scanning
15:56:25.182 Disk 0 trace - called modules:
15:56:25.213 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
15:56:25.728 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800560f790]
15:56:25.728 3 CLASSPNP.SYS[fffff880019cc43f] -> nt!IofCallDriver -> [0xfffffa80053cc520]
15:56:25.744 5 ACPI.sys[fffff88000faf7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80053c8680]
15:56:27.616 AVAST engine scan C:\Windows
15:56:32.093 AVAST engine scan C:\Windows\system32
16:01:24.313 AVAST engine scan C:\Windows\system32\drivers
16:01:41.379 AVAST engine scan C:\Users\xxx
16:15:38.286 AVAST engine scan C:\ProgramData
16:17:33.396 Scan finished successfully
16:22:49.391 Disk 0 MBR has been saved successfully to "C:\Users\xxx\Desktop\MBR.dat"
16:22:49.406 The log file has been saved successfully to "C:\Users\xxx\Desktop\aswMBR.txt

Edited by CatByte, 28 November 2013 - 12:13 PM.
removed name
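The aswMBR log in the post above lists the partition table it read from disk 0 (a GPT protective entry, an HFS+ entry and an active NTFS entry, the hybrid layout Boot Camp writes) and saves the raw sector to MBR.dat. The following is an added example, not code from this thread, from aswMBR or from TDSSKiller: a small Python parser that reads a 512-byte MBR image such as MBR.dat, decodes the four partition entries, flags the hybrid layout, and hashes the boot-code region separately from the partition table. The sample sector is constructed here to mirror the layout in the log, with sizes approximated from the log's megabyte figures; the 0x1B8-byte boot-code length is my assumption about what TDSSKiller's "MBR (0x1B8)" line hashes.

```python
"""Parse a raw 512-byte MBR image (e.g. the MBR.dat that aswMBR saves) and
summarise its partition table and boot-code hash.

Added example; not code from the thread, from aswMBR or from TDSSKiller.
"""
import hashlib
import struct
import sys

MBR_SIZE = 512
BOOT_CODE_LEN = 0x1B8         # assumption: the region TDSSKiller labels "MBR (0x1B8)"
PART_TABLE_OFFSET = 0x1BE     # four 16-byte entries precede the 0x55AA signature
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xAA"

# Type codes seen in the aswMBR log above, plus a few common ones.
PART_TYPES = {
    0x00: "empty",
    0x07: "HPFS/NTFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x82: "Linux swap",
    0x83: "Linux",
    0xAF: "HFS / HFS+",
    0xEE: "GPT protective",
}


def parse_mbr(mbr: bytes) -> list:
    """Return the four partition entries as dicts; reject malformed sectors."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        # layout: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, f"unknown (0x{ptype:02X})"),
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mb": sectors * 512 // (1024 * 1024),
        })
    return entries


def boot_code_md5(mbr: bytes) -> str:
    """MD5 of the boot-code region only; the partition table is deliberately excluded
    so that the hash stays stable across partition changes and can be compared
    against a known-good value for the installed OS's MBR code."""
    return hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest()


def active_partition(entries: list):
    """1-based index of the single active (0x80) partition, or None if zero or several."""
    active = [e["index"] for e in entries if e["bootable"]]
    return active[0] if len(active) == 1 else None


def is_hybrid_mbr(entries: list) -> bool:
    """True when a GPT protective entry (0xEE) shares the table with real partitions,
    as in the Boot Camp layout shown in the log; a plain GPT disk has only the 0xEE entry."""
    types = {e["type"] for e in entries if e["type"] != 0x00}
    return 0xEE in types and len(types) > 1


def build_mbr(parts: list, boot_code: bytes = b"") -> bytes:
    """Assemble a constructed MBR image from (bootable, type, lba_start, sectors) tuples."""
    sector = bytearray(MBR_SIZE)
    sector[:BOOT_CODE_LEN] = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    for i, (bootable, ptype, lba, count) in enumerate(parts):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFFSET + i * PART_ENTRY_LEN,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)


def report(mbr: bytes) -> list:
    """Summary lines in the spirit of aswMBR's 'Disk 0 Partition N ...' output."""
    lines = [f"boot code md5: {boot_code_md5(mbr)}"]
    for e in parse_mbr(mbr):
        if e["type"] == 0x00:
            continue
        flag = "80 (A)" if e["bootable"] else "00"
        lines.append(f"Partition {e['index']} {flag} {e['type']:02X} {e['type_name']} "
                     f"{e['size_mb']} MB offset {e['lba_start']}")
    return lines


# Constructed sample mirroring the layout in the aswMBR log above
# (MB figures from the log converted to 512-byte sectors; boot code left as zeros).
SAMPLE_MBR = build_mbr([
    (False, 0xEE, 1, 200 * 2048),             # GPT protective, 200 MB at LBA 1
    (False, 0xAF, 409640, 618934 * 2048),      # HFS+, the OS X side
    (True, 0x07, 1268250624, 96141 * 2048),    # NTFS, active, the Windows side
])

if __name__ == "__main__":
    # Usage: python mbr_report.py [MBR.dat]; without an argument the constructed sample is used.
    image = open(sys.argv[1], "rb").read(MBR_SIZE) if len(sys.argv) > 1 else SAMPLE_MBR
    for line in report(image):
        print(line)
    entries = parse_mbr(image)
    print("active partition:", active_partition(entries))
    print("hybrid MBR:", is_hybrid_mbr(entries))
```

Point the script at a real MBR.dat to get the same kind of partition listing the log shows; the boot-code hash is the value worth recording, because a bootkit that replaces the first sector changes that region while leaving the partition table intact.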


#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 05 August 2012 - 05:26 PM

looks good

how is the computer running now?

Are there any outstanding issues?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 Rootcat

Rootcat
  • Topic Starter

  • Members
  • 15 posts
  • Gender:Male

Posted 05 August 2012 - 05:39 PM

Thanks for all your help. As I said, my computer's performance has been normal as far as I can tell from the very beginning. If it weren't for MBAM/Hitman/Sophos all giving me red lights and saying my computer was still infected, I would've stopped worrying about it as soon as I broke free of the scareware's lockdown.

The only outstanding issue is my antivirus still acting up. Now it says it's worried about two things--the Desktop.ini file, which is still in FRST\Quarantine, seems to be scaring it. Should I delete that file?

The other item is NirCmd. I know what that is; it was probably installed with aswMBR. I'll just clean it up for the sake of it so my AV has one less thing to fuss about.



