Suspected Rootkit - Persisting through HDD wipe?


  • This topic is locked
13 replies to this topic

#1 donteversleep

Posted 02 August 2012 - 10:21 AM

Hi folks,

I'm not sure if I'm totally paranoid here, but I'd like some peace of mind that my system is 100% clean.

I'm running Windows 7 Home Premium - 64 bit. I'm on a Dell Studio XPS laptop.

For the past few weeks some extremely fishy stuff has been going on with my computer and I've been suspicious about a rootkit.

Symptoms:

Unnerving remote access connections:
-Caught a port open that is utilized for DDoS attacks.
-Established IP connection to the Linode domain, known for involvement with bitcoins.
-Using TCPView, I've seen about 10 "System Process" connections to remote IPs pop up.
-Svchost connecting to remote, unrecognized IPs.

Hardware:
-Unable to connect to wireless connection. (I can access the net by bypassing my router via ethernet.)
-New "hidden" devices showing up under network devices I do not recognize. About 8 WAN Miniports, Teredo Tunnelling devices, 3 ISATAP devices.
-After the Windows loading screen, about 15 seconds of black screen with the "loading cursor."
-CPU usage would spike throughout the day, but this stopped about two weeks ago.

Software:
-EXE files popping up and software has been installed on my system.
-Windows Sidebar installed, which I have recently learned has security vulnerabilities.
-When attempting to run an elevated command prompt, the default path would be something like: C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\
-Corrupt Winsock (made attempts to reset with the netsh command) with 3rd party additions.
-Loads of folders in "shared" state.
-Account privilege changes, weird unknown accounts with "full control" permissions.

Virus scan finds:
-One month ago, Malwarebytes found Trojan.Agent.CK and Trojan.Agent.Cn. Both were quarantined.
-A week later, Malwarebytes found the SAME TWO exe files it had quarantined from the last scan.
-Microsoft Security Essentials found a malicious Java application and deleted it.
-ADSSpy found ~15 ADSs attached to a bizarre file path that looked like "c:\Users\Default\Application Data\Common\Appdata\Common\Appdata" (this repeated about ten times) - some gibberish ADS like D5F459.

Unfortunately, I have no backups of these logs. I recently wiped my HDD with diskpart /cleanall from the boot command prompt. I did not want to connect my external drive to a compromised computer.

During a reinstall of Windows, my system crashed during the install and I had to manually reboot. The installation completed after this.

Since clean install:
- When reinstalling drivers, my wireless card was not found.
- Under Device Manager, "Unknown Devices" showed 3 "Base System Devices" and an "Unknown device" with error symbols.
- Event manager showed about 80 logons during the install process (this occurred before I set my system time). No network connection.
- About 40 firewall rules/exemptions made during the install process.
- Network devices added after each boot. After first login - only my ethernet device. Next login - 8 WAN Miniports. Current login - 6to4 adapter, two ISATAP adapters, Teredo Tunnel Interface.
- Closed my laptop lid the other night and it entered "sleep mode". My system time was changed during sleep mode. WinHTTP Web Proxy Auto-Discovery Service and DNS Client service started, the computer resumed sleep and the system time was normal at login.
- On most recent login, C:\ and many other folders are now in the "shared" state.
- Still experiencing a 10-15 second black screen before the login window. Login takes ~15 seconds even with a clean install.


Weird findings in event manager since install:

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.
DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-2870307713-1228017732-154039020-1000:
Process 444 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-2870307713-1228017732-154039020-1000


Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:HKLM\SOFTWARE\Microsoft\Windows Defender\.\DisableRoutinelyTakingAction = 1
New value:HKLM\SOFTWARE\Microsoft\Windows Defender\.\DisableRoutinelyTakingAction = 0
Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\CheckForSignaturesBeforeRunningScan = 0
New value:HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\CheckForSignaturesBeforeRunningScan = 1
Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = 0
New value:HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = 1

About 1000 Security Audit events.

DCOM errors - Event ID 10005 "DCOM got error "#" attempting to start service "servicename" in order to run server {#######}


Sorry for the HUGE wall of text. I'm just not sure if some of this is actually malicious or typical system activity. I don't think there's a keylogger involved - none of my passwords have been changed. I think it's more likely a zombie/botnet rootkit. No scans have picked up a "rootkit." However - I have no idea how some of these issues are persisting after a total HDD wipe.

The actions I've taken so far are:
Malware Bytes Scan (Clean)
Microsoft Security Essentials scan (Clean)
TDSS Killer (Clean)
Windows Defender Offline (Clean)
aswMBR (Clean)
ADSSpy (One entry)

I can attach txt files of event logs for firewall changes and events during the system time change.
Thanks!

Here's my DDS log:


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Liz at 9:22:55 on 2012-08-02
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4061.2175 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files (x86)\Dell\Dell Mobile Broadband Manager\WirelessManager.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Liz\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Razer\Diamondback\Razer\Diamondback\razerhid.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Razer\Diamondback\Razer\Diamondback\razertra.exe
C:\Program Files (x86)\Razer\Diamondback\Razer\Diamondback\razerofa.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit=userinit.exe
uRun: [WirelessManager] C:\Program Files (x86)\Dell\Dell Mobile Broadband Manager\WirelessManager.exe
uRun: [Google Update] "C:\Users\Liz\AppData\Local\Google\Update\GoogleUpdate.exe" /c
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [Diamondback] C:\Program Files (x86)\Razer\Diamondback\Razer\Diamondback\razerhid.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{E9E5EACD-1D7A-4066-847D-E965CF3D4975} : DhcpNameServer = 75.75.75.75 75.75.76.76
IFEO: taskmgr.exe - "C:\USERS\LIZ\DESKTOP\PROCESSEXPLORER\PROCEXP.EXE"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [Diamondback] C:\Program Files (x86)\Razer\Diamondback\Razer\Diamondback\razerhid.exe
IFEO-X64: taskmgr.exe - "C:\USERS\LIZ\DESKTOP\PROCESSEXPLORER\PROCEXP.EXE"
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-31 655944]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 Razerlow;Razer Pro|Solutions;C:\Windows\system32\drivers\Razerlow.sys --> C:\Windows\system32\drivers\Razerlow.sys [?]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
============= FINISH: 9:24:38.57 ===============
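As an added example (not part of the post or of any BleepingComputer tool), a small Python triage of the Windows Defender "Configuration has changed" events quoted above: it pairs each "Old value" line with its "New value" line and reports whether the change moved the setting toward or away from protection, which is the question the poster is asking about these entries. The table of which value weakens protection is an assumption based on the documented meaning of those three registry values; the event text is constructed from the post plus one made-up weakening event.

```python
"""Triage Windows Defender configuration-change events (added example).

Input is the plain event text as pasted into the post; output is one verdict per
registry value: 'hardening', 'weakening', 'no-op' or 'unknown'.
"""
from dataclasses import dataclass

# Assumption (not from the post): the value of each Defender registry entry that
# means protection is reduced. Other names are reported as 'unknown'.
WEAKENING_VALUE = {
    "DisableRoutinelyTakingAction": 1,        # 1 = detections are not remediated automatically
    "CheckForSignaturesBeforeRunningScan": 0,  # 0 = scan runs without a signature update first
    "SpyNetReporting": 0,                      # 0 = cloud (SpyNet) reporting switched off
}


@dataclass
class ConfigChange:
    path: str   # full registry path, e.g. HKLM\SOFTWARE\...\SpyNetReporting
    old: int
    new: int

    @property
    def name(self) -> str:
        # Last path component is the value name; works with the "\.\" segment too.
        return self.path.rsplit("\\", 1)[-1]


def _split_value_line(body: str):
    """'HKLM\\...\\Name = 1' -> ('HKLM\\...\\Name', 1)."""
    path, _, value = body.rpartition("=")
    return path.strip(), int(value.strip())


def parse_defender_changes(text: str):
    """Pair every 'Old value:' line with the 'New value:' line that follows it."""
    changes, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Old value:"):
            pending = _split_value_line(line[len("Old value:"):])
        elif line.startswith("New value:") and pending is not None:
            path, new = _split_value_line(line[len("New value:"):])
            if path == pending[0]:           # only pair lines for the same value
                changes.append(ConfigChange(path, pending[1], new))
            pending = None
    return changes


def classify(change: ConfigChange) -> str:
    weak = WEAKENING_VALUE.get(change.name)
    if weak is None:
        return "unknown"
    if change.new == weak and change.old != weak:
        return "weakening"
    if change.old == weak and change.new != weak:
        return "hardening"
    return "no-op"


def triage(text: str):
    """Return (value name, old, new, verdict) for every change found in the text."""
    return [(c.name, c.old, c.new, classify(c)) for c in parse_defender_changes(text)]


# Constructed sample: the three events quoted in the post, followed by one
# constructed event (not from the post) that turns automatic remediation off.
SAMPLE_EVENTS = r"""
Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:HKLM\SOFTWARE\Microsoft\Windows Defender\.\DisableRoutinelyTakingAction = 1
New value:HKLM\SOFTWARE\Microsoft\Windows Defender\.\DisableRoutinelyTakingAction = 0
Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\CheckForSignaturesBeforeRunningScan = 0
New value:HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\CheckForSignaturesBeforeRunningScan = 1
Windows Defender Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = 0
New value:HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\SpyNetReporting = 1
Windows Defender Configuration has changed. (constructed weakening event)
Old value:HKLM\SOFTWARE\Microsoft\Windows Defender\.\DisableRoutinelyTakingAction = 0
New value:HKLM\SOFTWARE\Microsoft\Windows Defender\.\DisableRoutinelyTakingAction = 1
"""

if __name__ == "__main__":
    for name, old, new, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:10s} {name} {old} -> {new}")
```

On the post's three events the verdicts are all "hardening", so only the constructed fourth event is flagged; in practice the same parser can be fed the message text pulled from the System log with Get-WinEvent.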

#2 HelpBot

Posted 07 August 2012 - 10:25 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/463553 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 donteversleep

Posted 07 August 2012 - 01:25 PM

Hi,

I do have my original Windows 7 OEM install disk.

Just wanted to note a few changes that I intentionally made to my system since my last log.

Installed OpenOffice 3.4

Disabled the following services:
- Bluetooth Support Service
- Certificate Propagation
- Distributed Link Tracking Client
- IP Helper
- Microsoft iSCSI Initiator Service
- Netlogon
- Network Access Protection Agent
- Parental Controls
- Remote Procedure Call (RPC) Locator
- Remote Registry
- Smart Card
- Smart Card Removal Policy
- SNMP Trap
- Windows Connect Now Config Registrar
- Windows Media Player Network Sharing Service
- Windows Search

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Liz at 13:23:46 on 2012-08-07
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4061.2250 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Razer\Diamondback\Razer\Diamondback\razerhid.exe
C:\Program Files (x86)\Razer\Diamondback\Razer\Diamondback\razertra.exe
C:\Program Files (x86)\Razer\Diamondback\Razer\Diamondback\razerofa.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit=userinit.exe
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [Diamondback] C:\Program Files (x86)\Razer\Diamondback\Razer\Diamondback\razerhid.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{E9E5EACD-1D7A-4066-847D-E965CF3D4975} : DhcpNameServer = 75.75.75.75 75.75.76.76
IFEO: taskmgr.exe - "C:\USERS\LIZ\DESKTOP\PROCESSEXPLORER\PROCEXP.EXE"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [Diamondback] C:\Program Files (x86)\Razer\Diamondback\Razer\Diamondback\razerhid.exe
IFEO-X64: taskmgr.exe - "C:\USERS\LIZ\DESKTOP\PROCESSEXPLORER\PROCEXP.EXE"
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-31 655944]
R3 itecir;ITECIR Infrared Receiver;C:\Windows\system32\DRIVERS\itecir.sys --> C:\Windows\system32\DRIVERS\itecir.sys [?]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 Razerlow;Razer Pro|Solutions;C:\Windows\system32\drivers\Razerlow.sys --> C:\Windows\system32\drivers\Razerlow.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-08-07 00:54:34 9133488 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5EAA0EB9-8FAB-4BC7-848F-83AA55E1F700}\mpengine.dll
2012-08-06 22:41:07 -------- d-----w- C:\Users\Liz\AppData\Roaming\OpenOffice.org
2012-08-06 22:28:06 -------- d-----w- C:\Program Files (x86)\OpenOffice.org 3
2012-08-05 21:45:01 9133488 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-03 03:32:37 -------- d-----w- C:\Windows\System32\SPReview
2012-08-03 03:31:14 -------- d-----w- C:\Windows\System32\EventProviders
2012-08-03 03:30:16 1139200 ----a-w- C:\Windows\System32\FntCache.dll
2012-08-03 03:30:14 902656 ----a-w- C:\Windows\System32\d2d1.dll
2012-08-03 03:30:14 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
2012-08-01 23:30:59 800256 ----a-w- C:\Windows\System32\usp10.dll
2012-08-01 23:29:59 830464 ----a-w- C:\Windows\SysWow64\MSMPEG2ENC.DLL
2012-08-01 23:28:59 406528 ----a-w- C:\Windows\SysWow64\wimgapi.dll
2012-08-01 23:27:59 7680 ----a-w- C:\Windows\SysWow64\KBDCZ1.DLL
2012-08-01 23:24:57 529408 ----a-w- C:\Windows\System32\wbemcomn.dll
2012-08-01 23:24:57 244736 ----a-w- C:\Program Files\Windows Portable Devices\sqmapi.dll
2012-08-01 23:24:43 244736 ----a-w- C:\Windows\System32\sqmapi.dll
2012-08-01 13:42:37 -------- d-----w- C:\Windows\SysWow64\Wat
2012-08-01 13:42:37 -------- d-----w- C:\Windows\System32\Wat
2012-08-01 07:55:16 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-08-01 07:04:45 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-08-01 07:04:44 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-08-01 07:04:44 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-08-01 07:04:44 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-08-01 07:04:44 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-08-01 07:04:44 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-08-01 07:04:44 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-08-01 04:25:29 27016 ----a-w- C:\Windows\SysWow64\drivers\PROCEXP141.SYS
2012-08-01 04:08:58 142336 ----a-w- C:\Windows\System32\poqexec.exe
2012-08-01 04:08:58 123904 ----a-w- C:\Windows\SysWow64\poqexec.exe
2012-08-01 04:08:49 961024 ----a-w- C:\Windows\System32\CPFilters.dll
2012-08-01 04:08:47 642048 ----a-w- C:\Windows\SysWow64\CPFilters.dll
2012-08-01 04:08:47 1118720 ----a-w- C:\Windows\System32\sbe.dll
2012-08-01 04:08:46 259072 ----a-w- C:\Windows\System32\mpg2splt.ax
2012-08-01 04:08:45 850944 ----a-w- C:\Windows\SysWow64\sbe.dll
2012-08-01 04:08:45 199680 ----a-w- C:\Windows\SysWow64\mpg2splt.ax
2012-08-01 04:08:43 2871808 ----a-w- C:\Windows\explorer.exe
2012-08-01 04:08:43 2616320 ----a-w- C:\Windows\SysWow64\explorer.exe
2012-08-01 04:06:59 288768 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2012-08-01 04:05:59 476160 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2012-08-01 04:05:58 288256 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
2012-08-01 04:05:21 870912 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2012-08-01 04:05:21 1465344 ----a-w- C:\Windows\System32\XpsPrint.dll
2012-08-01 04:05:11 1359872 ----a-w- C:\Windows\System32\mfc42u.dll
2012-08-01 04:05:10 1395712 ----a-w- C:\Windows\System32\mfc42.dll
2012-08-01 04:05:09 1164288 ----a-w- C:\Windows\SysWow64\mfc42u.dll
2012-08-01 04:05:09 1137664 ----a-w- C:\Windows\SysWow64\mfc42.dll
2012-08-01 04:02:53 27520 ----a-w- C:\Windows\System32\drivers\Diskdump.sys
2012-08-01 04:02:49 33792 ----a-w- C:\Windows\System32\profprov.dll
2012-08-01 04:02:49 209920 ----a-w- C:\Windows\System32\profsvc.dll
2012-08-01 04:02:48 183296 ----a-w- C:\Windows\System32\dnsrslvr.dll
2012-08-01 04:02:47 30208 ----a-w- C:\Windows\System32\dnscacheugc.exe
2012-08-01 04:02:47 28672 ----a-w- C:\Windows\SysWow64\dnscacheugc.exe
2012-08-01 03:51:55 498688 ----a-w- C:\Windows\System32\drivers\afd.sys
2012-08-01 03:49:51 421888 ----a-w- C:\Windows\System32\KernelBase.dll
2012-08-01 03:48:57 90624 ----a-w- C:\Windows\System32\drivers\bowser.sys
2012-08-01 03:48:53 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2012-08-01 03:48:52 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2012-08-01 03:48:52 331776 ----a-w- C:\Windows\System32\oleacc.dll
2012-08-01 03:48:52 233472 ----a-w- C:\Windows\SysWow64\oleacc.dll
2012-08-01 03:48:46 723456 ----a-w- C:\Windows\System32\EncDec.dll
2012-08-01 03:48:45 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2012-08-01 03:48:41 1731920 ----a-w- C:\Windows\System32\ntdll.dll
2012-08-01 03:48:40 1292080 ----a-w- C:\Windows\SysWow64\ntdll.dll
2012-08-01 03:48:38 73728 ----a-w- C:\Windows\SysWow64\Diamondback.cpl
2012-08-01 03:48:20 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-08-01 03:43:14 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-08-01 03:43:14 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-08-01 03:43:03 288640 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
2012-08-01 03:43:03 1918320 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-08-01 03:43:01 2164224 ----a-w- C:\Program Files\Windows Journal\Journal.exe
2012-08-01 03:43:00 936960 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-08-01 03:43:00 1732096 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
2012-08-01 03:43:00 1393664 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
2012-08-01 03:43:00 1367552 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2012-08-01 03:42:59 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
2012-08-01 03:41:15 -------- d-----w- C:\Users\Liz\AppData\Roaming\Malwarebytes
2012-08-01 03:40:57 -------- d-----w- C:\ProgramData\Malwarebytes
2012-08-01 03:40:56 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-08-01 03:40:55 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-08-01 03:22:39 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6F968243-261E-4F39-B57E-82E6ECD6BD1F}\gapaengine.dll
2012-08-01 03:17:43 77312 ----a-w- C:\Windows\System32\packager.dll
2012-08-01 03:17:43 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2012-08-01 03:13:12 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-08-01 03:13:12 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-08-01 03:13:12 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-08-01 03:12:35 -------- d-----w- C:\Users\Liz\AppData\Local\Diagnostics
2012-08-01 03:11:26 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2012-08-01 03:11:13 -------- d-----w- C:\Program Files\Microsoft Security Client
2012-08-01 03:07:11 -------- d-----w- C:\Users\Liz\AppData\Local\Google
2012-08-01 03:07:00 -------- d-----w- C:\Users\Liz\AppData\Local\Deployment
2012-08-01 03:07:00 -------- d-----w- C:\Users\Liz\AppData\Local\Apps
2012-08-01 03:05:21 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-08-01 03:05:13 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-08-01 03:05:03 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-08-01 03:05:03 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-07-30 21:23:41 -------- d-----w- C:\Windows\Panther
2012-07-30 21:23:14 -------- d-----w- C:\Windows\System32\oem
2012-07-30 20:32:20 0 ----a-w- C:\Windows\ativpsrm.bin
2012-07-30 17:54:20 -------- d-----w- C:\Users\Liz\AppData\Local\ElevatedDiagnostics
2012-07-30 17:50:14 -------- d-----w- C:\Program Files\Broadcom
2012-07-30 17:48:32 -------- d-----w- C:\Program Files\Dell
2012-07-30 17:47:16 -------- d-----w- C:\Users\Liz\AppData\Roaming\WirelessManager
2012-07-30 17:45:21 -------- d-----w- C:\dell
2012-07-30 17:43:36 45056 ----a-r- C:\Users\Liz\AppData\Roaming\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
2012-07-30 17:43:36 -------- d-----w- C:\Windows\SysWow64\vmm32
2012-07-30 17:43:36 -------- d-----w- C:\Program Files (x86)\Dell
2012-07-30 17:43:18 -------- d-sh--w- C:\Windows\Installer
.
==================== Find3M ====================
.
2012-08-03 03:46:10 175616 ----a-w- C:\Windows\System32\msclmd.dll
2012-08-03 03:46:10 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2012-06-06 06:06:16 2004480 ----a-w- C:\Windows\System32\msxml6.dll
2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll
2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll
2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
.
============= FINISH: 13:25:53.09 ===============

#4 nasdaq

  • Malware Response Team

Posted 09 August 2012 - 08:46 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Your GMER log shows a ZeroAccess infection.
Let's start with these two scans.
Execute them in the order listed.

Please download TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double-click the aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post these logs for my review.

Include a fresh DDS log also.
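The report TDSSKiller writes (the one this post asks to have pasted back, and which appears in reply #5 below) lists each scanned driver or service with its MD5 and path, followed by a one-line verdict. As an added example, not part of nasdaq's post and not code from TDSSKiller itself, here is a small Python triage helper that pairs those two lines up and lists anything the tool did not mark "ok". The sample report embedded in it copies a few header lines and the ACPI, AFD and COMSysApp entries from the posted report and adds one constructed entry ("sampledrv", with a placeholder MD5 and a made-up verdict) so that the flagging path is exercised; real reports word their detections differently, and the helper treats any verdict other than "ok" as worth a look.

```python
"""Triage helper for a TDSSKiller report (added example, not TDSSKiller's
own code).  Every scanned object appears as "<name> (<md5>) <path>" followed
by a verdict line "<name> - <verdict>"; some objects only get the verdict
line.  The helper pairs them up and lists anything whose verdict is not "ok".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Report lines start with a timestamp and a thread id; the rest is the body.
_LINE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<tid>\d+)\s+(?P<body>.*)$")
# "<name> (<32 hex md5>) <path>" identifies the object being scanned.
_OBJECT = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$")


@dataclass
class Entry:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    verdict: Optional[str] = None


def parse_report(text: str) -> Dict[str, Entry]:
    """Return scanned objects keyed by service/driver name.

    Only lines after "Scan started" count as scan results, so header lines
    such as "Drive ... - Size: ..." are not mistaken for verdict lines.
    """
    entries: Dict[str, Entry] = {}
    scanning = False
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        body = m.group("body").strip()
        if body == "Scan started":
            scanning = True
            continue
        if not scanning or not body or body.startswith("="):
            continue  # banners, separators, pre-scan system info
        obj = _OBJECT.match(body)
        if obj:
            e = entries.setdefault(obj.group("name"), Entry(obj.group("name")))
            e.md5 = obj.group("md5").lower()
            e.path = obj.group("path")
            continue
        # Verdict line: split on the last " - " so names containing a dash survive.
        name, sep, verdict = body.rpartition(" - ")
        if sep and name:
            e = entries.setdefault(name, Entry(name))
            e.verdict = verdict.strip()
    return entries


def not_ok(entries: Dict[str, Entry]) -> List[Entry]:
    """Objects that received a verdict other than "ok"."""
    return [e for e in entries.values() if e.verdict is not None and e.verdict != "ok"]


def summarize(entries: Dict[str, Entry]) -> Dict[str, int]:
    """Counts a helper would quote back: scanned, clean, flagged, no verdict seen."""
    ok = sum(1 for e in entries.values() if e.verdict == "ok")
    no_verdict = sum(1 for e in entries.values() if e.verdict is None)
    return {"scanned": len(entries), "ok": ok, "flagged": len(not_ok(entries)), "no_verdict": no_verdict}


# Constructed sample: header lines and the ACPI, AFD and COMSysApp entries are
# copied from the report posted in this thread; "sampledrv", its all-zero MD5
# and its verdict are made up so that a non-"ok" result is present.
SAMPLE_REPORT = r"""
11:05:17.0610 2404 TDSS rootkit removing tool 2.7.48.0 Jul 24 2012 13:16:32
11:05:21.0198 2404 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200
11:05:23.0335 1896 ============================================================
11:05:23.0335 1896 Scan started
11:05:23.0335 1896 Mode: Manual;
11:05:24.0255 1896 ACPI (d81d9e70b8a6dd14d42d7b4efa65d5f2) C:\Windows\system32\drivers\ACPI.sys
11:05:24.0271 1896 ACPI - ok
11:05:24.0723 1896 AFD (1c7857b62de5994a75b054a9fd4c3825) C:\Windows\system32\drivers\afd.sys
11:05:24.0786 1896 AFD - ok
11:05:30.0698 1896 COMSysApp - ok
11:05:40.0001 1896 sampledrv (00000000000000000000000000000000) C:\Windows\system32\DRIVERS\sampledrv.sys
11:05:40.0002 1896 sampledrv - suspicious (constructed sample verdict)
"""

if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print(summarize(parsed))
    for e in not_ok(parsed):
        print(f"{e.name}: {e.verdict}  md5={e.md5}  path={e.path}")
```

To use it on a real run, read the saved TDSSKiller.[Version]_[Date]_[Time]_log.txt into a string and pass it to parse_report instead of SAMPLE_REPORT. A report in which every object reads "- ok", like the one posted in the next reply, gives an empty flagged list, which is the quick way to confirm the "didn't find anything" reading before moving on to the other scans.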

#5 donteversleep

  • Topic Starter

Posted 09 August 2012 - 10:17 AM

Thanks, Nasdaq. Was worried it was ZeroAccess :/ Should I be concerned about any of my personal files/passwords? Is this infection able to spread to external storage devices?

Here are my logs. TDSSKiller didn't find anything.


11:05:17.0610 2404 TDSS rootkit removing tool 2.7.48.0 Jul 24 2012 13:16:32
11:05:18.0093 2404 ============================================================
11:05:18.0093 2404 Current date / time: 2012/08/09 11:05:18.0093
11:05:18.0093 2404 SystemInfo:
11:05:18.0093 2404
11:05:18.0093 2404 OS Version: 6.1.7601 ServicePack: 1.0
11:05:18.0093 2404 Product type: Workstation
11:05:18.0093 2404 ComputerName: TUPAC
11:05:18.0093 2404 UserName: Liz
11:05:18.0093 2404 Windows directory: C:\Windows
11:05:18.0093 2404 System windows directory: C:\Windows
11:05:18.0093 2404 Running under WOW64
11:05:18.0093 2404 Processor architecture: Intel x64
11:05:18.0093 2404 Number of processors: 2
11:05:18.0093 2404 Page size: 0x1000
11:05:18.0093 2404 Boot type: Normal boot
11:05:18.0093 2404 ============================================================
11:05:21.0198 2404 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
11:05:21.0260 2404 ============================================================
11:05:21.0260 2404 \Device\Harddisk0\DR0:
11:05:21.0260 2404 MBR partitions:
11:05:21.0260 2404 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x32000
11:05:21.0260 2404 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x32800, BlocksNum 0x3A353000
11:05:21.0260 2404 ============================================================
11:05:21.0307 2404 C: <-> \Device\Harddisk0\DR0\Partition1
11:05:21.0307 2404 ============================================================
11:05:21.0307 2404 Initialize success
11:05:21.0307 2404 ============================================================
11:05:23.0335 1896 ============================================================
11:05:23.0335 1896 Scan started
11:05:23.0335 1896 Mode: Manual;
11:05:23.0335 1896 ============================================================
11:05:24.0146 1896 1394ohci (a87d604aea360176311474c87a63bb88) C:\Windows\system32\drivers\1394ohci.sys
11:05:24.0193 1896 1394ohci - ok
11:05:24.0255 1896 ACPI (d81d9e70b8a6dd14d42d7b4efa65d5f2) C:\Windows\system32\drivers\ACPI.sys
11:05:24.0271 1896 ACPI - ok
11:05:24.0318 1896 AcpiPmi (99f8e788246d495ce3794d7e7821d2ca) C:\Windows\system32\drivers\acpipmi.sys
11:05:24.0333 1896 AcpiPmi - ok
11:05:24.0474 1896 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
11:05:24.0489 1896 adp94xx - ok
11:05:24.0520 1896 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
11:05:24.0536 1896 adpahci - ok
11:05:24.0567 1896 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
11:05:24.0567 1896 adpu320 - ok
11:05:24.0630 1896 AeLookupSvc (4b78b431f225fd8624c5655cb1de7b61) C:\Windows\System32\aelupsvc.dll
11:05:24.0630 1896 AeLookupSvc - ok
11:05:24.0723 1896 AFD (1c7857b62de5994a75b054a9fd4c3825) C:\Windows\system32\drivers\afd.sys
11:05:24.0786 1896 AFD - ok
11:05:24.0832 1896 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\drivers\agp440.sys
11:05:24.0832 1896 agp440 - ok
11:05:24.0848 1896 ALG (3290d6946b5e30e70414990574883ddb) C:\Windows\System32\alg.exe
11:05:24.0910 1896 ALG - ok
11:05:24.0957 1896 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\drivers\aliide.sys
11:05:24.0957 1896 aliide - ok
11:05:25.0035 1896 AMD External Events Utility (d696f317bd465a602566f8e1dcce15f7) C:\Windows\system32\atiesrxx.exe
11:05:25.0176 1896 AMD External Events Utility - ok
11:05:25.0191 1896 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\drivers\amdide.sys
11:05:25.0191 1896 amdide - ok
11:05:25.0238 1896 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys
11:05:25.0269 1896 AmdK8 - ok
11:05:25.0285 1896 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
11:05:25.0316 1896 AmdPPM - ok
11:05:25.0378 1896 amdsata (d4121ae6d0c0e7e13aa221aa57ef2d49) C:\Windows\system32\drivers\amdsata.sys
11:05:25.0378 1896 amdsata - ok
11:05:25.0441 1896 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys
11:05:25.0456 1896 amdsbs - ok
11:05:25.0472 1896 amdxata (540daf1cea6094886d72126fd7c33048) C:\Windows\system32\drivers\amdxata.sys
11:05:25.0488 1896 amdxata - ok
11:05:25.0550 1896 AppID (89a69c3f2f319b43379399547526d952) C:\Windows\system32\drivers\appid.sys
11:05:25.0597 1896 AppID - ok
11:05:25.0628 1896 AppIDSvc (0bc381a15355a3982216f7172f545de1) C:\Windows\System32\appidsvc.dll
11:05:25.0690 1896 AppIDSvc - ok
11:05:25.0722 1896 Appinfo (3977d4a871ca0d4f2ed1e7db46829731) C:\Windows\System32\appinfo.dll
11:05:25.0784 1896 Appinfo - ok
11:05:25.0800 1896 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys
11:05:25.0800 1896 arc - ok
11:05:25.0831 1896 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys
11:05:25.0846 1896 arcsas - ok
11:05:25.0878 1896 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
11:05:25.0893 1896 AsyncMac - ok
11:05:25.0924 1896 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\drivers\atapi.sys
11:05:25.0940 1896 atapi - ok
11:05:26.0564 1896 atikmdag (52bd95caa9cae8977fe043e9ad6d2d0e) C:\Windows\system32\DRIVERS\atikmdag.sys
11:05:26.0892 1896 atikmdag - ok
11:05:27.0235 1896 AudioEndpointBuilder (f23fef6d569fce88671949894a8becf1) C:\Windows\System32\Audiosrv.dll
11:05:27.0328 1896 AudioEndpointBuilder - ok
11:05:27.0344 1896 AudioSrv (f23fef6d569fce88671949894a8becf1) C:\Windows\System32\Audiosrv.dll
11:05:27.0344 1896 AudioSrv - ok
11:05:27.0531 1896 AxInstSV (a6bf31a71b409dfa8cac83159e1e2aff) C:\Windows\System32\AxInstSV.dll
11:05:27.0594 1896 AxInstSV - ok
11:05:27.0796 1896 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys
11:05:27.0843 1896 b06bdrv - ok
11:05:27.0874 1896 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
11:05:27.0921 1896 b57nd60a - ok
11:05:27.0968 1896 BDESVC (fde360167101b4e45a96f939f388aeb0) C:\Windows\System32\bdesvc.dll
11:05:28.0015 1896 BDESVC - ok
11:05:28.0030 1896 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
11:05:28.0062 1896 Beep - ok
11:05:28.0155 1896 BFE (82974d6a2fd19445cc5171fc378668a4) C:\Windows\System32\bfe.dll
11:05:28.0171 1896 BFE - ok
11:05:28.0264 1896 BITS (1ea7969e3271cbc59e1730697dc74682) C:\Windows\System32\qmgr.dll
11:05:28.0342 1896 BITS - ok
11:05:28.0483 1896 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
11:05:28.0514 1896 blbdrive - ok
11:05:28.0592 1896 bowser (6c02a83164f5cc0a262f4199f0871cf5) C:\Windows\system32\DRIVERS\bowser.sys
11:05:28.0654 1896 bowser - ok
11:05:28.0717 1896 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys
11:05:28.0748 1896 BrFiltLo - ok
11:05:28.0748 1896 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys
11:05:28.0779 1896 BrFiltUp - ok
11:05:28.0826 1896 Browser (8ef0d5c41ec907751b8429162b1239ed) C:\Windows\System32\browser.dll
11:05:28.0888 1896 Browser - ok
11:05:28.0951 1896 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
11:05:28.0998 1896 Brserid - ok
11:05:28.0998 1896 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
11:05:29.0029 1896 BrSerWdm - ok
11:05:29.0044 1896 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
11:05:29.0060 1896 BrUsbMdm - ok
11:05:29.0076 1896 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
11:05:29.0091 1896 BrUsbSer - ok
11:05:29.0107 1896 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys
11:05:29.0154 1896 BTHMODEM - ok
11:05:29.0185 1896 bthserv (95f9c2976059462cbbf227f7aab10de9) C:\Windows\system32\bthserv.dll
11:05:29.0247 1896 bthserv - ok
11:05:29.0263 1896 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
11:05:29.0310 1896 cdfs - ok
11:05:29.0356 1896 cdrom (f036ce71586e93d94dab220d7bdf4416) C:\Windows\system32\drivers\cdrom.sys
11:05:29.0403 1896 cdrom - ok
11:05:29.0450 1896 CertPropSvc (f17d1d393bbc69c5322fbfafaca28c7f) C:\Windows\System32\certprop.dll
11:05:29.0528 1896 CertPropSvc - ok
11:05:29.0544 1896 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys
11:05:29.0575 1896 circlass - ok
11:05:29.0622 1896 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
11:05:29.0637 1896 CLFS - ok
11:05:29.0793 1896 clr_optimization_v2.0.50727_32 (d88040f816fda31c3b466f0fa0918f29) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
11:05:29.0809 1896 clr_optimization_v2.0.50727_32 - ok
11:05:29.0887 1896 clr_optimization_v2.0.50727_64 (d1ceea2b47cb998321c579651ce3e4f8) C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
11:05:29.0902 1896 clr_optimization_v2.0.50727_64 - ok
11:05:30.0105 1896 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
11:05:30.0168 1896 clr_optimization_v4.0.30319_32 - ok
11:05:30.0292 1896 clr_optimization_v4.0.30319_64 (c6f9af94dcd58122a4d7e89db6bed29d) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
11:05:30.0292 1896 clr_optimization_v4.0.30319_64 - ok
11:05:30.0339 1896 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
11:05:30.0370 1896 CmBatt - ok
11:05:30.0417 1896 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\drivers\cmdide.sys
11:05:30.0417 1896 cmdide - ok
11:05:30.0495 1896 CNG (9ac4f97c2d3e93367e2148ea940cd2cd) C:\Windows\system32\Drivers\cng.sys
11:05:30.0542 1896 CNG - ok
11:05:30.0573 1896 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
11:05:30.0573 1896 Compbatt - ok
11:05:30.0636 1896 CompositeBus (03edb043586cceba243d689bdda370a8) C:\Windows\system32\drivers\CompositeBus.sys
11:05:30.0667 1896 CompositeBus - ok
11:05:30.0698 1896 COMSysApp - ok
11:05:30.0729 1896 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys
11:05:30.0745 1896 crcdisk - ok
11:05:30.0807 1896 CryptSvc (4f5414602e2544a4554d95517948b705) C:\Windows\system32\cryptsvc.dll
11:05:30.0885 1896 CryptSvc - ok
11:05:30.0979 1896 DcomLaunch (5c627d1b1138676c0a7ab2c2c190d123) C:\Windows\system32\rpcss.dll
11:05:30.0994 1896 DcomLaunch - ok
11:05:31.0057 1896 defragsvc (3cec7631a84943677aa8fa8ee5b6b43d) C:\Windows\System32\defragsvc.dll
11:05:31.0135 1896 defragsvc - ok
11:05:31.0166 1896 DfsC (9bb2ef44eaa163b29c4a4587887a0fe4) C:\Windows\system32\Drivers\dfsc.sys
11:05:31.0213 1896 DfsC - ok
11:05:31.0275 1896 Dhcp (43d808f5d9e1a18e5eeb5ebc83969e4e) C:\Windows\system32\dhcpcore.dll
11:05:31.0338 1896 Dhcp - ok
11:05:31.0353 1896 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
11:05:31.0384 1896 discache - ok
11:05:31.0431 1896 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\DRIVERS\disk.sys
11:05:31.0431 1896 Disk - ok
11:05:31.0478 1896 Dnscache (16835866aaa693c7d7fceba8fff706e4) C:\Windows\System32\dnsrslvr.dll
11:05:31.0556 1896 Dnscache - ok
11:05:31.0618 1896 dot3svc (b1fb3ddca0fdf408750d5843591afbc6) C:\Windows\System32\dot3svc.dll
11:05:31.0681 1896 dot3svc - ok
11:05:31.0728 1896 DPS (b26f4f737e8f9df4f31af6cf31d05820) C:\Windows\system32\dps.dll
11:05:31.0743 1896 DPS - ok
11:05:31.0774 1896 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
11:05:31.0790 1896 drmkaud - ok
11:05:31.0930 1896 DXGKrnl (f5bee30450e18e6b83a5012c100616fd) C:\Windows\System32\drivers\dxgkrnl.sys
11:05:31.0977 1896 DXGKrnl - ok
11:05:32.0008 1896 EapHost (e2dda8726da9cb5b2c4000c9018a9633) C:\Windows\System32\eapsvc.dll
11:05:32.0071 1896 EapHost - ok
11:05:32.0398 1896 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\DRIVERS\evbda.sys
11:05:32.0554 1896 ebdrv - ok
11:05:32.0820 1896 EFS (c118a82cd78818c29ab228366ebf81c3) C:\Windows\System32\lsass.exe
11:05:32.0866 1896 EFS - ok
11:05:33.0038 1896 ehRecvr (c4002b6b41975f057d98c439030cea07) C:\Windows\ehome\ehRecvr.exe
11:05:33.0178 1896 ehRecvr - ok
11:05:33.0225 1896 ehSched (4705e8ef9934482c5bb488ce28afc681) C:\Windows\ehome\ehsched.exe
11:05:33.0303 1896 ehSched - ok
11:05:33.0506 1896 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\DRIVERS\elxstor.sys
11:05:33.0522 1896 elxstor - ok
11:05:33.0553 1896 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\drivers\errdev.sys
11:05:33.0568 1896 ErrDev - ok
11:05:33.0646 1896 EventSystem (4166f82be4d24938977dd1746be9b8a0) C:\Windows\system32\es.dll
11:05:33.0724 1896 EventSystem - ok
11:05:33.0756 1896 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
11:05:33.0802 1896 exfat - ok
11:05:33.0818 1896 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
11:05:33.0865 1896 fastfat - ok
11:05:33.0865 1896 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\DRIVERS\fdc.sys
11:05:33.0896 1896 fdc - ok
11:05:33.0912 1896 fdPHost (0438cab2e03f4fb61455a7956026fe86) C:\Windows\system32\fdPHost.dll
11:05:33.0958 1896 fdPHost - ok
11:05:33.0990 1896 FDResPub (802496cb59a30349f9a6dd22d6947644) C:\Windows\system32\fdrespub.dll
11:05:34.0036 1896 FDResPub - ok
11:05:34.0052 1896 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
11:05:34.0052 1896 FileInfo - ok
11:05:34.0068 1896 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
11:05:34.0114 1896 Filetrace - ok
11:05:34.0130 1896 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\DRIVERS\flpydisk.sys
11:05:34.0146 1896 flpydisk - ok
11:05:34.0192 1896 FltMgr (da6b67270fd9db3697b20fce94950741) C:\Windows\system32\drivers\fltmgr.sys
11:05:34.0208 1896 FltMgr - ok
11:05:34.0348 1896 FontCache (5c4cb4086fb83115b153e47add961a0c) C:\Windows\system32\FntCache.dll
11:05:34.0458 1896 FontCache - ok
11:05:34.0567 1896 FontCache3.0.0.0 (a8b7f3818ab65695e3a0bb3279f6dce6) C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
11:05:34.0567 1896 FontCache3.0.0.0 - ok
11:05:34.0723 1896 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
11:05:34.0723 1896 FsDepends - ok
11:05:34.0785 1896 Fs_Rec (6bd9295cc032dd3077c671fccf579a7b) C:\Windows\system32\drivers\Fs_Rec.sys
11:05:34.0785 1896 Fs_Rec - ok
11:05:34.0863 1896 fvevol (1f7b25b858fa27015169fe95e54108ed) C:\Windows\system32\DRIVERS\fvevol.sys
11:05:34.0879 1896 fvevol - ok
11:05:34.0910 1896 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\DRIVERS\gagp30kx.sys
11:05:34.0926 1896 gagp30kx - ok
11:05:35.0004 1896 gpsvc (277bbc7e1aa1ee957f573a10eca7ef3a) C:\Windows\System32\gpsvc.dll
11:05:35.0097 1896 gpsvc - ok
11:05:35.0113 1896 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
11:05:35.0144 1896 hcw85cir - ok
11:05:35.0222 1896 HdAudAddService (975761c778e33cd22498059b91e7373a) C:\Windows\system32\drivers\HdAudio.sys
11:05:35.0284 1896 HdAudAddService - ok
11:05:35.0316 1896 HDAudBus (97bfed39b6b79eb12cddbfeed51f56bb) C:\Windows\system32\drivers\HDAudBus.sys
11:05:35.0316 1896 HDAudBus - ok
11:05:35.0331 1896 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\DRIVERS\HidBatt.sys
11:05:35.0347 1896 HidBatt - ok
11:05:35.0362 1896 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\DRIVERS\hidbth.sys
11:05:35.0409 1896 HidBth - ok
11:05:35.0440 1896 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\DRIVERS\hidir.sys
11:05:35.0456 1896 HidIr - ok
11:05:35.0487 1896 hidserv (bd9eb3958f213f96b97b1d897dee006d) C:\Windows\system32\hidserv.dll
11:05:35.0550 1896 hidserv - ok
11:06:04.0644 1896 WwanSvc - ok
11:06:04.0675 1896 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
11:06:05.0002 1896 \Device\Harddisk0\DR0 - ok
11:06:05.0002 1896 Boot (0x1200) (cfe5992cdf3bac34e1cddcdbff3b235c) \Device\Harddisk0\DR0\Partition0
11:06:05.0002 1896 \Device\Harddisk0\DR0\Partition0 - ok
11:06:05.0018 1896 Boot (0x1200) (2f6ea54cdb88c6413bbf5b1ecec3f73a) \Device\Harddisk0\DR0\Partition1
11:06:05.0034 1896 \Device\Harddisk0\DR0\Partition1 - ok
11:06:05.0034 1896 ============================================================
11:06:05.0034 1896 Scan finished
11:06:05.0034 1896 ============================================================
11:06:05.0049 3616 Detected object count: 0
11:06:05.0049 3616 Actual detected object count: 0
11:06:27.0794 2580 Deinitialize success


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-09 11:06:34
-----------------------------
11:06:34.464 OS Version: Windows x64 6.1.7601 Service Pack 1
11:06:34.464 Number of processors: 2 586 0x170A
11:06:34.464 ComputerName: TUPAC UserName: Liz
11:06:36.304 Initialize success
11:06:43.149 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
11:06:43.149 Disk 0 Vendor: ST9500420ASG 0004SDM1 Size: 476940MB BusType: 11
11:06:43.165 Disk 0 MBR read successfully
11:06:43.180 Disk 0 MBR scan
11:06:43.180 Disk 0 Windows 7 default MBR code
11:06:43.196 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
11:06:43.211 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476838 MB offset 206848
11:06:43.258 Disk 0 scanning C:\Windows\system32\drivers
11:06:51.589 Service scanning
11:07:05.504 Modules scanning
11:07:05.519 Disk 0 trace - called modules:
11:07:05.566 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
11:07:05.566 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004c2e390]
11:07:05.582 3 CLASSPNP.SYS[fffff88001bcd43f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800478f060]
11:07:05.597 Scan finished successfully
11:07:20.995 Disk 0 MBR has been saved successfully to "C:\Users\Liz\Desktop\MBR.dat"
11:07:21.010 The log file has been saved successfully to "C:\Users\Liz\Desktop\aswMBR.txt"


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Liz at 11:13:00 on 2012-08-09
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4061.2609 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\Razer\Diamondback\Razer\Diamondback\razerhid.exe
C:\Program Files (x86)\Razer\Diamondback\Razer\Diamondback\razertra.exe
C:\Program Files (x86)\Razer\Diamondback\Razer\Diamondback\razerofa.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Liz\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mWinlogon: Userinit=userinit.exe
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun: [Diamondback] C:\Program Files (x86)\Razer\Diamondback\Razer\Diamondback\razerhid.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{E9E5EACD-1D7A-4066-847D-E965CF3D4975} : DhcpNameServer = 75.75.75.75 75.75.76.76
IFEO: taskmgr.exe - "C:\USERS\LIZ\DESKTOP\PROCESSEXPLORER\PROCEXP.EXE"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
mRun-x64: [Diamondback] C:\Program Files (x86)\Razer\Diamondback\Razer\Diamondback\razerhid.exe
IFEO-X64: taskmgr.exe - "C:\USERS\LIZ\DESKTOP\PROCESSEXPLORER\PROCEXP.EXE"
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-7-31 655944]
R3 itecir;ITECIR Infrared Receiver;C:\Windows\system32\DRIVERS\itecir.sys --> C:\Windows\system32\DRIVERS\itecir.sys [?]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\k57nd60a.sys --> C:\Windows\system32\DRIVERS\k57nd60a.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 Razerlow;Razer Pro|Solutions;C:\Windows\system32\drivers\Razerlow.sys --> C:\Windows\system32\drivers\Razerlow.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
S3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2012-3-26 291696]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-08-09 13:22:46 9133488 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{C74F46AF-C42C-4941-9EA0-9AC946F28DB0}\mpengine.dll
2012-08-08 07:17:44 9133488 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-06 22:41:07 -------- d-----w- C:\Users\Liz\AppData\Roaming\OpenOffice.org
2012-08-06 22:28:06 -------- d-----w- C:\Program Files (x86)\OpenOffice.org 3
2012-08-03 03:32:37 -------- d-----w- C:\Windows\System32\SPReview
2012-08-03 03:31:14 -------- d-----w- C:\Windows\System32\EventProviders
2012-08-03 03:30:16 1139200 ----a-w- C:\Windows\System32\FntCache.dll
2012-08-03 03:30:14 902656 ----a-w- C:\Windows\System32\d2d1.dll
2012-08-03 03:30:14 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
2012-08-01 23:30:59 800256 ----a-w- C:\Windows\System32\usp10.dll
2012-08-01 23:29:59 830464 ----a-w- C:\Windows\SysWow64\MSMPEG2ENC.DLL
2012-08-01 23:28:59 406528 ----a-w- C:\Windows\SysWow64\wimgapi.dll
2012-08-01 23:27:59 7680 ----a-w- C:\Windows\SysWow64\KBDCZ1.DLL
2012-08-01 23:24:57 529408 ----a-w- C:\Windows\System32\wbemcomn.dll
2012-08-01 23:24:57 244736 ----a-w- C:\Program Files\Windows Portable Devices\sqmapi.dll
2012-08-01 23:24:43 244736 ----a-w- C:\Windows\System32\sqmapi.dll
2012-08-01 13:42:37 -------- d-----w- C:\Windows\SysWow64\Wat
2012-08-01 13:42:37 -------- d-----w- C:\Windows\System32\Wat
2012-08-01 07:55:16 3148800 ----a-w- C:\Windows\System32\win32k.sys
2012-08-01 07:04:45 23408 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
2012-08-01 07:04:44 81408 ----a-w- C:\Windows\System32\imagehlp.dll
2012-08-01 07:04:44 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
2012-08-01 07:04:44 5120 ----a-w- C:\Windows\System32\wmi.dll
2012-08-01 07:04:44 220672 ----a-w- C:\Windows\System32\wintrust.dll
2012-08-01 07:04:44 172544 ----a-w- C:\Windows\SysWow64\wintrust.dll
2012-08-01 07:04:44 159232 ----a-w- C:\Windows\SysWow64\imagehlp.dll
2012-08-01 04:25:29 27016 ----a-w- C:\Windows\SysWow64\drivers\PROCEXP141.SYS
2012-08-01 04:08:58 142336 ----a-w- C:\Windows\System32\poqexec.exe
2012-08-01 04:08:58 123904 ----a-w- C:\Windows\SysWow64\poqexec.exe
2012-08-01 04:08:49 961024 ----a-w- C:\Windows\System32\CPFilters.dll
2012-08-01 04:08:47 642048 ----a-w- C:\Windows\SysWow64\CPFilters.dll
2012-08-01 04:08:47 1118720 ----a-w- C:\Windows\System32\sbe.dll
2012-08-01 04:08:46 259072 ----a-w- C:\Windows\System32\mpg2splt.ax
2012-08-01 04:08:45 850944 ----a-w- C:\Windows\SysWow64\sbe.dll
2012-08-01 04:08:45 199680 ----a-w- C:\Windows\SysWow64\mpg2splt.ax
2012-08-01 04:08:43 2871808 ----a-w- C:\Windows\explorer.exe
2012-08-01 04:08:43 2616320 ----a-w- C:\Windows\SysWow64\explorer.exe
2012-08-01 04:06:59 288768 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2012-08-01 04:05:59 476160 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2012-08-01 04:05:58 288256 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
2012-08-01 04:05:21 870912 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2012-08-01 04:05:21 1465344 ----a-w- C:\Windows\System32\XpsPrint.dll
2012-08-01 04:05:11 1359872 ----a-w- C:\Windows\System32\mfc42u.dll
2012-08-01 04:05:10 1395712 ----a-w- C:\Windows\System32\mfc42.dll
2012-08-01 04:05:09 1164288 ----a-w- C:\Windows\SysWow64\mfc42u.dll
2012-08-01 04:05:09 1137664 ----a-w- C:\Windows\SysWow64\mfc42.dll
2012-08-01 04:02:53 27520 ----a-w- C:\Windows\System32\drivers\Diskdump.sys
2012-08-01 04:02:49 33792 ----a-w- C:\Windows\System32\profprov.dll
2012-08-01 04:02:49 209920 ----a-w- C:\Windows\System32\profsvc.dll
2012-08-01 04:02:48 183296 ----a-w- C:\Windows\System32\dnsrslvr.dll
2012-08-01 04:02:47 30208 ----a-w- C:\Windows\System32\dnscacheugc.exe
2012-08-01 04:02:47 28672 ----a-w- C:\Windows\SysWow64\dnscacheugc.exe
2012-08-01 03:51:55 498688 ----a-w- C:\Windows\System32\drivers\afd.sys
2012-08-01 03:49:51 421888 ----a-w- C:\Windows\System32\KernelBase.dll
2012-08-01 03:48:57 90624 ----a-w- C:\Windows\System32\drivers\bowser.sys
2012-08-01 03:48:53 861696 ----a-w- C:\Windows\System32\oleaut32.dll
2012-08-01 03:48:52 571904 ----a-w- C:\Windows\SysWow64\oleaut32.dll
2012-08-01 03:48:52 331776 ----a-w- C:\Windows\System32\oleacc.dll
2012-08-01 03:48:52 233472 ----a-w- C:\Windows\SysWow64\oleacc.dll
2012-08-01 03:48:46 723456 ----a-w- C:\Windows\System32\EncDec.dll
2012-08-01 03:48:45 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2012-08-01 03:48:41 1731920 ----a-w- C:\Windows\System32\ntdll.dll
2012-08-01 03:48:40 1292080 ----a-w- C:\Windows\SysWow64\ntdll.dll
2012-08-01 03:48:38 73728 ----a-w- C:\Windows\SysWow64\Diamondback.cpl
2012-08-01 03:48:20 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-08-01 03:43:14 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2012-08-01 03:43:14 2048 ----a-w- C:\Windows\System32\tzres.dll
2012-08-01 03:43:03 288640 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
2012-08-01 03:43:03 1918320 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-08-01 03:43:01 2164224 ----a-w- C:\Program Files\Windows Journal\Journal.exe
2012-08-01 03:43:00 936960 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-08-01 03:43:00 1732096 ----a-w- C:\Program Files\Windows Journal\NBDoc.DLL
2012-08-01 03:43:00 1393664 ----a-w- C:\Program Files\Windows Journal\JNTFiltr.dll
2012-08-01 03:43:00 1367552 ----a-w- C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll
2012-08-01 03:42:59 1402880 ----a-w- C:\Program Files\Windows Journal\JNWDRV.dll
2012-08-01 03:41:15 -------- d-----w- C:\Users\Liz\AppData\Roaming\Malwarebytes
2012-08-01 03:40:57 -------- d-----w- C:\ProgramData\Malwarebytes
2012-08-01 03:40:56 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-08-01 03:40:55 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-08-01 03:22:39 927800 ------w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{6F968243-261E-4F39-B57E-82E6ECD6BD1F}\gapaengine.dll
2012-08-01 03:17:43 77312 ----a-w- C:\Windows\System32\packager.dll
2012-08-01 03:17:43 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2012-08-01 03:13:12 826880 ----a-w- C:\Windows\SysWow64\rdpcore.dll
2012-08-01 03:13:12 23552 ----a-w- C:\Windows\System32\drivers\tdtcp.sys
2012-08-01 03:13:12 1031680 ----a-w- C:\Windows\System32\rdpcore.dll
2012-08-01 03:12:35 -------- d-----w- C:\Users\Liz\AppData\Local\Diagnostics
2012-08-01 03:11:26 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2012-08-01 03:11:13 -------- d-----w- C:\Program Files\Microsoft Security Client
2012-08-01 03:07:11 -------- d-----w- C:\Users\Liz\AppData\Local\Google
2012-08-01 03:07:00 -------- d-----w- C:\Users\Liz\AppData\Local\Deployment
2012-08-01 03:07:00 -------- d-----w- C:\Users\Liz\AppData\Local\Apps
2012-08-01 03:05:21 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-08-01 03:05:13 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-08-01 03:05:03 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-08-01 03:05:03 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-07-30 21:23:41 -------- d-----w- C:\Windows\Panther
2012-07-30 21:23:14 -------- d-----w- C:\Windows\System32\oem
2012-07-30 20:32:20 0 ----a-w- C:\Windows\ativpsrm.bin
2012-07-30 17:54:20 -------- d-----w- C:\Users\Liz\AppData\Local\ElevatedDiagnostics
2012-07-30 17:50:14 -------- d-----w- C:\Program Files\Broadcom
2012-07-30 17:48:32 -------- d-----w- C:\Program Files\Dell
2012-07-30 17:47:16 -------- d-----w- C:\Users\Liz\AppData\Roaming\WirelessManager
2012-07-30 17:45:21 -------- d-----w- C:\dell
2012-07-30 17:43:36 45056 ----a-r- C:\Users\Liz\AppData\Roaming\Microsoft\Installer\{42929F0F-CE14-47AF-9FC7-FF297A603021}\NewShortcut1_42929F0FCE1447AF9FC7FF297A603021_1.exe
2012-07-30 17:43:36 -------- d-----w- C:\Windows\SysWow64\vmm32
2012-07-30 17:43:36 -------- d-----w- C:\Program Files (x86)\Dell
2012-07-30 17:43:18 -------- d-sh--w- C:\Windows\Installer
.
==================== Find3M ====================
.
2012-08-03 03:46:10 175616 ----a-w- C:\Windows\System32\msclmd.dll
2012-08-03 03:46:10 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2012-06-06 06:06:16 2004480 ----a-w- C:\Windows\System32\msxml6.dll
2012-06-06 06:06:16 1881600 ----a-w- C:\Windows\System32\msxml3.dll
2012-06-06 06:02:54 1133568 ----a-w- C:\Windows\System32\cdosys.dll
2012-06-06 05:05:52 1390080 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-06-06 05:05:52 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-06-06 05:03:06 805376 ----a-w- C:\Windows\SysWow64\cdosys.dll
2012-06-02 05:50:10 458704 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-06-02 05:48:16 95600 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 05:48:16 151920 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-06-02 05:45:31 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-06-02 05:44:21 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-06-02 04:40:42 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-06-02 04:40:39 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-06-02 04:39:10 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-06-02 04:34:09 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
.
============= FINISH: 11:15:17.98 ===============

Attached Files

  • Attached File  MBR.zip   559bytes   0 downloads


#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,243 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:18 AM

Posted 09 August 2012 - 01:23 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

I personally change my important passwords.
===


Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html


Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third-party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs for my review.

#7 donteversleep

donteversleep
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:18 AM

Posted 09 August 2012 - 08:06 PM

Here are my logs:


ComboFix 12-08-09.01 - Liz 08/09/2012 20:39:33.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4061.3045 [GMT -4:00]
Running from: c:\users\Liz\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-10 to 2012-08-10 )))))))))))))))))))))))))))))))
.
.
2012-08-09 13:22 . 2012-07-16 06:40 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C74F46AF-C42C-4941-9EA0-9AC946F28DB0}\mpengine.dll
2012-08-08 07:17 . 2012-07-16 06:40 9133488 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-08-06 22:28 . 2012-08-06 22:28 -------- d-----w- c:\program files (x86)\OpenOffice.org 3
2012-08-03 03:52 . 2012-07-03 07:19 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-08-03 03:32 . 2012-08-03 03:32 -------- d-----w- c:\windows\system32\SPReview
2012-08-03 03:31 . 2012-08-03 03:31 -------- d-----w- c:\windows\system32\EventProviders
2012-08-03 03:30 . 2011-02-19 12:05 1139200 ----a-w- c:\windows\system32\FntCache.dll
2012-08-03 03:30 . 2011-02-19 12:04 902656 ----a-w- c:\windows\system32\d2d1.dll
2012-08-03 03:30 . 2011-02-19 06:30 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2012-08-01 23:31 . 2010-11-20 13:27 14633472 ----a-w- c:\windows\system32\wmp.dll
2012-08-01 23:30 . 2010-11-20 13:27 297984 ----a-w- c:\windows\system32\ws2_32.dll
2012-08-01 23:29 . 2010-11-20 13:33 103808 ----a-w- c:\windows\system32\drivers\sbp2port.sys
2012-08-01 23:28 . 2010-11-20 13:27 25600 ----a-w- c:\windows\system32\msyuv.dll
2012-08-01 23:27 . 2010-11-20 13:16 12625920 ----a-w- c:\windows\system32\wmploc.DLL
2012-08-01 23:24 . 2010-11-20 13:27 529408 ----a-w- c:\windows\system32\wbemcomn.dll
2012-08-01 23:24 . 2010-11-20 13:27 244736 ----a-w- c:\program files\Windows Portable Devices\sqmapi.dll
2012-08-01 23:24 . 2010-11-20 13:27 244736 ----a-w- c:\windows\system32\sqmapi.dll
2012-08-01 19:22 . 2012-08-01 19:22 -------- d-----w- c:\program files (x86)\Microsoft.NET
2012-08-01 13:42 . 2012-08-01 13:42 -------- d-----w- c:\windows\SysWow64\Wat
2012-08-01 13:42 . 2012-08-01 13:42 -------- d-----w- c:\windows\system32\Wat
2012-08-01 07:55 . 2012-06-12 03:08 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-08-01 07:04 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-08-01 07:04 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-08-01 07:04 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-08-01 07:04 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-08-01 07:04 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-08-01 07:04 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-08-01 07:04 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-08-01 04:25 . 2012-08-03 05:01 27016 ----a-w- c:\windows\SysWow64\drivers\PROCEXP141.SYS
2012-08-01 04:08 . 2011-04-09 06:58 142336 ----a-w- c:\windows\system32\poqexec.exe
2012-08-01 04:08 . 2011-04-09 05:56 123904 ----a-w- c:\windows\SysWow64\poqexec.exe
2012-08-01 04:08 . 2010-12-23 10:42 961024 ----a-w- c:\windows\system32\CPFilters.dll
2012-08-01 04:08 . 2010-12-23 10:42 1118720 ----a-w- c:\windows\system32\sbe.dll
2012-08-01 04:08 . 2010-12-23 05:54 642048 ----a-w- c:\windows\SysWow64\CPFilters.dll
2012-08-01 04:08 . 2010-12-23 10:36 259072 ----a-w- c:\windows\system32\mpg2splt.ax
2012-08-01 04:08 . 2010-12-23 05:54 850944 ----a-w- c:\windows\SysWow64\sbe.dll
2012-08-01 04:08 . 2010-12-23 05:50 199680 ----a-w- c:\windows\SysWow64\mpg2splt.ax
2012-08-01 04:08 . 2011-02-25 06:19 2871808 ----a-w- c:\windows\explorer.exe
2012-08-01 04:08 . 2011-02-25 05:30 2616320 ----a-w- c:\windows\SysWow64\explorer.exe
2012-08-01 04:06 . 2011-07-09 02:46 288768 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2012-08-01 04:05 . 2011-02-24 06:15 476160 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2012-08-01 04:05 . 2011-02-24 05:38 288256 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
2012-08-01 04:05 . 2011-03-12 12:08 1465344 ----a-w- c:\windows\system32\XpsPrint.dll
2012-08-01 04:05 . 2011-03-12 11:23 870912 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2012-08-01 04:05 . 2011-03-11 06:34 1359872 ----a-w- c:\windows\system32\mfc42u.dll
2012-08-01 04:05 . 2011-03-11 06:34 1395712 ----a-w- c:\windows\system32\mfc42.dll
2012-08-01 04:05 . 2011-03-11 05:33 1164288 ----a-w- c:\windows\SysWow64\mfc42u.dll
2012-08-01 04:05 . 2011-03-11 05:33 1137664 ----a-w- c:\windows\SysWow64\mfc42.dll
2012-08-01 04:05 . 2012-06-09 05:43 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-08-01 04:02 . 2011-04-22 22:15 27520 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2012-08-01 04:02 . 2012-05-01 05:40 209920 ----a-w- c:\windows\system32\profsvc.dll
2012-08-01 04:02 . 2010-11-20 13:27 33792 ----a-w- c:\windows\system32\profprov.dll
2012-08-01 04:02 . 2011-03-03 06:24 183296 ----a-w- c:\windows\system32\dnsrslvr.dll
2012-08-01 04:02 . 2011-03-03 06:24 357888 ----a-w- c:\windows\system32\dnsapi.dll
2012-08-01 04:02 . 2011-03-03 06:21 30208 ----a-w- c:\windows\system32\dnscacheugc.exe
2012-08-01 04:02 . 2011-03-03 05:36 28672 ----a-w- c:\windows\SysWow64\dnscacheugc.exe
2012-08-01 03:51 . 2011-12-28 03:59 498688 ----a-w- c:\windows\system32\drivers\afd.sys
2012-08-01 03:49 . 2011-07-16 05:41 362496 ----a-w- c:\windows\system32\wow64win.dll
2012-08-01 03:48 . 2011-02-23 04:55 90624 ----a-w- c:\windows\system32\drivers\bowser.sys
2012-08-01 03:48 . 2011-08-27 05:37 861696 ----a-w- c:\windows\system32\oleaut32.dll
2012-08-01 03:48 . 2011-08-27 05:37 331776 ----a-w- c:\windows\system32\oleacc.dll
2012-08-01 03:48 . 2011-08-27 04:26 571904 ----a-w- c:\windows\SysWow64\oleaut32.dll
2012-08-01 03:48 . 2011-08-27 04:26 233472 ----a-w- c:\windows\SysWow64\oleacc.dll
2012-08-01 03:48 . 2011-10-15 06:31 723456 ----a-w- c:\windows\system32\EncDec.dll
2012-08-01 03:48 . 2011-10-15 05:38 534528 ----a-w- c:\windows\SysWow64\EncDec.dll
2012-08-01 03:48 . 2011-11-17 06:41 1731920 ----a-w- c:\windows\system32\ntdll.dll
2012-08-01 03:48 . 2011-11-17 05:38 1292080 ----a-w- c:\windows\SysWow64\ntdll.dll
2012-08-01 03:48 . 2012-08-01 03:48 -------- d-----w- c:\program files (x86)\Razer
2012-08-01 03:48 . 2007-03-20 23:05 73728 ----a-w- c:\windows\SysWow64\Diamondback.cpl
2012-08-01 03:48 . 2012-08-01 03:48 -------- d--h--w- c:\program files (x86)\InstallShield Installation Information
2012-08-01 03:48 . 2012-01-31 12:44 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-08-01 03:43 . 2011-11-05 05:32 2048 ----a-w- c:\windows\system32\tzres.dll
2012-08-01 03:43 . 2011-11-05 04:26 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2012-08-01 03:43 . 2012-03-30 11:35 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-08-01 03:43 . 2010-11-20 13:33 288640 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2012-08-01 03:43 . 2010-11-20 13:24 2164224 ----a-w- c:\program files\Windows Journal\Journal.exe
2012-08-01 03:43 . 2012-03-31 05:42 1732096 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2012-08-01 03:43 . 2012-03-31 05:40 1367552 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-08-01 03:43 . 2012-03-31 05:40 1393664 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2012-08-01 03:43 . 2012-03-31 04:29 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-08-01 03:42 . 2012-03-31 05:40 1402880 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2012-08-01 03:40 . 2012-08-01 03:40 -------- d-----w- c:\programdata\Malwarebytes
2012-08-01 03:40 . 2012-07-03 17:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-01 03:40 . 2012-08-01 03:41 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-08-01 03:22 . 2012-02-09 18:17 927800 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6F968243-261E-4F39-B57E-82E6ECD6BD1F}\gapaengine.dll
2012-08-01 03:17 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2012-08-01 03:17 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-08-01 03:13 . 2012-02-17 06:38 1031680 ----a-w- c:\windows\system32\rdpcore.dll
2012-08-01 03:13 . 2012-02-17 05:34 826880 ----a-w- c:\windows\SysWow64\rdpcore.dll
2012-08-01 03:13 . 2012-02-17 04:57 23552 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-08-01 03:11 . 2012-08-01 03:11 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-07-30 20:32 . 2012-07-30 20:32 0 ----a-w- c:\windows\ativpsrm.bin
2012-07-30 17:50 . 2012-07-30 17:50 -------- d-----w- c:\program files\Broadcom
2012-07-30 17:48 . 2012-07-30 17:48 -------- d-----w- c:\programdata\Dell
2012-07-30 17:48 . 2012-07-30 17:48 -------- d-----w- c:\program files\Dell
2012-07-30 17:45 . 2012-07-30 17:45 -------- d-----w- C:\dell
2012-07-30 17:43 . 2012-07-30 17:46 -------- d-----w- c:\program files (x86)\Dell
2012-07-30 17:43 . 2012-07-30 17:43 -------- d-----w- c:\windows\SysWow64\vmm32
2012-07-30 17:43 . 2012-08-07 06:10 -------- d-sh--w- c:\windows\Installer
2012-07-30 17:40 . 2012-08-02 13:21 -------- d-----w- c:\users\Liz
2012-07-30 17:40 . 2012-07-30 17:40 -------- d-----w- C:\Recovery
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-03 03:46 . 2009-07-14 02:36 175616 ----a-w- c:\windows\system32\msclmd.dll
2012-08-03 03:46 . 2009-07-14 02:36 152576 ----a-w- c:\windows\SysWow64\msclmd.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
"Diamondback"="c:\program files (x86)\Razer\Diamondback\Razer\Diamondback\razerhid.exe" [2009-10-10 226816]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-21 98688]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 291696]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2012-08-01 1255736]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-08-18 203264]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2010-07-13 69736]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-06-07 317480]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
S3 Razerlow;Razer Pro|Solutions;c:\windows\system32\drivers\Razerlow.sys [2005-11-07 21120]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2870307713-1228017732-154039020-1000Core.job
- c:\users\Liz\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-01 03:07]
.
2012-08-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2870307713-1228017732-154039020-1000UA.job
- c:\users\Liz\AppData\Local\Google\Update\GoogleUpdate.exe [2012-08-01 03:07]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickSet"="c:\program files\Dell\QuickSet\QuickSet.exe" [2009-07-02 3180624]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 1271168]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-08-09 20:51:15 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-10 00:51
.
Pre-Run: 468,571,471,872 bytes free
Post-Run: 467,922,149,376 bytes free
.
- - End Of File - - A712BBB8117865535D1E717E3841797C



Results of screen317's Security Check version 0.99.43
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.62.0.1300
Google Chrome 21.0.1180.60
Google Chrome VisualElementsManifest.xml..
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 5%
````````````````````End of Log``````````````````````

#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,243 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:18 AM

Posted 10 August 2012 - 07:47 AM

All of your logs are clean.

Can you tell me what are the current issues with this computer.

#9 donteversleep

donteversleep
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:18 AM

Posted 10 August 2012 - 11:11 AM

My logs are now clean? I thought my original logs indicated a ZeroAccess infection? What changed? What was it about my first logs specifically that made you suspect ZeroAccess?

-Actually, your first reply said my GMER log indicated a ZeroAccess infection. As I'm running the 64-bit version of Windows 7, I did not run a GMER scan.

Again - I completely wiped my HDD 10 days ago because A: it was due for a reformat anyway and B: the suspicious activity and issues I mentioned in my first post. About two weeks before I wiped my drive, MSE detected the Java CVE-2012-1723 vulnerability shortly after I updated java. Soon after, I was unable to connect to the internet via my wireless router, but could connect by bypassing the router via ethernet. I'm not sure if those issues are related, however.

Since my clean install, my system was not able to detect the hardware for my wireless card when attempting to reinstall my drivers. Several "base system devices" and "unknown devices" with error symbols were listed in my device manager (however, now they are gone).

I am trying to determine if I am dealing with a corrupt windows installation or a rootkit that has been able to remain on my system after deleting all of my existing partitions.

Does any of the following seem abnormal to you, or is it typical windows activity? This is a 10 day old windows installation.

-3,686 Audit Policy change events, about 1000 within 1 day of new OS installation.
-Why have new network devices been appearing in my device manager that were not present on my first logon after the new install?
-Windows.Net Framework and Microsoft C++ Redistributable 2008 are now installed on my system - Does Windows install these programs automatically via Windows Update or something? The 'source' install folders for the C++ programs are named c:\"lots of number/letter gibberish" and are no longer there.
-Was the "Install.exe" file ComboFix deleted malware/suspicious? If so, how could that have gotten on my computer since a fresh install? I've hardly installed any new software and haven't been downloading any applications besides the anti-malware programs from this site and a few Sysinternals applications.
-I've seen many of my folders change to "shared" states then back to unshared without my actions.

If you think this is a corrupt hardware/software issue, I can certainly seek help in the appropriate forum. I'm not sure how wildly unlikely it is for a rootkit to remain on a system after a total hard drive wipe, and not be picked up by any malware scans.

Edited by donteversleep, 10 August 2012 - 11:16 AM.

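For anyone reading this thread later and wondering how to check the same things on their own machine, here is an added triage script (my own example, not something nasdaq or the OP posted). It counts Security-log "Audit Policy Change" events (Event ID 4719) per day and per account, lists the Run-key auto-start entries that ComboFix reports under "Reg Loading Points", and enumerates the WAN Miniport / ISATAP / Teredo devices the OP noticed. All three are there to be compared against a baseline: a burst of 4719 events right after setup and after each Windows Update batch is expected, and the WAN Miniport, ISATAP and Teredo adapters are standard Windows 7 components. It assumes Windows 7 (WMI instead of the newer Get-PnpDevice) and an elevated PowerShell session.

```powershell
# Added triage example (not from the thread). Run as Administrator on Windows 7.

# --- 1. Audit Policy Change events (Event ID 4719), per day -----------------
# 4719 = "System audit policy was changed". Setup and the Windows Update
# installer reapply audit policy, so a spike on install/update days is normal;
# a steady trickle at odd hours with no update activity is what deserves a look.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719 } `
                       -ErrorAction SilentlyContinue

"4719 events per day:"
$events |
    Group-Object { $_.TimeCreated.Date } |
    Sort-Object { [datetime]$_.Name } |
    Select-Object @{ n = 'Day'; e = { ([datetime]$_.Name).ToShortDateString() } }, Count |
    Format-Table -AutoSize

# Properties[1] of a 4719 event is SubjectUserName: separates SYSTEM
# (install/update) from changes made under an interactive user account.
"4719 events per subject account:"
$events |
    ForEach-Object { $_.Properties[1].Value } |
    Group-Object |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# --- 2. Auto-start entries (the Run keys ComboFix lists) --------------------
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
"Run-key entries:"
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    # Skip the PS* bookkeeping properties PowerShell adds to registry objects.
    $item.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value }
        }
} | Format-Table -AutoSize -Wrap

# --- 3. Tunnel / WAN pseudo-adapters ---------------------------------------
# These are created by Windows itself (RAS, 6to4/ISATAP/Teredo transition
# technologies) and are normally hidden in Device Manager. Seeing them is not
# a sign of compromise; compare the list against another Windows 7 machine.
"Hidden network pseudo-adapters:"
Get-WmiObject -Class Win32_PnPEntity |
    Where-Object { $_.Name -match 'WAN Miniport|ISATAP|Teredo|6to4' } |
    Sort-Object Name |
    Format-Table Name, DeviceID -AutoSize
```

The output from parts 2 and 3 maps directly onto the "Reg Loading Points" section and the Device Manager observations in this thread; what matters is the diff between this machine and a known-clean install of the same OS, not the presence of the standard entries.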

#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,243 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:18 AM

Posted 10 August 2012 - 12:33 PM

-Actually, your first reply said my GMER log indicated a ZeroAccess infection. As I'm running the 64 bit version of windows 7, I did not run a gmer scan.

That comment was made after I had looked at your previous topic and GMER log.

The latest scans and logs are clean.

Your router may have been corrupted. I suggest you reset it to Factory default.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is a list of default usernames and passwords, in case you don't know yours ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

How to Secure Your Wireless Router
http://www.ehow.com/how_2253625_secure-wireless-router.html

===

Keep me posted and will decide on the next step.

#11 donteversleep

donteversleep
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:18 AM

Posted 11 August 2012 - 04:41 PM

Okay, glad to hear things are looking good. I already reset my router to factory settings before I reinstalled, but I'll give it another shot. I also need to figure out the issue with my wireless card, because I'm having problems installing the driver.

I'll give you an update Sunday - after that, I won't be able to get back to you until Tuesday or Wednesday.

Thanks.

#12 donteversleep

donteversleep
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:18 AM

Posted 15 August 2012 - 09:33 AM

Hey - sorry for the delay. I was in surgery this Monday.

So, this is the issue I've been having since reinstalling my OS:

When attempting to install the drivers for my wireless card (from either the driver CD provided by Dell or an online download) I get this error message:

"No compatible hardware found. The software you are attempting to install is not supported on this system.
The software will not be installed.

Setup will no exit."

My wireless card does not appear in my device manager either.


Before I wiped my system, I was considering that my issues connecting to our wireless network might have been due to a problem with my wireless card. However, I couldn't connect to the network with my iPhone or another laptop either, so I assumed router issues.

Could these issues be connected?

#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,243 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:18 AM

Posted 15 August 2012 - 10:25 AM

I suggest you start a new topic in this Networking forum:
http://www.bleepingcomputer.com/forums/forum21.html

A more experienced helper should be able to help you better in that field.

From my end:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

#14 donteversleep

donteversleep
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:18 AM

Posted 16 August 2012 - 12:53 PM

Okay - thanks for the assistance. Glad to know it isn't a malware issue - I'll check in with the folks in the networking forum.

Combofix uninstalled. Thanks!
