
Live Security Platinum to Critical Error Restart Loop


  • This topic is locked
33 replies to this topic

#1 surfenterprises

  • Members
  • 19 posts

Posted 29 July 2012 - 03:11 PM

Hello,

I am having trouble with a malware infection on my laptop. It is an HP HDX 16 running Windows Vista Home Premium 64 bit.

While browsing the internet, all of a sudden a dialog box popped up showing that Live Security Platinum was running a scan and detecting all sorts of malware. Realizing that I had never installed a program of that name on my computer, I was suspicious and tried to do a search online. Firefox wouldn't open but iexplorer would. I was able to determine that this was some sort of rogue program from the info on the internet and decided to try and run Microsoft Security Essentials to fix it.
When I opened Microsoft Security Essentials it said that it was experiencing an error of some sort and wasn't working. The whole time I was getting errors from various installed programs. I then tried to use TrojanKiller from GridinSoft, installed it and ran it, and it showed various malware detected but wouldn't remove anything unless I bought it (which might have been the better choice). I decided that I would try and reinstall MSE at that point and see if that would take care of the issue. I uninstalled the current installation and reinstalled it. As soon as it finished installing my computer restarted and has been stuck in the critical restart loop since.

I have tried booting in safe mode with networking and installing MBAM, but I am not fast enough because the restart still comes up and restarts the computer. It says that Windows has encountered a critical error and will restart in 1 minute and to save any work now, and then it restarts. It doesn't matter if I am in safe mode or not.

I have also tried running DDS and saving a log file, but I am not fast enough to do that either before the restart.

I am unable to change or access any of the firewall settings; they report errors when I try.

By following some of the initial steps from other posts with the Critical Error Restart Loop issue, I went ahead and downloaded the Farbar Recovery Scan Tool and followed the instructions on how to use it from this posting.

http://www.bleepingcomputer.com/forums/topic458990.html

Below is the Scan report from running Farbar Recovery Scan Tool 64 bit using the repair your computer option.

Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 29-07-2012 09:43:23
Running from F:\
Windows Vista ™ Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1561384 2008-07-16] (Synaptics, Inc.)
HKLM\...\Run: [IAAnotif] "C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [178712 2008-04-15] (Intel Corporation)
HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [15867936 2008-07-25] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [82464 2008-07-25] (NVIDIA Corporation)
HKLM\...\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray64.exe [441344 2008-08-05] (IDT, Inc.)
HKLM\...\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey [1271168 2012-03-26] (Microsoft Corporation)
HKLM-x32\...\Run: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start [202032 2008-08-01] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75008 2008-06-16] (Hewlett-Packard)
HKLM-x32\...\Run: [hpWirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [488752 2008-04-15] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [39792 2008-10-15] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49152 2006-12-10] (Hewlett-Packard Co.)
HKLM-x32\...\Run: [DpAgent] C:\Program Files (x86)\DigitalPersona\Bin\dpagent.exe [842816 2009-12-01] (DigitalPersona, Inc.)
HKLM-x32\...\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2011-10-09] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2011-10-24] (Apple Inc.)
HKU\Billy\...\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler [226904 2007-07-12] (Macrovision Corporation)
HKU\Billy\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2009-02-18] (Google Inc.)
HKU\Billy\...\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe [138240 2008-01-20] (Microsoft Corporation)
HKU\Billy\...\Run: [rowses] "C:\Users\Billy\AppData\Roaming\rowses.dll",Encoder [438272 2012-07-26] ()
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\navatek\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\navatek\...\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden [x]
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Lsa: [Notification Packages] scecli
DPPWDFLT
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
ShortcutTarget: Adobe Gamma Loader.exe.lnk -> C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\AutorunsDisabled ()
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\SolidWorks Background Downloader.lnk
ShortcutTarget: SolidWorks Background Downloader.lnk -> C:\Program Files (x86)\Common Files\SolidWorks Installation Manager\BackgroundDownloading\sldBgDwld.exe (Dassault Systèmes SolidWorks Corp.)

==================== Services (Whitelisted) ======

2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_86727c20\AESTSr64.exe [89088 2008-06-27] (Andrea Electronics Corporation)
3 Autodesk Licensing Service; "C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe" [79360 2008-12-10] (Autodesk)
2 bckwfs; C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe [2122000 2012-02-13] (Blue Coat Systems, Inc.)
2 Crypkey License; crypserv.exe [52224 2000-06-29] (Kenonic Controls Ltd.)
2 MsMpSvc; "C:\Program Files\Microsoft Security Client\MsMpEng.exe" [12600 2012-03-26] (Microsoft Corporation)
2 MSSQL$AUTODESKVAULT; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sAUTODESKVAULT [29293408 2010-12-10] (Microsoft Corporation)
3 NisSrv; "C:\Program Files\Microsoft Security Client\NisSrv.exe" [291696 2012-03-26] (Microsoft Corporation)
2 Recovery Service for Windows; C:\Windows\SMINST\BLService.exe [361808 2008-08-06] ()
3 Remote Solver for Flow Simulation 2012; C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe [114824 2012-02-07] (Mentor Graphics Corporation)
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_86727c20\STacSV64.exe [251904 2008-08-05] (IDT, Inc.)
2 vfsFPService; C:\Windows\system32\vfsFPService.exe [719152 2008-05-26] (Validity Sensors, Inc.)
2 vfsFPService; C:\Windows\SysWow64\vfsFPService.exe [599344 2008-05-26] (Validity Sensors, Inc.)

========================== Drivers (Whitelisted) =============

3 akshasp; C:\Windows\System32\Drivers\akshasp.sys [90240 2006-12-04] (Aladdin Knowledge Systems Ltd.)
3 aksusb; C:\Windows\System32\Drivers\aksusb.sys [18688 2006-12-04] (Aladdin Knowledge Systems Ltd.)
1 bckd; C:\Windows\System32\Drivers\bckd.sys [108304 2012-02-13] (Blue Coat Systems, Inc.)
3 MUD; C:\Windows\System32\Drivers\MUD.sys [63232 2008-02-05] (Magellan)
3 TrojanKillerDriver; C:\Windows\System32\DRIVERS\gtkdrv.sys [16640 2012-01-04] (Windows ® Win 7 DDK provider)
3 vfs101a; C:\Windows\System32\Drivers\vfs101a.sys [49968 2008-05-26] (Validity Sensors, Inc.)

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-29 11:29 - 2012-07-29 11:29 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\xhrlllfd.sys
2012-07-29 11:27 - 2012-07-29 11:00 - 00607260 ____R (Swearware) C:\Users\Billy\Desktop\dds.scr
2012-07-29 10:36 - 2012-07-29 10:36 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\adkwlvpo.sys
2012-07-29 10:35 - 2012-07-29 10:35 - 00001246 ____A C:\Users\Billy\Desktop\FixExec.txt
2012-07-29 10:34 - 2012-07-29 10:18 - 00457632 ____A (Bleeping Computer, LLC) C:\Users\Billy\Desktop\FixExec.exe
2012-07-29 10:34 - 2012-07-29 09:36 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Billy\Desktop\mbam-setup-1.62.0.1300.exe
2012-07-29 09:42 - 2012-07-29 09:42 - 00000000 ____D C:\FRST
2012-07-28 22:05 - 2012-07-28 22:05 - 00000000 ____D C:\Program Files\Microsoft Security Client
2012-07-28 22:05 - 2012-07-28 22:05 - 00000000 ____D C:\Program Files (x86)\Microsoft Security Client
2012-07-28 21:59 - 2012-07-28 21:59 - 12621696 ____A (Microsoft Corporation) C:\Users\Billy\Desktop\mseinstall.exe
2012-07-28 21:58 - 2012-07-28 21:58 - 00509440 ____A (iS3, Inc.) C:\Users\Billy\Downloads\SZSetupAV.exe
2012-07-28 12:17 - 2012-07-28 13:08 - 00000000 ____D C:\Program Files (x86)\GridinSoft Trojan Killer
2012-07-28 12:17 - 2012-07-28 12:17 - 00000938 ____A C:\Users\Public\Desktop\Trojan Killer.lnk
2012-07-28 12:17 - 2012-07-28 12:17 - 00000938 ____A C:\Users\All Users\Desktop\Trojan Killer.lnk
2012-07-28 12:16 - 2012-07-28 12:16 - 28285912 ____A (GridinSoft LLC) C:\Users\Billy\Desktop\gtk2125-setup.exe
2012-07-28 12:13 - 2012-07-28 12:13 - 00407872 ____A C:\Users\Billy\Desktop\iexplorer.exe
2012-07-28 12:08 - 2012-07-28 12:08 - 00000000 __SHD C:\Windows\SysWOW64\%APPDATA%
2012-07-26 22:10 - 2012-07-28 22:22 - 00000000 ____D C:\Users\All Users\Application Data\0C1CFAEF0047549464C509E42F3B707C
2012-07-26 22:10 - 2012-07-28 22:22 - 00000000 ____D C:\Users\All Users\0C1CFAEF0047549464C509E42F3B707C
2012-07-26 22:09 - 2012-07-26 22:09 - 00438272 ____A () C:\Users\Billy\Application Data\rowses.dll
2012-07-26 22:09 - 2012-07-26 22:09 - 00438272 ____A () C:\Users\Billy\AppData\Roaming\rowses.dll
2012-07-26 22:09 - 2012-07-26 22:09 - 00000000 ____D C:\Users\Billy\Local Settings\Application Data\{A997FA7D-D7B1-11E1-8270-B8AC6F996F26}
2012-07-26 22:09 - 2012-07-26 22:09 - 00000000 ____D C:\Users\Billy\Local Settings\{A997FA7D-D7B1-11E1-8270-B8AC6F996F26}
2012-07-26 22:09 - 2012-07-26 22:09 - 00000000 ____D C:\Users\Billy\AppData\Local\{A997FA7D-D7B1-11E1-8270-B8AC6F996F26}
2012-07-11 22:58 - 2012-06-02 04:49 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-07-11 22:58 - 2012-06-02 04:17 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-07-11 22:58 - 2012-06-02 04:12 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-07-11 22:58 - 2012-06-02 04:05 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-07-11 22:58 - 2012-06-02 04:05 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-07-11 22:58 - 2012-06-02 04:04 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-07-11 22:58 - 2012-06-02 04:04 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-07-11 22:58 - 2012-06-02 04:03 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-07-11 22:58 - 2012-06-02 04:01 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-07-11 22:58 - 2012-06-02 04:00 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-07-11 22:58 - 2012-06-02 03:59 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-07-11 22:58 - 2012-06-02 03:57 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-07-11 22:58 - 2012-06-02 03:57 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-07-11 22:58 - 2012-06-02 03:54 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-07-11 22:58 - 2012-06-02 01:07 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-07-11 22:58 - 2012-06-02 00:43 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-07-11 22:58 - 2012-06-02 00:33 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-07-11 22:58 - 2012-06-02 00:26 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-07-11 22:58 - 2012-06-02 00:25 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-07-11 22:58 - 2012-06-02 00:25 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-07-11 22:58 - 2012-06-02 00:23 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-07-11 22:58 - 2012-06-02 00:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-07-11 22:58 - 2012-06-02 00:20 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-07-11 22:58 - 2012-06-02 00:19 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-07-11 22:58 - 2012-06-02 00:19 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-07-11 22:58 - 2012-06-02 00:17 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-07-11 22:58 - 2012-06-02 00:16 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-07-11 22:58 - 2012-06-02 00:14 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-07-11 22:57 - 2012-06-13 05:58 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-07-11 21:24 - 2012-06-08 09:59 - 12899840 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-07-11 21:24 - 2012-06-08 09:47 - 11586048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-07-11 21:24 - 2012-06-05 08:47 - 01401856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-07-11 21:24 - 2012-06-05 08:47 - 01248768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-07-11 21:24 - 2012-06-05 08:22 - 01869824 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-07-11 21:24 - 2012-06-05 08:22 - 01797120 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-07-11 21:24 - 2012-06-04 07:29 - 00516480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-07-11 21:24 - 2012-06-01 16:22 - 00347136 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-07-11 21:24 - 2012-06-01 16:22 - 00254464 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-07-11 21:24 - 2012-06-01 16:05 - 00077312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-07-11 21:24 - 2012-06-01 16:04 - 00278528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-07-11 21:24 - 2012-06-01 16:03 - 00204288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll

============ 3 Months Modified Files ========================

2012-07-29 11:29 - 2012-07-29 11:29 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\xhrlllfd.sys
2012-07-29 11:25 - 2008-01-20 19:26 - 00183136 ____A C:\Windows\PFRO.log
2012-07-29 11:00 - 2012-07-29 11:27 - 00607260 ____R (Swearware) C:\Users\Billy\Desktop\dds.scr
2012-07-29 10:36 - 2012-07-29 10:36 - 00050392 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\adkwlvpo.sys
2012-07-29 10:35 - 2012-07-29 10:35 - 00001246 ____A C:\Users\Billy\Desktop\FixExec.txt
2012-07-29 10:35 - 2006-11-02 04:46 - 00779666 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-29 10:18 - 2012-07-29 10:34 - 00457632 ____A (Bleeping Computer, LLC) C:\Users\Billy\Desktop\FixExec.exe
2012-07-29 09:36 - 2012-07-29 10:34 - 10652120 ____A (Malwarebytes Corporation ) C:\Users\Billy\Desktop\mbam-setup-1.62.0.1300.exe
2012-07-28 23:21 - 2010-01-29 16:44 - 00000894 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-28 23:18 - 2008-11-03 14:13 - 00282809 ____A C:\Users\All Users\nvModes.001
2012-07-28 23:18 - 2008-11-03 14:13 - 00282809 ____A C:\Users\All Users\Application Data\nvModes.001
2012-07-28 23:17 - 2012-06-24 17:47 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-07-28 23:17 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-28 23:17 - 2006-11-02 07:22 - 00003344 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-28 23:17 - 2006-11-02 07:22 - 00003344 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-28 22:34 - 2006-11-02 07:42 - 00032608 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-07-28 22:06 - 2008-10-08 02:18 - 02056652 ____A C:\Windows\WindowsUpdate.log
2012-07-28 22:05 - 2011-01-30 09:03 - 00001945 ____A C:\Windows\epplauncher.mif
2012-07-28 22:05 - 2008-12-10 14:23 - 00795006 ____A C:\Windows\SysWOW64\PerfStringBackup.INI
2012-07-28 21:59 - 2012-07-28 21:59 - 12621696 ____A (Microsoft Corporation) C:\Users\Billy\Desktop\mseinstall.exe
2012-07-28 21:58 - 2012-07-28 21:58 - 00509440 ____A (iS3, Inc.) C:\Users\Billy\Downloads\SZSetupAV.exe
2012-07-28 21:52 - 2010-01-29 16:44 - 00000898 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-28 13:29 - 2009-02-22 00:21 - 00000880 ____A C:\Windows\Tasks\Google Software Updater.job
2012-07-28 13:16 - 2012-06-24 17:47 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-07-28 13:16 - 2011-07-16 08:36 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-28 12:17 - 2012-07-28 12:17 - 00000938 ____A C:\Users\Public\Desktop\Trojan Killer.lnk
2012-07-28 12:17 - 2012-07-28 12:17 - 00000938 ____A C:\Users\All Users\Desktop\Trojan Killer.lnk
2012-07-28 12:16 - 2012-07-28 12:16 - 28285912 ____A (GridinSoft LLC) C:\Users\Billy\Desktop\gtk2125-setup.exe
2012-07-28 12:13 - 2012-07-28 12:13 - 00407872 ____A C:\Users\Billy\Desktop\iexplorer.exe
2012-07-27 14:08 - 2008-10-30 22:31 - 00002593 ____A C:\Users\Billy\Desktop\Word.lnk
2012-07-26 22:09 - 2012-07-26 22:09 - 00438272 ____A () C:\Users\Billy\Application Data\rowses.dll
2012-07-26 22:09 - 2012-07-26 22:09 - 00438272 ____A () C:\Users\Billy\AppData\Roaming\rowses.dll
2012-07-12 07:42 - 2006-11-02 07:21 - 00337808 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-11 23:00 - 2006-11-02 04:35 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-07-11 23:00 - 2006-11-02 04:34 - 00000275 ____A C:\Windows\win.ini
2012-07-01 18:51 - 2009-09-27 16:47 - 00001890 ____A C:\Users\Public\Desktop\Skype.lnk
2012-07-01 18:51 - 2009-09-27 16:47 - 00001890 ____A C:\Users\All Users\Desktop\Skype.lnk
2012-06-20 18:32 - 2011-06-17 20:27 - 00004284 ____A C:\Windows\setupact.log
2012-06-16 10:39 - 2008-10-30 11:51 - 00096376 ____A C:\Users\Billy\Local Settings\GDIPFONTCACHEV1.DAT
2012-06-16 10:39 - 2008-10-30 11:51 - 00096376 ____A C:\Users\Billy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2012-06-16 10:39 - 2008-10-30 11:51 - 00096376 ____A C:\Users\Billy\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-16 07:04 - 2012-02-29 10:57 - 00002987 ____A C:\Users\Public\Desktop\SolidWorks Explorer 2012.lnk
2012-06-16 07:04 - 2012-02-29 10:57 - 00002987 ____A C:\Users\All Users\Desktop\SolidWorks Explorer 2012.lnk
2012-06-16 07:04 - 2012-02-29 10:57 - 00002002 ____A C:\Users\Public\Desktop\SolidWorks eDrawings 2012.lnk
2012-06-16 07:04 - 2012-02-29 10:57 - 00002002 ____A C:\Users\All Users\Desktop\SolidWorks eDrawings 2012.lnk
2012-06-16 07:02 - 2012-06-16 07:02 - 00002012 ____A C:\Users\Public\Desktop\SolidWorks eDrawings 2012 x64 Edition.lnk
2012-06-16 07:02 - 2012-06-16 07:02 - 00002012 ____A C:\Users\All Users\Desktop\SolidWorks eDrawings 2012 x64 Edition.lnk
2012-06-16 07:02 - 2012-06-16 07:02 - 00000000 ____A C:\Windows\eDrawingOfficeAutomator.INI
2012-06-16 06:55 - 2012-02-29 10:35 - 00002711 ____A C:\Users\Public\Desktop\SolidWorks 2012 x64 Edition.lnk
2012-06-16 06:55 - 2012-02-29 10:35 - 00002711 ____A C:\Users\All Users\Desktop\SolidWorks 2012 x64 Edition.lnk
2012-06-13 05:58 - 2012-07-11 22:57 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 09:59 - 2012-07-11 21:24 - 12899840 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 09:47 - 2012-07-11 21:24 - 11586048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-06 20:09 - 2012-06-06 20:10 - 00000576 ____A C:\Users\Billy\Desktop\MultiSurf.lnk
2012-06-06 20:09 - 2012-06-06 20:09 - 00000381 ____A C:\Windows\MSURFWIN.INI
2012-06-06 20:08 - 2010-10-21 20:37 - 00000047 ____A C:\Windows\Crypkey.ini
2012-06-05 08:47 - 2012-07-11 21:24 - 01401856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 08:47 - 2012-07-11 21:24 - 01248768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 08:22 - 2012-07-11 21:24 - 01869824 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 08:22 - 2012-07-11 21:24 - 01797120 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-04 07:29 - 2012-07-11 21:24 - 00516480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-02 17:19 - 2012-06-18 20:39 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 17:19 - 2012-06-18 20:39 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2012-06-02 17:15 - 2012-06-18 20:39 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 17:12 - 2012-06-18 20:39 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2012-06-02 14:19 - 2012-06-18 20:39 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-18 20:39 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-18 20:39 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2012-06-02 14:19 - 2012-06-18 20:39 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-18 20:39 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-18 20:39 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:19 - 2012-06-18 20:39 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2012-06-02 14:15 - 2012-06-18 20:39 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-18 20:39 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:12 - 2012-06-18 20:39 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2012-06-02 04:49 - 2012-07-11 22:58 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:17 - 2012-07-11 22:58 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:12 - 2012-07-11 22:58 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:05 - 2012-07-11 22:58 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:05 - 2012-07-11 22:58 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:04 - 2012-07-11 22:58 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:04 - 2012-07-11 22:58 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:03 - 2012-07-11 22:58 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:01 - 2012-07-11 22:58 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:00 - 2012-07-11 22:58 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:59 - 2012-07-11 22:58 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:57 - 2012-07-11 22:58 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:57 - 2012-07-11 22:58 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:54 - 2012-07-11 22:58 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:07 - 2012-07-11 22:58 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 00:43 - 2012-07-11 22:58 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 00:33 - 2012-07-11 22:58 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 00:26 - 2012-07-11 22:58 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 00:25 - 2012-07-11 22:58 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 00:25 - 2012-07-11 22:58 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 00:23 - 2012-07-11 22:58 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 00:21 - 2012-07-11 22:58 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 00:20 - 2012-07-11 22:58 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 00:19 - 2012-07-11 22:58 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 00:19 - 2012-07-11 22:58 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 00:17 - 2012-07-11 22:58 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 00:16 - 2012-07-11 22:58 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 00:14 - 2012-07-11 22:58 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-01 16:22 - 2012-07-11 21:24 - 00347136 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 16:22 - 2012-07-11 21:24 - 00254464 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 16:05 - 2012-07-11 21:24 - 00077312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 16:04 - 2012-07-11 21:24 - 00278528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 16:03 - 2012-07-11 21:24 - 00204288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll
2012-05-01 06:29 - 2012-06-13 19:35 - 00209920 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\rdpwd.sys


ZeroAccess:
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L\00000004.@
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L\201d3dde
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\00000008.@

ZeroAccess:
C:\Users\Billy\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Users\Billy\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
C:\Users\Billy\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\L
C:\Users\Billy\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe
[2009-09-19 15:06] - [2009-04-10 23:10] - 0381952 ____A (Microsoft Corporation) B8844F93D2C5F1DCDB179AAA9AF134B7

C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 17%
Total physical RAM: 4092.25 MB
Available physical RAM: 3362.97 MB
Total Pagefile: 3767.6 MB
Available Pagefile: 3341.8 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:288 GB) (Free:68.63 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (RECOVERY) (Fixed) (Total:10.09 GB) (Free:0.68 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: (WWP) (CDROM) (Total:0.64 GB) (Free:0 GB) CDFS
4 Drive f: () (Removable) (Total:7.47 GB) (Free:7.28 GB) FAT32
5 Drive g: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 298 GB 1024 KB
Disk 1 Online 7658 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 288 GB 32 KB
Partition 2 Primary 10 GB 288 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 288 GB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D RECOVERY NTFS Partition 10 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7656 MB 22 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F FAT32 Removable 7656 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-07-28 21:59

======================= End Of Log ==========================




If it is any help, I also followed the next step shown in the thread


http://www.bleepingcomputer.com/forums/topic458990.html

regarding scanning using FRST64 for services.exe and that scan log is below.

Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-29 09:57:42
Running from F:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-09-19 15:05] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-09-19 15:06] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\SysWOW64\services.exe
[2009-09-19 15:05] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\System32\services.exe
[2009-09-19 15:06] - [2009-04-10 23:10] - 0381952 ____A (Microsoft Corporation) B8844F93D2C5F1DCDB179AAA9AF134B7

====== End Of Search ======



Thanks In advance!!!
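To show how the mismatch in the FRST search output above can be checked mechanically, here is an added Python example (not part of this thread, and not FRST's own code) that parses that search block, flags any live services.exe whose MD5 matches none of the side-by-side (winsxs) store copies for its architecture, and builds the `Replace:` directive FRST accepts in fixlist.txt. It assumes 64-bit Windows, so that System32 holds the amd64 binary and SysWOW64 the x86 one; the sample log is copied from the search posted above.

```python
"""Check an FRST "Search:" block for a services.exe that differs from the
winsxs store copies of the same architecture.

Added example, not part of the forum thread or of the FRST tool.
"""
import re
from dataclasses import dataclass

# Sample input: the six entries copied from the FRST search posted above.
FRST_SEARCH_LOG = r"""
================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2009-09-19 15:05] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2009-09-19 15:06] - [2009-04-10 23:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\SysWOW64\services.exe
[2009-09-19 15:05] - [2009-04-10 22:27] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\System32\services.exe
[2009-09-19 15:06] - [2009-04-10 23:10] - 0381952 ____A (Microsoft Corporation) B8844F93D2C5F1DCDB179AAA9AF134B7

====== End Of Search ======
"""

# One entry is a path line followed by "[created] - [modified] - size attrs (company) MD5".
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^\n]+)\n"
    r"\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - (?P<size>\d+) "
    r"(?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})\s*$",
    re.MULTILINE,
)


@dataclass(frozen=True)
class FileEntry:
    path: str
    size: int
    md5: str
    company: str

    @property
    def in_winsxs(self) -> bool:
        return "\\winsxs\\" in self.path.lower()

    @property
    def arch(self) -> str:
        """winsxs folder names begin with the architecture (x86_, amd64_).
        For live copies we assume 64-bit Windows, as in this thread:
        System32 holds the amd64 binary, SysWOW64 the x86 one."""
        low = self.path.lower()
        if self.in_winsxs:
            folder = low.split("\\winsxs\\", 1)[1].split("\\", 1)[0]
            return folder.split("_", 1)[0]
        return "x86" if "\\syswow64\\" in low else "amd64"


def parse_frst_search(text: str) -> list[FileEntry]:
    """Return every file entry in an FRST search block, in log order."""
    return [
        FileEntry(m["path"], int(m["size"]), m["md5"].upper(), m["company"])
        for m in ENTRY_RE.finditer(text)
    ]


def find_mismatches(entries: list[FileEntry]) -> list[tuple[FileEntry, list[FileEntry]]]:
    """Live copies whose MD5 matches no winsxs copy of the same architecture,
    each paired with the store copies that could replace it."""
    store = [e for e in entries if e.in_winsxs]
    flagged = []
    for live in entries:
        if live.in_winsxs:
            continue
        candidates = [s for s in store if s.arch == live.arch]
        if live.md5 not in {s.md5 for s in candidates}:
            flagged.append((live, candidates))
    return flagged


def fixlist_replace_line(store_copy: FileEntry, live: FileEntry) -> str:
    """The FRST fixlist.txt directive that copies a store file over the live one."""
    return f"Replace: {store_copy.path} {live.path}"


if __name__ == "__main__":
    for live, candidates in find_mismatches(parse_frst_search(FRST_SEARCH_LOG)):
        # Here the System32 copy is 381952 bytes, the store copies 384512: size
        # alone already disagrees, and the MD5 matches neither store copy.
        print(f"{live.path}: {live.size} bytes, MD5 {live.md5}, no winsxs match")
        for c in candidates:
            print(f"  {c.arch} store copy: {c.path} ({c.size} bytes, {c.md5})")
            print("  " + fixlist_replace_line(c, live))
```

Run as-is it reports only C:\Windows\System32\services.exe; the SysWOW64 copy is byte-identical (same size and MD5) to the x86 6.0.6002 store copy and so is not flagged.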


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:29 PM

Posted 30 July 2012 - 12:50 AM

Greetings And Welcome To The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.



Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt



Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe C:\Windows\System32\services.exe
C:\WINDOWS\assembly\GAC\Desktop.ini
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
C:\Users\Billy\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} 


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 surfenterprises

surfenterprises
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:09:29 AM

Posted 30 July 2012 - 09:20 PM

Hi,

Here is the fixlog

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SYSTEM at 2012-07-30 16:17:55 Run:1
Running from F:\

==============================================

C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe copied successfully to C:\Windows\System32\services.exe
C:\WINDOWS\assembly\GAC\Desktop.ini not found.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
C:\Windows\Installer\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} moved successfully.
C:\Users\Billy\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888} moved successfully.

==== End of Fixlog ====

Thanks

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:29 PM

Posted 30 July 2012 - 10:41 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 surfenterprises

surfenterprises
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:09:29 AM

Posted 31 July 2012 - 01:16 AM

Hi,

I ran combofix on the machine after following the instructions on how to turn off Microsoft Security Essentials. However, when I started running it, it popped up a dialogue box saying that MSE was still running. At that point I uninstalled MSE and continued with running combofix.

It restarted the computer once and then generated a log on the c:\ as well as opening a log, not sure if they are the same thing but here they both are, one after the other.


ComboFix 12-07-30.01 - Billy 07/30/2012 19:20:05.1.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4092.2604 [GMT -10:00]
Running from: c:\users\Billy\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
c:\users\Billy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum
c:\users\Billy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum\Live Security Platinum.lnk
c:\users\Billy\AppData\Roaming\rowses.dll
c:\users\Billy\Documents\~WRL0731.tmp
c:\users\Billy\Documents\~WRL2295.tmp
c:\windows\Downloaded Program Files\IDropPTB.dll
c:\windows\iun6002.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-06-28 to 2012-07-31 )))))))))))))))))))))))))))))))
.
.
2012-07-31 05:27 . 2012-07-31 05:37 -------- d-----w- c:\users\Billy\AppData\Local\temp
2012-07-31 05:27 . 2012-07-31 05:27 -------- d-----w- c:\users\navatek\AppData\Local\temp
2012-07-31 05:27 . 2012-07-31 05:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-31 05:09 . 2012-07-31 05:09 5742 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2012-07-29 18:36 . 2012-07-29 18:36 50392 ----a-w- c:\windows\system32\drivers\adkwlvpo.sys
2012-07-29 17:42 . 2012-07-29 17:42 -------- d-----w- C:\FRST
2012-07-28 20:17 . 2012-07-31 05:09 -------- d-----w- c:\program files (x86)\GridinSoft Trojan Killer
2012-07-28 20:08 . 2012-07-28 20:08 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-07-27 06:10 . 2012-07-29 06:22 -------- d-----w- c:\programdata\0C1CFAEF0047549464C509E42F3B707C
2012-07-27 06:09 . 2012-07-27 06:09 -------- d-----w- c:\users\Billy\AppData\Local\{A997FA7D-D7B1-11E1-8270-B8AC6F996F26}
2012-07-12 06:57 . 2012-06-13 13:58 2769408 ----a-w- c:\windows\system32\win32k.sys
2012-07-02 02:51 . 2012-07-02 02:51 -------- d-----w- c:\program files (x86)\Common Files\Skype
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-28 21:16 . 2012-06-25 01:47 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-28 21:16 . 2011-07-16 16:36 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-12 07:00 . 2006-11-02 12:35 59701280 ----a-w- c:\windows\system32\mrt.exe
2012-06-03 01:19 . 2012-06-19 04:39 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-03 01:19 . 2012-06-19 04:39 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
2012-06-03 01:15 . 2012-06-19 04:39 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-03 01:12 . 2012-06-19 04:39 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
2012-06-02 22:19 . 2012-06-19 04:39 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-19 04:39 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-19 04:39 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-19 04:39 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-19 04:39 35864 ----a-w- c:\windows\SysWow64\wups.dll
2012-06-02 22:19 . 2012-06-19 04:39 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-19 04:39 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
2012-06-02 22:15 . 2012-06-19 04:39 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-19 04:39 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 22:12 . 2012-06-19 04:39 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1c68c940-1b2f-46eb-bd8c-2e1612ff6a58}"= "c:\program files (x86)\Miniclip\prxtbMini.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{1c68c940-1b2f-46eb-bd8c-2e1612ff6a58}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{1c68c940-1b2f-46eb-bd8c-2e1612ff6a58}]
2011-05-09 08:49 176936 ----a-w- c:\program files (x86)\Miniclip\prxtbMini.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{1c68c940-1b2f-46eb-bd8c-2e1612ff6a58}"= "c:\program files (x86)\Miniclip\prxtbMini.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{1c68c940-1b2f-46eb-bd8c-2e1612ff6a58}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-07-12 226904]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-18 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"hpWirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"DpAgent"="c:\program files (x86)\DigitalPersona\Bin\dpagent.exe" [2009-12-01 842816]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-09-28 59240]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-10-10 421736]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-25 421888]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
SolidWorks Background Downloader.lnk - c:\program files (x86)\Common Files\SolidWorks Installation Manager\BackgroundDownloading\sldBgDwld.exe [2012-6-16 1855048]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
SolidWorks Background Downloader.lnk - c:\program files (x86)\Common Files\SolidWorks Installation Manager\BackgroundDownloading\sldBgDwld.exe [2012-6-16 1855048]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\F:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-28 250056]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_86727c20\AESTSr64.exe [2008-06-27 89088]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-31 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-25 21:16]
.
2012-07-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-31 17:41]
.
2012-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 00:43]
.
2012-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 00:43]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-17 1561384]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-25 15867936]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-25 82464]
"combofix"="c:\combofix\CF1008.3XE" [2008-01-21 363008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cnnb
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Billy\AppData\Roaming\Mozilla\Firefox\Profiles\20elyxkw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3067892&SearchSource=2&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Wow6432Node-HKCU-Run-rowses - c:\users\Billy\AppData\Roaming\rowses.dll
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{1C68C940-1B2F-46EB-BD8C-2E1612FF6A58} - (no file)
HKLM-Run-SysTrayApp - c:\program files (x86)\IDT\WDM\sttray64.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\adobe\SHOCKW~1\UNWISE.EXE
AddRemove-Adobe SVG Viewer - c:\windows\System32\Adobe\SVG Viewer\Uninst.isu
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1130133561-2601091404-1853074284-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:08,9d,51,49,8b,a0,fa,32,de,b5,1f,75,47,0f,7a,b2,2f,c1,1c,0d,8e,6b,c9,
a1,70,ec,d6,ff,b0,0d,db,a3,48,bf,cb,24,2f,50,8a,57,e2,01,f8,13,06,dd,35,9a,\
"??"=hex:31,0f,de,ab,49,4c,df,c0,ff,8d,32,ca,1a,d1,e6,6a
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\DigitalPersona\Bin\DpHostW.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\SMINST\BLService.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
.
**************************************************************************
.
Completion time: 2012-07-30 19:40:45 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-31 05:40
.
Pre-Run: 69,257,592,832 bytes free
Post-Run: 70,764,953,600 bytes free
.
- - End Of File - - 5134FD142047AFED465A2D08E1125F1B



.
2012-07-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-31 17:41]
.
2012-07-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 00:43]
.
2012-07-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 00:43]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-17 1561384]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-25 15867936]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-25 82464]
"combofix"="c:\combofix\CF1008.3XE" [2008-01-21 363008]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cnnb
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Billy\AppData\Roaming\Mozilla\Firefox\Profiles\20elyxkw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3067892&SearchSource=2&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
Wow6432Node-HKCU-Run-rowses - c:\users\Billy\AppData\Roaming\rowses.dll
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{1C68C940-1B2F-46EB-BD8C-2E1612FF6A58} - (no file)
HKLM-Run-SysTrayApp - c:\program files (x86)\IDT\WDM\sttray64.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\adobe\SHOCKW~1\UNWISE.EXE
AddRemove-Adobe SVG Viewer - c:\windows\System32\Adobe\SVG Viewer\Uninst.isu
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1130133561-2601091404-1853074284-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:08,9d,51,49,8b,a0,fa,32,de,b5,1f,75,47,0f,7a,b2,2f,c1,1c,0d,8e,6b,c9,
a1,70,ec,d6,ff,b0,0d,db,a3,48,bf,cb,24,2f,50,8a,57,e2,01,f8,13,06,dd,35,9a,\
"??"=hex:31,0f,de,ab,49,4c,df,c0,ff,8d,32,ca,1a,d1,e6,6a
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\DigitalPersona\Bin\DpHostW.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\SMINST\BLService.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
.
**************************************************************************
.
Completion time: 2012-07-30 19:40:45 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-31 05:40
.
Pre-Run: 69,257,592,832 bytes free
Post-Run: 70,764,953,600 bytes free
.
- - End Of File - - 5134FD142047AFED465A2D08E1125F1B


After running ComboFix, I installed Avast and then restarted the computer. It seems to be working OK, although the boot time is longer than usual.

Looks like things are getting better...

#6 gringo_pr


    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 31 July 2012 - 01:19 AM

Greetings,

The one on the C:\ drive is a copy.

I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions; ALLOW IT.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 surfenterprises

  • Topic Starter

  • Members
  • 19 posts

Posted 31 July 2012 - 03:16 AM

Gringo,

I hope I didn't screw something up. In the excitement of being able to use my computer again, I decided that I would run a scan using Malwarebytes Anti-Malware. I started it and then, about an hour in, saw that you had replied already to my previous post. It had detected 2 issues at that point, but I decided to stop it so I could follow your instructions. I realized at that point that I probably should not have done that and hoped that the computer would still work. It had detected 2 threats after an hour of scanning, and so I had it remove them. The MBAM log file is below.


Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.31.04

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Billy :: SURFENTERPRISES [administrator]

Protection: Enabled

7/30/2012 8:03:40 PM
mbam-log-2012-07-30 (20-03-40).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 193319
Time elapsed: 1 hour(s), 8 minute(s), 42 second(s) [aborted]

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\FRST\Quarantine\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
C:\Users\Billy\Desktop\AutoCAD 2009\AutoCAD 2009\xf-acad9-64-BITS.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

(end)


After removing those files the computer restarted, and it took a looooooonng time to get on to Windows. I thought I had broken it and felt really dumb. When I got on, I made sure that I backed up all files again and then proceeded with your instructions. Below is the log file from TDSSKiller.


21:57:01.0372 5952 TDSS rootkit removing tool 2.7.48.0 Jul 24 2012 13:16:32
21:57:02.0152 5952 ============================================================
21:57:02.0152 5952 Current date / time: 2012/07/30 21:57:02.0152
21:57:02.0152 5952 SystemInfo:
21:57:02.0152 5952
21:57:02.0152 5952 OS Version: 6.0.6002 ServicePack: 2.0
21:57:02.0152 5952 Product type: Workstation
21:57:02.0152 5952 ComputerName: SURFENTERPRISES
21:57:02.0152 5952 UserName: Billy
21:57:02.0152 5952 Windows directory: C:\Windows
21:57:02.0152 5952 System windows directory: C:\Windows
21:57:02.0152 5952 Running under WOW64
21:57:02.0152 5952 Processor architecture: Intel x64
21:57:02.0152 5952 Number of processors: 2
21:57:02.0152 5952 Page size: 0x1000
21:57:02.0152 5952 Boot type: Normal boot
21:57:02.0152 5952 ============================================================
21:57:03.0946 5952 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
21:57:03.0977 5952 ============================================================
21:57:03.0977 5952 \Device\Harddisk0\DR0:
21:57:03.0993 5952 MBR partitions:
21:57:03.0993 5952 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x23FFE7C1
21:57:03.0993 5952 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x23FFE800, BlocksNum 0x142E800
21:57:03.0993 5952 ============================================================
21:57:04.0040 5952 C: <-> \Device\Harddisk0\DR0\Partition0
21:57:04.0118 5952 D: <-> \Device\Harddisk0\DR0\Partition1
21:57:04.0118 5952 ============================================================
21:57:04.0118 5952 Initialize success
21:57:04.0118 5952 ============================================================
21:57:27.0752 6128 ============================================================
21:57:27.0752 6128 Scan started
21:57:27.0752 6128 Mode: Manual;
21:57:27.0752 6128 ============================================================
21:57:28.0578 6128 Accelerometer (70bbe6a93a6bb26b42b03c7d08646d4e) C:\Windows\system32\DRIVERS\Accelerometer.sys
21:57:28.0578 6128 Accelerometer - ok
21:57:28.0703 6128 ACPI (1965aaffab07e3fb03c77f81beba3547) C:\Windows\system32\drivers\acpi.sys
21:57:28.0734 6128 ACPI - ok
21:57:28.0968 6128 AdobeFlashPlayerUpdateSvc (6c40d5ed8951ab7b90d08af655224ee4) C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
21:57:28.0984 6128 AdobeFlashPlayerUpdateSvc - ok
21:57:29.0249 6128 adp94xx (f14215e37cf124104575073f782111d2) C:\Windows\system32\drivers\adp94xx.sys
21:57:29.0280 6128 adp94xx - ok
21:57:29.0390 6128 adpahci (7d05a75e3066861a6610f7ee04ff085c) C:\Windows\system32\drivers\adpahci.sys
21:57:29.0405 6128 adpahci - ok
21:57:29.0436 6128 adpu160m (820a201fe08a0c345b3bedbc30e1a77c) C:\Windows\system32\drivers\adpu160m.sys
21:57:29.0436 6128 adpu160m - ok
21:57:29.0468 6128 adpu320 (9b4ab6854559dc168fbb4c24fc52e794) C:\Windows\system32\drivers\adpu320.sys
21:57:29.0468 6128 adpu320 - ok
21:57:29.0530 6128 AeLookupSvc (0f421175574bfe0bf2f4d8e910a253bb) C:\Windows\System32\aelupsvc.dll
21:57:29.0530 6128 AeLookupSvc - ok
21:57:29.0655 6128 AESTFilters (7f66523a27754afcfecae2f5eb643a4a) C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_86727c20\AESTSr64.exe
21:57:29.0655 6128 AESTFilters - ok
21:57:29.0873 6128 AFD (c4f6ce6087760ad70960c9eb130e7943) C:\Windows\system32\drivers\afd.sys
21:57:29.0904 6128 AFD - ok
21:57:30.0014 6128 agp440 (f6f6793b7f17b550ecfdbd3b229173f7) C:\Windows\system32\drivers\agp440.sys
21:57:30.0014 6128 agp440 - ok
21:57:30.0138 6128 aic78xx (222cb641b4b8a1d1126f8033f9fd6a00) C:\Windows\system32\drivers\djsvs.sys
21:57:30.0138 6128 aic78xx - ok
21:57:30.0248 6128 aksdf (bc569a6c209d94f6643ee35710aec1f6) C:\Windows\system32\DRIVERS\aksdf.sys
21:57:30.0263 6128 aksdf - ok
21:57:30.0357 6128 akshasp (0b51c78fa897482730f226e833873f7a) C:\Windows\system32\DRIVERS\akshasp.sys
21:57:30.0357 6128 akshasp - ok
21:57:30.0388 6128 aksusb (884503ead99e5c16bf99c91ea7f2071d) C:\Windows\system32\DRIVERS\aksusb.sys
21:57:30.0388 6128 aksusb - ok
21:57:30.0450 6128 ALG (5922f4f59b7868f3d74bbbbeb7b825a3) C:\Windows\System32\alg.exe
21:57:30.0450 6128 ALG - ok
21:57:30.0497 6128 aliide (157d0898d4b73f075ce9fa26b482df98) C:\Windows\system32\drivers\aliide.sys
21:57:30.0497 6128 aliide - ok
21:57:30.0528 6128 amdide (970fa5059e61e30d25307b99903e991e) C:\Windows\system32\drivers\amdide.sys
21:57:30.0528 6128 amdide - ok
21:57:30.0560 6128 AmdK8 (cdc3632a3a5ea4dbb83e46076a3165a1) C:\Windows\system32\drivers\amdk8.sys
21:57:30.0575 6128 AmdK8 - ok
21:57:30.0653 6128 Appinfo (9c37b3fd5615477cb9a0cd116cf43f5c) C:\Windows\System32\appinfo.dll
21:57:30.0653 6128 Appinfo - ok
21:57:30.0825 6128 Apple Mobile Device (d8e18021f91ad79ca8491cb5a5da22d4) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
21:57:30.0840 6128 Apple Mobile Device - ok
21:57:30.0965 6128 arc (ba8417d4765f3988ff921f30f630e303) C:\Windows\system32\drivers\arc.sys
21:57:30.0965 6128 arc - ok
21:57:31.0043 6128 arcsas (9d41c435619733b34cc16a511e644b11) C:\Windows\system32\drivers\arcsas.sys
21:57:31.0059 6128 arcsas - ok
21:57:31.0137 6128 aswFsBlk (df59b8e8df0bd2e0e303778a3806a17d) C:\Windows\system32\drivers\aswFsBlk.sys
21:57:31.0137 6128 aswFsBlk - ok
21:57:31.0262 6128 aswMonFlt (f8e6ab4f876feff69250f2e0c29ef004) C:\Windows\system32\drivers\aswMonFlt.sys
21:57:31.0277 6128 aswMonFlt - ok
21:57:31.0371 6128 AswRdr (8047968ed077344c10b3bb81643f4c79) C:\Windows\system32\drivers\AswRdr.sys
21:57:31.0371 6128 AswRdr - ok
21:57:31.0698 6128 aswSnx (f06e230e1e8ca9437a6474b7b551cd37) C:\Windows\system32\drivers\aswSnx.sys
21:57:31.0730 6128 aswSnx - ok
21:57:31.0776 6128 aswSP (3610ca74a69e380424f0452dec5c1317) C:\Windows\system32\drivers\aswSP.sys
21:57:31.0776 6128 aswSP - ok
21:57:31.0823 6128 aswTdi (87de3e31cb0091d22351349869324065) C:\Windows\system32\drivers\aswTdi.sys
21:57:31.0823 6128 aswTdi - ok
21:57:31.0886 6128 AsyncMac (22d13ff3dafec2a80634752b1eaa2de6) C:\Windows\system32\DRIVERS\asyncmac.sys
21:57:31.0886 6128 AsyncMac - ok
21:57:31.0917 6128 atapi (e68d9b3a3905619732f7fe039466a623) C:\Windows\system32\drivers\atapi.sys
21:57:31.0917 6128 atapi - ok
21:57:32.0010 6128 AudioEndpointBuilder (79318c744693ec983d20e9337a2f8196) C:\Windows\System32\Audiosrv.dll
21:57:32.0026 6128 AudioEndpointBuilder - ok
21:57:32.0042 6128 AudioSrv (79318c744693ec983d20e9337a2f8196) C:\Windows\System32\Audiosrv.dll
21:57:32.0042 6128 AudioSrv - ok
21:57:32.0166 6128 Autodesk Licensing Service (4961850fb000896d6a6b90868dc91a98) C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe
21:57:32.0182 6128 Autodesk Licensing Service - ok
21:57:32.0307 6128 avast! Antivirus (2f7c0f3e39c45e0127fb78b2f18a41f3) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
21:57:32.0307 6128 avast! Antivirus - ok
21:57:32.0369 6128 bckd (b9b123dd438e0fa190be10a77adcf38e) C:\Windows\system32\drivers\bckd.sys
21:57:32.0369 6128 bckd - ok
21:57:32.0588 6128 bckwfs (00bf725bfd0fe84eb196e9f45dac091b) C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
21:57:32.0619 6128 bckwfs - ok
21:57:33.0087 6128 Beep - ok
21:57:33.0492 6128 BFE (ffb96c2589ffa60473ead78b39fbde29) C:\Windows\System32\bfe.dll
21:57:33.0539 6128 BFE - ok
21:57:33.0726 6128 blbdrive (79feeb40056683f8f61398d81dda65d2) C:\Windows\system32\drivers\blbdrive.sys
21:57:33.0726 6128 blbdrive - ok
21:57:33.0836 6128 Bonjour Service (ebbcd5dfbb1de70e8f4af8fa59e401fd) C:\Program Files\Bonjour\mDNSResponder.exe
21:57:33.0851 6128 Bonjour Service - ok
21:57:33.0914 6128 bowser (2348447a80920b2493a9b582a23e81e1) C:\Windows\system32\DRIVERS\bowser.sys
21:57:33.0914 6128 bowser - ok
21:57:33.0976 6128 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\drivers\brfiltlo.sys
21:57:33.0976 6128 BrFiltLo - ok
21:57:34.0007 6128 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\drivers\brfiltup.sys
21:57:34.0007 6128 BrFiltUp - ok
21:57:34.0038 6128 Browser (a1b39de453433b115b4ea69ee0343816) C:\Windows\System32\browser.dll
21:57:34.0038 6128 Browser - ok
21:57:34.0054 6128 Brserid (f0f0ba4d815be446aa6a4583ca3bca9b) C:\Windows\system32\drivers\brserid.sys
21:57:34.0070 6128 Brserid - ok
21:57:34.0085 6128 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\system32\drivers\brserwdm.sys
21:57:34.0085 6128 BrSerWdm - ok
21:57:34.0116 6128 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\system32\drivers\brusbmdm.sys
21:57:34.0116 6128 BrUsbMdm - ok
21:57:34.0132 6128 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\system32\drivers\brusbser.sys
21:57:34.0132 6128 BrUsbSer - ok
21:57:34.0163 6128 BTHMODEM (e0777b34e05f8a82a21856efc900c29f) C:\Windows\system32\drivers\bthmodem.sys
21:57:34.0163 6128 BTHMODEM - ok
21:57:34.0194 6128 catchme - ok
21:57:34.0226 6128 cdfs (b4d787db8d30793a4d4df9feed18f136) C:\Windows\system32\DRIVERS\cdfs.sys
21:57:34.0226 6128 cdfs - ok
21:57:34.0272 6128 cdrom (c025aa69be3d0d25c7a2e746ef6f94fc) C:\Windows\system32\DRIVERS\cdrom.sys
21:57:34.0272 6128 cdrom - ok
21:57:34.0366 6128 CertPropSvc (5a268127633c7ee2a7fb87f39d748d56) C:\Windows\System32\certprop.dll
21:57:34.0366 6128 CertPropSvc - ok
21:57:34.0397 6128 circlass (02ea568d498bbdd4ba55bf3fce34d456) C:\Windows\system32\DRIVERS\circlass.sys
21:57:34.0397 6128 circlass - ok
21:57:34.0475 6128 CLFS (3dca9a18b204939cfb24bea53e31eb48) C:\Windows\system32\CLFS.sys
21:57:34.0491 6128 CLFS - ok
21:57:34.0569 6128 clr_optimization_v2.0.50727_32 (8ee772032e2fe80a924f3b8dd5082194) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
21:57:34.0569 6128 clr_optimization_v2.0.50727_32 - ok
21:57:34.0678 6128 clr_optimization_v2.0.50727_64 (ce07a466201096f021cd09d631b21540) C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
21:57:34.0678 6128 clr_optimization_v2.0.50727_64 - ok
21:57:34.0818 6128 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
21:57:34.0818 6128 clr_optimization_v4.0.30319_32 - ok
21:57:34.0850 6128 clr_optimization_v4.0.30319_64 (c6f9af94dcd58122a4d7e89db6bed29d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
21:57:34.0850 6128 clr_optimization_v4.0.30319_64 - ok
21:57:34.0896 6128 CmBatt (b52d9a14ce4101577900a364ba86f3df) C:\Windows\system32\DRIVERS\CmBatt.sys
21:57:34.0896 6128 CmBatt - ok
21:57:34.0912 6128 cmdide (e5d5499a1c50a54b5161296b6afe6192) C:\Windows\system32\drivers\cmdide.sys
21:57:34.0912 6128 cmdide - ok
21:57:35.0021 6128 Com4QLBEx (7795f8cebc284a426b53f541e538695f) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
21:57:35.0021 6128 Com4QLBEx - ok
21:57:35.0037 6128 Compbatt (7fb8ad01db0eabe60c8a861531a8f431) C:\Windows\system32\DRIVERS\compbatt.sys
21:57:35.0037 6128 Compbatt - ok
21:57:35.0052 6128 COMSysApp - ok
21:57:35.0255 6128 CoordinatorServiceHost (ef8b07cee03c49174b8fdb57e04396e1) C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe
21:57:35.0255 6128 CoordinatorServiceHost - ok
21:57:35.0271 6128 crcdisk (a8585b6412253803ce8efcbd6d6dc15c) C:\Windows\system32\drivers\crcdisk.sys
21:57:35.0271 6128 crcdisk - ok
21:57:35.0302 6128 Crypkey License - ok
21:57:35.0349 6128 CryptSvc (62740b9d2a137e8ced41a9e4239a7a31) C:\Windows\system32\cryptsvc.dll
21:57:35.0364 6128 CryptSvc - ok
21:57:35.0442 6128 DcomLaunch (cf8b9a3a5e7dc57724a89d0c3e8cf9ef) C:\Windows\system32\rpcss.dll
21:57:35.0458 6128 DcomLaunch - ok
21:57:35.0520 6128 DfsC (8b722ba35205c71e7951cdc4cdbade19) C:\Windows\system32\Drivers\dfsc.sys
21:57:35.0520 6128 DfsC - ok
21:57:35.0942 6128 DFSR (c647f468f7de343df8c143655c5557d4) C:\Windows\system32\DFSR.exe
21:57:36.0035 6128 DFSR - ok
21:57:36.0285 6128 Dhcp (3ed0321127ce70acdaabbf77e157c2a7) C:\Windows\System32\dhcpcsvc.dll
21:57:36.0300 6128 Dhcp - ok
21:57:36.0394 6128 disk (b0107e40ecdb5fa692ebf832f295d905) C:\Windows\system32\drivers\disk.sys
21:57:36.0410 6128 disk - ok
21:57:36.0566 6128 Dnscache (06230f1b721494a6df8d47fd395bb1b0) C:\Windows\System32\dnsrslvr.dll
21:57:36.0566 6128 Dnscache - ok
21:57:36.0628 6128 dot3svc (1a7156dd1e850e9914e5e991e3225b94) C:\Windows\System32\dot3svc.dll
21:57:36.0628 6128 dot3svc - ok
21:57:36.0690 6128 Dot4 (74c02b1717740c3b8039539e23e4b53f) C:\Windows\system32\DRIVERS\Dot4.sys
21:57:36.0706 6128 Dot4 - ok
21:57:36.0784 6128 Dot4Print (08321d1860235bf42cf2854234337aea) C:\Windows\system32\DRIVERS\Dot4Prt.sys
21:57:36.0800 6128 Dot4Print - ok
21:57:36.0815 6128 dot4usb (4adccf0124f2b6911d3786a5d0e779e5) C:\Windows\system32\DRIVERS\dot4usb.sys
21:57:36.0815 6128 dot4usb - ok
21:57:37.0049 6128 DpHost (5bc1d876dfd53c31c5fc65d2e9614015) C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe
21:57:37.0080 6128 DpHost - ok
21:57:37.0174 6128 DPS (1583b39790db3eaec7edb0cb0140c708) C:\Windows\system32\dps.dll
21:57:37.0174 6128 DPS - ok
21:57:37.0205 6128 drmkaud (f1a78a98cfc2ee02144c6bec945447e6) C:\Windows\system32\drivers\drmkaud.sys
21:57:37.0205 6128 drmkaud - ok
21:57:37.0377 6128 DXGKrnl (b8e554e502d5123bc111f99d6a2181b4) C:\Windows\System32\drivers\dxgkrnl.sys
21:57:37.0392 6128 DXGKrnl - ok
21:57:37.0424 6128 E1G60 (264cee7b031a9d6c827f3d0cb031f2fe) C:\Windows\system32\DRIVERS\E1G6032E.sys
21:57:37.0424 6128 E1G60 - ok
21:57:37.0470 6128 EapHost (c2303883fd9be49dc36a6400643002ea) C:\Windows\System32\eapsvc.dll
21:57:37.0470 6128 EapHost - ok
21:57:37.0533 6128 Ecache (5f94962be5a62db6e447ff6470c4f48a) C:\Windows\system32\drivers\ecache.sys
21:57:37.0533 6128 Ecache - ok
21:57:37.0626 6128 ehRecvr (14ce384d2e27b64c256bda4dc39c312d) C:\Windows\ehome\ehRecvr.exe
21:57:37.0704 6128 ehRecvr - ok
21:57:37.0736 6128 ehSched (b93159c1313d66fdfbbe876f5189cd52) C:\Windows\ehome\ehsched.exe
21:57:37.0736 6128 ehSched - ok
21:57:37.0767 6128 ehstart (f5ee2527d74449868e3c3227a59bcd28) C:\Windows\ehome\ehstart.dll
21:57:37.0782 6128 ehstart - ok
21:57:37.0829 6128 elxstor (c4636d6e10469404ab5308d9fd45ed07) C:\Windows\system32\drivers\elxstor.sys
21:57:37.0845 6128 elxstor - ok
21:57:38.0016 6128 EMDMgmt (a9b18b63a4fd6baab83326706d857fab) C:\Windows\system32\emdmgmt.dll
21:57:38.0032 6128 EMDMgmt - ok
21:57:38.0094 6128 enecir (0e3f3301052673cf16813e65d5de98ad) C:\Windows\system32\DRIVERS\enecir.sys
21:57:38.0110 6128 enecir - ok
21:57:38.0157 6128 ErrDev (bc3a58e938bb277e46bf4b3003b01abd) C:\Windows\system32\drivers\errdev.sys
21:57:38.0157 6128 ErrDev - ok
21:57:38.0235 6128 EventSystem (e12f22b73f153dece721cd45ec05b4af) C:\Windows\system32\es.dll
21:57:38.0250 6128 EventSystem - ok
21:57:38.0313 6128 exfat (486844f47b6636044a42454614ed4523) C:\Windows\system32\drivers\exfat.sys
21:57:38.0313 6128 exfat - ok
21:57:38.0406 6128 fastfat (1a4bee34277784619ddaf0422c0c6e23) C:\Windows\system32\drivers\fastfat.sys
21:57:38.0406 6128 fastfat - ok
21:57:38.0438 6128 fdc (81b79b6df71fa1d2c6d688d830616e39) C:\Windows\system32\DRIVERS\fdc.sys
21:57:38.0453 6128 fdc - ok
21:57:38.0469 6128 fdPHost (bb9267acacd8b7533dd936c34a0cba5e) C:\Windows\system32\fdPHost.dll
21:57:38.0484 6128 fdPHost - ok
21:57:38.0484 6128 FDResPub (300c80931eabbe1db7591c516efe8d0f) C:\Windows\system32\fdrespub.dll
21:57:38.0500 6128 FDResPub - ok
21:57:38.0531 6128 FileInfo (457b7d1d533e4bd62a99aed9c7bb4c59) C:\Windows\system32\drivers\fileinfo.sys
21:58:05.0192 6128 usbuhci (b2872cbf9f47316abd0e0c74a1aba507) C:\Windows\system32\DRIVERS\usbuhci.sys
21:58:05.0192 6128 usbuhci - ok
21:58:05.0223 6128 usbvideo (fc33099877790d51b0927b7039059855) C:\Windows\system32\Drivers\usbvideo.sys
21:58:05.0223 6128 usbvideo - ok
21:58:05.0348 6128 UxSms (d76e231e4850bb3f88a3d9a78df191e3) C:\Windows\System32\uxsms.dll
21:58:05.0363 6128 UxSms - ok
21:58:05.0488 6128 vds (294945381dfa7ce58cecf0a9896af327) C:\Windows\System32\vds.exe
21:58:05.0504 6128 vds - ok
21:58:05.0535 6128 vfs101a (24899eff90e725d9c3ac10be870b4d1d) C:\Windows\system32\drivers\vfs101a.sys
21:58:05.0535 6128 vfs101a - ok
21:58:05.0597 6128 vfsFPService (7edc5afee9570c821a64c85c15f86e3a) C:\Windows\system32\vfsFPService.exe
21:58:05.0613 6128 vfsFPService - ok
21:58:05.0691 6128 vga (916b94bcf1e09873fff2d5fb11767bbc) C:\Windows\system32\DRIVERS\vgapnp.sys
21:58:05.0691 6128 vga - ok
21:58:05.0706 6128 VgaSave (b83ab16b51feda65dd81b8c59d114d63) C:\Windows\System32\drivers\vga.sys
21:58:05.0706 6128 VgaSave - ok
21:58:05.0722 6128 viaide (8294b6c3fdb6c33f24e150de647ecdaa) C:\Windows\system32\drivers\viaide.sys
21:58:05.0722 6128 viaide - ok
21:58:05.0753 6128 volmgr (2b7e885ed951519a12c450d24535dfca) C:\Windows\system32\drivers\volmgr.sys
21:58:05.0753 6128 volmgr - ok
21:58:05.0831 6128 volmgrx (cec5ac15277d75d9e5dec2e1c6eaf877) C:\Windows\system32\drivers\volmgrx.sys
21:58:05.0862 6128 volmgrx - ok
21:58:05.0909 6128 volsnap (5280aada24ab36b01a84a6424c475c8d) C:\Windows\system32\drivers\volsnap.sys
21:58:05.0909 6128 volsnap - ok
21:58:05.0940 6128 vsmraid (a68f455ed2673835209318dd61bfbb0e) C:\Windows\system32\drivers\vsmraid.sys
21:58:05.0940 6128 vsmraid - ok
21:58:06.0065 6128 VSS (b75232dad33bfd95bf6f0a3e6bff51e1) C:\Windows\system32\vssvc.exe
21:58:06.0128 6128 VSS - ok
21:58:06.0190 6128 W32Time (f14a7de2ea41883e250892e1e5230a9a) C:\Windows\system32\w32time.dll
21:58:06.0206 6128 W32Time - ok
21:58:06.0299 6128 WacomPen (fef8fe5923fead2cee4dfabfce3393a7) C:\Windows\system32\drivers\wacompen.sys
21:58:06.0299 6128 WacomPen - ok
21:58:06.0330 6128 Wanarp (b8e7049622300d20ba6d8be0c47c0cfd) C:\Windows\system32\DRIVERS\wanarp.sys
21:58:06.0330 6128 Wanarp - ok
21:58:06.0330 6128 Wanarpv6 (b8e7049622300d20ba6d8be0c47c0cfd) C:\Windows\system32\DRIVERS\wanarp.sys
21:58:06.0330 6128 Wanarpv6 - ok
21:58:06.0580 6128 wcncsvc (b4e4c37d0aa6100090a53213ee2bf1c1) C:\Windows\System32\wcncsvc.dll
21:58:06.0627 6128 wcncsvc - ok
21:58:06.0658 6128 WcsPlugInService (ea4b369560e986f19d93f45a881484ac) C:\Windows\System32\WcsPlugInService.dll
21:58:06.0658 6128 WcsPlugInService - ok
21:58:06.0674 6128 Wd (0c17a0816f65b89e362e682ad5e7266e) C:\Windows\system32\drivers\wd.sys
21:58:06.0674 6128 Wd - ok
21:58:06.0783 6128 Wdf01000 (d02e7e4567da1e7582fbf6a91144b0df) C:\Windows\system32\drivers\Wdf01000.sys
21:58:06.0814 6128 Wdf01000 - ok
21:58:06.0830 6128 WdiServiceHost (c5efda73ebfca8b02a094898de0a9276) C:\Windows\system32\wdi.dll
21:58:06.0830 6128 WdiServiceHost - ok
21:58:06.0830 6128 WdiSystemHost (c5efda73ebfca8b02a094898de0a9276) C:\Windows\system32\wdi.dll
21:58:06.0845 6128 WdiSystemHost - ok
21:58:06.0892 6128 WebClient (3e6d05381cf35f75ebb055544a8ed9ac) C:\Windows\System32\webclnt.dll
21:58:06.0892 6128 WebClient - ok
21:58:06.0954 6128 Wecsvc (8d40bc587993f876658bf9fb0f7d3462) C:\Windows\system32\wecsvc.dll
21:58:06.0970 6128 Wecsvc - ok
21:58:06.0986 6128 wercplsupport (9c980351d7e96288ea0c23ae232bd065) C:\Windows\System32\wercplsupport.dll
21:58:06.0986 6128 wercplsupport - ok
21:58:07.0017 6128 WerSvc (66b9ecebc46683f47edc06333c075fef) C:\Windows\System32\WerSvc.dll
21:58:07.0032 6128 WerSvc - ok
21:58:07.0126 6128 WinDefend - ok
21:58:07.0126 6128 WinHttpAutoProxySvc - ok
21:58:07.0188 6128 Winmgmt (d2e7296ed1bd26d8db2799770c077a02) C:\Windows\system32\wbem\WMIsvc.dll
21:58:07.0204 6128 Winmgmt - ok
21:58:07.0344 6128 WinRM (6cbb0c68f13b9c2ec1b16f5fa5e7c869) C:\Windows\system32\WsmSvc.dll
21:58:07.0438 6128 WinRM - ok
21:58:07.0641 6128 Wlansvc (ec339c8115e91baed835957e9a677f16) C:\Windows\System32\wlansvc.dll
21:58:07.0672 6128 Wlansvc - ok
21:58:07.0703 6128 WmiAcpi (e18aebaaa5a773fe11aa2c70f65320f5) C:\Windows\system32\DRIVERS\wmiacpi.sys
21:58:07.0703 6128 WmiAcpi - ok
21:58:07.0781 6128 wmiApSrv (21fa389e65a852698b6a1341f36ee02d) C:\Windows\system32\wbem\WmiApSrv.exe
21:58:07.0781 6128 wmiApSrv - ok
21:58:07.0828 6128 WMPNetworkSvc - ok
21:58:07.0875 6128 WPCSvc (cbc156c913f099e6680d1df9307db7a8) C:\Windows\System32\wpcsvc.dll
21:58:07.0890 6128 WPCSvc - ok
21:58:07.0937 6128 WPDBusEnum (490a18b4e4d53dc10879deaa8e8b70d9) C:\Windows\system32\wpdbusenum.dll
21:58:07.0937 6128 WPDBusEnum - ok
21:58:07.0968 6128 WpdUsb (5e2401b3fc1089c90e081291357371a9) C:\Windows\system32\DRIVERS\wpdusb.sys
21:58:07.0968 6128 WpdUsb - ok
21:58:08.0280 6128 WPFFontCache_v0400 (991e2c2cf3bc204c2bb2ee1476149e4e) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe
21:58:08.0343 6128 WPFFontCache_v0400 - ok
21:58:08.0374 6128 ws2ifsl (8a900348370e359b6bff6a550e4649e1) C:\Windows\system32\drivers\ws2ifsl.sys
21:58:08.0374 6128 ws2ifsl - ok
21:58:08.0452 6128 wscsvc (9ea3e6d0ef7a5c2b9181961052a4b01a) C:\Windows\system32\wscsvc.dll
21:58:08.0468 6128 wscsvc - ok
21:58:08.0468 6128 WSearch - ok
21:58:08.0795 6128 wuauserv (d9ef901dca379cfe914e9fa13b73b4c4) C:\Windows\system32\wuaueng.dll
21:58:09.0170 6128 wuauserv - ok
21:58:09.0310 6128 WUDFRd (501a65252617b495c0f1832f908d54d8) C:\Windows\system32\DRIVERS\WUDFRd.sys
21:58:09.0310 6128 WUDFRd - ok
21:58:09.0419 6128 wudfsvc (6cbd51ff913c851d56ed9dc7f2a27dde) C:\Windows\System32\WUDFSvc.dll
21:58:09.0419 6128 wudfsvc - ok
21:58:09.0560 6128 yukonx64 (07f7285220307aafb755d890295f0f9a) C:\Windows\system32\DRIVERS\yk60x64.sys
21:58:09.0575 6128 yukonx64 - ok
21:58:09.0622 6128 MBR (0x1B8) (588ae8f0c685c02ba11f30d9cd7e61a0) \Device\Harddisk0\DR0
21:58:09.0731 6128 \Device\Harddisk0\DR0 - ok
21:58:09.0747 6128 Boot (0x1200) (f7b3aee3d3a924fc860f6ad523730f53) \Device\Harddisk0\DR0\Partition0
21:58:09.0747 6128 \Device\Harddisk0\DR0\Partition0 - ok
21:58:09.0747 6128 Boot (0x1200) (19b0e94c78ff1a48001527e69f68f85a) \Device\Harddisk0\DR0\Partition1
21:58:09.0762 6128 \Device\Harddisk0\DR0\Partition1 - ok
21:58:09.0762 6128 ============================================================
21:58:09.0762 6128 Scan finished
21:58:09.0762 6128 ============================================================
21:58:09.0778 5676 Detected object count: 0
21:58:09.0778 5676 Actual detected object count: 0



TDSS Killer didn't ask me to update anything when I opened it and didn't restart my computer. It also didn't detect any files to fix.


The report from aswMBR is here.


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-30 22:00:44
-----------------------------
22:00:44.647 OS Version: Windows x64 6.0.6002 Service Pack 2
22:00:44.663 Number of processors: 2 586 0x1706
22:00:44.663 ComputerName: SURFENTERPRISES UserName: Billy
22:00:46.800 Initialize success
22:00:47.221 AVAST engine defs: 12073100
22:01:21.901 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
22:01:21.901 Disk 0 Vendor: FUJITSU_ 8909 Size: 305245MB BusType: 3
22:01:21.901 Disk 0 MBR read successfully
22:01:21.901 Disk 0 MBR scan
22:01:21.901 Disk 0 unknown MBR code
22:01:21.917 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 294908 MB offset 63
22:01:21.932 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10333 MB offset 603973632
22:01:21.963 Disk 0 scanning C:\Windows\system32\drivers
22:01:37.610 Service scanning
22:02:02.898 Modules scanning
22:02:02.898 Disk 0 trace - called modules:
22:02:02.913 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys iaStor.sys hal.dll
22:02:02.913 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004f8a260]
22:02:02.913 3 CLASSPNP.SYS[fffffa6000a4ac33] -> nt!IofCallDriver -> [0xfffffa8004f8ab10]
22:02:02.929 5 hpdskflt.sys[fffffa6001bf8276] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004c3c050]
22:02:04.551 AVAST engine scan C:\Windows
22:02:12.866 AVAST engine scan C:\Windows\system32
22:05:31.068 AVAST engine scan C:\Windows\system32\drivers
22:05:45.233 AVAST engine scan C:\Users\Billy
22:07:08.446 Disk 0 MBR has been saved successfully to "C:\Users\Billy\Desktop\MBR.dat"
22:07:08.446 The log file has been saved successfully to "C:\Users\Billy\Desktop\aswMBRlog.txt"


Hope this will still work, I won't do anything until I hear back.








and I saved the log file. The log file is

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:29 PM

Posted 31 July 2012 - 03:28 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

File::
c:\windows\system32\drivers\adkwlvpo.sys

Firefox::
FF - ProfilePath - c:\users\Billy\AppData\Roaming\Mozilla\Firefox\Profiles\20elyxkw.default\
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3067892&SearchSource=2&q=

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 surfenterprises

surfenterprises
  • Topic Starter

  • Members
  • 19 posts
  • Local time:09:29 AM

Posted 01 August 2012 - 12:51 AM

Hi Gringo,

Here is the report from running combofix.

ComboFix 12-07-30.03 - Billy 07/31/2012 17:44:41.2.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4092.2000 [GMT -10:00]
Running from: c:\users\Billy\Desktop\ComboFix.exe
Command switches used :: c:\users\Billy\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\drivers\adkwlvpo.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\adkwlvpo.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-07-01 to 2012-08-01 )))))))))))))))))))))))))))))))
.
.
2012-08-01 04:02 . 2012-08-01 05:38 -------- d-----w- c:\users\Billy\AppData\Local\temp
2012-08-01 04:02 . 2012-08-01 04:02 -------- d-----w- c:\users\navatek\AppData\Local\temp
2012-08-01 04:02 . 2012-08-01 04:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-31 06:01 . 2012-07-31 06:01 -------- d-----w- c:\users\Billy\AppData\Roaming\Malwarebytes
2012-07-31 06:01 . 2012-07-31 06:01 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-07-31 06:01 . 2012-07-31 06:01 -------- d-----w- c:\programdata\Malwarebytes
2012-07-31 06:01 . 2012-07-03 23:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-31 05:47 . 2012-07-03 16:21 355856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-07-31 05:47 . 2012-07-03 16:21 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-07-31 05:47 . 2012-07-03 16:21 958400 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-07-31 05:47 . 2012-07-03 16:21 71064 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-07-31 05:47 . 2012-07-03 16:21 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-07-31 05:47 . 2012-07-03 16:21 44272 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-07-31 05:47 . 2012-07-03 16:21 285328 ----a-w- c:\windows\system32\aswBoot.exe
2012-07-31 05:47 . 2012-07-03 16:21 41224 ----a-w- c:\windows\avastSS.scr
2012-07-31 05:47 . 2012-07-03 16:21 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-07-31 05:46 . 2012-07-31 05:46 -------- d-----w- c:\programdata\AVAST Software
2012-07-31 05:46 . 2012-07-31 05:46 -------- d-----w- c:\program files\AVAST Software
2012-07-29 17:42 . 2012-07-29 17:42 -------- d-----w- C:\FRST
2012-07-28 20:17 . 2012-07-31 05:09 -------- d-----w- c:\program files (x86)\GridinSoft Trojan Killer
2012-07-28 20:08 . 2012-07-28 20:08 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-07-27 06:10 . 2012-07-29 06:22 -------- d-----w- c:\programdata\0C1CFAEF0047549464C509E42F3B707C
2012-07-27 06:09 . 2012-07-27 06:09 -------- d-----w- c:\users\Billy\AppData\Local\{A997FA7D-D7B1-11E1-8270-B8AC6F996F26}
2012-07-12 06:57 . 2012-06-13 13:58 2769408 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-28 21:16 . 2012-06-25 01:47 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-28 21:16 . 2011-07-16 16:36 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-12 07:00 . 2006-11-02 12:35 59701280 ----a-w- c:\windows\system32\mrt.exe
2012-06-03 01:19 . 2012-06-19 04:39 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-03 01:19 . 2012-06-19 04:39 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
2012-06-03 01:15 . 2012-06-19 04:39 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-03 01:12 . 2012-06-19 04:39 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
2012-06-02 22:19 . 2012-06-19 04:39 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-19 04:39 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-19 04:39 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-19 04:39 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-19 04:39 35864 ----a-w- c:\windows\SysWow64\wups.dll
2012-06-02 22:19 . 2012-06-19 04:39 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-19 04:39 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
2012-06-02 22:15 . 2012-06-19 04:39 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-19 04:39 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 22:12 . 2012-06-19 04:39 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-31_05.37.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 02:23 . 2012-08-01 03:36 91034 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-10-30 08:18 . 2012-08-01 03:36 26554 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1130133561-2601091404-1853074284-1000_UserData.bin
- 2012-07-31 05:30 . 2012-07-31 05:30 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-01 04:04 . 2012-08-01 04:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-01 04:04 . 2012-08-01 04:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-07-31 05:30 . 2012-07-31 05:30 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-07-28 20:08 . 2012-07-29 05:57 147456 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2012-07-28 20:08 . 2012-08-01 04:04 147456 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 15:45 . 2012-08-01 03:36 110468 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 12:46 . 2012-08-01 04:12 668332 c:\windows\system32\perfh009.dat
- 2006-11-02 12:46 . 2012-07-31 05:15 668332 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-08-01 04:12 128720 c:\windows\system32\perfc009.dat
- 2006-11-02 12:46 . 2012-07-31 05:15 128720 c:\windows\system32\perfc009.dat
- 2006-11-02 15:21 . 2012-07-12 15:42 337808 c:\windows\system32\FNTCACHE.DAT
+ 2006-11-02 15:21 . 2012-07-31 07:49 337808 c:\windows\system32\FNTCACHE.DAT
- 2011-02-10 07:00 . 2012-07-31 05:28 295812 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-02-10 07:00 . 2012-08-01 04:03 295812 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2008-01-21 03:20 . 2012-08-01 04:04 2392064 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2012-07-29 05:57 2392064 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20 . 2012-08-01 04:04 3981312 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-21 03:20 . 2012-07-29 05:57 3981312 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-05 21:38 . 2012-07-31 15:42 4651556 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1130133561-2601091404-1853074284-1000-8192.dat
- 2011-05-05 21:38 . 2012-07-27 06:15 4651556 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1130133561-2601091404-1853074284-1000-8192.dat
+ 2011-05-04 06:53 . 2012-08-01 04:03 9900456 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1130133561-2601091404-1853074284-1000-4096.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1c68c940-1b2f-46eb-bd8c-2e1612ff6a58}"= "c:\program files (x86)\Miniclip\prxtbMini.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{1c68c940-1b2f-46eb-bd8c-2e1612ff6a58}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{1c68c940-1b2f-46eb-bd8c-2e1612ff6a58}]
2011-05-09 08:49 176936 ----a-w- c:\program files (x86)\Miniclip\prxtbMini.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{1c68c940-1b2f-46eb-bd8c-2e1612ff6a58}"= "c:\program files (x86)\Miniclip\prxtbMini.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{1c68c940-1b2f-46eb-bd8c-2e1612ff6a58}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-07-12 226904]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-18 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"hpWirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"DpAgent"="c:\program files (x86)\DigitalPersona\Bin\dpagent.exe" [2009-12-01 842816]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-09-28 59240]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-10-10 421736]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-25 421888]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
SolidWorks Background Downloader.lnk - c:\program files (x86)\Common Files\SolidWorks Installation Manager\BackgroundDownloading\sldBgDwld.exe [2012-6-16 1855048]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
SolidWorks Background Downloader.lnk - c:\program files (x86)\Common Files\SolidWorks Installation Manager\BackgroundDownloading\sldBgDwld.exe [2012-6-16 1855048]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\F:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-28 250056]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_86727c20\AESTSr64.exe [2008-06-27 89088]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-25 21:16]
.
2012-07-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-31 17:41]
.
2012-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 00:43]
.
2012-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 00:43]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-07-03 16:21 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-17 1561384]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-25 15867936]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-25 82464]
"SysTrayApp"="c:\program files (x86)\IDT\WDM\sttray64.exe" [BU]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cnnb
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Billy\AppData\Roaming\Mozilla\Firefox\Profiles\20elyxkw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{1C68C940-1B2F-46EB-BD8C-2E1612FF6A58} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1130133561-2601091404-1853074284-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:08,9d,51,49,8b,a0,fa,32,de,b5,1f,75,47,0f,7a,b2,2f,c1,1c,0d,8e,6b,c9,
a1,70,ec,d6,ff,b0,0d,db,a3,48,bf,cb,24,2f,50,8a,57,e2,01,f8,13,06,dd,35,9a,\
"??"=hex:31,0f,de,ab,49,4c,df,c0,ff,8d,32,ca,1a,d1,e6,6a
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\DigitalPersona\Bin\DpHostW.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\SMINST\BLService.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
c:\program files (x86)\Hewlett-Packard\Shared\HpqToaster.exe
.
**************************************************************************
.
Completion time: 2012-07-31 19:42:36 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-01 05:42
ComboFix2.txt 2012-07-31 05:40
.
Pre-Run: 69,079,433,216 bytes free
Post-Run: 69,833,441,280 bytes free
.
- - End Of File - - D8680E20F1734D37408CA4E2A62F1968


The boot time has gotten a little better and most programs are functioning normally.

Do you think the computer is secure now, or is there a possibility that there is still a trojan or whatever that somebody could steal information with?

Also, any way to make the boot time faster, or to reduce the amount of background extraneous crap that is running at any given time?

I have Avast installed now and also the trial version of MBAM. Is that a good package to keep me secure from any future attacks?

I will certainly be making a donation to you and thank you very much for all your help!!

#10 surfenterprises (Topic Starter, Members, 19 posts)

Posted 01 August 2012 - 01:54 AM

Let me clarify the long boot time a little. It is making it to the logon screen pretty quickly now, but after I log on it takes quite a while to get to the desktop and then I can't really do anything for a while because it seems like it is loading something and working very hard. Maybe I need to edit startup programs or something?

#11 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Location: Puerto Rico)

Posted 01 August 2012 - 07:06 AM

Hello

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box:
    C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 surfenterprises (Topic Starter, Members, 19 posts)

Posted 01 August 2012 - 10:49 AM

Crap, I don't know what happened. Yesterday I was able to restart the computer and it seemed to be functioning ok although there was the long wait after logon and once I got to the desktop. This morning when I just tried to boot it up it didn't even make it to the logon screen for Windows. When I first turned it on it showed the HP boot screen which would allow me to go into boot options if I pressed Esc, but if I let it go through that screen and start to load Windows (the point at which I would be able to press F8 and get the Windows advanced boot options) the screen stays black and Windows does not load. It just hangs there with the processor light on solid and the screen stays dark. I didn't leave it for very long at this point (maybe 5 mins) so I don't know if it would eventually recover. I turned it off by holding the power button (which by the way is also dark, there is usually a little light on the power button but it wasn't turning on) and then when I tried to start it again the same thing happened. What do you think I should do now?

#13 surfenterprises (Topic Starter, Members, 19 posts)

Posted 01 August 2012 - 05:03 PM

Ok, I managed to get the thing working and was able to get back onto Windows. Here is a report from running ComboFix and the extra report.


ComboFix 12-07-31.03 - Billy 08/01/2012 9:21.3.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.4092.2402 [GMT -10:00]
Running from: c:\users\Billy\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-07-01 to 2012-08-01 )))))))))))))))))))))))))))))))
.
.
2012-08-01 19:39 . 2012-08-01 21:41 -------- d-----w- c:\users\Billy\AppData\Local\temp
2012-08-01 19:39 . 2012-08-01 19:39 -------- d-----w- c:\users\navatek\AppData\Local\temp
2012-08-01 19:39 . 2012-08-01 19:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-31 06:01 . 2012-07-31 06:01 -------- d-----w- c:\users\Billy\AppData\Roaming\Malwarebytes
2012-07-31 06:01 . 2012-07-31 06:01 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-07-31 06:01 . 2012-07-31 06:01 -------- d-----w- c:\programdata\Malwarebytes
2012-07-31 06:01 . 2012-07-03 23:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-31 05:47 . 2012-07-03 16:21 355856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-07-31 05:47 . 2012-07-03 16:21 25232 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-07-31 05:47 . 2012-07-03 16:21 958400 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-07-31 05:47 . 2012-07-03 16:21 71064 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2012-07-31 05:47 . 2012-07-03 16:21 59728 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-07-31 05:47 . 2012-07-03 16:21 44272 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-07-31 05:47 . 2012-07-03 16:21 285328 ----a-w- c:\windows\system32\aswBoot.exe
2012-07-31 05:47 . 2012-07-03 16:21 41224 ----a-w- c:\windows\avastSS.scr
2012-07-31 05:47 . 2012-07-03 16:21 227648 ----a-w- c:\windows\SysWow64\aswBoot.exe
2012-07-31 05:46 . 2012-07-31 05:46 -------- d-----w- c:\programdata\AVAST Software
2012-07-31 05:46 . 2012-07-31 05:46 -------- d-----w- c:\program files\AVAST Software
2012-07-29 17:42 . 2012-07-29 17:42 -------- d-----w- C:\FRST
2012-07-28 20:17 . 2012-07-31 05:09 -------- d-----w- c:\program files (x86)\GridinSoft Trojan Killer
2012-07-28 20:08 . 2012-07-28 20:08 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-07-27 06:10 . 2012-07-29 06:22 -------- d-----w- c:\programdata\0C1CFAEF0047549464C509E42F3B707C
2012-07-27 06:09 . 2012-07-27 06:09 -------- d-----w- c:\users\Billy\AppData\Local\{A997FA7D-D7B1-11E1-8270-B8AC6F996F26}
2012-07-12 06:57 . 2012-06-13 13:58 2769408 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-28 21:16 . 2012-06-25 01:47 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-28 21:16 . 2011-07-16 16:36 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-12 07:00 . 2006-11-02 12:35 59701280 ----a-w- c:\windows\system32\mrt.exe
2012-06-03 01:19 . 2012-06-19 04:39 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-03 01:19 . 2012-06-19 04:39 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
2012-06-03 01:15 . 2012-06-19 04:39 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-03 01:12 . 2012-06-19 04:39 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
2012-06-02 22:19 . 2012-06-19 04:39 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-19 04:39 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-19 04:39 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-19 04:39 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-19 04:39 35864 ----a-w- c:\windows\SysWow64\wups.dll
2012-06-02 22:19 . 2012-06-19 04:39 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-19 04:39 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
2012-06-02 22:15 . 2012-06-19 04:39 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-19 04:39 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 22:12 . 2012-06-19 04:39 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-31_05.37.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 02:23 . 2012-08-01 06:52 91254 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-10-30 08:18 . 2012-08-01 19:14 26674 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1130133561-2601091404-1853074284-1000_UserData.bin
+ 2006-11-02 12:40 . 2012-08-01 19:11 51200 c:\windows\inf\infpub.dat
- 2006-11-02 12:40 . 2012-07-31 05:05 51200 c:\windows\inf\infpub.dat
- 2012-07-31 05:30 . 2012-07-31 05:30 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-01 19:41 . 2012-08-01 19:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-07-31 05:30 . 2012-07-31 05:30 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-01 19:41 . 2012-08-01 19:41 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-07-28 20:08 . 2012-08-01 19:14 147456 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-07-28 20:08 . 2012-07-29 05:57 147456 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 15:45 . 2012-08-01 19:14 110700 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2006-11-02 12:46 . 2012-07-31 05:15 668332 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-08-01 19:15 668332 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-08-01 19:15 128720 c:\windows\system32\perfc009.dat
- 2006-11-02 12:46 . 2012-07-31 05:15 128720 c:\windows\system32\perfc009.dat
- 2006-11-02 15:21 . 2012-07-12 15:42 337808 c:\windows\system32\FNTCACHE.DAT
+ 2006-11-02 15:21 . 2012-07-31 07:49 337808 c:\windows\system32\FNTCACHE.DAT
+ 2011-02-10 07:00 . 2012-08-01 19:39 295812 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-02-10 07:00 . 2012-07-31 05:28 295812 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2006-11-02 12:40 . 2012-08-01 19:11 143360 c:\windows\inf\infstrng.dat
- 2006-11-02 12:40 . 2012-07-31 05:05 143360 c:\windows\inf\infstrng.dat
+ 2008-01-21 03:20 . 2012-08-01 19:14 2392064 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2012-07-29 05:57 2392064 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-21 03:20 . 2012-08-01 19:14 3981312 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-21 03:20 . 2012-07-29 05:57 3981312 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-05 21:38 . 2012-08-01 06:46 4651556 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1130133561-2601091404-1853074284-1000-8192.dat
- 2011-05-05 21:38 . 2012-07-27 06:15 4651556 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1130133561-2601091404-1853074284-1000-8192.dat
+ 2011-05-04 06:53 . 2012-08-01 06:46 9911148 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1130133561-2601091404-1853074284-1000-4096.dat
- 2012-03-01 03:54 . 2012-07-31 05:28 3015860 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1130133561-2601091404-1853074284-1000-12288.dat
+ 2012-03-01 03:54 . 2012-08-01 06:46 3015860 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1130133561-2601091404-1853074284-1000-12288.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1c68c940-1b2f-46eb-bd8c-2e1612ff6a58}"= "c:\program files (x86)\Miniclip\prxtbMini.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{1c68c940-1b2f-46eb-bd8c-2e1612ff6a58}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{1c68c940-1b2f-46eb-bd8c-2e1612ff6a58}]
2011-05-09 08:49 176936 ----a-w- c:\program files (x86)\Miniclip\prxtbMini.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{1c68c940-1b2f-46eb-bd8c-2e1612ff6a58}"= "c:\program files (x86)\Miniclip\prxtbMini.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{1c68c940-1b2f-46eb-bd8c-2e1612ff6a58}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-07-12 226904]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-18 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl.exe"="c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-16 75008]
"hpWirelessAssistant"="c:\program files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"DpAgent"="c:\program files (x86)\DigitalPersona\Bin\dpagent.exe" [2009-12-01 842816]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-09-28 59240]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-10-10 421736]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-25 421888]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-07-03 4273976]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
SolidWorks Background Downloader.lnk - c:\program files (x86)\Common Files\SolidWorks Installation Manager\BackgroundDownloading\sldBgDwld.exe [2012-6-16 1855048]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled
SolidWorks Background Downloader.lnk - c:\program files (x86)\Common Files\SolidWorks Installation Manager\BackgroundDownloading\sldBgDwld.exe [2012-6-16 1855048]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\F:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-28 250056]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_86727c20\AESTSr64.exe [2008-06-27 89088]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-01 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-25 21:16]
.
2012-08-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-31 17:41]
.
2012-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 00:43]
.
2012-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-01-30 00:43]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-07-03 16:21 133400 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-17 1561384]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-07-25 15867936]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-07-25 82464]
"SysTrayApp"="c:\program files (x86)\IDT\WDM\sttray64.exe" [BU]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cnnb
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1 192.168.0.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - c:\users\Billy\AppData\Roaming\Mozilla\Firefox\Profiles\20elyxkw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3067892&SearchSource=2&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{1C68C940-1B2F-46EB-BD8C-2E1612FF6A58} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1130133561-2601091404-1853074284-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:08,9d,51,49,8b,a0,fa,32,de,b5,1f,75,47,0f,7a,b2,2f,c1,1c,0d,8e,6b,c9,
a1,70,ec,d6,ff,b0,0d,db,a3,48,bf,cb,24,2f,50,8a,57,e2,01,f8,13,06,dd,35,9a,\
"??"=hex:31,0f,de,ab,49,4c,df,c0,ff,8d,32,ca,1a,d1,e6,6a
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_268_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_268.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\DigitalPersona\Bin\DpHostW.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\SMINST\BLService.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
c:\program files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files (x86)\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
c:\program files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
c:\program files (x86)\Hewlett-Packard\Shared\HpqToaster.exe
.
**************************************************************************
.
Completion time: 2012-08-01 11:45:10 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-01 21:45
ComboFix2.txt 2012-08-01 05:42
ComboFix3.txt 2012-07-31 05:40
.
Pre-Run: 70,188,822,528 bytes free
Post-Run: 71,420,121,088 bytes free
.
- - End Of File - - 17057FCBB145CBD28C4A6373844963C8




EXTRA REPORT

ActiveCheck component for HP Active Support Library
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Photoshop 6.0
Adobe Reader 8.1.3
Adobe Shockwave Player 11
Adobe SVG Viewer
AIO_CDA_ProductContext
AIO_CDA_Software
AIO_Scan
AKU SHAPER
Apple Application Support
Apple Software Update
avast! Free Antivirus
Battlefield 1942
Battlefield 1942: Secret Weapons of WWII
Battlefield 1942: The Road To Rome
BufferChm
C3100
c3100_Help
Compatibility Pack for the 2007 Office system
Copy
Crimson Editor (remove only)
CustomerResearchQFolder
CyberLink DVD Suite
CyberLink YouCam
DefilerPak 1.19 (Remove Only)
Destinations
DeviceManagementQFolder
DocProc
DocProcQFolder
EA SPORTS online 2008
ESU for Microsoft Vista
eSupportQFolder
Fax
FIFA 08
GameSpy Arcade
Garmin Training Center
Garmin Trip and Waypoint Manager v5
Garmin USB Drivers
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
GPL Ghostscript Lite 8.63
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Doc Viewer
HP Help and Support
HP Photosmart Essential
HP Quick Launch Buttons 6.40 H2
HP Smart Web Printing
HP Update
HP Wireless Assistant
HPAsset component for HP Active Support Library
HPProductAssistant
HPSSupply
HPTCSSetup
IDT Audio
Ipswitch WS_FTP Professional 2007
Java Auto Updater
Java™ 6 Update 24
JMicron JMB38X Flash Media Controller
Malwarebytes Anti-Malware version 1.62.0.1300
MapSend Manager
MarketResearch
Mastercam X4
Mastercam X4 Catia Translator
Mastercam X4 Direct For Inventor
Mastercam X4 Direct For SolidEdge
Mastercam X4 Direct For SolidWorks
Mastercam X4 Sample Files
Mastercam X4 Videos
Microsoft Office 2003 Web Components
Microsoft Office File Validation Add-In
Microsoft Office Standard Edition 2003
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (AUTODESKVAULT)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Setup Support Files (English)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft Visual C++ 8.0 Support DLLs
Microsoft Visual Studio 2005 Tools for Applications - ENU
Microsoft WSE 3.0 Runtime
Miniclip Toolbar
Mozilla Firefox 12.0 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MultiSurf
muvee autoProducer 6.1
Need For Speed Hot Pursuit 2
Origin
Power2Go
PowerDirector
QuickTime
Realtek 8169 8168 8101E 8102E Ethernet Driver
Rhinoceros 4.0 SR6
Rhinoceros 4.0 SR8
Safari
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Skype Toolbars
Skype™ 5.9
SolidWorks 2012 x64 Edition SP03
SolutionCenter
Status
Toolbox
TrayApp
TurboTax 2008
TurboTax 2008 whiiper
TurboTax 2008 WinBizFedFormset
TurboTax 2008 WinBizProgramHelp
TurboTax 2008 WinBizReleaseEngine
TurboTax 2008 WinBizTaxSupport
TurboTax 2008 WinBizUserEducation
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax Business 2008
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
VantagePoint
VBA (2627.01)
Visual C++ 8.0 Runtime Setup Package (x64)
WebReg
Worms World Party



The screen was having problems and it would only work when I closed the lid and reopened it. Then it would only work for about 30 seconds and it would flicker and go off. Then if I closed the lid and opened it again the screen would come back on and the process would repeat. Now, however, it seems to have stopped doing that. Not sure exactly what was going on, maybe a short? Whatever. At least it is back sort of working again.
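The "Reg Loading Points" section of the ComboFix log above lists every autostart value ComboFix found, with the file's date and size in brackets after the path. The following is an added example, not ComboFix's code and not anything posted in this thread: a small Python parser for that section, run over a constructed sample assembled from entries in the log above plus one made-up entry ("Updater", in a user's temp folder) that exists only to exercise the check. It flags values for which ComboFix recorded no date/size (such as the `[BU]` tag on SysTrayApp) or whose binary lives under a user-writable path. Which entries are actually unwanted is still a judgement call; the script only narrows the list to review.

```python
"""Parse the 'Reg Loading Points' section of a ComboFix log and flag autostart
entries worth a second look. Added example; not part of ComboFix."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the ComboFix layout. The first four values copy lines from
# the log quoted in this thread; "Updater" is made up to exercise the path check.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\programdata\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-07-12 226904]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-18 39408]
.
--------- X64 Entries -----------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-07-17 1561384]
"SysTrayApp"="c:\program files (x86)\IDT\WDM\sttray64.exe" [BU]
"Updater"="c:\users\someuser\AppData\Local\temp\upd.exe" [2012-07-27 40960]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
"""

# A registry key header such as [HKEY_LOCAL_MACHINE\...\Run]
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
# A value line: "name"="path" [date size]  or  "name"="path" [TAG]
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
DATE_SIZE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2}) (\d+)$')

# Path fragments that any standard user can write to (locations a scan should question).
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\users\\public\\')


@dataclass
class AutorunEntry:
    key: str
    name: str
    path: str
    date: Optional[str]   # None when ComboFix printed no date/size for the file
    size: Optional[int]
    tag: Optional[str]    # raw bracket text when it was not a date/size pair, e.g. "BU"


def parse_reg_loading_points(text: str) -> List[AutorunEntry]:
    """Return every autostart value between the 'Reg Loading Points' header and
    the 'Supplementary Scan' header, in log order."""
    entries: List[AutorunEntry] = []
    in_section = False
    current_key: Optional[str] = None
    for line in text.splitlines():
        if 'Reg Loading Points' in line:
            in_section = True
            continue
        if not in_section:
            continue
        if 'Supplementary Scan' in line or line.startswith('(((('):
            break  # end of the autostart section
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group('key')
            continue
        entry_match = ENTRY_RE.match(line)
        if entry_match and current_key:
            meta = entry_match.group('meta')
            ds = DATE_SIZE_RE.match(meta)
            if ds:
                entries.append(AutorunEntry(current_key, entry_match.group('name'),
                                            entry_match.group('path'), ds.group(1),
                                            int(ds.group(2)), None))
            else:
                entries.append(AutorunEntry(current_key, entry_match.group('name'),
                                            entry_match.group('path'), None, None, meta))
    return entries


def triage(entries: List[AutorunEntry]) -> List[Tuple[str, List[str]]]:
    """Return (value name, reasons) for entries that deserve a closer look."""
    findings = []
    for e in entries:
        reasons = []
        if e.date is None:
            reasons.append(f'no file date/size recorded (tag {e.tag})')
        if any(frag in e.path.lower() for frag in USER_WRITABLE):
            reasons.append('binary sits in a user-writable location')
        if reasons:
            findings.append((e.name, reasons))
    return findings


if __name__ == '__main__':
    for name, reasons in triage(parse_reg_loading_points(SAMPLE_LOG)):
        print(f'{name}: ' + '; '.join(reasons))
```

Run it on a saved ComboFix.txt by reading the file into `parse_reg_loading_points` instead of `SAMPLE_LOG`; every entry the log reports is kept, so the unflagged ones can still be reviewed by path.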

#14 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Location: Puerto Rico)

Posted 02 August 2012 - 09:31 PM

That sounds very strange. It sounds like it may have something to do with what is called the backlight. You should ask in the hardware forum to be sure.

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove or you can use the free uninstaller from Revo (Revo does a lot better of a job)

Programs to remove

  • Adobe Reader 8.1.3
  • Java™ 6 Update 24


  • Please download and install Revo Uninstaller Free.
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on the program to remove.
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run. If prompted again click Yes.
  • When the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete.
  • When prompted click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted select Yes then on Next.
  • Once done click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing Foxit Reader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • Click on the Free Java Download button.
  • Click on Agree and start Free download.
  • Click on Run.
  • Click on Run again.
  • Click on Install.
  • When the install is complete click on Close.

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.
  • Download CCleaner from here: http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

Malwarebytes' Anti-Malware

  • I would like you to rerun MBAM.
  • Double-click the MBAM icon.
  • Go to the Update tab at the top.
  • Click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad, ...).

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

Information and logs

In your next post I need the following:

  • Log from MBAM
  • Report from HijackThis
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#15 surfenterprises

surfenterprises
  • Topic Starter

  • Members
  • 19 posts

Posted 03 August 2012 - 05:54 PM

Hi Gringo,

Here are the logs.

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.03.09

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Billy :: SURFENTERPRISES [administrator]

Protection: Enabled

8/3/2012 11:30:35 AM
mbam-log-2012-08-03 (11-30-35).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 230679
Time elapsed: 4 minute(s), 42 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:47:47 PM, on 8/3/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16447)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\DigitalPersona\Bin\DpAgent.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files (x86)\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_268_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Billy\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Miniclip Toolbar - {1c68c940-1b2f-46eb-bd8c-2e1612ff6a58} - C:\Program Files (x86)\Miniclip\prxtbMini.dll
O1 - Hosts: 216.239.32.20 www.google.ae # bck9
O1 - Hosts: 216.239.32.20 www.google.at # bck9
O1 - Hosts: 216.239.32.20 www.google.be # bck9
O1 - Hosts: 216.239.32.20 www.google.ca # bck9
O1 - Hosts: 216.239.32.20 www.google.ch # bck9
O1 - Hosts: 216.239.32.20 www.google.cl # bck9
O1 - Hosts: 216.239.32.20 www.google.co.il # bck9
O1 - Hosts: 216.239.32.20 www.google.co.in # bck9
O1 - Hosts: 216.239.32.20 www.google.co.jp # bck9
O1 - Hosts: 216.239.32.20 www.google.co.kr # bck9
O1 - Hosts: 216.239.32.20 www.google.co.nz # bck9
O1 - Hosts: 216.239.32.20 www.google.co.uk # bck9
O1 - Hosts: 216.239.32.20 www.google.co.ve # bck9
O1 - Hosts: 216.239.32.20 www.google.co.za # bck9
O1 - Hosts: 216.239.32.20 www.google.com # bck9
O1 - Hosts: 216.239.32.20 www.google.com.ar # bck9
O1 - Hosts: 216.239.32.20 www.google.com.au # bck9
O1 - Hosts: 216.239.32.20 www.google.com.br # bck9
O1 - Hosts: 216.239.32.20 www.google.com.co # bck9
O1 - Hosts: 216.239.32.20 www.google.com.gr # bck9
O1 - Hosts: 216.239.32.20 www.google.com.hk # bck9
O1 - Hosts: 216.239.32.20 www.google.com.mx # bck9
O1 - Hosts: 216.239.32.20 www.google.com.my # bck9
O1 - Hosts: 216.239.32.20 www.google.com.pe # bck9
O1 - Hosts: 216.239.32.20 www.google.com.ph # bck9
O1 - Hosts: 216.239.32.20 www.google.com.pk # bck9
O1 - Hosts: 216.239.32.20 www.google.com.sg # bck9
O1 - Hosts: 216.239.32.20 www.google.com.tr # bck9
O1 - Hosts: 216.239.32.20 www.google.com.tw # bck9
O1 - Hosts: 216.239.32.20 www.google.com.ua # bck9
O1 - Hosts: 216.239.32.20 www.google.de # bck9
O1 - Hosts: 216.239.32.20 www.google.dk # bck9
O1 - Hosts: 216.239.32.20 www.google.es # bck9
O1 - Hosts: 216.239.32.20 www.google.fi # bck9
O1 - Hosts: 216.239.32.20 www.google.fr # bck9
O1 - Hosts: 216.239.32.20 www.google.it # bck9
O1 - Hosts: 216.239.32.20 www.google.lt # bck9
O1 - Hosts: 216.239.32.20 www.google.lv # bck9
O1 - Hosts: 216.239.32.20 www.google.nl # bck9
O1 - Hosts: 216.239.32.20 www.google.pl # bck9
O1 - Hosts: 216.239.32.20 www.google.pt # bck9
O1 - Hosts: 216.239.32.20 www.google.ro # bck9
O1 - Hosts: 216.239.32.20 www.google.ru # bck9
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Miniclip - {1c68c940-1b2f-46eb-bd8c-2e1612ff6a58} - C:\Program Files (x86)\Miniclip\prxtbMini.dll
O2 - BHO: DigitalPersona Personal Extension - {395610AE-C624-4f58-B89E-23733EA00F9A} - C:\Program Files (x86)\DigitalPersona\Bin\DpOtsPluginIe8.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: Miniclip Toolbar - {1c68c940-1b2f-46eb-bd8c-2e1612ff6a58} - C:\Program Files (x86)\Miniclip\prxtbMini.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [QlbCtrl.exe] "C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DpAgent] C:\Program Files (x86)\DigitalPersona\Bin\dpagent.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SolidWorks Background Downloader.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} (Photo Upload Plugin Class) - http://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_86727c20\AESTSr64.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files (x86)\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Blue Coat K9 Web Protection (bckwfs) - Blue Coat Systems, Inc. - C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: SW Distributed TS Coordinator Service (CoordinatorServiceHost) - Dassault Systèmes SolidWorks Corp. - C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\Windows\SYSTEM32\crypserv.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe,-128 (DpHost) - DigitalPersona, Inc. - C:\Program Files (x86)\DigitalPersona\Bin\DpHostW.exe
O23 - Service: FLEXnet Licensing Service - Flexera Software, Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FLEXnet Licensing Service 64 - Flexera Software, Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe (file missing)
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
O23 - Service: Remote Solver for Flow Simulation 2012 - Mentor Graphics Corporation - C:\Program Files\SolidWorks Corp\SolidWorks Flow Simulation\binCFW\StandAloneSlv.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files (x86)\Skype\Updater\Updater.exe
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files (x86)\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Audio Service (STacSV) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_86727c20\STacSV64.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Validity Fingerprint Service (vfsFPService) - Validity Sensors, Inc. - C:\Windows\system32\vfsFPService.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 15458 bytes


The computer is running OK now. I figured out that the problem was probably the inverter and am now using an external monitor, as the regular screen will only stay on for 5 seconds. I have the parts to fix it, though; I just have to find the directions on how to do it.

Otherwise everything is good for the most part.
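The HijackThis log in the reply above is read by hand in this thread. As an added example (not a tool the helper uses, nor anything from the thread), here is a small Python triage script that groups the O1 hosts-file overrides by target IP and trailing comment tag and lists the O2/O3/O23 entries whose file is reported missing, run over a constructed subset of lines in the same format as the log above. It only summarises; deciding what an entry means (for instance what the `# bck9` tag belongs to) is still the analyst's job, which is the point of the helper's warning about the Analyze This button.

```python
"""Triage helper for HijackThis v2.0.4 log text (added example, not from the thread).

Groups the entry types the log above contains:
  - O1 hosts-file overrides, keyed by (target IP, '# tag' comment)
  - O2/O3 browser extension entries whose DLL is '(no file)'
  - O23 services whose binary is '(file missing)'
It summarises only; it does not judge whether anything is malicious.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of lines in the format of the log above.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 216.239.32.20 www.google.com # bck9
O1 - Hosts: 216.239.32.20 www.google.co.uk # bck9
O1 - Hosts: 216.239.32.20 www.google.de # bck9
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\\Program Files (x86)\\Google\\Google Toolbar\\GoogleToolbar_32.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\\Windows\\system32\\Hpservice.exe (file missing)
O23 - Service: avast! Antivirus - AVAST Software - C:\\Program Files\\AVAST Software\\Avast\\AvastSvc.exe
"""

# "O1 - Hosts: <ip> <hostname> [# <tag>]"
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)(?: # (\S+))?$")
# Every HijackThis entry starts with its section code, e.g. "O23 - " or "R1 - "
ENTRY_RE = re.compile(r"^(O\d+|R\d+) - ")


def parse_hosts_entries(log_text):
    """Return {(target_ip, tag): [hostnames]} for O1 hosts-file overrides."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = HOSTS_RE.match(line.strip())
        if m:
            ip, host, tag = m.groups()
            groups[(ip, tag or "")].append(host)
    return dict(groups)


def orphaned_entries(log_text):
    """Entries whose referenced file is gone: O2/O3 '(no file)', O23 '(file missing)'."""
    orphans = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind = m.group(1)
        if kind in ("O2", "O3") and line.endswith("(no file)"):
            orphans.append(line)
        elif kind == "O23" and line.endswith("(file missing)"):
            orphans.append(line)
    return orphans


def summarize(log_text):
    """One human-readable line per hosts-override group, plus an orphan count."""
    rows = []
    for (ip, tag), names in sorted(parse_hosts_entries(log_text).items()):
        label = f" tagged '# {tag}'" if tag else ""
        more = ", ..." if len(names) > 3 else ""
        rows.append(f"{len(names)} hostname(s) redirected to {ip}{label}: "
                    f"{', '.join(names[:3])}{more}")
    rows.append(f"{len(orphaned_entries(log_text))} entry(ies) referencing missing files")
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```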



