
Possible bootkit infection, plagued by random audio ads & semi-regular system freeze


  • This topic is locked
19 replies to this topic

#1 Scary Carey

Scary Carey

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:36 AM

Posted 22 July 2012 - 01:27 PM

Referred from here: http://www.bleepingcomputer.com/forums/topic460816.html ~ OB

For the past two weeks, I've noticed that random audio advertisements tend to pop up on my computer. I hear them playing even after I've completely closed out of my browser windows. After performing multiple scans with Malwarebytes Pro AND PC Tools Spyware Doctor, nothing seems to have helped.

In addition, it's gotten to the point where my laptop has been freezing up more frequently, mainly when I click on a link to open a new window. Because of this, it's actually taken me a few days to perform the necessary functions provided in another forum on this site in order to run the diagnostic tools and be able to attach the associated log files with this message. I've also had problems with shutting down my computer properly, since I have actually noticed that it could be in the "Shutting down" mode for an hour and still not properly shut down. The only way I have of shutting down my laptop is to unplug it from its power source and remove the battery pack.

I'm extremely appreciative of the help I've gotten so far and look forward to finding out just how this issue can be resolved once and for all.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Cecilia at 13:32:12 on 2012-07-22
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.2038.594 [GMT -4:00]
.
AV: PC Tools Spyware Doctor with AntiVirus *Enabled/Updated* {2F668A56-D5E0-2DF1-A0AE-CB1284F42AB2}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: PC Tools Spyware Doctor with AntiVirus *Enabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\PC Tools Security Spyware Dr\pctsAuxs.exe
C:\Program Files\PC Tools Security Spyware Dr\pctsSvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\PC Tools Security Spyware Dr\pctsGui.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\PC Tools Security Spyware Dr\TFEngine\TFService.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PC Tools Security Spyware Dr\TFEngine\TFUN.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.babylon.com/?affID=109935&tt=010712_6&babsrc=HP_ss&mntrId=ce25c89f000000000000001cbf309694
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /minimized /regrun
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [boincmgr] "c:\program files\boinc\boincmgr.exe" /a /s
mRun: [boinctray] "c:\program files\boinc\boinctray.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [ISTray] "c:\program files\pc tools security spyware dr\pctsGui.exe" /hideGUI
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_3_300_257_ActiveX.exe -update activex
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1 71.252.0.12
TCP: Interfaces\{E26DAB64-6E59-44D1-8AE5-3A5138A2B187} : DhcpNameServer = 192.168.1.1 71.252.0.12
TCP: Interfaces\{E26DAB64-6E59-44D1-8AE5-3A5138A2B187}\958465C423 : DhcpNameServer = 192.168.1.1 71.252.0.12
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2012-7-9 331880]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2012-7-9 342168]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2012-7-9 909728]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2012-7-10 54328]
R0 TFSysMon;TFSysMon;c:\windows\system32\drivers\TfSysMon.sys [2012-7-10 574424]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2012-7-9 253352]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [2012-7-9 185560]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-7-3 22344]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2012-7-9 70536]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2012-7-10 35264]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2009-9-28 315392]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 RapportIaso;RapportIaso;c:\programdata\trusteer\rapport\store\exts\rapportms\baseline\RapportIaso.sys [2012-6-27 21520]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2011-6-19 15872]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-6-19 52224]
.
=============== Created Last 30 ================
.
2012-07-22 17:31:12 670 ----a-w- c:\programdata\agtxcaa.tmp
2012-07-22 17:16:34 884 ----a-w- c:\programdata\wdlkaaa.tmp
2012-07-22 15:44:01 627 ----a-w- c:\programdata\xdlkaaa.tmp
2012-07-22 15:44:01 623 ----a-w- c:\programdata\czvmcaa.tmp
2012-07-22 05:02:33 899 ----a-w- c:\programdata\djbidaa.tmp
2012-07-22 04:56:25 902 ----a-w- c:\programdata\hrmkaaa.tmp
2012-07-22 04:56:24 924 ----a-w- c:\programdata\grmkaaa.tmp
2012-07-21 08:59:00 666 ----a-w- c:\programdata\tpgkaaa.tmp
2012-07-21 08:56:23 656 ----a-w- c:\programdata\spgkaaa.tmp
2012-07-21 08:52:19 652 ----a-w- c:\programdata\ecmdcaa.tmp
2012-07-21 02:19:59 -------- d-----w- c:\users\cecilia\appdata\roaming\PCTools
2012-07-21 00:24:25 676 ----a-w- c:\programdata\nwcidaa.tmp
2012-07-21 00:10:05 677 ----a-w- c:\programdata\mwcidaa.tmp
2012-07-20 19:05:43 676 ----a-w- c:\programdata\kfrkaaa.tmp
2012-07-20 05:43:14 668 ----a-w- c:\programdata\noyraaa.tmp
2012-07-20 02:28:31 663 ----a-w- c:\programdata\mkknaaa.tmp
2012-07-19 10:26:13 655 ----a-w- c:\programdata\glpucaa.tmp
2012-07-19 10:19:06 650 ----a-w- c:\programdata\hlpucaa.tmp
2012-07-19 10:02:24 668 ----a-w- c:\programdata\beifdaa.tmp
2012-07-14 20:55:20 -------- d-----w- c:\users\cecilia\appdata\local\Macromedia
2012-07-14 19:40:27 952 ----a-w- c:\programdata\usurcaa.tmp
2012-07-14 19:39:23 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-11 21:03:58 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-07-11 21:03:58 1158656 ----a-w- c:\windows\system32\crypt32.dll
2012-07-11 21:03:58 103936 ----a-w- c:\windows\system32\cryptnet.dll
2012-07-10 22:58:42 574424 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2012-07-10 22:58:42 54328 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2012-07-10 22:58:42 35264 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2012-07-10 15:46:25 107864 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2012-07-10 15:21:41 -------- d-----r- c:\program files\Skype
2012-07-10 15:17:20 694 ----a-w- c:\programdata\baqkdaa.tmp
2012-07-10 15:16:14 883 ----a-w- c:\programdata\aaqkdaa.tmp
2012-07-10 15:11:55 -------- d-----w- c:\windows\system32\appmgmt
2012-07-09 22:46:30 909728 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2012-07-09 22:46:30 342168 ----a-w- c:\windows\system32\drivers\pctDS.sys
2012-07-09 22:46:29 253352 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2012-07-09 22:46:23 331880 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2012-07-09 22:46:23 162584 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2012-07-09 22:46:20 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-07-09 22:46:20 17848 ----a-w- c:\windows\system32\drivers\pctBTFix.sys
2012-07-09 22:46:05 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2012-07-09 22:45:42 -------- d-----w- c:\programdata\PC Tools
2012-07-09 22:45:42 -------- d-----w- c:\program files\PC Tools Security Spyware Dr
2012-07-09 22:45:42 -------- d-----w- c:\program files\common files\PC Tools
2012-07-09 22:41:55 -------- d-----w- c:\users\cecilia\appdata\roaming\GetRightToGo
2012-07-09 21:16:30 -------- d-----w- c:\users\cecilia\appdata\local\Mozilla
2012-07-09 21:14:51 -------- d-----w- c:\users\cecilia\appdata\local\Google
2012-07-09 21:13:56 -------- d-----w- c:\programdata\Babylon
2012-07-09 21:13:55 -------- d-----w- c:\users\cecilia\appdata\roaming\Babylon
2012-07-06 18:21:21 911 ----a-w- c:\programdata\pjijaaa.tmp
2012-07-03 05:53:45 -------- d-----w- c:\users\cecilia\appdata\roaming\Malwarebytes
2012-07-03 05:53:37 -------- d-----w- c:\programdata\Malwarebytes
2012-07-03 05:53:36 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-03 05:53:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-02 18:29:29 917 ----a-w- c:\programdata\vsgobaa.tmp
2012-07-02 18:01:59 931 ----a-w- c:\programdata\bmerbaa.tmp
2012-06-29 20:52:56 617 ----a-w- c:\programdata\mgqjdaa.tmp
2012-06-28 18:20:19 693 ----a-w- c:\programdata\obudbaa.tmp
2012-06-27 22:32:05 673 ----a-w- c:\programdata\minybaa.tmp
2012-06-27 22:25:51 -------- d-----w- c:\users\cecilia\appdata\local\Trusteer
2012-06-27 22:24:21 -------- d-----w- c:\programdata\Trusteer
2012-06-26 20:42:17 6762896 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{5c55a2fc-c307-4526-89fd-1cea8a7777ca}\mpengine.dll
2012-06-26 02:19:58 -------- d-----w- c:\programdata\FreeRIP
2012-06-26 02:19:55 -------- d-----w- c:\program files\FreeRIP3
2012-06-23 05:25:16 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-23 05:25:01 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-23 05:24:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-23 05:24:44 171904 ----a-w- c:\windows\system32\wuwebv.dll
.
==================== Find3M ====================
.
2012-07-14 20:54:29 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-14 20:54:29 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-06 05:05:52 1390080 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- c:\windows\system32\cdosys.dll
2012-06-02 08:33:25 1800192 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 04:45:04 67440 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 04:45:03 134000 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 04:40:59 369336 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 04:40:39 225280 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-04-28 04:41:44 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-04-28 03:17:07 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-26 04:45:55 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-26 04:45:54 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-26 04:41:16 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
.
============= FINISH: 13:35:20.29 ===============

Edited by Orange Blossom, 22 July 2012 - 08:41 PM.
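The "Created Last 30" section of the DDS log above is dominated by a cluster of files that all look alike: a seven-letter lowercase stem, a .tmp extension, a size between roughly 600 and 950 bytes, all dropped in c:\programdata and recreated several times a day. That shape, rather than any single filename, is what a responder keys on (and it is exactly the set ComboFix removes later in the thread). The following is an added example, not code from the post, from DDS or from ComboFix; the line regex, the name pattern and the 1 KiB size threshold are the editor's assumptions, and the sample lines are a constructed subset copied from the log above with a few legitimate entries mixed in.

```python
"""Triage the 'Created Last 30' section of a DDS log for clusters of
randomly named temp files, the pattern visible in the post above.

Added example, not part of the original post or of DDS/ComboFix. The
heuristic and thresholds below are the editor's assumptions, not DDS logic.
"""
import re
from collections import defaultdict
from datetime import datetime

# One DDS "Created Last 30" line: timestamp, size (or 8 dashes for a
# directory), 8-character attribute field, then the path.
DDS_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-{8})\s+([-a-z]{8})\s+(\S.*)$"
)

# Assumed heuristic: seven lowercase letters plus .tmp, under 1 KiB, directly
# in c:\programdata, is the shape of the dropper output seen in this log.
RANDOM_TMP = re.compile(r"^[a-z]{7}\.tmp$")
MAX_SIZE = 1024
TARGET_DIR = r"c:\programdata"


def parse_dds_created(text):
    """Return a list of dicts, one per parseable 'Created Last 30' line."""
    rows = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue  # section headers, dots and blank lines
        ts, size, attrs, path = m.groups()
        rows.append({
            "when": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "size": None if size.startswith("-") else int(size),
            "is_dir": attrs.startswith("d"),
            "path": path.lower(),
        })
    return rows


def suspicious_tmp_files(rows):
    """Return the rows that match the random-name temp-file heuristic."""
    hits = []
    for r in rows:
        if r["is_dir"] or r["size"] is None or r["size"] > MAX_SIZE:
            continue
        directory, _, name = r["path"].rpartition("\\")
        if directory == TARGET_DIR and RANDOM_TMP.match(name):
            hits.append(r)
    return hits


def cluster_by_day(hits):
    """Count hits per calendar day; repeated daily drops point to a live dropper,
    not a one-off installer leftover."""
    counts = defaultdict(int)
    for r in hits:
        counts[r["when"].date().isoformat()] += 1
    return dict(counts)


# Constructed sample: lines copied from the DDS log in the post, plus the
# legitimate system files and directories that sit next to them.
SAMPLE_LOG = r"""
2012-07-22 17:31:12 670 ----a-w- c:\programdata\agtxcaa.tmp
2012-07-22 17:16:34 884 ----a-w- c:\programdata\wdlkaaa.tmp
2012-07-22 15:44:01 627 ----a-w- c:\programdata\xdlkaaa.tmp
2012-07-21 08:59:00 666 ----a-w- c:\programdata\tpgkaaa.tmp
2012-07-21 02:19:59 -------- d-----w- c:\users\cecilia\appdata\roaming\PCTools
2012-07-14 19:39:23 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-10 22:58:42 574424 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2012-07-10 15:17:20 694 ----a-w- c:\programdata\baqkdaa.tmp
2012-07-09 22:45:42 -------- d-----w- c:\programdata\PC Tools
"""


if __name__ == "__main__":
    rows = parse_dds_created(SAMPLE_LOG)
    hits = suspicious_tmp_files(rows)
    for r in hits:
        print(f"{r['when']}  {r['size']:>5}  {r['path']}")
    print("per day:", cluster_by_day(hits))
```

Run against the full section from the post, the same functions flag all 27 of the c:\programdata .tmp entries and none of the Windows Update, PC Tools or Malwarebytes files dated in the same window; the per-day counts are what distinguish an active dropper from a stale leftover.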



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:36 AM

Posted 23 July 2012 - 01:16 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable, and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion," please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Scary Carey

Scary Carey
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:36 AM

Posted 23 July 2012 - 04:14 PM

Rather than post the necessary contents all at once, I'm going to break up the steps and reply to each suggestion individually. This is in the event of another system freeze, which would require me to do everything all over again. If this is a problem, let me know and I'll just include the resulting text files in a single reply. Meanwhile, here's the text file that popped up after performing the Security Check.

Results of screen317's Security Check version 0.99.43
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
PC Tools Spyware Doctor with AntiVirus
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
PC Tools Spyware Doctor with AntiVirus 9.0
Malwarebytes Anti-Malware version 1.61.0.1400
Java™ 6 Update 30
Java version out of Date!
Adobe Flash Player 11.3.300.265
Adobe Reader X (10.1.3)
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
ThreatFire TFService.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 2%
````````````````````End of Log``````````````````````

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:36 AM

Posted 23 July 2012 - 04:39 PM

:thumbup2:

#5 Scary Carey

Scary Carey
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:36 AM

Posted 23 July 2012 - 11:59 PM

Unfortunately, I am not at this time able to post the results of the Combofix scan because it's taken me all day just to get to this point. First, during my multiple attempts to disable my Malwarebytes Pro and PC Tools Spyware with Antivirus, Internet Explorer stopped responding. I pressed CTRL ALT Delete to force a restart. After my screen appeared to be frozen in the "Logging off" mode for several minutes, my only remaining option was to remove the battery and let the computer cool down. After only being powered up for maybe half an hour, the machine felt rather warm, so I was hoping that it just needed to cool down in order to function better.

After disabling MBAM and PC Tools, I tried to close out of the window that included instructions on disabling antivirus protection. Once again, Internet Explorer froze up on me and I was forced to remove the battery in order to completely shut my computer off. I waited a while and eventually got back on to discover that my antivirus protection had to be disabled again. Though I was able to disable my antivirus protection, I wasn't actually able to open up the Internet Explorer window. I clicked on the icon several times, but got nowhere. I attempted a restart through CTRL ALT Delete. Once again, it took removing the battery to shut my machine off. I can't say for certain, since I'm not especially tech-savvy, but I suspect that this isn't terribly good for my laptop.

It's been about six hours since the first few attempts. Thankfully, at least my antivirus protection is disabled. I ran into more cycling through (my layman's term for the spinning circle which appears next to the mouse's arrow onscreen) when I clicked on the link to your instructions in the e-mail notification I received. First, I got only a blank page, then two more clicks gave me the message that there was a temporary outage at the Bleeping Computer website. Eventually, I did manage to get through. The problems began again once I went to download the Combofix tool. All three links got me nowhere. I've clicked on them each multiple times and have seen nothing but more cycling through and blank pages. I'm not sure what it's going to take and how much more time I have to wait before I'm able to download Combofix, but I am trying to follow the instructions you've provided as quickly as possible. I just need to give my laptop some time to cool down before I get back on and make another go of the Combofix scan. Hopefully, I'll have better luck the next time I make the attempt. If you don't see anything from me for a while, then I'm still having problems downloading Combofix. As it is almost 1 AM on Tuesday morning, I'll shut down after posting this and try again this afternoon.

In the meantime, I'm curious if this is a problem which may be remedied by getting a copy of Windows 7. The version I have now was only loaded onto my machine when it was being worked on last summer. If I have to completely uninstall it, I don't have a hard disk to reload my laptop with. I've run across various articles online that mention bootkit infections like this requiring a complete reboot of the operating system. The hard disk that accompanied my laptop during its purchase in 2007 was lost during a big move two years ago, so I don't even have the original Windows OS to reboot back to.

#6 Scary Carey

Scary Carey
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:36 AM

Posted 24 July 2012 - 03:25 PM

At last, here's the log from the Combofix scan! I'm going to re-enable my antivirus protection so that I can safely get online, though I'll wait till I've heard back from you before I attempt to switch that CD emulation stuff back on. I'll also need tips for how to do that, since I don't have that in my notes.

As for how my laptop's doing, I'll be able to give you more feedback on that once I can spend some time with my speakers unmuted. Those random audio ads usually popped up after I'd been on for a while, so it might take me another hour or so before I'll know for certain whether or not they're completely gone. Nothing's playing so far, though. :clapping:

I really appreciate your help with this issue.

ComboFix 12-07-25.04 - Cecilia 07/24/2012 15:42:06.1.2 - x86
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.2038.998 [GMT -4:00]
Running from: c:\users\Cecilia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W8W14NOU\ComboFix.exe
AV: PC Tools Spyware Doctor with AntiVirus *Disabled/Updated* {2F668A56-D5E0-2DF1-A0AE-CB1284F42AB2}
SP: PC Tools Spyware Doctor with AntiVirus *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\aaqkdaa.tmp
c:\programdata\baqkdaa.tmp
c:\programdata\beifdaa.tmp
c:\programdata\bgtxcaa.tmp
c:\programdata\bmerbaa.tmp
c:\programdata\cdikaaa.tmp
c:\programdata\czvmcaa.tmp
c:\programdata\ddikaaa.tmp
c:\programdata\djbidaa.tmp
c:\programdata\ecmdcaa.tmp
c:\programdata\glpucaa.tmp
c:\programdata\hlpucaa.tmp
c:\programdata\kfrkaaa.tmp
c:\programdata\mgqjdaa.tmp
c:\programdata\minybaa.tmp
c:\programdata\mkknaaa.tmp
c:\programdata\mwcidaa.tmp
c:\programdata\noyraaa.tmp
c:\programdata\nwcidaa.tmp
c:\programdata\obudbaa.tmp
c:\programdata\pjijaaa.tmp
c:\programdata\pnuedaa.tmp
c:\programdata\qghheaa.tmp
c:\programdata\spgkaaa.tmp
c:\programdata\tpgkaaa.tmp
c:\programdata\usurcaa.tmp
c:\programdata\vsgobaa.tmp
c:\users\Cecilia\Documents\~WRL0005.tmp
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe
.
c:\windows\explorer.exe . . . is infected!! . . .Failed to restore. Attempting to replace on reboot
.
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy5_!Windows!explorer.exe
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe
.
((((((((((((((((((((((((( Files Created from 2012-06-24 to 2012-07-24 )))))))))))))))))))))))))))))))
.
.
2012-07-24 19:57 . 2012-07-24 19:59 -------- d-----w- c:\users\Cecilia\AppData\Local\temp
2012-07-24 19:57 . 2012-07-24 19:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-21 02:19 . 2012-07-21 02:19 -------- d-----w- c:\users\Cecilia\AppData\Roaming\PCTools
2012-07-14 20:55 . 2012-07-14 20:55 -------- d-----w- c:\users\Cecilia\AppData\Local\Macromedia
2012-07-14 19:39 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-11 21:03 . 2012-04-24 04:36 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-07-11 21:03 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\system32\crypt32.dll
2012-07-11 21:03 . 2012-04-24 04:36 103936 ----a-w- c:\windows\system32\cryptnet.dll
2012-07-10 22:58 . 2012-02-24 13:16 574424 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2012-07-10 22:58 . 2012-02-24 13:16 54328 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2012-07-10 22:58 . 2012-02-24 13:16 35264 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2012-07-10 15:46 . 2012-02-24 14:31 107864 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2012-07-10 15:22 . 2012-07-24 18:52 -------- d-----w- c:\users\Cecilia\AppData\Roaming\Skype
2012-07-10 15:21 . 2012-07-10 15:21 -------- d-----w- c:\program files\Common Files\Skype
2012-07-10 15:21 . 2012-07-10 15:21 -------- d-----r- c:\program files\Skype
2012-07-10 15:21 . 2012-07-10 15:22 -------- d-----w- c:\programdata\Skype
2012-07-09 22:46 . 2011-12-01 20:07 909728 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2012-07-09 22:46 . 2011-12-01 20:07 342168 ----a-w- c:\windows\system32\drivers\pctDS.sys
2012-07-09 22:46 . 2012-02-24 14:31 253352 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2012-07-09 22:46 . 2011-11-14 19:12 331880 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2012-07-09 22:46 . 2011-11-14 19:12 162584 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2012-07-09 22:46 . 2012-02-24 14:36 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-07-09 22:46 . 2012-02-24 14:35 17848 ----a-w- c:\windows\system32\drivers\pctBTFix.sys
2012-07-09 22:46 . 2012-02-24 14:37 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2012-07-09 22:45 . 2012-07-24 19:36 -------- d-----w- c:\program files\PC Tools Security Spyware Dr
2012-07-09 22:45 . 2012-07-10 22:58 -------- d-----w- c:\programdata\PC Tools
2012-07-09 22:45 . 2012-07-09 22:48 -------- d-----w- c:\program files\Common Files\PC Tools
2012-07-09 22:41 . 2012-07-09 22:44 -------- d-----w- c:\users\Cecilia\AppData\Roaming\GetRightToGo
2012-07-09 21:16 . 2012-07-09 21:16 -------- d-----w- c:\users\Cecilia\AppData\Local\Mozilla
2012-07-09 21:14 . 2012-07-10 16:08 -------- d-----w- c:\users\Cecilia\AppData\Local\Google
2012-07-09 21:14 . 2012-07-09 21:14 1527 ----a-w- C:\user.js
2012-07-09 21:13 . 2012-07-09 21:13 -------- d-----w- c:\programdata\Babylon
2012-07-09 21:13 . 2012-07-09 21:13 -------- d-----w- c:\users\Cecilia\AppData\Roaming\Babylon
2012-07-03 05:53 . 2012-07-03 05:53 -------- d-----w- c:\users\Cecilia\AppData\Roaming\Malwarebytes
2012-07-03 05:53 . 2012-07-03 05:53 -------- d-----w- c:\programdata\Malwarebytes
2012-07-03 05:53 . 2012-07-03 05:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-03 05:53 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-03 01:34 . 2012-07-03 01:34 -------- d-----w- c:\programdata\McAfee
2012-06-27 22:25 . 2012-06-27 22:25 -------- d-----w- c:\users\Cecilia\AppData\Local\Trusteer
2012-06-27 22:24 . 2012-06-27 22:24 -------- d-----w- c:\programdata\Trusteer
2012-06-26 20:42 . 2012-06-18 07:14 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5C55A2FC-C307-4526-89FD-1CEA8A7777CA}\mpengine.dll
2012-06-26 02:19 . 2012-06-26 02:19 -------- d-----w- c:\programdata\FreeRIP
2012-06-26 02:19 . 2012-07-14 19:33 -------- d-----w- c:\program files\FreeRIP3
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-14 20:54 . 2012-04-09 06:07 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-14 20:54 . 2011-06-19 18:09 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 22:19 . 2012-06-23 05:25 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-23 05:25 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-23 05:25 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-23 05:25 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-23 05:25 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-23 05:25 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-23 05:25 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-23 05:24 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12 . 2012-06-23 05:24 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-04-28 04:41 . 2012-06-13 01:50 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-04-28 03:17 . 2012-06-13 01:50 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-26 04:45 . 2012-06-13 01:50 58880 ----a-w- c:\windows\system32\rdpwsx.dll
2012-04-26 04:45 . 2012-06-13 01:50 129536 ----a-w- c:\windows\system32\rdpcorekmts.dll
2012-04-26 04:41 . 2012-06-13 01:50 8192 ----a-w- c:\windows\system32\rdrmemptylst.exe
2012-06-14 22:20 . 2012-07-09 21:15 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-03 17417392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"boincmgr"="c:\program files\BOINC\boincmgr.exe" [2012-04-04 3654832]
"boinctray"="c:\program files\BOINC\boinctray.exe" [2012-04-04 70832]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe" [2012-06-22 686280]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 pctplsg;pctplsg;c:\windows\System32\drivers\pctplsg.sys [x]
R3 RapportIaso;RapportIaso;c:\programdata\trusteer\rapport\store\exts\rapportms\baseline\rapportiaso.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security Spyware Dr\pctsAuxs.exe [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]
R3 ThreatFire;ThreatFire;c:\program files\PC Tools Security Spyware Dr\TFEngine\TFService.exe service [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [x]
S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [x]
S0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [x]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]
S0 TFSysMon;TFSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]
S1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [x]
S1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\Drivers\PCTSD.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [x]
.
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.babylon.com/?affID=109935&tt=010712_6&babsrc=HP_ss&mntrId=ce25c89f000000000000001cbf309694
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: DhcpNameServer = 192.168.1.1 71.252.0.12
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:e5,fb,3e,49,b4,54,cd,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b9,47,2f,00,aa,ed,db,47,81,92,d2,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b9,47,2f,00,aa,ed,db,47,81,92,d2,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\conhost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2012-07-24 16:05:42 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-24 20:05
.
Pre-Run: 168,387,801,088 bytes free
Post-Run: 168,270,430,208 bytes free
.
- - End Of File - - 78A0D2E0E2D736BBCB817271ACE68F7C

#7 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 24 July 2012 - 10:20 PM

Greetings

I want you to run these next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
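
An added triage example (not code from this thread, from gringo_pr, or from Kaspersky's TDSSKiller): the log the steps above produce lists each scanned driver or service on two lines, a hash line `NAME (md5) PATH` and a verdict line `NAME - ok`, as the log posted later in this thread shows. In a long log the one entry that is not `ok`, or the one that was hashed but never got a verdict, is easy to miss, so the script below pairs the two lines, lists every object whose verdict is not a plain `ok`, and compares the recorded MD5s against a baseline the caller supplies (for instance hashes of the WinSxS copies ComboFix restored from, or of the same files on a known-clean machine). The sample log excerpt reuses real lines from this thread plus constructed `example_*` entries; the `detected` verdict wording, the `Scan finished` end marker and the `BASELINE` dict are assumptions made for the example.

```python
"""Triage helper for a TDSSKiller text log (added example, not the tool's code).

Each scanned object appears as two lines in the log:
    HH:MM:SS.mmmm PID NAME (md5) PATH
    HH:MM:SS.mmmm PID NAME - ok
The parser pairs them, flags any verdict other than "ok" (or a missing
verdict) and compares hashes with a caller-supplied baseline.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hash line: timestamp, thread id, object name, 32-hex MD5 in parentheses, path.
OBJECT_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+"
    r"(?P<name>.+?)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>\S.*)$"
)
# Verdict line: same prefix, object name, " - ", verdict text.
VERDICT_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+(?P<name>.+?)\s+-\s+(?P<verdict>.+)$"
)


@dataclass
class ScanObject:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    verdict: Optional[str] = None


def parse_tdsskiller_log(text: str) -> Dict[str, ScanObject]:
    """Return {object name: ScanObject} for the scan section of the log.

    Header lines before "Scan started" (drive geometry, partitions) also
    contain " - " and would be misread as verdicts, so they are skipped.
    "Scan finished" as end marker is an assumption; the excerpt in this
    thread is cut off before the end of the log.
    """
    objects: Dict[str, ScanObject] = {}
    in_scan = False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_scan:
            in_scan = line.endswith("Scan started")
            continue
        if line.endswith("Scan finished"):
            break
        m = OBJECT_RE.match(line)
        if m:
            obj = objects.setdefault(m["name"], ScanObject(m["name"]))
            obj.md5, obj.path = m["md5"], m["path"]
            continue
        m = VERDICT_RE.match(line)
        if m:
            obj = objects.setdefault(m["name"], ScanObject(m["name"]))
            obj.verdict = m["verdict"]
    return objects


def suspicious(objects: Dict[str, ScanObject]) -> List[ScanObject]:
    """Objects a human should look at: any verdict other than "ok",
    including objects that were hashed but never received a verdict."""
    return [o for o in objects.values() if o.verdict != "ok"]


def baseline_mismatches(objects: Dict[str, ScanObject],
                        baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(name, observed md5, expected md5) for each object whose path is in the
    baseline but whose hash differs. Paths compare case-insensitively because
    the log mixes 'system32\\drivers' and 'system32\\DRIVERS'."""
    out = []
    for o in objects.values():
        if o.path is None or o.md5 is None:
            continue
        expected = baseline.get(o.path.lower())
        if expected is not None and expected.lower() != o.md5:
            out.append((o.name, o.md5, expected.lower()))
    return out


# Constructed excerpt: the first entries are real lines from the log in this
# thread; example_bad and example_noverdict are made up to exercise the checks.
SAMPLE_LOG = r"""
16:25:10.0138 3480 TDSS rootkit removing tool 2.7.48.0 Jul 24 2012 13:16:32
16:25:13.0075 3480 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200
16:25:15.0317 5176 ============================================================
16:25:15.0317 5176 Scan started
16:25:15.0317 5176 Mode: Manual;
16:25:18.0447 5176 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\drivers\1394ohci.sys
16:25:18.0453 5176 1394ohci - ok
16:25:18.0494 5176 ACPI (cea80c80bed809aa0da6febc04733349) C:\Windows\system32\drivers\ACPI.sys
16:25:18.0501 5176 ACPI - ok
16:25:19.0708 5176 Apple Mobile Device (f401929ee0cc92bfe7f15161ca535383) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
16:25:19.0711 5176 Apple Mobile Device - ok
16:25:22.0106 5176 COMSysApp - ok
16:25:30.0000 5176 example_bad (00000000000000000000000000000000) C:\Windows\system32\drivers\example_bad.sys
16:25:30.0001 5176 example_bad - detected
16:25:31.0000 5176 example_noverdict (11111111111111111111111111111111) C:\Windows\system32\drivers\example_noverdict.sys
"""

# Constructed baseline: ACPI matches the log, the 1394ohci hash is deliberately
# wrong so the mismatch report has something to show.
BASELINE = {
    r"c:\windows\system32\drivers\acpi.sys": "cea80c80bed809aa0da6febc04733349",
    r"c:\windows\system32\drivers\1394ohci.sys": "ffffffffffffffffffffffffffffffff",
}

if __name__ == "__main__":
    objs = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"{len(objs)} objects parsed")
    for o in suspicious(objs):
        print(f"REVIEW  {o.name:20} verdict={o.verdict!r} path={o.path}")
    for name, seen, want in baseline_mismatches(objs, BASELINE):
        print(f"HASH    {name:20} log={seen} baseline={want}")
```

Run it against a saved `TDSSKiller.[Version]_[Date]_[Time]_log.txt` by replacing `SAMPLE_LOG` with the file's contents. Note that an "ok" verdict only means the tool found nothing; the hash comparison is the independent check, and the baseline must come from a source you trust more than the suspect machine.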

#8 Scary Carey (Topic Starter)

Posted 25 July 2012 - 03:38 PM

Here's the log from the TDSSKiller scan.

16:25:10.0138 3480 TDSS rootkit removing tool 2.7.48.0 Jul 24 2012 13:16:32
16:25:10.0781 3480 ============================================================
16:25:10.0782 3480 Current date / time: 2012/07/25 16:25:10.0781
16:25:10.0782 3480 SystemInfo:
16:25:10.0782 3480
16:25:10.0782 3480 OS Version: 6.1.7601 ServicePack: 1.0
16:25:10.0782 3480 Product type: Workstation
16:25:10.0782 3480 ComputerName: CECILIA-PC
16:25:10.0783 3480 UserName: Cecilia
16:25:10.0783 3480 Windows directory: C:\Windows
16:25:10.0783 3480 System windows directory: C:\Windows
16:25:10.0783 3480 Processor architecture: Intel x86
16:25:10.0783 3480 Number of processors: 2
16:25:10.0783 3480 Page size: 0x1000
16:25:10.0783 3480 Boot type: Normal boot
16:25:10.0783 3480 ============================================================
16:25:13.0075 3480 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
16:25:13.0080 3480 ============================================================
16:25:13.0080 3480 \Device\Harddisk0\DR0:
16:25:13.0080 3480 MBR partitions:
16:25:13.0080 3480 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
16:25:13.0080 3480 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x1D192800
16:25:13.0080 3480 ============================================================
16:25:13.0109 3480 C: <-> \Device\Harddisk0\DR0\Partition1
16:25:13.0110 3480 ============================================================
16:25:13.0110 3480 Initialize success
16:25:13.0110 3480 ============================================================
16:25:15.0317 5176 ============================================================
16:25:15.0317 5176 Scan started
16:25:15.0317 5176 Mode: Manual;
16:25:15.0317 5176 ============================================================
16:25:18.0447 5176 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\drivers\1394ohci.sys
16:25:18.0453 5176 1394ohci - ok
16:25:18.0494 5176 ACPI (cea80c80bed809aa0da6febc04733349) C:\Windows\system32\drivers\ACPI.sys
16:25:18.0501 5176 ACPI - ok
16:25:18.0568 5176 AcpiPmi (1efbc664abff416d1d07db115dcb264f) C:\Windows\system32\drivers\acpipmi.sys
16:25:18.0571 5176 AcpiPmi - ok
16:25:18.0683 5176 AdobeARMservice (62b7936f9036dd6ed36e6a7efa805dc0) C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
16:25:18.0685 5176 AdobeARMservice - ok
16:25:18.0756 5176 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
16:25:18.0771 5176 adp94xx - ok
16:25:18.0813 5176 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
16:25:18.0823 5176 adpahci - ok
16:25:18.0859 5176 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
16:25:18.0865 5176 adpu320 - ok
16:25:18.0908 5176 AeLookupSvc (8b5eefeec1e6d1a72a06c526628ad161) C:\Windows\System32\aelupsvc.dll
16:25:18.0910 5176 AeLookupSvc - ok
16:25:18.0962 5176 AFD (9ebbba55060f786f0fcaa3893bfa2806) C:\Windows\system32\drivers\afd.sys
16:25:18.0971 5176 AFD - ok
16:25:19.0013 5176 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\drivers\agp440.sys
16:25:19.0017 5176 agp440 - ok
16:25:19.0056 5176 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
16:25:19.0060 5176 aic78xx - ok
16:25:19.0102 5176 ALG (18a54e132947cd98fea9accc57f98f13) C:\Windows\System32\alg.exe
16:25:19.0106 5176 ALG - ok
16:25:19.0127 5176 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\drivers\aliide.sys
16:25:19.0129 5176 aliide - ok
16:25:19.0150 5176 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\drivers\amdagp.sys
16:25:19.0153 5176 amdagp - ok
16:25:19.0171 5176 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\drivers\amdide.sys
16:25:19.0174 5176 amdide - ok
16:25:19.0234 5176 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
16:25:19.0238 5176 AmdK8 - ok
16:25:19.0250 5176 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
16:25:19.0254 5176 AmdPPM - ok
16:25:19.0306 5176 amdsata (d320bf87125326f996d4904fe24300fc) C:\Windows\system32\drivers\amdsata.sys
16:25:19.0310 5176 amdsata - ok
16:25:19.0365 5176 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
16:25:19.0371 5176 amdsbs - ok
16:25:19.0395 5176 amdxata (46387fb17b086d16dea267d5be23a2f2) C:\Windows\system32\drivers\amdxata.sys
16:25:19.0398 5176 amdxata - ok
16:25:19.0456 5176 AppID (aea177f783e20150ace5383ee368da19) C:\Windows\system32\drivers\appid.sys
16:25:19.0460 5176 AppID - ok
16:25:19.0524 5176 AppIDSvc (62a9c86cb6085e20db4823e4e97826f5) C:\Windows\System32\appidsvc.dll
16:25:19.0527 5176 AppIDSvc - ok
16:25:19.0595 5176 Appinfo (fb1959012294d6ad43e5304df65e3c26) C:\Windows\System32\appinfo.dll
16:25:19.0597 5176 Appinfo - ok
16:25:19.0708 5176 Apple Mobile Device (f401929ee0cc92bfe7f15161ca535383) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
16:25:19.0711 5176 Apple Mobile Device - ok
16:25:19.0776 5176 AppMgmt (a45d184df6a8803da13a0b329517a64a) C:\Windows\System32\appmgmts.dll
16:25:19.0782 5176 AppMgmt - ok
16:25:19.0836 5176 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
16:25:19.0841 5176 arc - ok
16:25:19.0871 5176 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
16:25:19.0875 5176 arcsas - ok
16:25:19.0919 5176 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
16:25:19.0921 5176 AsyncMac - ok
16:25:19.0989 5176 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\drivers\atapi.sys
16:25:19.0990 5176 atapi - ok
16:25:20.0074 5176 AudioEndpointBuilder (ce3b4e731638d2ef62fcb419be0d39f0) C:\Windows\System32\Audiosrv.dll
16:25:20.0084 5176 AudioEndpointBuilder - ok
16:25:20.0102 5176 Audiosrv (ce3b4e731638d2ef62fcb419be0d39f0) C:\Windows\System32\Audiosrv.dll
16:25:20.0108 5176 Audiosrv - ok
16:25:20.0174 5176 AxInstSV (6e30d02aac9cac84f421622e3a2f6178) C:\Windows\System32\AxInstSV.dll
16:25:20.0179 5176 AxInstSV - ok
16:25:20.0241 5176 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
16:25:20.0255 5176 b06bdrv - ok
16:25:20.0307 5176 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
16:25:20.0321 5176 b57nd60x - ok
16:25:20.0377 5176 BDESVC (ee1e9c3bb8228ae423dd38db69128e71) C:\Windows\System32\bdesvc.dll
16:25:20.0382 5176 BDESVC - ok
16:25:20.0402 5176 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
16:25:20.0404 5176 Beep - ok
16:25:20.0491 5176 BFE (1e2bac209d184bb851e1a187d8a29136) C:\Windows\System32\bfe.dll
16:25:20.0501 5176 BFE - ok
16:25:20.0577 5176 BITS (e585445d5021971fae10393f0f1c3961) C:\Windows\system32\qmgr.dll
16:25:20.0607 5176 BITS - ok
16:25:20.0634 5176 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
16:25:20.0637 5176 blbdrive - ok
16:25:20.0761 5176 Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) C:\Program Files\Bonjour\mDNSResponder.exe
16:25:20.0769 5176 Bonjour Service - ok
16:25:20.0822 5176 bowser (8f2da3028d5fcbd1a060a3de64cd6506) C:\Windows\system32\DRIVERS\bowser.sys
16:25:20.0825 5176 bowser - ok
16:25:20.0858 5176 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
16:25:20.0861 5176 BrFiltLo - ok
16:25:20.0878 5176 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
16:25:20.0881 5176 BrFiltUp - ok
16:25:20.0947 5176 BridgeMP (77361d72a04f18809d0efb6cceb74d4b) C:\Windows\system32\DRIVERS\bridge.sys
16:25:20.0951 5176 BridgeMP - ok
16:25:21.0004 5176 Browser (6e11f33d14d020f58d5e02e4d67dfa19) C:\Windows\System32\browser.dll
16:25:21.0008 5176 Browser - ok
16:25:21.0055 5176 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
16:25:21.0070 5176 Brserid - ok
16:25:21.0088 5176 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
16:25:21.0092 5176 BrSerWdm - ok
16:25:21.0118 5176 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
16:25:21.0127 5176 BrUsbMdm - ok
16:25:21.0143 5176 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
16:25:21.0145 5176 BrUsbSer - ok
16:25:21.0163 5176 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
16:25:21.0166 5176 BTHMODEM - ok
16:25:21.0214 5176 bthserv (1df19c96eef6c29d1c3e1a8678e07190) C:\Windows\system32\bthserv.dll
16:25:21.0218 5176 bthserv - ok
16:25:21.0255 5176 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
16:25:21.0260 5176 cdfs - ok
16:25:21.0326 5176 cdrom (be167ed0fdb9c1fa1133953c18d5a6c9) C:\Windows\system32\drivers\cdrom.sys
16:25:21.0330 5176 cdrom - ok
16:25:21.0401 5176 CertPropSvc (319c6b309773d063541d01df8ac6f55f) C:\Windows\System32\certprop.dll
16:25:21.0404 5176 CertPropSvc - ok
16:25:21.0444 5176 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
16:25:21.0447 5176 circlass - ok
16:25:21.0495 5176 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
16:25:21.0501 5176 CLFS - ok
16:25:21.0633 5176 clr_optimization_v2.0.50727_32 (d88040f816fda31c3b466f0fa0918f29) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
16:25:21.0639 5176 clr_optimization_v2.0.50727_32 - ok
16:25:21.0727 5176 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
16:25:21.0731 5176 clr_optimization_v4.0.30319_32 - ok
16:25:21.0753 5176 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
16:25:21.0755 5176 CmBatt - ok
16:25:21.0805 5176 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\drivers\cmdide.sys
16:25:21.0807 5176 cmdide - ok
16:25:21.0892 5176 CNG (247b4ce2dab1160cd422d532d5241e1f) C:\Windows\system32\Drivers\cng.sys
16:25:21.0904 5176 CNG - ok
16:25:21.0957 5176 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
16:25:21.0959 5176 Compbatt - ok
16:25:22.0050 5176 CompositeBus (cbe8c58a8579cfe5fccf809e6f114e89) C:\Windows\system32\drivers\CompositeBus.sys
16:25:22.0052 5176 CompositeBus - ok
16:25:22.0106 5176 COMSysApp - ok
16:25:22.0130 5176 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
16:25:22.0133 5176 crcdisk - ok
16:25:22.0207 5176 CryptSvc (06e771aa596b8761107ab57e99f128d7) C:\Windows\system32\cryptsvc.dll
16:25:22.0213 5176 CryptSvc - ok
16:25:22.0282 5176 CSC (3c2177a897b4ca2788c6fb0c3fd81d4b) C:\Windows\system32\drivers\csc.sys
16:25:22.0294 5176 CSC - ok
16:25:22.0354 5176 CscService (15f93b37f6801943360d9eb42485d5d3) C:\Windows\System32\cscsvc.dll
16:25:22.0366 5176 CscService - ok
16:25:22.0429 5176 DcomLaunch (7660f01d3b38aca1747e397d21d790af) C:\Windows\system32\rpcss.dll
16:25:22.0440 5176 DcomLaunch - ok
16:25:22.0489 5176 defragsvc (8d6e10a2d9a5eed59562d9b82cf804e1) C:\Windows\System32\defragsvc.dll
16:25:22.0495 5176 defragsvc - ok
16:25:22.0610 5176 DfsC (f024449c97ec1e464aaffda18593db88) C:\Windows\system32\Drivers\dfsc.sys
16:25:22.0614 5176 DfsC - ok
16:25:22.0702 5176 Dhcp (e9e01eb683c132f7fa27cd607b8a2b63) C:\Windows\system32\dhcpcore.dll
16:25:22.0708 5176 Dhcp - ok
16:25:22.0755 5176 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
16:25:22.0758 5176 discache - ok
16:25:22.0845 5176 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
16:25:22.0849 5176 Disk - ok
16:25:22.0885 5176 Dnscache (33ef4861f19a0736b11314aad9ae28d0) C:\Windows\System32\dnsrslvr.dll
16:25:22.0890 5176 Dnscache - ok
16:25:22.0950 5176 dot3svc (366ba8fb4b7bb7435e3b9eacb3843f67) C:\Windows\System32\dot3svc.dll
16:25:22.0957 5176 dot3svc - ok
16:25:23.0003 5176 DPS (8ec04ca86f1d68da9e11952eb85973d6) C:\Windows\system32\dps.dll
16:25:23.0008 5176 DPS - ok
16:25:23.0052 5176 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
16:25:23.0054 5176 drmkaud - ok
16:25:23.0141 5176 DXGKrnl (23f5d28378a160352ba8f817bd8c71cb) C:\Windows\System32\drivers\dxgkrnl.sys
16:25:23.0165 5176 DXGKrnl - ok
16:25:23.0211 5176 EapHost (8600142fa91c1b96367d3300ad0f3f3a) C:\Windows\System32\eapsvc.dll
16:25:23.0215 5176 EapHost - ok
16:25:23.0664 5176 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
16:25:23.0758 5176 ebdrv - ok
16:25:23.0906 5176 EFS (81951f51e318aecc2d68559e47485cc4) C:\Windows\System32\lsass.exe
16:25:23.0910 5176 EFS - ok
16:25:24.0009 5176 ehRecvr (a8c362018efc87beb013ee28f29c0863) C:\Windows\ehome\ehRecvr.exe
16:25:24.0023 5176 ehRecvr - ok
16:25:24.0070 5176 ehSched (d389bff34f80caede417bf9d1507996a) C:\Windows\ehome\ehsched.exe
16:25:24.0080 5176 ehSched - ok
16:25:24.0175 5176 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
16:25:24.0191 5176 elxstor - ok
16:25:24.0232 5176 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\drivers\errdev.sys
16:25:24.0234 5176 ErrDev - ok
16:25:24.0320 5176 EventSystem (f6916efc29d9953d5d0df06882ae8e16) C:\Windows\system32\es.dll
16:25:24.0332 5176 EventSystem - ok
16:25:24.0374 5176 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
16:25:24.0381 5176 exfat - ok
16:25:24.0422 5176 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
16:25:24.0428 5176 fastfat - ok
16:25:24.0533 5176 Fax (967ea5b213e9984cbe270205df37755b) C:\Windows\system32\fxssvc.exe
16:25:24.0545 5176 Fax - ok
16:25:24.0579 5176 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
16:25:24.0582 5176 fdc - ok
16:25:24.0629 5176 fdPHost (f3222c893bd2f5821a0179e5c71e88fb) C:\Windows\system32\fdPHost.dll
16:25:24.0631 5176 fdPHost - ok
16:25:24.0655 5176 FDResPub (7dbe8cbfe79efbdeb98c9fb08d3a9a5b) C:\Windows\system32\fdrespub.dll
16:25:24.0658 5176 FDResPub - ok
16:25:24.0678 5176 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
16:25:24.0682 5176 FileInfo - ok
16:25:24.0709 5176 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
16:25:24.0712 5176 Filetrace - ok
16:25:24.0733 5176 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
16:25:24.0736 5176 flpydisk - ok
16:25:24.0777 5176 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
16:25:24.0784 5176 FltMgr - ok
16:25:24.0872 5176 FontCache (b3a5ec6b6b6673db7e87c2bcdbddc074) C:\Windows\system32\FntCache.dll
16:25:24.0889 5176 FontCache - ok
16:25:24.0975 5176 FontCache3.0.0.0 (e56f39f6b7fda0ac77a79b0fd3de1a2f) C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
16:25:24.0980 5176 FontCache3.0.0.0 - ok
16:25:25.0025 5176 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
16:25:25.0028 5176 FsDepends - ok
16:25:25.0066 5176 Fs_Rec (7dae5ebcc80e45d3253f4923dc424d05) C:\Windows\system32\drivers\Fs_Rec.sys
16:25:25.0068 5176 Fs_Rec - ok
16:25:25.0146 5176 fvevol (8a73e79089b282100b9393b644cb853b) C:\Windows\system32\DRIVERS\fvevol.sys
16:25:25.0152 5176 fvevol - ok
16:25:25.0190 5176 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
16:25:25.0194 5176 gagp30kx - ok
16:25:25.0243 5176 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
16:25:25.0245 5176 GEARAspiWDM - ok
16:25:25.0336 5176 gpsvc (e897eaf5ed6ba41e081060c9b447a673) C:\Windows\System32\gpsvc.dll
16:25:25.0349 5176 gpsvc - ok
16:25:25.0394 5176 HBtnKey (c172f0d0329e46513b09e1fc60a27b9d) C:\Windows\system32\DRIVERS\cpqbttn.sys
16:25:25.0396 5176 HBtnKey - ok
16:25:25.0437 5176 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
16:25:25.0440 5176 hcw85cir - ok
16:25:25.0530 5176 HdAudAddService (a5ef29d5315111c80a5c1abad14c8972) C:\Windows\system32\drivers\HdAudio.sys
16:25:25.0540 5176 HdAudAddService - ok
16:25:25.0585 5176 HDAudBus (9036377b8a6c15dc2eec53e489d159b5) C:\Windows\system32\drivers\HDAudBus.sys
16:25:25.0588 5176 HDAudBus - ok
16:25:25.0605 5176 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
16:25:25.0608 5176 HidBatt - ok
16:25:25.0628 5176 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
16:25:25.0632 5176 HidBth - ok
16:25:25.0683 5176 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
16:25:25.0686 5176 HidIr - ok
16:25:25.0732 5176 hidserv (2bc6f6a1992b3a77f5f41432ca6b3b6b) C:\Windows\System32\hidserv.dll
16:25:25.0736 5176 hidserv - ok
16:25:25.0782 5176 HidUsb (10c19f8290891af023eaec0832e1eb4d) C:\Windows\system32\DRIVERS\hidusb.sys
16:25:25.0785 5176 HidUsb - ok
16:25:25.0839 5176 hkmsvc (196b4e3f4cccc24af836ce58facbb699) C:\Windows\system32\kmsvc.dll
16:25:25.0846 5176 hkmsvc - ok
16:25:25.0877 5176 HomeGroupListener (6658f4404de03d75fe3ba09f7aba6a30) C:\Windows\system32\ListSvc.dll
16:25:25.0884 5176 HomeGroupListener - ok
16:25:25.0940 5176 HomeGroupProvider (dbc02d918fff1cad628acbe0c0eaa8e8) C:\Windows\system32\provsvc.dll
16:25:25.0948 5176 HomeGroupProvider - ok
16:25:26.0026 5176 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\drivers\HpSAMD.sys
16:25:26.0030 5176 HpSAMD - ok
16:25:26.0176 5176 HSF_DPV (1882827f41dee51c70e24c567c35bfb5) C:\Windows\system32\DRIVERS\HSX_DPV.sys
16:25:26.0205 5176 HSF_DPV - ok
16:25:26.0246 5176 HSXHWAZL (a44ddf3ba83e4664bf4de9220097578c) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
16:25:26.0254 5176 HSXHWAZL - ok
16:25:26.0348 5176 HTTP (871917b07a141bff43d76d8844d48106) C:\Windows\system32\drivers\HTTP.sys
16:25:26.0361 5176 HTTP - ok
16:25:26.0393 5176 hwpolicy (0c4e035c7f105f1299258c90886c64c5) C:\Windows\system32\drivers\hwpolicy.sys
16:25:26.0395 5176 hwpolicy - ok
16:25:26.0458 5176 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\DRIVERS\i8042prt.sys
16:25:26.0463 5176 i8042prt - ok
16:25:26.0558 5176 iaStorV (5cd5f9a5444e6cdcb0ac89bd62d8b76e) C:\Windows\system32\drivers\iaStorV.sys
16:25:26.0570 5176 iaStorV - ok
16:25:26.0711 5176 idsvc (c521d7eb6497bb1af6afa89e322fb43c) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
16:25:26.0740 5176 idsvc - ok
16:25:27.0082 5176 igfx (9467514ea189475a6e7fdc5d7bde9d3f) C:\Windows\system32\DRIVERS\igdkmd32.sys
16:25:27.0230 5176 igfx - ok
16:25:27.0400 5176 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
16:25:27.0404 5176 iirsp - ok
16:25:27.0507 5176 IKEEXT (f95622f161474511b8d80d6b093aa610) C:\Windows\System32\ikeext.dll
16:25:27.0524 5176 IKEEXT - ok
16:25:27.0582 5176 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\drivers\intelide.sys
16:25:27.0585 5176 intelide - ok
16:25:27.0629 5176 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
16:25:27.0632 5176 intelppm - ok
16:25:27.0667 5176 IPBusEnum (acb364b9075a45c0736e5c47be5cae19) C:\Windows\system32\ipbusenum.dll
16:25:27.0672 5176 IPBusEnum - ok
16:25:27.0706 5176 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
16:25:27.0711 5176 IpFilterDriver - ok
16:25:27.0803 5176 iphlpsvc (4d65a07b795d6674312f879d09aa7663) C:\Windows\System32\iphlpsvc.dll
16:25:27.0815 5176 iphlpsvc - ok
16:25:27.0856 5176 IPMIDRV (4bd7134618c1d2a27466a099062547bf) C:\Windows\system32\drivers\IPMIDrv.sys
16:25:27.0860 5176 IPMIDRV - ok
16:25:27.0901 5176 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
16:25:27.0905 5176 IPNAT - ok
16:25:28.0059 5176 iPod Service (e6be7a41a28d8f2db174957454d32448) C:\Program Files\iPod\bin\iPodService.exe
16:25:28.0082 5176 iPod Service - ok
16:25:28.0143 5176 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
16:25:28.0145 5176 IRENUM - ok
16:25:28.0187 5176 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\drivers\isapnp.sys
16:25:28.0190 5176 isapnp - ok
16:25:28.0225 5176 iScsiPrt (cb7a9abb12b8415bce5d74994c7ba3ae) C:\Windows\system32\drivers\msiscsi.sys
16:25:28.0233 5176 iScsiPrt - ok
16:25:28.0277 5176 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\drivers\kbdclass.sys
16:25:28.0281 5176 kbdclass - ok
16:25:28.0300 5176 kbdhid (9e3ced91863e6ee98c24794d05e27a71) C:\Windows\system32\drivers\kbdhid.sys
16:25:28.0303 5176 kbdhid - ok
16:25:28.0339 5176 KeyIso (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
16:25:28.0342 5176 KeyIso - ok
16:25:28.0376 5176 KSecDD (b7895b4182c0d16f6efadeb8081e8d36) C:\Windows\system32\Drivers\ksecdd.sys
16:25:28.0380 5176 KSecDD - ok
16:25:28.0430 5176 KSecPkg (d30159ac9237519fbc62c6ec247d2d46) C:\Windows\system32\Drivers\ksecpkg.sys
16:25:28.0436 5176 KSecPkg - ok
16:25:28.0561 5176 KtmRm (89a7b9cc98d0d80c6f31b91c0a310fcd) C:\Windows\system32\msdtckrm.dll
16:25:28.0578 5176 KtmRm - ok
16:25:28.0804 5176 LanmanServer (d64af876d53eca3668bb97b51b4e70ab) C:\Windows\System32\srvsvc.dll
16:25:28.0811 5176 LanmanServer - ok
16:25:28.0860 5176 LanmanWorkstation (58405e4f68ba8e4057c6e914f326aba2) C:\Windows\System32\wkssvc.dll
16:25:28.0867 5176 LanmanWorkstation - ok
16:25:28.0936 5176 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
16:25:28.0940 5176 lltdio - ok
16:25:28.0997 5176 lltdsvc (5700673e13a2117fa3b9020c852c01e2) C:\Windows\System32\lltdsvc.dll
16:25:29.0007 5176 lltdsvc - ok
16:25:29.0036 5176 lmhosts (55ca01ba19d0006c8f2639b6c045e08b) C:\Windows\System32\lmhsvc.dll
16:25:29.0039 5176 lmhosts - ok
16:25:29.0091 5176 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
16:25:29.0097 5176 LSI_FC - ok
16:25:29.0132 5176 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
16:25:29.0137 5176 LSI_SAS - ok
16:25:29.0176 5176 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
16:25:29.0180 5176 LSI_SAS2 - ok
16:25:29.0217 5176 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
16:25:29.0222 5176 LSI_SCSI - ok
16:25:29.0251 5176 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
16:25:29.0256 5176 luafv - ok
16:25:29.0352 5176 MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) C:\Windows\system32\drivers\mbam.sys
16:25:29.0356 5176 MBAMProtector - ok
16:25:29.0486 5176 MBAMService (ba400ed640bca1eae5c727ae17c10207) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
16:25:29.0501 5176 MBAMService - ok
16:25:29.0547 5176 Mcx2Svc (bfb9ee8ee977efe85d1a3105abef6dd1) C:\Windows\system32\Mcx2Svc.dll
16:25:29.0553 5176 Mcx2Svc - ok
16:25:29.0602 5176 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
16:25:29.0604 5176 mdmxsdk - ok
16:25:29.0646 5176 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
16:25:29.0649 5176 megasas - ok
16:25:29.0704 5176 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
16:25:29.0712 5176 MegaSR - ok
16:25:29.0803 5176 Microsoft SharePoint Workspace Audit Service - ok
16:25:29.0856 5176 MMCSS (146b6f43a673379a3c670e86d89be5ea) C:\Windows\system32\mmcss.dll
16:25:29.0860 5176 MMCSS - ok
16:25:29.0886 5176 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
16:25:29.0890 5176 Modem - ok
16:25:29.0932 5176 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
16:25:29.0933 5176 monitor - ok
16:25:30.0018 5176 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
16:25:30.0021 5176 mouclass - ok
16:25:30.0094 5176 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
16:25:30.0098 5176 mouhid - ok
16:25:30.0158 5176 mountmgr (fc8771f45ecccfd89684e38842539b9b) C:\Windows\system32\drivers\mountmgr.sys
16:25:30.0161 5176 mountmgr - ok
16:25:30.0220 5176 mpio (2d699fb6e89ce0d8da14ecc03b3edfe0) C:\Windows\system32\drivers\mpio.sys
16:25:30.0226 5176 mpio - ok
16:25:30.0272 5176 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
16:25:30.0276 5176 mpsdrv - ok
16:25:30.0352 5176 MpsSvc (9835584e999d25004e1ee8e5f3e3b881) C:\Windows\system32\mpssvc.dll
16:25:30.0366 5176 MpsSvc - ok
16:25:30.0412 5176 MRxDAV (ceb46ab7c01c9f825f8cc6babc18166a) C:\Windows\system32\drivers\mrxdav.sys
16:25:30.0418 5176 MRxDAV - ok
16:25:30.0464 5176 mrxsmb (5d16c921e3671636c0eba3bbaac5fd25) C:\Windows\system32\DRIVERS\mrxsmb.sys
16:25:30.0470 5176 mrxsmb - ok
16:25:30.0528 5176 mrxsmb10 (6d17a4791aca19328c685d256349fefc) C:\Windows\system32\DRIVERS\mrxsmb10.sys
16:25:30.0536 5176 mrxsmb10 - ok
16:25:30.0566 5176 mrxsmb20 (b81f204d146000be76651a50670a5e9e) C:\Windows\system32\DRIVERS\mrxsmb20.sys
16:25:30.0570 5176 mrxsmb20 - ok
16:25:30.0601 5176 msahci (012c5f4e9349e711e11e0f19a8589f0a) C:\Windows\system32\drivers\msahci.sys
16:25:30.0604 5176 msahci - ok
16:25:30.0650 5176 msdsm (55055f8ad8be27a64c831322a780a228) C:\Windows\system32\drivers\msdsm.sys
16:25:30.0655 5176 msdsm - ok
16:25:30.0705 5176 MSDTC (e1bce74a3bd9902b72599c0192a07e27) C:\Windows\System32\msdtc.exe
16:25:30.0716 5176 MSDTC - ok
16:25:30.0766 5176 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
16:25:30.0769 5176 Msfs - ok
16:25:30.0789 5176 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
16:25:30.0792 5176 mshidkmdf - ok
16:25:30.0813 5176 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\drivers\msisadrv.sys
16:25:30.0816 5176 msisadrv - ok
16:25:30.0876 5176 MSiSCSI (90f7d9e6b6f27e1a707d4a297f077828) C:\Windows\system32\iscsiexe.dll
16:25:30.0885 5176 MSiSCSI - ok
16:25:30.0902 5176 msiserver - ok
16:25:30.0952 5176 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
16:25:30.0955 5176 MSKSSRV - ok
16:25:30.0986 5176 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
16:25:30.0989 5176 MSPCLOCK - ok
16:25:31.0049 5176 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
16:25:31.0051 5176 MSPQM - ok
16:25:31.0098 5176 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
16:25:31.0105 5176 MsRPC - ok
16:25:31.0160 5176 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\drivers\mssmbios.sys
16:25:31.0162 5176 mssmbios - ok
16:25:31.0205 5176 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
16:25:31.0208 5176 MSTEE - ok
16:25:31.0238 5176 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
16:25:31.0240 5176 MTConfig - ok
16:25:31.0279 5176 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
16:25:31.0283 5176 Mup - ok
16:25:31.0359 5176 napagent (61d57a5d7c6d9afe10e77dae6e1b445e) C:\Windows\system32\qagentRT.dll
16:25:31.0370 5176 napagent - ok
16:25:31.0445 5176 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
16:25:31.0454 5176 NativeWifiP - ok
16:25:31.0526 5176 NDIS (e7c54812a2aaf43316eb6930c1ffa108) C:\Windows\system32\drivers\ndis.sys
16:25:31.0542 5176 NDIS - ok
16:25:31.0588 5176 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
16:25:31.0598 5176 NdisCap - ok
16:25:31.0647 5176 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
16:25:31.0649 5176 NdisTapi - ok
16:25:31.0705 5176 Ndisuio (d8a65dafb3eb41cbb622745676fcd072) C:\Windows\system32\DRIVERS\ndisuio.sys
16:25:31.0708 5176 Ndisuio - ok
16:25:31.0763 5176 NdisWan (38fbe267e7e6983311179230facb1017) C:\Windows\system32\DRIVERS\ndiswan.sys
16:25:31.0769 5176 NdisWan - ok
16:25:31.0799 5176 NDProxy (a4bdc541e69674fbff1a8ff00be913f2) C:\Windows\system32\drivers\NDProxy.sys
16:25:31.0803 5176 NDProxy - ok
16:25:31.0855 5176 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
16:25:31.0858 5176 NetBIOS - ok
16:25:31.0920 5176 NetBT (280122ddcf04b378edd1ad54d71c1e54) C:\Windows\system32\DRIVERS\netbt.sys
16:25:31.0925 5176 NetBT - ok
16:25:31.0973 5176 Netlogon (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
16:25:31.0976 5176 Netlogon - ok
16:25:32.0035 5176 Netman (7cccfca7510684768da22092d1fa4db2) C:\Windows\System32\netman.dll
16:25:32.0044 5176 Netman - ok
16:25:32.0081 5176 netprofm (8c338238c16777a802d6a9211eb2ba50) C:\Windows\System32\netprofm.dll
16:25:32.0099 5176 netprofm - ok
16:25:32.0185 5176 NetTcpPortSharing (f476ec40033cdb91efbe73eb99b8362d) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
16:25:32.0191 5176 NetTcpPortSharing - ok
16:25:32.0500 5176 netw5v32 (58218ec6b61b1169cf54aab0d00f5fe2) C:\Windows\system32\DRIVERS\netw5v32.sys
16:25:32.0634 5176 netw5v32 - ok
16:25:32.0792 5176 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
16:25:32.0796 5176 nfrd960 - ok
16:25:32.0852 5176 NlaSvc (912084381d30d8b89ec4e293053f4710) C:\Windows\System32\nlasvc.dll
16:25:32.0860 5176 NlaSvc - ok
16:25:32.0887 5176 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
16:25:32.0890 5176 Npfs - ok
16:25:32.0922 5176 nsi (ba387e955e890c8a88306d9b8d06bf17) C:\Windows\system32\nsisvc.dll
16:25:32.0926 5176 nsi - ok
16:25:32.0969 5176 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
16:25:32.0972 5176 nsiproxy - ok
16:25:33.0101 5176 Ntfs (81189c3d7763838e55c397759d49007a) C:\Windows\system32\drivers\Ntfs.sys
16:25:33.0139 5176 Ntfs - ok
16:25:33.0183 5176 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
16:25:33.0186 5176 Null - ok
16:25:33.0230 5176 nvraid (b3e25ee28883877076e0e1ff877d02e0) C:\Windows\system32\drivers\nvraid.sys
16:25:33.0235 5176 nvraid - ok
16:25:33.0275 5176 nvstor (4380e59a170d88c4f1022eff6719a8a4) C:\Windows\system32\drivers\nvstor.sys
16:25:33.0282 5176 nvstor - ok
16:25:33.0337 5176 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\drivers\nv_agp.sys
16:25:33.0343 5176 nv_agp - ok
16:25:33.0382 5176 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\drivers\ohci1394.sys
16:25:33.0386 5176 ohci1394 - ok
16:25:33.0489 5176 ose (9d10f99a6712e28f8acd5641e3a7ea6b) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
16:25:33.0496 5176 ose - ok
16:25:34.0009 5176 osppsvc (358a9cca612c68eb2f07ddad4ce1d8d7) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
16:25:34.0162 5176 osppsvc - ok
16:25:34.0358 5176 p2pimsvc (82a8521ddc60710c3d3d3e7325209bec) C:\Windows\system32\pnrpsvc.dll
16:25:34.0367 5176 p2pimsvc - ok
16:25:34.0418 5176 p2psvc (59c3ddd501e39e006dac31bf55150d91) C:\Windows\system32\p2psvc.dll
16:25:34.0428 5176 p2psvc - ok
16:25:34.0478 5176 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
16:25:34.0483 5176 Parport - ok
16:25:34.0538 5176 partmgr (3f34a1b4c5f6475f320c275e63afce9b) C:\Windows\system32\drivers\partmgr.sys
16:25:34.0542 5176 partmgr - ok
16:25:34.0572 5176 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
16:25:34.0575 5176 Parvdm - ok
16:25:34.0616 5176 PcaSvc (358ab7956d3160000726574083dfc8a6) C:\Windows\System32\pcasvc.dll
16:25:34.0624 5176 PcaSvc - ok
16:25:34.0678 5176 pci (673e55c3498eb970088e812ea820aa8f) C:\Windows\system32\drivers\pci.sys
16:25:34.0684 5176 pci - ok
16:25:34.0717 5176 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\drivers\pciide.sys
16:25:34.0720 5176 pciide - ok
16:25:34.0772 5176 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
16:25:34.0780 5176 pcmcia - ok
16:25:34.0865 5176 PCTCore (0edb74bd0d52d6d94cf862322e48b94e) C:\Windows\system32\drivers\PCTCore.sys
16:25:34.0873 5176 PCTCore - ok
16:25:34.0944 5176 pctDS (8734f7346b39a710491e0ddb136da2a3) C:\Windows\system32\drivers\pctDS.sys
16:25:34.0956 5176 pctDS - ok
16:25:35.0037 5176 pctEFA (653d8079cc000ec454789740a07b84a8) C:\Windows\system32\drivers\pctEFA.sys
16:25:35.0065 5176 pctEFA - ok
16:25:35.0152 5176 pctgntdi (cee55a1df92cb30f87280b6a04aadce8) C:\Windows\System32\drivers\pctgntdi.sys
16:25:35.0159 5176 pctgntdi - ok
16:25:35.0215 5176 pctplsg (061b86fd64a61ad187efc788d6c408b0) C:\Windows\System32\drivers\pctplsg.sys
16:25:35.0219 5176 pctplsg - ok
16:25:35.0257 5176 PCTSD (eb98f7514dcf1b922b318e6182d836b1) C:\Windows\system32\Drivers\PCTSD.sys
16:25:35.0262 5176 PCTSD - ok
16:25:35.0306 5176 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
16:25:35.0310 5176 pcw - ok
16:25:35.0369 5176 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
16:25:35.0389 5176 PEAUTH - ok
16:25:35.0485 5176 PeerDistSvc (af4d64d2a57b9772cf3801950b8058a6) C:\Windows\system32\peerdistsvc.dll
16:25:35.0511 5176 PeerDistSvc - ok
16:25:35.0696 5176 pla (414bba67a3ded1d28437eb66aeb8a720) C:\Windows\system32\pla.dll
16:25:35.0733 5176 pla - ok
16:25:35.0907 5176 PlugPlay (ec7bc28d207da09e79b3e9faf8b232ca) C:\Windows\system32\umpnpmgr.dll
16:25:35.0921 5176 PlugPlay - ok
16:25:35.0975 5176 PNRPAutoReg (63ff8572611249931eb16bb8eed6afc8) C:\Windows\system32\pnrpauto.dll
16:25:35.0981 5176 PNRPAutoReg - ok
16:25:36.0031 5176 PNRPsvc (82a8521ddc60710c3d3d3e7325209bec) C:\Windows\system32\pnrpsvc.dll
16:25:36.0038 5176 PNRPsvc - ok
16:25:36.0124 5176 PolicyAgent (53946b69ba0836bd95b03759530c81ec) C:\Windows\System32\ipsecsvc.dll
16:25:36.0140 5176 PolicyAgent - ok
16:25:36.0205 5176 Power (f87d30e72e03d579a5199ccb3831d6ea) C:\Windows\system32\umpo.dll
16:25:36.0213 5176 Power - ok
16:25:36.0283 5176 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
16:25:36.0286 5176 PptpMiniport - ok
16:25:36.0316 5176 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
16:25:36.0321 5176 Processor - ok
16:25:36.0380 5176 ProfSvc (43ca4ccc22d52fb58e8988f0198851d0) C:\Windows\system32\profsvc.dll
16:25:36.0387 5176 ProfSvc - ok
16:25:36.0429 5176 ProtectedStorage (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
16:25:36.0432 5176 ProtectedStorage - ok
16:25:36.0485 5176 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
16:25:36.0489 5176 Psched - ok
16:25:36.0620 5176 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
16:25:36.0660 5176 ql2300 - ok
16:25:36.0811 5176 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
16:25:36.0816 5176 ql40xx - ok
16:25:36.0866 5176 QWAVE (31ac809e7707eb580b2bdb760390765a) C:\Windows\system32\qwave.dll
16:25:36.0876 5176 QWAVE - ok
16:25:36.0898 5176 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
16:25:36.0901 5176 QWAVEdrv - ok
16:25:37.0117 5176 RapportIaso (1f0381f7f4ff40e0df12fd49d2d80fcd) c:\programdata\trusteer\rapport\store\exts\rapportms\baseline\rapportiaso.sys
16:25:37.0122 5176 RapportIaso - ok
16:25:37.0157 5176 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
16:25:37.0160 5176 RasAcd - ok
16:25:37.0199 5176 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
16:25:37.0203 5176 RasAgileVpn - ok
16:25:37.0243 5176 RasAuto (a60f1839849c0c00739787fd5ec03f13) C:\Windows\System32\rasauto.dll
16:25:37.0250 5176 RasAuto - ok
16:25:37.0288 5176 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
16:25:37.0292 5176 Rasl2tp - ok
16:25:37.0374 5176 RasMan (cb9e04dc05eacf5b9a36ca276d475006) C:\Windows\System32\rasmans.dll
16:25:37.0383 5176 RasMan - ok
16:25:37.0420 5176 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
16:25:37.0424 5176 RasPppoe - ok
16:25:37.0459 5176 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
16:25:37.0462 5176 RasSstp - ok
16:25:37.0506 5176 rdbss (d528bc58a489409ba40334ebf96a311b) C:\Windows\system32\DRIVERS\rdbss.sys
16:25:37.0517 5176 rdbss - ok
16:25:37.0550 5176 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
16:25:37.0553 5176 rdpbus - ok
16:25:37.0592 5176 RDPCDD (23dae03f29d253ae74c44f99e515f9a1) C:\Windows\system32\DRIVERS\RDPCDD.sys
16:25:37.0594 5176 RDPCDD - ok
16:25:37.0657 5176 RDPDR (b973fcfc50dc1434e1970a146f7e3885) C:\Windows\system32\drivers\rdpdr.sys
16:25:37.0663 5176 RDPDR - ok
16:25:37.0716 5176 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
16:25:37.0719 5176 RDPENCDD - ok
16:25:37.0750 5176 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
16:25:37.0753 5176 RDPREFMP - ok
16:25:37.0860 5176 RdpVideoMiniport (68a0387f58e226deee23d9715955572a) C:\Windows\system32\drivers\rdpvideominiport.sys
16:25:37.0863 5176 RdpVideoMiniport - ok
16:25:37.0919 5176 RDPWD (f031683e6d1fea157abb2ff260b51e61) C:\Windows\system32\drivers\RDPWD.sys
16:25:37.0926 5176 RDPWD - ok
16:25:37.0982 5176 rdyboost (518395321dc96fe2c9f0e96ac743b656) C:\Windows\system32\drivers\rdyboost.sys
16:25:37.0988 5176 rdyboost - ok
16:25:38.0031 5176 RemoteAccess (7b5e1419717fac363a31cc302895217a) C:\Windows\System32\mprdim.dll
16:25:38.0036 5176 RemoteAccess - ok
16:25:38.0084 5176 RemoteRegistry (cb9a8683f4ef2bf99e123d79950d7935) C:\Windows\system32\regsvc.dll
16:25:38.0091 5176 RemoteRegistry - ok
16:25:38.0154 5176 rismxdp (6c1f93c0760c9f79a1869d07233df39d) C:\Windows\system32\DRIVERS\rixdptsk.sys
16:25:38.0158 5176 rismxdp - ok
16:25:38.0200 5176 RpcEptMapper (78d072f35bc45d9e4e1b61895c152234) C:\Windows\System32\RpcEpMap.dll
16:25:38.0205 5176 RpcEptMapper - ok
16:25:38.0245 5176 RpcLocator (94d36c0e44677dd26981d2bfeef2a29d) C:\Windows\system32\locator.exe
16:25:38.0249 5176 RpcLocator - ok
16:25:38.0320 5176 RpcSs (7660f01d3b38aca1747e397d21d790af) C:\Windows\system32\rpcss.dll
16:25:38.0329 5176 RpcSs - ok
16:25:38.0391 5176 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
16:25:38.0395 5176 rspndr - ok
16:25:38.0446 5176 s3cap (7fa7f2e249a5dcbb7970630e15e1f482) C:\Windows\system32\drivers\vms3cap.sys
16:25:38.0449 5176 s3cap - ok
16:25:38.0497 5176 SamSs (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
16:25:38.0500 5176 SamSs - ok
16:25:38.0535 5176 sbp2port (05d860da1040f111503ac416ccef2bca) C:\Windows\system32\drivers\sbp2port.sys
16:25:38.0539 5176 sbp2port - ok
16:25:38.0583 5176 SCardSvr (8fc518ffe9519c2631d37515a68009c4) C:\Windows\System32\SCardSvr.dll
16:25:38.0591 5176 SCardSvr - ok
16:25:38.0642 5176 scfilter (0693b5ec673e34dc147e195779a4dcf6) C:\Windows\system32\DRIVERS\scfilter.sys
16:25:38.0645 5176 scfilter - ok
16:25:38.0739 5176 Schedule (a04bb13f8a72f8b6e8b4071723e4e336) C:\Windows\system32\schedsvc.dll
16:25:38.0758 5176 Schedule - ok
16:25:38.0814 5176 SCPolicySvc (319c6b309773d063541d01df8ac6f55f) C:\Windows\System32\certprop.dll
16:25:38.0816 5176 SCPolicySvc - ok
16:25:39.0230 5176 sdAuxService (17d6a03103586d7954ba74c2219ce1bb) C:\Program Files\PC Tools Security Spyware Dr\pctsAuxs.exe
16:25:39.0236 5176 sdAuxService - ok
16:25:39.0312 5176 sdbus (0328be1c7f1cba23848179f8762e391c) C:\Windows\system32\drivers\sdbus.sys
16:25:39.0317 5176 sdbus - ok
16:25:39.0422 5176 sdCoreService (d2b30a5a8f57c00b0fa84a8880e9ec5b) C:\Program Files\PC Tools Security Spyware Dr\pctsSvc.exe
16:25:39.0435 5176 sdCoreService - ok
16:25:39.0490 5176 SDRSVC (08236c4bce5edd0a0318a438af28e0f7) C:\Windows\System32\SDRSVC.dll
16:25:39.0497 5176 SDRSVC - ok
16:25:39.0561 5176 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
16:25:39.0564 5176 secdrv - ok
16:25:39.0606 5176 seclogon (a59b3a4442c52060cc7a85293aa3546f) C:\Windows\system32\seclogon.dll
16:25:39.0610 5176 seclogon - ok
16:25:39.0647 5176 SENS (dcb7fcdcc97f87360f75d77425b81737) C:\Windows\system32\sens.dll
16:25:39.0652 5176 SENS - ok
16:25:39.0688 5176 SensrSvc (50087fe1ee447009c9cc2997b90de53f) C:\Windows\system32\sensrsvc.dll
16:25:39.0694 5176 SensrSvc - ok
16:25:39.0727 5176 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
16:25:39.0735 5176 Serenum - ok
16:25:39.0764 5176 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys
16:25:39.0786 5176 Serial - ok
16:25:39.0842 5176 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
16:25:39.0845 5176 sermouse - ok
16:25:39.0922 5176 SessionEnv (4ae380f39a0032eab7dd953030b26d28) C:\Windows\system32\sessenv.dll
16:25:39.0929 5176 SessionEnv - ok
16:25:39.0983 5176 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\drivers\sffdisk.sys
16:25:39.0986 5176 sffdisk - ok
16:25:40.0023 5176 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\drivers\sffp_mmc.sys
16:25:40.0026 5176 sffp_mmc - ok
16:25:40.0053 5176 sffp_sd (6d4ccaedc018f1cf52866bbbaa235982) C:\Windows\system32\drivers\sffp_sd.sys
16:25:40.0055 5176 sffp_sd - ok
16:25:40.0099 5176 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
16:25:40.0109 5176 sfloppy - ok
16:25:40.0162 5176 SharedAccess (d1a079a0de2ea524513b6930c24527a2) C:\Windows\System32\ipnathlp.dll
16:25:40.0171 5176 SharedAccess - ok
16:25:40.0242 5176 ShellHWDetection (414da952a35bf5d50192e28263b40577) C:\Windows\System32\shsvcs.dll
16:25:40.0254 5176 ShellHWDetection - ok
16:25:40.0309 5176 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\drivers\sisagp.sys
16:25:40.0313 5176 sisagp - ok
16:25:40.0370 5176 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys
16:25:40.0374 5176 SiSRaid2 - ok
16:25:40.0411 5176 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys
16:25:40.0416 5176 SiSRaid4 - ok
16:25:40.0499 5176 SkypeUpdate (ea396139541706b4b433641d62ea53ce) C:\Program Files\Skype\Updater\Updater.exe
16:25:40.0505 5176 SkypeUpdate - ok
16:25:40.0554 5176 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
16:25:40.0559 5176 Smb - ok
16:25:40.0636 5176 SNMPTRAP (6a984831644eca1a33ffeae4126f4f37) C:\Windows\System32\snmptrap.exe
16:25:40.0641 5176 SNMPTRAP - ok
16:25:40.0686 5176 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
16:25:40.0689 5176 spldr - ok
16:25:40.0767 5176 Spooler (866a43013535dc8587c258e43579c764) C:\Windows\System32\spoolsv.exe
16:25:40.0778 5176 Spooler - ok
16:25:41.0024 5176 sppsvc (cf87a1de791347e75b98885214ced2b8) C:\Windows\system32\sppsvc.exe
16:25:41.0090 5176 sppsvc - ok
16:25:41.0232 5176 sppuinotify (b0180b20b065d89232a78a40fe56eaa6) C:\Windows\system32\sppuinotify.dll
16:25:41.0237 5176 sppuinotify - ok
16:25:41.0316 5176 srv (e4c2764065d66ea1d2d3ebc28fe99c46) C:\Windows\system32\DRIVERS\srv.sys
16:25:41.0327 5176 srv - ok
16:25:41.0372 5176 srv2 (03f0545bd8d4c77fa0ae1ceedfcc71ab) C:\Windows\system32\DRIVERS\srv2.sys
16:25:41.0382 5176 srv2 - ok
16:25:41.0443 5176 SrvHsfHDA (e00fdfaff025e94f9821153750c35a6d) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
16:25:41.0450 5176 SrvHsfHDA - ok
16:25:41.0535 5176 SrvHsfV92 (ceb4e3b6890e1e42dca6694d9e59e1a0) C:\Windows\system32\DRIVERS\VSTDPV3.SYS
16:25:41.0565 5176 SrvHsfV92 - ok
16:25:41.0642 5176 SrvHsfWinac (bc0c7ea89194c299f051c24119000e17) C:\Windows\system32\DRIVERS\VSTCNXT3.SYS
16:25:41.0663 5176 SrvHsfWinac - ok
16:25:41.0717 5176 srvnet (be6bd660caa6f291ae06a718a4fa8abc) C:\Windows\system32\DRIVERS\srvnet.sys
16:25:41.0722 5176 srvnet - ok
16:25:41.0764 5176 SSDPSRV (d887c9fd02ac9fa880f6e5027a43e118) C:\Windows\System32\ssdpsrv.dll
16:25:41.0772 5176 SSDPSRV - ok
16:25:41.0805 5176 SstpSvc (d318f23be45d5e3a107469eb64815b50) C:\Windows\system32\sstpsvc.dll
16:25:41.0811 5176 SstpSvc - ok
16:25:41.0859 5176 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys
16:25:41.0862 5176 stexstor - ok
16:25:41.0936 5176 StiSvc (e1fb3706030fb4578a0d72c2fc3689e4) C:\Windows\System32\wiaservc.dll
16:25:41.0949 5176 StiSvc - ok
16:25:41.0993 5176 storflt (472af0311073dceceaa8fa18ba2bdf89) C:\Windows\system32\drivers\vmstorfl.sys
16:25:41.0997 5176 storflt - ok
16:25:42.0035 5176 StorSvc (0bf669f0a910beda4a32258d363af2a5) C:\Windows\system32\storsvc.dll
16:25:42.0041 5176 StorSvc - ok
16:25:42.0072 5176 storvsc (dcaffd62259e0bdb433dd67b5bb37619) C:\Windows\system32\drivers\storvsc.sys
16:25:42.0075 5176 storvsc - ok
16:25:42.0109 5176 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\drivers\swenum.sys
16:25:42.0111 5176 swenum - ok
16:25:42.0161 5176 swprv (a28bd92df340e57b024ba433165d34d7) C:\Windows\System32\swprv.dll
16:25:42.0172 5176 swprv - ok
16:25:42.0199 5176 Synth3dVsc - ok
16:25:42.0313 5176 SysMain (36650d618ca34c9d357dfd3d89b2c56f) C:\Windows\system32\sysmain.dll
16:25:42.0340 5176 SysMain - ok
16:25:42.0388 5176 TabletInputService (763fecdc3d30c815fe72dd57936c6cd1) C:\Windows\System32\TabSvc.dll
16:25:42.0396 5176 TabletInputService - ok
16:25:42.0464 5176 TapiSrv (613bf4820361543956909043a265c6ac) C:\Windows\System32\tapisrv.dll
16:25:42.0474 5176 TapiSrv - ok
16:25:42.0515 5176 TBS (b799d9fdb26111737f58288d8dc172d9) C:\Windows\System32\tbssvc.dll
16:25:42.0522 5176 TBS - ok
16:25:42.0683 5176 Tcpip (7fa2e0f8b072bd04b77b421480b6cc22) C:\Windows\system32\drivers\tcpip.sys
16:25:42.0724 5176 Tcpip - ok
16:25:42.0773 5176 TCPIP6 (7fa2e0f8b072bd04b77b421480b6cc22) C:\Windows\system32\DRIVERS\tcpip.sys
16:25:42.0789 5176 TCPIP6 - ok
16:25:42.0849 5176 tcpipreg (cca24162e055c3714ce5a88b100c64ed) C:\Windows\system32\drivers\tcpipreg.sys
16:25:42.0860 5176 tcpipreg - ok
16:25:42.0917 5176 TDPIPE (1cb91b2bd8f6dd367dfc2ef26fd751b2) C:\Windows\system32\drivers\tdpipe.sys
16:25:42.0920 5176 TDPIPE - ok
16:25:42.0971 5176 TDTCP (2c2c5afe7ee4f620d69c23c0617651a8) C:\Windows\system32\drivers\tdtcp.sys
16:25:42.0976 5176 TDTCP - ok
16:25:43.0029 5176 tdx (b459575348c20e8121d6039da063c704) C:\Windows\system32\DRIVERS\tdx.sys
16:25:43.0033 5176 tdx - ok
16:25:43.0086 5176 TermDD (04dbf4b01ea4bf25a9a3e84affac9b20) C:\Windows\system32\drivers\termdd.sys
16:25:43.0090 5176 TermDD - ok
16:25:43.0181 5176 TermService (382c804c92811be57829d8e550a900e2) C:\Windows\System32\termsrv.dll
16:25:43.0195 5176 TermService - ok
16:25:43.0243 5176 TfFsMon (754f8fd78ea7fa2b9a0cb8a69e0f0822) C:\Windows\system32\drivers\TfFsMon.sys
16:25:43.0275 5176 TfFsMon - ok
16:25:43.0371 5176 TfNetMon (697f66899b4f0c2d8ae3e7473b4b6244) C:\Windows\system32\drivers\TfNetMon.sys
16:25:43.0405 5176 TfNetMon - ok
16:25:43.0475 5176 TFSysMon (e02f47b841be86bfdf4d7269ed0b95e4) C:\Windows\system32\drivers\TfSysMon.sys
16:25:43.0514 5176 TFSysMon - ok
16:25:43.0564 5176 Themes (42fb6afd6b79d9fe07381609172e7ca4) C:\Windows\system32\themeservice.dll
16:25:43.0570 5176 Themes - ok
16:25:43.0602 5176 THREADORDER (146b6f43a673379a3c670e86d89be5ea) C:\Windows\system32\mmcss.dll
16:25:43.0611 5176 THREADORDER - ok
16:25:43.0821 5176 ThreatFire - ok
16:25:43.0875 5176 TrkWks (4792c0378db99a9bc2ae2de6cfff0c3a) C:\Windows\System32\trkwks.dll
16:25:43.0881 5176 TrkWks - ok
16:25:43.0947 5176 TrustedInstaller (2c49b175aee1d4364b91b531417fe583) C:\Windows\servicing\TrustedInstaller.exe
16:25:43.0953 5176 TrustedInstaller - ok
16:25:43.0995 5176 tssecsrv (254bb140eee3c59d6114c1a86b636877) C:\Windows\system32\DRIVERS\tssecsrv.sys
16:25:43.0998 5176 tssecsrv - ok
16:25:44.0048 5176 TsUsbFlt (fd1d6c73e6333be727cbcc6054247654) C:\Windows\system32\drivers\tsusbflt.sys
16:25:44.0052 5176 TsUsbFlt - ok
16:25:44.0070 5176 tsusbhub - ok
16:25:44.0149 5176 tunnel (b2fa25d9b17a68bb93d58b0556e8c90d) C:\Windows\system32\DRIVERS\tunnel.sys
16:25:44.0153 5176 tunnel - ok
16:25:44.0197 5176 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
16:25:44.0201 5176 uagp35 - ok
16:25:44.0298 5176 udfs (ee43346c7e4b5e63e54f927babbb32ff) C:\Windows\system32\DRIVERS\udfs.sys
16:25:44.0306 5176 udfs - ok
16:25:44.0368 5176 UI0Detect (8344fd4fce927880aa1aa7681d4927e5) C:\Windows\system32\UI0Detect.exe
16:25:44.0375 5176 UI0Detect - ok
16:25:44.0433 5176 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\drivers\uliagpkx.sys
16:25:44.0436 5176 uliagpkx - ok
16:25:44.0468 5176 umbus (d295bed4b898f0fd999fcfa9b32b071b) C:\Windows\system32\DRIVERS\umbus.sys
16:25:44.0471 5176 umbus - ok
16:25:44.0509 5176 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
16:25:44.0512 5176 UmPass - ok
16:25:44.0571 5176 UmRdpService (409994a8eaceee4e328749c0353527a0) C:\Windows\System32\umrdp.dll
16:25:44.0580 5176 UmRdpService - ok
16:25:44.0635 5176 upnphost (833fbb672460efce8011d262175fad33) C:\Windows\System32\upnphost.dll
16:25:44.0645 5176 upnphost - ok
16:25:44.0704 5176 usbccgp (bd9c55d7023c5de374507acc7a14e2ac) C:\Windows\system32\DRIVERS\usbccgp.sys
16:25:44.0709 5176 usbccgp - ok
16:25:44.0761 5176 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\drivers\usbcir.sys
16:25:44.0766 5176 usbcir - ok
16:25:44.0800 5176 usbehci (f92de757e4b7ce9c07c5e65423f3ae3b) C:\Windows\system32\DRIVERS\usbehci.sys
16:25:44.0803 5176 usbehci - ok
16:25:44.0859 5176 usbhub (8dc94aec6a7e644a06135ae7506dc2e9) C:\Windows\system32\DRIVERS\usbhub.sys
16:25:44.0875 5176 usbhub - ok
16:25:44.0905 5176 usbohci (e185d44fac515a18d9deddc23c2cdf44) C:\Windows\system32\drivers\usbohci.sys
16:25:44.0909 5176 usbohci - ok
16:25:44.0949 5176 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
16:25:44.0953 5176 usbprint - ok
16:25:45.0000 5176 USBSTOR (f991ab9cc6b908db552166768176896a) C:\Windows\system32\DRIVERS\USBSTOR.SYS
16:25:45.0004 5176 USBSTOR - ok
16:25:45.0035 5176 usbuhci (68df884cf41cdada664beb01daf67e3d) C:\Windows\system32\DRIVERS\usbuhci.sys
16:25:45.0038 5176 usbuhci - ok
16:25:45.0093 5176 usbvideo (45f4e7bf43db40a6c6b4d92c76cbc3f2) C:\Windows\System32\Drivers\usbvideo.sys
16:25:45.0099 5176 usbvideo - ok
16:25:45.0142 5176 UxSms (081e6e1c91aec36758902a9f727cd23c) C:\Windows\System32\uxsms.dll
16:25:45.0147 5176 UxSms - ok
16:25:45.0196 5176 VaultSvc (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
16:25:45.0199 5176 VaultSvc - ok
16:25:45.0238 5176 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\drivers\vdrvroot.sys
16:25:45.0242 5176 vdrvroot - ok
16:25:45.0317 5176 vds (c3cd30495687c2a2f66a65ca6fd89be9) C:\Windows\System32\vds.exe
16:25:45.0334 5176 vds - ok
16:25:45.0380 5176 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
16:25:45.0383 5176 vga - ok
16:25:45.0413 5176 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
16:25:45.0416 5176 VgaSave - ok
16:25:45.0445 5176 VGPU - ok
16:25:45.0497 5176 vhdmp (5461686cca2fda57b024547733ab42e3) C:\Windows\system32\drivers\vhdmp.sys
16:25:45.0504 5176 vhdmp - ok
16:25:45.0544 5176 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\drivers\viaagp.sys
16:25:45.0548 5176 viaagp - ok
16:25:45.0589 5176 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
16:25:45.0593 5176 ViaC7 - ok
16:25:45.0618 5176 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\drivers\viaide.sys
16:25:45.0621 5176 viaide - ok
16:25:45.0660 5176 vmbus (c2f2911156fdc7817c52829c86da494e) C:\Windows\system32\drivers\vmbus.sys
16:25:45.0668 5176 vmbus - ok
16:25:45.0704 5176 VMBusHID (d4d77455211e204f370d08f4963063ce) C:\Windows\system32\drivers\VMBusHID.sys
16:25:45.0718 5176 VMBusHID - ok
16:25:45.0745 5176 volmgr (4c63e00f2f4b5f86ab48a58cd990f212) C:\Windows\system32\drivers\volmgr.sys
16:25:45.0749 5176 volmgr - ok
16:25:45.0795 5176 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
16:25:45.0803 5176 volmgrx - ok
16:25:45.0849 5176 volsnap (f497f67932c6fa693d7de2780631cfe7) C:\Windows\system32\drivers\volsnap.sys
16:25:45.0859 5176 volsnap - ok
16:25:45.0924 5176 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
16:25:45.0931 5176 vsmraid - ok
16:25:46.0064 5176 VSS (209a3b1901b83aeb8527ed211cce9e4c) C:\Windows\system32\vssvc.exe
16:25:46.0090 5176 VSS - ok
16:25:46.0137 5176 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\System32\drivers\vwifibus.sys
16:25:46.0140 5176 vwifibus - ok
16:25:46.0201 5176 W32Time (55187fd710e27d5095d10a472c8baf1c) C:\Windows\system32\w32time.dll
16:25:46.0212 5176 W32Time - ok
16:25:46.0259 5176 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
16:25:46.0263 5176 WacomPen - ok
16:25:46.0326 5176 WANARP (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
16:25:46.0333 5176 WANARP - ok
16:25:46.0350 5176 Wanarpv6 (3c3c78515f5ab448b022bdf5b8ffdd2e) C:\Windows\system32\DRIVERS\wanarp.sys
16:25:46.0352 5176 Wanarpv6 - ok
16:25:46.0501 5176 WatAdminSvc (353a04c273ec58475d8633e75ccd5604) C:\Windows\system32\Wat\WatAdminSvc.exe
16:25:46.0542 5176 WatAdminSvc - ok
16:25:46.0680 5176 wbengine (691e3285e53dca558e1a84667f13e15a) C:\Windows\system32\wbengine.exe
16:25:46.0722 5176 wbengine - ok
16:25:46.0776 5176 WbioSrvc (9614b5d29dc76ac3c29f6d2d3aa70e67) C:\Windows\System32\wbiosrvc.dll
16:25:46.0785 5176 WbioSrvc - ok
16:25:46.0840 5176 wcncsvc (34eee0dfaadb4f691d6d5308a51315dc) C:\Windows\System32\wcncsvc.dll
16:25:46.0853 5176 wcncsvc - ok
16:25:46.0887 5176 WcsPlugInService (5d930b6357a6d2af4d7653bdabbf352f) C:\Windows\System32\WcsPlugInService.dll
16:25:46.0894 5176 WcsPlugInService - ok
16:25:46.0953 5176 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
16:25:46.0956 5176 Wd - ok
16:25:47.0010 5176 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
16:25:47.0025 5176 Wdf01000 - ok
16:25:47.0059 5176 WdiServiceHost (46ef9dc96265fd0b423db72e7c38c2a5) C:\Windows\system32\wdi.dll
16:25:47.0067 5176 WdiServiceHost - ok
16:25:47.0083 5176 WdiSystemHost (46ef9dc96265fd0b423db72e7c38c2a5) C:\Windows\system32\wdi.dll
16:25:47.0088 5176 WdiSystemHost - ok
16:25:47.0152 5176 WebClient (a9d880f97530d5b8fee278923349929d) C:\Windows\System32\webclnt.dll
16:25:47.0163 5176 WebClient - ok
16:25:47.0206 5176 Wecsvc (760f0afe937a77cff27153206534f275) C:\Windows\system32\wecsvc.dll
16:25:47.0214 5176 Wecsvc - ok
16:25:47.0243 5176 wercplsupport (ac804569bb2364fb6017370258a4091b) C:\Windows\System32\wercplsupport.dll
16:25:47.0249 5176 wercplsupport - ok
16:25:47.0286 5176 WerSvc (08e420d873e4fd85241ee2421b02c4a4) C:\Windows\System32\WerSvc.dll
16:25:47.0292 5176 WerSvc - ok
16:25:47.0346 5176 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
16:25:47.0349 5176 WfpLwf - ok
16:25:47.0384 5176 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
16:25:47.0387 5176 WIMMount - ok
16:25:47.0476 5176 winachsf (e096ffb754f1e45ae1bddac1275ae2c5) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
16:25:47.0496 5176 winachsf - ok
16:25:47.0589 5176 WinDefend (3fae8f94296001c32eab62cd7d82e0fd) C:\Program Files\Windows Defender\mpsvc.dll
16:25:47.0612 5176 WinDefend - ok
16:25:47.0643 5176 WinHttpAutoProxySvc - ok
16:25:47.0803 5176 Winmgmt (f62e510b6ad4c21eb9fe8668ed251826) C:\Windows\system32\wbem\WMIsvc.dll
16:25:47.0807 5176 Winmgmt - ok
16:25:47.0937 5176 WinRM (1b91cd34ea3a90ab6a4ef0550174f4cc) C:\Windows\system32\WsmSvc.dll
16:25:47.0965 5176 WinRM - ok
16:25:48.0058 5176 WinUsb (a67e5f9a400f3bd1be3d80613b45f708) C:\Windows\system32\DRIVERS\WinUsb.sys
16:25:48.0061 5176 WinUsb - ok
16:25:48.0158 5176 Wlansvc (16935c98ff639d185086a3529b1f2067) C:\Windows\System32\wlansvc.dll
16:25:48.0180 5176 Wlansvc - ok
16:25:48.0234 5176 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\drivers\wmiacpi.sys
16:25:48.0235 5176 WmiAcpi - ok
16:25:48.0318 5176 wmiApSrv (6eb6b66517b048d87dc1856ddf1f4c3f) C:\Windows\system32\wbem\WmiApSrv.exe
16:25:48.0324 5176 wmiApSrv - ok
16:25:48.0482 5176 WMPNetworkSvc (3b40d3a61aa8c21b88ae57c58ab3122e) C:\Program Files\Windows Media Player\wmpnetwk.exe
16:25:48.0506 5176 WMPNetworkSvc - ok
16:25:48.0539 5176 WPCSvc (a2f0ec770a92f2b3f9de6d518e11409c) C:\Windows\System32\wpcsvc.dll
16:25:48.0545 5176 WPCSvc - ok
16:25:48.0597 5176 WPDBusEnum (aa53356d60af47eacc85bc617a4f3f66) C:\Windows\system32\wpdbusenum.dll
16:25:48.0605 5176 WPDBusEnum - ok
16:25:48.0673 5176 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
16:25:48.0675 5176 ws2ifsl - ok
16:25:48.0709 5176 wscsvc (6f5d49efe0e7164e03ae773a3fe25340) C:\Windows\system32\wscsvc.dll
16:25:48.0716 5176 wscsvc - ok
16:25:48.0736 5176 WSearch - ok
16:25:48.0910 5176 wuauserv (fc3ec24fce372c89423e015a2ac1a31e) C:\Windows\system32\wuaueng.dll
16:25:48.0956 5176 wuauserv - ok
16:25:49.0129 5176 WudfPf (e714a1c0354636837e20ccbf00888ee7) C:\Windows\system32\drivers\WudfPf.sys
16:25:49.0133 5176 WudfPf - ok
16:25:49.0185 5176 WUDFRd (1023ee888c9b47178c5293ed5336ab69) C:\Windows\system32\DRIVERS\WUDFRd.sys
16:25:49.0191 5176 WUDFRd - ok
16:25:49.0260 5176 wudfsvc (8d1e1e529a2c9e9b6a85b55a345f7629) C:\Windows\System32\WUDFSvc.dll
16:25:49.0266 5176 wudfsvc - ok
16:25:49.0475 5176 WwanSvc (ff2d745b560f7c71b31f30f4d49f73d2) C:\Windows\System32\wwansvc.dll
16:25:49.0485 5176 WwanSvc - ok
16:25:49.0522 5176 XAudio (19e7c173b6242ad7521e537ae54768bf) C:\Windows\system32\DRIVERS\xaudio.sys
16:25:49.0524 5176 XAudio - ok
16:25:49.0575 5176 XAudioService (cda0bc78672b50c43649ff34e1fd0ff8) C:\Windows\system32\DRIVERS\xaudio.exe
16:25:49.0583 5176 XAudioService - ok
16:25:49.0663 5176 yukonw7 (30b73eb97218a16cbc6de535782a1b35) C:\Windows\system32\DRIVERS\yk62x86.sys
16:25:49.0671 5176 yukonw7 - ok
16:25:49.0711 5176 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
16:25:49.0948 5176 \Device\Harddisk0\DR0 - ok
16:25:49.0959 5176 Boot (0x1200) (883ff4935c3bc306c27b36ebf1fbe351) \Device\Harddisk0\DR0\Partition0
16:25:49.0962 5176 \Device\Harddisk0\DR0\Partition0 - ok
16:25:49.0988 5176 Boot (0x1200) (5627802e7e45e44d13331e8178c25b9a) \Device\Harddisk0\DR0\Partition1
16:25:49.0991 5176 \Device\Harddisk0\DR0\Partition1 - ok
16:25:49.0997 5176 ============================================================
16:25:49.0997 5176 Scan finished
16:25:49.0997 5176 ============================================================
16:25:50.0016 4400 Detected object count: 0
16:25:50.0016 4400 Actual detected object count: 0


And here's the log from the aswMBR scan.

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-25 16:33:12
-----------------------------
16:33:12.052 OS Version: Windows 6.1.7601 Service Pack 1
16:33:12.052 Number of processors: 2 586 0xF0D
16:33:12.059 ComputerName: CECILIA-PC UserName: Cecilia
16:33:14.716 Initialize success
16:33:24.896 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4
16:33:24.900 Disk 0 Vendor: Hitachi_HTS542525K9SA00 BBFOC32P Size: 238475MB BusType: 11
16:33:24.919 Disk 0 MBR read successfully
16:33:24.924 Disk 0 MBR scan
16:33:24.930 Disk 0 Windows 7 default MBR code
16:33:24.938 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
16:33:24.951 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 238373 MB offset 206848
16:33:24.960 Disk 0 scanning sectors +488394752
16:33:25.045 Disk 0 scanning C:\Windows\system32\drivers
16:33:34.001 Service scanning
16:34:03.753 Modules scanning
16:34:27.074 Disk 0 trace - called modules:
16:34:27.118 ntkrnlpa.exe CLASSPNP.SYS disk.sys PCTCore.sys ataport.SYS halmacpi.dll PCIIDEX.SYS msahci.sys
16:34:27.128 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85888490]
16:34:27.488 3 CLASSPNP.SYS[8924f59e] -> nt!IofCallDriver -> [0x85888cc0]
16:34:27.500 5 PCTCore.sys[88aa7407] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0x85782908]
16:34:27.513 Scan finished successfully
16:34:54.080 Disk 0 MBR has been saved successfully to "C:\Users\Cecilia\Desktop\MBR.dat"
16:34:54.093 The log file has been saved successfully to "C:\Users\Cecilia\Desktop\aswMBR.txt"


Since I ran the ComboFix scan yesterday, I've experienced no further issues with my laptop. No random audio ads have popped up and I haven't had my computer freeze up on me when I try to open multiple windows.

#9 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 25 July 2012 - 03:48 PM

Greetings

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Folder::
c:\programdata\Babylon
c:\users\Cecilia\AppData\Roaming\Babylon

DDS::
uStart Page = hxxp://search.babylon.com/?affID=109935&tt=010712_6&babsrc=HP_ss&mntrId=ce25c89f000000000000001cbf309694

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#10 Scary Carey
  • Topic Starter
  • Members
  • 16 posts

Posted 25 July 2012 - 05:01 PM

Here's the logfile from the second Combofix scan.

ComboFix 12-07-26.04 - Cecilia 07/25/2012 17:24:25.2.2 - x86
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.2038.1165 [GMT -4:00]
Running from: c:\users\Cecilia\Downloads\ComboFix.exe
Command switches used :: c:\users\Cecilia\Desktop\CFScript.txt
AV: PC Tools Spyware Doctor with AntiVirus *Enabled/Updated* {2F668A56-D5E0-2DF1-A0AE-CB1284F42AB2}
SP: PC Tools Spyware Doctor with AntiVirus *Disabled/Updated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Babylon
c:\users\Cecilia\AppData\Roaming\Babylon
c:\users\Cecilia\AppData\Roaming\Babylon\log_file.txt
.
.
((((((((((((((((((((((((( Files Created from 2012-06-25 to 2012-07-25 )))))))))))))))))))))))))))))))
.
.
2012-07-25 21:49 . 2012-07-25 21:50 -------- d-----w- c:\users\Cecilia\AppData\Local\temp
2012-07-25 21:49 . 2012-07-25 21:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-24 20:38 . 2012-07-24 20:38 -------- d-----w- c:\program files\iPod
2012-07-24 20:38 . 2012-07-24 20:39 -------- d-----w- c:\program files\iTunes
2012-07-21 02:19 . 2012-07-21 02:19 -------- d-----w- c:\users\Cecilia\AppData\Roaming\PCTools
2012-07-14 20:55 . 2012-07-14 20:55 -------- d-----w- c:\users\Cecilia\AppData\Local\Macromedia
2012-07-14 19:39 . 2012-06-12 02:40 2345984 ----a-w- c:\windows\system32\win32k.sys
2012-07-11 21:03 . 2012-04-24 04:36 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2012-07-11 21:03 . 2012-04-24 04:36 1158656 ----a-w- c:\windows\system32\crypt32.dll
2012-07-11 21:03 . 2012-04-24 04:36 103936 ----a-w- c:\windows\system32\cryptnet.dll
2012-07-10 22:58 . 2012-02-24 13:16 574424 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2012-07-10 22:58 . 2012-02-24 13:16 54328 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2012-07-10 22:58 . 2012-02-24 13:16 35264 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2012-07-10 15:46 . 2012-02-24 14:31 107864 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2012-07-10 15:22 . 2012-07-25 19:49 -------- d-----w- c:\users\Cecilia\AppData\Roaming\Skype
2012-07-10 15:21 . 2012-07-10 15:21 -------- d-----w- c:\program files\Common Files\Skype
2012-07-10 15:21 . 2012-07-10 15:21 -------- d-----r- c:\program files\Skype
2012-07-10 15:21 . 2012-07-10 15:22 -------- d-----w- c:\programdata\Skype
2012-07-09 22:46 . 2011-12-01 20:07 909728 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2012-07-09 22:46 . 2011-12-01 20:07 342168 ----a-w- c:\windows\system32\drivers\pctDS.sys
2012-07-09 22:46 . 2012-02-24 14:31 253352 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2012-07-09 22:46 . 2011-11-14 19:12 331880 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2012-07-09 22:46 . 2011-11-14 19:12 162584 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2012-07-09 22:46 . 2012-02-24 14:36 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-07-09 22:46 . 2012-02-24 14:35 17848 ----a-w- c:\windows\system32\drivers\pctBTFix.sys
2012-07-09 22:46 . 2012-02-24 14:37 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2012-07-09 22:45 . 2012-07-25 21:21 -------- d-----w- c:\program files\PC Tools Security Spyware Dr
2012-07-09 22:45 . 2012-07-10 22:58 -------- d-----w- c:\programdata\PC Tools
2012-07-09 22:45 . 2012-07-09 22:48 -------- d-----w- c:\program files\Common Files\PC Tools
2012-07-09 22:41 . 2012-07-09 22:44 -------- d-----w- c:\users\Cecilia\AppData\Roaming\GetRightToGo
2012-07-09 21:16 . 2012-07-09 21:16 -------- d-----w- c:\users\Cecilia\AppData\Local\Mozilla
2012-07-09 21:14 . 2012-07-10 16:08 -------- d-----w- c:\users\Cecilia\AppData\Local\Google
2012-07-09 21:14 . 2012-07-09 21:14 1527 ----a-w- C:\user.js
2012-07-03 05:53 . 2012-07-03 05:53 -------- d-----w- c:\users\Cecilia\AppData\Roaming\Malwarebytes
2012-07-03 05:53 . 2012-07-03 05:53 -------- d-----w- c:\programdata\Malwarebytes
2012-07-03 05:53 . 2012-07-03 05:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-03 05:53 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-03 01:34 . 2012-07-03 01:34 -------- d-----w- c:\programdata\McAfee
2012-06-27 22:25 . 2012-06-27 22:25 -------- d-----w- c:\users\Cecilia\AppData\Local\Trusteer
2012-06-27 22:24 . 2012-06-27 22:24 -------- d-----w- c:\programdata\Trusteer
2012-06-26 20:42 . 2012-06-18 07:14 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5C55A2FC-C307-4526-89FD-1CEA8A7777CA}\mpengine.dll
2012-06-26 02:19 . 2012-06-26 02:19 -------- d-----w- c:\programdata\FreeRIP
2012-06-26 02:19 . 2012-07-14 19:33 -------- d-----w- c:\program files\FreeRIP3
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-14 20:54 . 2012-04-09 06:07 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-14 20:54 . 2011-06-19 18:09 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 22:19 . 2012-06-23 05:25 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-23 05:25 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-23 05:25 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-23 05:25 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-23 05:25 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-23 05:25 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-23 05:25 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-23 05:24 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:12 . 2012-06-23 05:24 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-04-28 04:41 . 2012-06-13 01:50 919040 ----a-w- c:\windows\system32\rdpcorets.dll
2012-04-28 03:17 . 2012-06-13 01:50 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-06-14 22:20 . 2012-07-09 21:15 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2012-07-03 17417392]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-09-23 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-09-23 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-09-23 150552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
"boincmgr"="c:\program files\BOINC\boincmgr.exe" [2012-04-04 3654832]
"boinctray"="c:\program files\BOINC\boinctray.exe" [2012-04-04 70832]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe" [2012-06-22 686280]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [x]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [x]
R3 pctplsg;pctplsg;c:\windows\System32\drivers\pctplsg.sys [x]
R3 RapportIaso;RapportIaso;c:\programdata\trusteer\rapport\store\exts\rapportms\baseline\rapportiaso.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [x]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security Spyware Dr\pctsAuxs.exe [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL3.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV3.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT3.SYS [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 ThreatFire;ThreatFire;c:\program files\PC Tools Security Spyware Dr\TFEngine\TFService.exe service [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [x]
S0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [x]
S0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [x]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]
S0 TFSysMon;TFSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]
S1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [x]
S1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\Drivers\PCTSD.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [x]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 22090764
*Deregistered* - 22090764
*Deregistered* - aswMBR
*Deregistered* - PCTSDInjDriver32
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: DhcpNameServer = 192.168.1.1 71.252.0.12
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}"=hex:51,66,7a,6c,4c,1d,38,12,0f,32,96,
76,f7,7e,4c,08,c8,ef,48,fc,18,66,e7,6a
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}"=hex:51,66,7a,6c,4c,1d,38,12,8f,19,47,
2e,c4,15,0b,03,d7,b5,8c,e9,62,70,06,85
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:e5,fb,3e,49,b4,54,cd,01
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b9,47,2f,00,aa,ed,db,47,81,92,d2,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b9,47,2f,00,aa,ed,db,47,81,92,d2,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-07-25 17:54:32
ComboFix-quarantined-files.txt 2012-07-25 21:54
ComboFix2.txt 2012-07-24 20:05
.
Pre-Run: 168,661,458,944 bytes free
Post-Run: 168,481,157,120 bytes free
.
- - End Of File - - 203DC78000C2FA8658644F01BC4D919B


In the logfile, I noticed that the Babylon search engine came up. That's interesting. Now, my homepage is MSN. Overall, the computer seems to be running fine. I didn't have any problems running the scans, either.

#11 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 25 July 2012 - 05:21 PM

These logs are looking a lot better, but we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a much better job).

Programs to remove

  • Java™ 6 Update 30


  • Please download and install Revo Uninstaller Free.
  • Double-click Revo Uninstaller to run it.
  • From the list of programs, double-click on the program to remove.
  • When prompted if you want to uninstall, click Yes.
  • Be sure the Moderate option is selected, then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes and then Next.
  • Once done, click Finish.



Install Java:

Please go here to install Java

  • Click on the Free Java Download button.
  • Click on Agree and start Free download.
  • Click on Run.
  • Click on Run again.
  • Click on Install.
  • When the install is complete, click on Close.

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM.
  • Double-click the MBAM icon.
  • Go to the Update tab at the top.
  • Click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked (ticked) except items in the C:\System Volume Information folder, and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...)

  • Go here to download HijackThis Installer.
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7: right-click and run as admin.)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in Notepad.
  • Click on Edit > Select All, then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select Run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#12 Scary Carey
  • Topic Starter
  • Members
  • 16 posts

Posted 27 July 2012 - 03:49 PM

Here's the log from my recent Malwarebytes scan.

Malwarebytes Anti-Malware (PRO) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.27.10

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Cecilia :: CECILIA-PC [administrator]

Protection: Disabled

7/27/2012 4:33:58 PM
mbam-log-2012-07-27 (16-33-58).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 188767
Time elapsed: 6 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Here's the logfile from the HijackThis scan.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:45:49 PM, on 7/27/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16447)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinctray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BOINC\boinc.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\slui.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\ProgramData\BOINC\projects\setiathome.berkeley.edu\setiathome_6.03_windows_intelx86.exe
C:\ProgramData\BOINC\projects\setiathome.berkeley.edu\setiathome_6.03_windows_intelx86.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Cecilia\Desktop\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [boincmgr] "C:\Program Files\BOINC\boincmgr.exe" /a /s
O4 - HKLM\..\Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\Windows\is-QCVCF.exe" /REG /REGSVRMODE
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe -update activex (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe -update activex (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~1\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Security Spyware Dr\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Security Spyware Dr\pctsSvc.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\PC Tools Security Spyware Dr\TFEngine\TFService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6552 bytes


I experienced no problems in performing the recommended actions. The computer is running smoothly.

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:36 AM

Posted 27 July 2012 - 04:47 PM

Greetings

These logs are looking very good; we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start when you turn on your computer but don't need to. You can start any of them when you need them by clicking their icons (or from the Control Panel). By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running HijackThis see NOTE** below (Hosts file not read, blank Notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [boincmgr] "C:\Program Files\BOINC\boincmgr.exe" /a /s
      O4 - HKLM\..\Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe"
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\Windows\is-QCVCF.exe" /REG /REGSVRMODE
      O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe -update activex (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe -update activex (User 'Default user')
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not;
    just copy the name between the brackets and paste it into the search box, e.g.
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32-bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64-bit
and select "Run as administrator".

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Windows 7, right-click the IE shortcut and run it as administrator.

Go to the ESET web page to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add-on to be installed
    • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

  • If threats were found
  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish
  • close program
  • copy and paste the report here


Gringo
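The O4 lines in the HijackThis log above, and the "Remove unneeded start-up entries" step, are just the contents of the Run and RunOnce registry keys under HKLM, HKCU and each loaded user hive (HKUS\<SID>). The script below is an added example for this thread, not code from HijackThis or from this forum: it parses those O4 lines, works out which program each entry actually launches (quoted or unquoted command), and flags the ones worth a second look before anything is fixed. The sample input is a handful of O4 lines copied from the log above; the flagging rules are this example's own heuristics, not an authoritative list.

```python
"""Triage the O4 (registry autostart) lines of a HijackThis log.

Added example for this thread; it is not a HijackThis, Malwarebytes or
BleepingComputer tool. It parses each O4 line into hive, key, value name and
command, works out which program actually runs, and flags the entries a
responder checks first. The flagging rules are heuristics chosen for this
example, not an authoritative list.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: a subset of the O4 lines from the HijackThis log
# posted earlier in this thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [boincmgr] "C:\Program Files\BOINC\boincmgr.exe" /a /s
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\Windows\is-QCVCF.exe" /REG /REGSVRMODE
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /minimized /regrun
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil32_11_3_300_257_ActiveX.exe -update activex (User 'SYSTEM')
""".strip().splitlines()

# HijackThis prints registry autostarts as:
#   O4 - <hive>\..\<key>: [<value name>] <command> [(User '<account>')]
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# First token ending in an executable extension, used for unquoted commands.
EXE_RE = re.compile(r"^(?P<exe>.*?\.(?:exe|com|scr|bat|cmd|pif|dll))(?=\s|$)", re.I)


@dataclass
class AutostartEntry:
    hive: str
    key: str
    name: str
    command: str
    program: str
    user: Optional[str] = None
    reasons: List[str] = field(default_factory=list)


def program_from_command(cmd: str) -> str:
    """Return the program a Run value launches, handling quoted and unquoted forms."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        close = cmd.find('"', 1)
        return cmd[1:close] if close > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group("exe") if m else cmd.split(" ", 1)[0]


def flag_reasons(entry: AutostartEntry) -> List[str]:
    """Heuristic reasons to look closer at an autostart (example rules, not a vendor list)."""
    reasons = []
    p = entry.program.lower()
    if re.match(r"^[a-z]:\\windows\\[^\\]+$", p):
        reasons.append("executable directly in the Windows directory")
    if re.search(r"\\(temp|tmp|appdata|programdata|users\\[^\\]+\\(downloads|desktop))\\", p):
        reasons.append("executable in a user-writable location")
    if "\\" not in p:
        reasons.append("bare file name, resolved through the PATH search")
    if entry.key.lower().startswith("runonce"):
        reasons.append("RunOnce entry, runs once at the next logon")
    return reasons


def parse_o4(line: str) -> Optional[AutostartEntry]:
    """Parse one HijackThis O4 registry line; return None for anything else."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = AutostartEntry(
        hive=m.group("hive"), key=m.group("key"), name=m.group("name"),
        command=m.group("cmd"), program=program_from_command(m.group("cmd")),
        user=m.group("user"),
    )
    entry.reasons = flag_reasons(entry)
    return entry


def triage(lines) -> List[AutostartEntry]:
    """Parse every O4 line in a log and return the entries, flagged ones included."""
    return [e for e in (parse_o4(line) for line in lines) if e is not None]


if __name__ == "__main__":
    for e in triage(SAMPLE_O4_LINES):
        mark = "CHECK" if e.reasons else "  ok "
        who = f" (as {e.user})" if e.user else ""
        print(f"{mark} {e.hive}\\{e.key} [{e.name}] -> {e.program}{who}")
        for r in e.reasons:
            print(f"        - {r}")
```

Two entries come out flagged on the sample: the InnoSetupRegFile RunOnce value, because its target sits directly in C:\Windows under a random-looking name, and the FlashPlayerUpdate RunOnce value under the SYSTEM hive (HKUS\S-1-5-18), because RunOnce values are one-shot entries that installers and droppers alike use. Flagged does not mean malicious; it means check the file (publisher signature, hash, creation time) before deciding whether to fix the line.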

#14 Scary Carey

Scary Carey
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:09:36 AM

Posted 28 July 2012 - 12:57 AM

Here's the report from the ESET Scan.

C:\Qoobox\Quarantine\C\Windows\explorer.exe.vir Win32/Patched.NBG.Gen trojan
C:\Qoobox\Quarantine\C\Windows\System32\svchost.exe.vir Win32/Patched.NBG.Gen trojan
C:\Qoobox\Quarantine\C\Windows\System32\winlogon.exe.vir Win32/Patched.NBG.Gen trojan
C:\Users\Cecilia\Downloads\mozilla-firefox.exe a variant of Win32/InstallCore.X application
C:\Windows\System32\sysprep\cryptbase.dll Win32/Patched.NBG.Gen trojan
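
The ESET report lists Win32/Patched.NBG.Gen on three copies of system binaries that ComboFix had already moved to its Qoobox quarantine (explorer.exe, svchost.exe, winlogon.exe) and on a live cryptbase.dll under System32\sysprep. A "Patched" detection means a legitimate Windows binary with code modified in place. One quick, offline way to spot that kind of tampering is the PE header checksum: the linker stores a checksum of the whole file in the optional header, and a file altered after linking without the field being fixed up no longer matches. The script below is an added example for this thread, not ESET, ComboFix or Microsoft code; the image it checks is a minimal PE32 constructed inside the script, not any file from this thread.

```python
"""Check whether a PE file's stored header CheckSum still matches its contents.

Added example for this thread; it is not ESET, ComboFix or Microsoft code.
An ESET name of the form Win32/Patched.* means a legitimate Windows binary was
modified in place. The linker records a checksum of the whole file in
OptionalHeader.CheckSum, so a file whose stored value no longer matches its
bytes was changed after it was built and the field was not fixed up. The
sample image below is constructed here (a header-only PE32 with no sections);
it is not any file from the thread.
"""
import struct
import sys


def pe_checksum_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum; raises ValueError if this is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # signature(4) + COFF header(20) + 64 bytes into the optional header;
    # the field sits at the same position for PE32 and PE32+.
    return e_lfanew + 4 + 20 + 64


def compute_pe_checksum(data: bytes) -> int:
    """Recompute the image checksum as imagehlp's CheckSumMappedFile does: a
    one's-complement sum of every 16-bit word except the two that hold the
    stored CheckSum, plus the file length."""
    cs_off = pe_checksum_offset(data)
    padded = data + b"\0" * (len(data) % 2)  # odd-length files get a zero pad byte
    total = 0
    for off in range(0, len(padded), 2):
        if off == cs_off or off == cs_off + 2:
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    total = ((total & 0xFFFF) + (total >> 16)) & 0xFFFF
    return total + len(data)


def stored_pe_checksum(data: bytes) -> int:
    """The CheckSum value the file carries in its optional header."""
    return struct.unpack_from("<I", data, pe_checksum_offset(data))[0]


def check_pe_checksum(data: bytes) -> str:
    """'unset' if the linker left the field at zero, 'ok' if it matches, else 'mismatch'."""
    stored = stored_pe_checksum(data)
    if stored == 0:
        return "unset"
    return "ok" if stored == compute_pe_checksum(data) else "mismatch"


def build_minimal_pe(body: bytes, stamp_checksum: bool = True) -> bytes:
    """Constructed sample: DOS stub + PE32 headers with no sections, then `body`."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 0 sections, SizeOfOptionalHeader=224, Characteristics=EXE|32-bit
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes
    image = bytearray(dos + b"PE\0\0" + coff + bytes(opt) + body)
    if stamp_checksum:
        struct.pack_into("<I", image, pe_checksum_offset(bytes(image)),
                         compute_pe_checksum(bytes(image)))
    return bytes(image)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:  # check a real .exe/.dll given on the command line
            print(sys.argv[1], check_pe_checksum(fh.read()))
    else:
        good = build_minimal_pe(b"constructed sample body")
        tampered = bytearray(good)
        tampered[-1] ^= 0x01  # simulate an in-place patch of a single byte
        print("intact  :", check_pe_checksum(good))
        print("patched :", check_pe_checksum(bytes(tampered)))
```

Run it with a path to check a real .exe or .dll. Treat the result as a triage signal only: "mismatch" says the bytes changed after the header was written, "unset" means the linker never filled the field (common in third-party software), and "ok" proves nothing, because anyone patching a file can recompute the value; Windows does not enforce this checksum for ordinary user-mode images. The authoritative check for a Microsoft system file is its Authenticode signature (for example PowerShell's Get-AuthenticodeSignature) or sfc /scannow, which compares against the component store.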

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:36 AM

Posted 28 July 2012 - 01:02 AM

Greetings

There are some things in the online scan I want to remove, so run this script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
C:\Users\Cecilia\Downloads\mozilla-firefox.exe 
C:\Windows\System32\sysprep\cryptbase.dll


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt onto ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.



"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo




