
get-answers-fast.com


  • This topic is locked
15 replies to this topic

#1 JoePapa4

JoePapa4

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:17 AM

Posted 12 August 2012 - 10:58 AM

Hello, and thank you in advance for any guidance and insight you can provide to me regarding my problem. I'm running a fully up to date Windows XP.

It was apparent when I became infected a short while ago, and I took some immediate action. Shut down, restarted in safe mode, ran a recently-updated Malwarebytes scan and removed several items. Ran a few others as well (Spybot Search and Destroy, SuperAntiSpyware, TDSSKiller, FixTDSS). I also went into WinPatrol (which I keep running all the time), and found two recently added programs and removed them as well. All of my symptoms went away (including the fake security warnings and offer to purchase some fake spyware removal tool, and the blocking of just about every .exe file I attempted to run). So, things were mostly better except for one main remaining symptom: Google results redirect.

With every google search (not Bing search, etc), I get what seems to be accurate results. But when I click on a result, it sends me to 'click.get-answers-fast.com...'... which then more or less immediately forwards me to other sites with IP addresses as their name... obviously too good.

Another symptom seems to be that I can't start the Windows firewall... when I go to Control Panel and double click 'Windows Firewall', I get back an error message: "Due to an unidentified problem, Windows cannot display Windows Firewall settings." Ugh.

So, I'm hoping you can help. I have the DDS log file and the GMER log file below, and I attached the attach.txt file.

Thanks again in advance for your time and effort! I really appreciate it.

Best regards,

Joe

=-=-=-=-=-=-= DDS log file =-=-=-=-=-=-=
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Carpinelli Home at 9:41:51 on 2012-08-12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.491 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.weather.com/weather/tenday/08648:4:US
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\6d816777-7f6d-4d6e-afe7-90f557ded6b3.com
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [<NO NAME>]
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: mswsock.dll
Trusted Zone: intuit.com\ttlc
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://cabinetstogo.2020.net/Core/Player/2020PlayerAX_Win32.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1277649330408
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1282878750750
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{6E74FC76-317A-4FEC-ADEB-D9A7C8D12B47} : DhcpNameServer = 192.168.0.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\documents and settings\carpinelli home\local settings\application data\google\chrome\application\15.0.874.106\npchrome_frame.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2011-4-1 428640]
S0 cerc6;cerc6; [x]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\superantispyware\sabkutil.sys --> c:\program files\superantispyware\SABKUTIL.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-26 136176]
S3 ATIXPGAA;ATIXPGAA;c:\dell\drivers\r101342\ATIXPGAA.SYS [2010-6-27 12032]
S3 esgiguard;esgiguard;\??\c:\program files\enigma software group\spyhunter\esgiguard.sys --> c:\program files\enigma software group\spyhunter\esgiguard.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-8-26 136176]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 Browser Defender Update Service;Browser Defender Update Service;"c:\program files\pc tools security\bdt\bdtupdateservice.exe" --> c:\program files\pc tools security\bdt\BDTUpdateService.exe [?]
.
=============== Created Last 30 ================
.
2012-08-12 04:31:12 -------- d-----w- c:\program files\Enigma Software Group
2012-08-12 04:30:39 -------- d-----w- c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP
2012-08-12 04:30:32 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2012-08-12 04:19:02 -------- d-----w- c:\windows\system32\drivers\etc
2012-08-03 05:14:29 -------- d-----w- c:\documents and settings\carpinelli home\local settings\application data\{05463A51-DD2A-11E1-8270-B8AC6F996F26}
2012-08-03 05:13:48 -------- d-----w- c:\documents and settings\all users\application data\6F638BFE83F957640000D5457B07D287
2012-08-03 05:12:58 56320 ------w- c:\windows\system32\labeonui.dll
.
==================== Find3M ====================
.
2012-08-12 13:05:56 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-12 13:05:56 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-03 17:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50:25 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 19:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 19:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
.
============= FINISH: 9:49:58.32 ===============


=-=-=-=-=-=-= GMER log file =-=-=-=-=-=-=
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-12 11:58:06
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1600BEVE-00WZT0 rev.01.01A01
Running: vjskjwj2.exe; Driver: C:\DOCUME~1\CARPIN~1\LOCALS~1\Temp\pxtdapog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEDEAA620]

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\CARPIN~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[716] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A65 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[716] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0DD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[716] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2000] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2000] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAD4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2000] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E7207 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2000] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E7139 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2000] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E71A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2000] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E700A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2000] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E706C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2000] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E726A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2000] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E70CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9A65 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0DD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDAD4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E7207 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E7139 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E71A4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E700A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E706C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E726A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E70CE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB30 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2844] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E756F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP Photosmart Plus B209a-m@ChangeID 3119218

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Carpinelli Home\Cookies\LRCSZKKJ.txt 0 bytes
File C:\Documents and Settings\Carpinelli Home\Cookies\NLP7TYCZ.txt 0 bytes
File C:\WINDOWS\$NtUninstallKB43989$\2150683674 0 bytes
File C:\WINDOWS\$NtUninstallKB43989$\2150683674\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB43989$\2150683674\bckfg.tmp 823 bytes
File C:\WINDOWS\$NtUninstallKB43989$\2150683674\keywords 0 bytes
File C:\WINDOWS\$NtUninstallKB43989$\2150683674\L(2) 0 bytes
File C:\WINDOWS\$NtUninstallKB43989$\2150683674\L(2)\macpavbj 75264 bytes
File C:\WINDOWS\$NtUninstallKB43989$\2150683674\U(2) 0 bytes
File C:\WINDOWS\$NtUninstallKB43989$\2150683674\U(2)\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB43989$\2150683674\U(2)\00000002.@ 209920 bytes
File C:\WINDOWS\$NtUninstallKB43989$\2150683674\U(2)\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB43989$\2150683674\U(2)\80000032.@ 71168 bytes
File C:\WINDOWS\$NtUninstallKB43989$\627833787 0 bytes

---- EOF - GMER 1.0.15 ----


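An added example, not part of this thread and not code from GMER, ComboFix or any other tool mentioned here: a small Python triage script that reads a GMER "Files" listing or a ComboFix "Other Deletions" list and flags the hiding-place layout visible in the logs above (a $NtUninstallKB...$ or Installer\{GUID} folder holding a random numeric subfolder, U/L payload directories and files named "@" or "<8 hex digits>.@"). The flagged paths are copied from this thread's GMER and ComboFix logs, which ComboFix later removes and which the poster's ComboFix run reports as rootkit.zeroaccess; the matching heuristic is mine, and the benign $NtUninstallKB000000$\spuninst line is a constructed placeholder for what a genuine hotfix-uninstall folder looks like.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: paths copied from the GMER "Files" section and the
# ComboFix "Other Deletions" section in this thread, plus one benign cookie
# line from the GMER log and one constructed benign uninstall folder
# ($NtUninstallKB000000$ is a placeholder, not a real update) so the filter
# has something it must leave alone.
SAMPLE_LINES = r"""
File C:\Documents and Settings\Carpinelli Home\Cookies\LRCSZKKJ.txt 0 bytes
File C:\WINDOWS\$NtUninstallKB43989$\2150683674\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB43989$\2150683674\L(2)\macpavbj 75264 bytes
File C:\WINDOWS\$NtUninstallKB43989$\2150683674\U(2)\80000032.@ 71168 bytes
c:\windows\Installer\{2f75cbd9-6aa2-0558-a00f-f2f4c17aef5e}\U\00000001.@
c:\windows\$NtUninstallKB000000$\spuninst\spuninst.exe
c:\windows\jestertb.dll
"""

# Heuristics (mine, not GMER's or ComboFix's) for the folder layout seen in
# this thread: a fake hotfix-uninstall folder or an Installer\{GUID} folder
# holding a random numeric subfolder, U/L payload directories and files named
# "@" or "<8 hex digits>.@".
FAKE_UNINSTALL = re.compile(r"^\$NtUninstall[^$]+\$$", re.I)
INSTALLER_GUID = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
PAYLOAD_DIR = re.compile(r"^[UL](\(\d+\))?$", re.I)
PAYLOAD_FILE = re.compile(r"^(@|[0-9a-f]{8}\.@|keywords|bckfg\.tmp)$", re.I)

GMER_FILE_LINE = re.compile(r"^File\s+(.*?)\s+\d+\s+bytes$")


def parse_path(line):
    """Return the path from a GMER 'File <path> <n> bytes' line or a bare
    ComboFix path line; None for blank lines."""
    line = line.strip()
    if not line:
        return None
    m = GMER_FILE_LINE.match(line)
    return m.group(1) if m else line


def zeroaccess_indicators(path):
    """List the reasons a path matches the hiding-place layout above ([] = clean)."""
    parts = PureWindowsPath(path).parts
    reasons = []
    for i, comp in enumerate(parts):
        fake_uninstall = bool(FAKE_UNINSTALL.match(comp))
        installer_guid = (bool(INSTALLER_GUID.match(comp))
                          and i > 0 and parts[i - 1].lower() == "installer")
        if not (fake_uninstall or installer_guid):
            continue
        below = parts[i + 1:]          # everything beneath the container folder
        if not below:
            break                      # the container alone proves nothing
        if fake_uninstall and below[0].isdigit():
            reasons.append(f"numeric subfolder {below[0]} under {comp} "
                           "(a genuine uninstall folder holds 'spuninst')")
        reasons += [f"payload directory {sub} under {comp}"
                    for sub in below if PAYLOAD_DIR.match(sub)]
        if PAYLOAD_FILE.match(below[-1]):
            reasons.append(f"payload file {below[-1]} under {comp}")
        break
    return reasons


def triage(log_text):
    """Map every suspicious path in a GMER/ComboFix-style listing to its reasons."""
    findings = {}
    for line in log_text.splitlines():
        path = parse_path(line)
        if path and (reasons := zeroaccess_indicators(path)):
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LINES).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the sample it flags the four ZeroAccess-style paths and leaves the cookie, the placeholder uninstall folder and jestertb.dll alone; the last one is a reminder that this layout check covers only the folder structure, so a single dropped DLL still needs the scanner's own signatures.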

#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:17 AM

Posted 14 August 2012 - 01:12 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 JoePapa4

JoePapa4
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:17 AM

Posted 15 August 2012 - 11:31 PM

Thanks for your reply, Gringo.

Here is the output of SecurityCheck...

-=-=-=-=-

Results of screen317's Security Check version 0.99.44
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
WinPatrol
Spybot - Search & Destroy
SUPERAntiSpyware
Malwarebytes Anti-Malware version 1.62.0.1300
CCleaner
EasyCleaner
Java™ 6 Update 20
Java version out of Date!
Adobe Reader 9 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
WinPatrol winpatrol.exe
Carpinelli Home Desktop AntiVirus Stuff SecurityCheck.exe
BillP Studios WinPatrol winpatrol.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 3%
````````````````````End of Log``````````````````````

#4 JoePapa4

JoePapa4
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:17 AM

Posted 16 August 2012 - 12:01 AM

Okay, I just finished with the next step... shut down the browser, killed all running programs and antivirus, and ran ComboFix. It took about 20 minutes in total, restarted once. Several times it told me that I had rootkit.zeroaccess, embedded itself in TCP/IP, particularly difficult.

The log is below.

I have only played with the computer for a moment or two since ComboFix ended, but it seems to be back to normal now. No more Google redirects. Firewall back on (i.e. I can see the Windows Security Alerts shield in my lower right screen again). So, seems like things are okay. Of course, I'll await your thoughts on the matter.

Thanks again for your time and effort!!!

=-=-=-=-=

ComboFix 12-08-15.02 - Carpinelli Home 08/16/2012 0:40.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.707 [GMT -4:00]
Running from: c:\documents and settings\Carpinelli Home\Desktop\AntiVirus Stuff\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\$NtUninstallKB43989$
c:\windows\$NtUninstallKB43989$\2150683674\@
c:\windows\$NtUninstallKB43989$\2150683674\bckfg.tmp
c:\windows\$NtUninstallKB43989$\2150683674\keywords
c:\windows\$NtUninstallKB43989$\2150683674\L(2)\macpavbj
c:\windows\$NtUninstallKB43989$\2150683674\U(2)\00000001.@
c:\windows\$NtUninstallKB43989$\2150683674\U(2)\00000002.@
c:\windows\$NtUninstallKB43989$\2150683674\U(2)\80000000.@
c:\windows\$NtUninstallKB43989$\2150683674\U(2)\80000032.@
c:\windows\$NtUninstallKB43989$\627833787
c:\windows\Installer\{2f75cbd9-6aa2-0558-a00f-f2f4c17aef5e}\@
c:\windows\Installer\{2f75cbd9-6aa2-0558-a00f-f2f4c17aef5e}\U\00000001.@
c:\windows\Installer\{2f75cbd9-6aa2-0558-a00f-f2f4c17aef5e}\U\80000000.@
c:\windows\jestertb.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-07-16 to 2012-08-16 )))))))))))))))))))))))))))))))
.
.
2012-08-12 04:31 . 2012-08-12 04:31 -------- d-----w- c:\program files\Enigma Software Group
2012-08-12 04:30 . 2012-08-12 04:56 -------- d-----w- c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP
2012-08-12 04:30 . 2012-08-12 04:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-08-03 05:14 . 2012-08-03 05:14 -------- d-----w- c:\documents and settings\Carpinelli Home\Local Settings\Application Data\{05463A51-DD2A-11E1-8270-B8AC6F996F26}
2012-08-03 05:13 . 2012-08-05 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\6F638BFE83F957640000D5457B07D287
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-12 13:05 . 2012-04-11 04:50 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-12 13:05 . 2011-06-08 10:35 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-03 17:46 . 2011-09-30 04:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:19 . 2008-04-14 07:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2008-04-14 07:00 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2008-04-14 07:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2008-04-14 07:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 19:19 . 2010-06-27 14:36 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2010-06-27 14:36 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2010-06-27 13:46 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2010-06-27 13:46 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2010-06-27 13:46 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2010-06-27 14:36 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2010-06-27 14:36 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2010-06-27 13:46 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2010-06-27 13:46 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2008-04-14 07:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2010-06-27 14:36 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2010-06-27 13:46 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2010-06-27 13:46 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 19:18 . 2012-03-25 13:47 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18 . 2012-03-25 13:47 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 19:18 . 2009-08-06 23:23 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2008-04-14 07:00 599040 ----a-w- c:\windows\system32\crypt32.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\6d816777-7f6d-4d6e-afe7-90f557ded6b3.com" [2011-10-10 2403568]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-07 344064]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [4/1/2011 1:11 AM 428640]
S0 cerc6;cerc6; [x]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/26/2010 1:56 PM 136176]
S3 ATIXPGAA;ATIXPGAA;c:\dell\drivers\R101342\ATIXPGAA.SYS [6/27/2010 10:22 AM 12032]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/26/2010 1:56 PM 136176]
S4 Browser Defender Update Service;Browser Defender Update Service;"c:\program files\PC Tools Security\BDT\BDTUpdateService.exe" --> c:\program files\PC Tools Security\BDT\BDTUpdateService.exe [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
.
2012-08-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-26 17:56]
.
2012-08-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-26 17:56]
.
2012-08-16 c:\windows\Tasks\User_Feed_Synchronization-{5EC7C69F-2F62-4FC1-8F3D-28D8BC56FB71}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.weather.com/weather/tenday/08648:4:US
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-63405778.sys
SafeBoot-71475721.sys
SafeBoot-82050538.sys
SafeBoot-98249596.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-16 00:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(832)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(2784)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Apoint\HidFind.exe
.
**************************************************************************
.
Completion time: 2012-08-16 00:55:22 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-16 04:55
.
Pre-Run: 34,897,928,192 bytes free
Post-Run: 35,345,711,104 bytes free
.
- - End Of File - - 9D9BF8FF11EA979438246DA26869A3CD

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:17 AM

Posted 16 August 2012 - 08:25 AM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it
  • It will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

please reply with the reports from TDSSKiller and aswMBR

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
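As an added illustration (not code from this thread, from BleepingComputer, or from the TDSSKiller tool itself), here is a small Python triage script for the TDSSKiller log format Gringo asks for above. It parses the "Scan services" block, flags any entry whose verdict is not exactly "ok", and lists services that were registered but had no file on disk for TDSSKiller to hash (in the log posted in the next reply, those are the same entries ComboFix marked [x] or [?]). The sample log, the "fakesvc" entry and its verdict text are constructed for the demo.

```python
"""Triage helper for the 'Scan services' block of a TDSSKiller log.

Each scanned service yields an optional hash line followed by a verdict line:
    08:37:16.0187 2164 [ <md5> ] <ServiceName> <Path>
    08:37:16.0187 2164 <ServiceName> - <verdict>
A verdict with no preceding hash line means the service exists in the
registry but TDSSKiller found no file to hash (ComboFix shows these as
[x] / [?]). Any verdict other than 'ok' is flagged for a human to review.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "<hh:mm:ss.ffff> <thread id> <body>" - every TDSSKiller log line has this shape.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{4})\s+(\d+)\s+(.*)$")
# Hash line body: "[ <32 hex> ] <name with spaces> <drive-letter path>"
HASH_RE = re.compile(r"^\[ ([0-9a-fA-F]{32}) \] (.+?)\s+([A-Za-z]:\\.*)$")
# Verdict line body: "<name with spaces> - <verdict>"
VERDICT_RE = re.compile(r"^(.+?) - (.+)$")


@dataclass
class ServiceEntry:
    name: str
    verdict: Optional[str] = None
    md5: Optional[str] = None
    path: Optional[str] = None

    @property
    def file_missing(self) -> bool:
        # No hash line was seen: registered service, no file on disk.
        return self.md5 is None


@dataclass
class Triage:
    entries: Dict[str, ServiceEntry] = field(default_factory=dict)

    def flagged(self) -> List[ServiceEntry]:
        """Entries whose verdict is anything other than 'ok'."""
        return [e for e in self.entries.values()
                if e.verdict is not None and e.verdict != "ok"]

    def registered_without_file(self) -> List[str]:
        """Service names that had a verdict but no hashed file."""
        return sorted(e.name for e in self.entries.values() if e.file_missing)


def parse_tdsskiller_log(text: str) -> Triage:
    triage = Triage()
    in_services = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group(3).strip()
        if body.startswith("="):
            # Section banners. Only the 'Scan services' block has the
            # per-service shape; lines elsewhere (e.g. "Drive ... - Size: ...")
            # would otherwise be mis-read as verdicts.
            in_services = "Scan services" in body
            continue
        if not in_services:
            continue
        h = HASH_RE.match(body)
        if h:
            md5, name, path = h.groups()
            entry = triage.entries.setdefault(name, ServiceEntry(name))
            entry.md5, entry.path = md5.lower(), path
            continue
        v = VERDICT_RE.match(body)
        if v:
            name, verdict = v.groups()
            entry = triage.entries.setdefault(name, ServiceEntry(name))
            entry.verdict = verdict.strip()
    return triage


# Constructed sample in the page's format; 'fakesvc' and its verdict are invented.
SAMPLE_LOG = r"""
08:37:14.0031 2164 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb)
08:37:15.0046 2164 ============================================================
08:37:16.0015 2164 ================ Scan services =============================
08:37:16.0125 2164 Abiosdsk - ok
08:37:16.0187 2164 [ 8fd99680a539792a30e97944fdaecf17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
08:37:16.0187 2164 ACPI - ok
08:37:16.0593 2164 [ 3debbecf665dcdde3a95d9b902010817 ] Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
08:37:16.0609 2164 Apple Mobile Device - ok
08:37:17.0609 2164 Browser Defender Update Service - ok
08:37:24.0593 2164 SABKUTIL - ok
08:37:25.0000 2164 [ 00000000000000000000000000000000 ] fakesvc C:\WINDOWS\system32\DRIVERS\fakesvc.sys
08:37:25.0000 2164 fakesvc - suspicious (constructed verdict)
08:37:26.0000 2164 ============================================================
08:37:26.0000 2164 Some other section - not a service verdict
"""

if __name__ == "__main__":
    t = parse_tdsskiller_log(SAMPLE_LOG)
    for e in t.flagged():
        print(f"REVIEW: {e.name} -> {e.verdict} ({e.path}, md5={e.md5})")
    print("Registered, no file on disk:", ", ".join(t.registered_without_file()))
```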

#6 JoePapa4

JoePapa4
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:17 AM

Posted 18 August 2012 - 07:38 AM

Thanks again, Gringo.

Here is the log from TDSSKiller. I'll post the next in my next response.

-=-=-=-=-=-=-=-

08:37:12.0406 1380 TDSS rootkit removing tool 2.8.6.0 Aug 13 2012 17:24:05
08:37:12.0640 1380 ============================================================
08:37:12.0640 1380 Current date / time: 2012/08/18 08:37:12.0640
08:37:12.0640 1380 SystemInfo:
08:37:12.0640 1380
08:37:12.0640 1380 OS Version: 5.1.2600 ServicePack: 3.0
08:37:12.0640 1380 Product type: Workstation
08:37:12.0640 1380 ComputerName: D810
08:37:12.0640 1380 UserName: Carpinelli Home
08:37:12.0640 1380 Windows directory: C:\WINDOWS
08:37:12.0640 1380 System windows directory: C:\WINDOWS
08:37:12.0640 1380 Processor architecture: Intel x86
08:37:12.0640 1380 Number of processors: 1
08:37:12.0640 1380 Page size: 0x1000
08:37:12.0640 1380 Boot type: Normal boot
08:37:12.0640 1380 ============================================================
08:37:14.0031 1380 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
08:37:14.0031 1380 ============================================================
08:37:14.0031 1380 \Device\Harddisk0\DR0:
08:37:14.0031 1380 MBR partitions:
08:37:14.0031 1380 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x12A18A82
08:37:14.0031 1380 ============================================================
08:37:14.0062 1380 C: <-> \Device\Harddisk0\DR0\Partition1
08:37:14.0062 1380 ============================================================
08:37:14.0062 1380 Initialize success
08:37:14.0062 1380 ============================================================
08:37:15.0046 2164 ============================================================
08:37:15.0046 2164 Scan started
08:37:15.0046 2164 Mode: Manual;
08:37:15.0046 2164 ============================================================
08:37:16.0015 2164 ================ Scan services =============================
08:37:16.0125 2164 Abiosdsk - ok
08:37:16.0140 2164 abp480n5 - ok
08:37:16.0187 2164 [ 8fd99680a539792a30e97944fdaecf17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
08:37:16.0187 2164 ACPI - ok
08:37:16.0234 2164 [ 9859c0f6936e723e4892d7141b1327d5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys
08:37:16.0234 2164 ACPIEC - ok
08:37:16.0250 2164 adpu160m - ok
08:37:16.0281 2164 [ 8bed39e3c35d6a489438b8141717a557 ] aec C:\WINDOWS\system32\drivers\aec.sys
08:37:16.0296 2164 aec - ok
08:37:16.0343 2164 [ 1e44bc1e83d8fd2305f8d452db109cf9 ] AFD C:\WINDOWS\System32\drivers\afd.sys
08:37:16.0343 2164 AFD - ok
08:37:16.0343 2164 Aha154x - ok
08:37:16.0359 2164 aic78u2 - ok
08:37:16.0375 2164 aic78xx - ok
08:37:16.0406 2164 [ a9a3daa780ca6c9671a19d52456705b4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
08:37:16.0406 2164 Alerter - ok
08:37:16.0421 2164 [ 8c515081584a38aa007909cd02020b3d ] ALG C:\WINDOWS\System32\alg.exe
08:37:16.0421 2164 ALG - ok
08:37:16.0437 2164 AliIde - ok
08:37:16.0453 2164 amsint - ok
08:37:16.0500 2164 [ 090880e9bf20f928bc341f96d27c019e ] ApfiltrService C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
08:37:16.0500 2164 ApfiltrService - ok
08:37:16.0593 2164 [ 3debbecf665dcdde3a95d9b902010817 ] Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
08:37:16.0609 2164 Apple Mobile Device - ok
08:37:16.0656 2164 [ d8849f77c0b66226335a59d26cb4edc6 ] AppMgmt C:\WINDOWS\System32\appmgmts.dll
08:37:16.0656 2164 AppMgmt - ok
08:37:16.0656 2164 asc - ok
08:37:16.0671 2164 asc3350p - ok
08:37:16.0671 2164 asc3550 - ok
08:37:16.0765 2164 [ 776acefa0ca9df0faa51a5fb2f435705 ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
08:37:16.0796 2164 aspnet_state - ok
08:37:16.0812 2164 [ b153affac761e7f5fcfa822b9c4e97bc ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
08:37:16.0812 2164 AsyncMac - ok
08:37:16.0859 2164 [ 9f3a2f5aa6875c72bf062c712cfa2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
08:37:16.0859 2164 atapi - ok
08:37:16.0875 2164 Atdisk - ok
08:37:16.0906 2164 [ dfea480ee09bdeb7f51244900170e173 ] Ati HotKey Poller C:\WINDOWS\system32\Ati2evxx.exe
08:37:16.0921 2164 Ati HotKey Poller - ok
08:37:17.0000 2164 [ 2a6c99cfdc23c9c26d0e30b1c99748d4 ] ati2mtag C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
08:37:17.0000 2164 ati2mtag - ok
08:37:17.0156 2164 [ f21a181099887722a775d575e51ecf3d ] ATIXPGAA C:\Dell\Drivers\R101342\ATIXPGAA.SYS
08:37:17.0156 2164 ATIXPGAA - ok
08:37:17.0171 2164 [ 9916c1225104ba14794209cfa8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
08:37:17.0171 2164 Atmarpc - ok
08:37:17.0218 2164 [ def7a7882bec100fe0b2ce2549188f9d ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
08:37:17.0218 2164 AudioSrv - ok
08:37:17.0250 2164 [ d9f724aa26c010a217c97606b160ed68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
08:37:17.0250 2164 audstub - ok
08:37:17.0281 2164 [ 2acf06176b9d011567d7f25b83ddd066 ] b57w2k C:\WINDOWS\system32\DRIVERS\b57xp32.sys
08:37:17.0281 2164 b57w2k - ok
08:37:17.0312 2164 [ 5d7be7b19e827125e016325334e58ff1 ] BANTExt C:\WINDOWS\System32\Drivers\BANTExt.sys
08:37:17.0312 2164 BANTExt - ok
08:37:17.0343 2164 [ b89bcf0a25aeb3b47030ac83287f894a ] BCM43XX C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
08:37:17.0359 2164 BCM43XX - ok
08:37:17.0390 2164 [ da1f27d85e0d1525f6621372e7b685e9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
08:37:17.0390 2164 Beep - ok
08:37:17.0437 2164 [ 574738f61fca2935f5265dc4e5691314 ] BITS C:\WINDOWS\system32\qmgr.dll
08:37:17.0468 2164 BITS - ok
08:37:17.0546 2164 [ db5bea73edaf19ac68b2c0fad0f92b1a ] Bonjour Service C:\Program Files\Bonjour\mDNSResponder.exe
08:37:17.0562 2164 Bonjour Service - ok
08:37:17.0593 2164 [ cfd4e51402da9838b5a04ae680af54a0 ] Browser C:\WINDOWS\System32\browser.dll
08:37:17.0593 2164 Browser - ok
08:37:17.0609 2164 Browser Defender Update Service - ok
08:37:17.0609 2164 catchme - ok
08:37:17.0671 2164 [ 90a673fc8e12a79afbed2576f6a7aaf9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
08:37:17.0671 2164 cbidf2k - ok
08:37:17.0703 2164 [ 0be5aef125be881c4f854c554f2b025c ] CCDECODE C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
08:37:17.0703 2164 CCDECODE - ok
08:37:17.0718 2164 cd20xrnt - ok
08:37:17.0734 2164 [ c1b486a7658353d33a10cc15211a873b ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
08:37:17.0734 2164 Cdaudio - ok
08:37:17.0765 2164 [ c885b02847f5d2fd45a24e219ed93b32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
08:37:17.0781 2164 Cdfs - ok
08:37:17.0796 2164 [ 1f4260cc5b42272d71f79e570a27a4fe ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
08:37:17.0796 2164 Cdrom - ok
08:37:17.0812 2164 cerc6 - ok
08:37:17.0812 2164 Changer - ok
08:37:17.0843 2164 [ 1cfe720eb8d93a7158a4ebc3ab178bde ] CiSvc C:\WINDOWS\system32\cisvc.exe
08:37:17.0843 2164 CiSvc - ok
08:37:17.0859 2164 [ 34cbe729f38138217f9c80212a2a0c82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
08:37:17.0859 2164 ClipSrv - ok
08:37:17.0921 2164 [ d87acaed61e417bba546ced5e7e36d9c ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
08:37:17.0937 2164 clr_optimization_v2.0.50727_32 - ok
08:37:17.0968 2164 [ c5a75eb48e2344abdc162bda79e16841 ] clr_optimization_v4.0.30319_32 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
08:37:18.0015 2164 clr_optimization_v4.0.30319_32 - ok
08:37:18.0046 2164 [ 0f6c187d38d98f8df904589a5f94d411 ] CmBatt C:\WINDOWS\system32\DRIVERS\CmBatt.sys
08:37:18.0046 2164 CmBatt - ok
08:37:18.0062 2164 CmdIde - ok
08:37:18.0062 2164 [ 6e4c9f21f0fae8940661144f41b13203 ] Compbatt C:\WINDOWS\system32\DRIVERS\compbatt.sys
08:37:18.0062 2164 Compbatt - ok
08:37:18.0078 2164 COMSysApp - ok
08:37:18.0078 2164 Cpqarray - ok
08:37:18.0125 2164 [ 3d4e199942e29207970e04315d02ad3b ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
08:37:18.0125 2164 CryptSvc - ok
08:37:18.0125 2164 dac2w2k - ok
08:37:18.0140 2164 dac960nt - ok
08:37:18.0187 2164 [ 6b27a5c03dfb94b4245739065431322c ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
08:37:18.0187 2164 DcomLaunch - ok
08:37:18.0218 2164 [ 5e38d7684a49cacfb752b046357e0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
08:37:18.0234 2164 Dhcp - ok
08:37:18.0234 2164 [ 044452051f3e02e7963599fc8f4f3e25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
08:37:18.0234 2164 Disk - ok
08:37:18.0250 2164 dmadmin - ok
08:37:18.0328 2164 [ d992fe1274bde0f84ad826acae022a41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
08:37:18.0359 2164 dmboot - ok
08:37:18.0421 2164 [ 7c824cf7bbde77d95c08005717a95f6f ] dmio C:\WINDOWS\system32\drivers\dmio.sys
08:37:18.0421 2164 dmio - ok
08:37:18.0468 2164 [ e9317282a63ca4d188c0df5e09c6ac5f ] dmload C:\WINDOWS\system32\drivers\dmload.sys
08:37:18.0468 2164 dmload - ok
08:37:18.0484 2164 [ 57edec2e5f59f0335e92f35184bc8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
08:37:18.0500 2164 dmserver - ok
08:37:18.0546 2164 [ 8a208dfcf89792a484e76c40e5f50b45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
08:37:18.0546 2164 DMusic - ok
08:37:18.0578 2164 [ 5f7e24fa9eab896051ffb87f840730d2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
08:37:18.0578 2164 Dnscache - ok
08:37:18.0625 2164 [ 0f0f6e687e5e15579ef4da8dd6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
08:37:18.0625 2164 Dot3svc - ok
08:37:18.0625 2164 dpti2o - ok
08:37:18.0671 2164 [ 8f5fcff8e8848afac920905fbd9d33c8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
08:37:18.0671 2164 drmkaud - ok
08:37:18.0687 2164 [ 2187855a7703adef0cef9ee4285182cc ] EapHost C:\WINDOWS\System32\eapsvc.dll
08:37:18.0687 2164 EapHost - ok
08:37:18.0734 2164 [ bc93b4a066477954555966d77fec9ecb ] ERSvc C:\WINDOWS\System32\ersvc.dll
08:37:18.0734 2164 ERSvc - ok
08:37:18.0765 2164 esgiguard - ok
08:37:18.0796 2164 [ 65df52f5b8b6e9bbd183505225c37315 ] Eventlog C:\WINDOWS\system32\services.exe
08:37:18.0796 2164 Eventlog - ok
08:37:18.0843 2164 [ d4991d98f2db73c60d042f1aef79efae ] EventSystem C:\WINDOWS\system32\es.dll
08:37:18.0843 2164 EventSystem - ok
08:37:18.0906 2164 [ 38d332a6d56af32635675f132548343e ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
08:37:18.0921 2164 Fastfat - ok
08:37:18.0968 2164 [ 99bc0b50f511924348be19c7c7313bbf ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
08:37:18.0984 2164 FastUserSwitchingCompatibility - ok
08:37:19.0015 2164 [ 92cdd60b6730b9f50f6a1a0c1f8cdc81 ] Fdc C:\WINDOWS\system32\drivers\Fdc.sys
08:37:19.0015 2164 Fdc - ok
08:37:19.0046 2164 [ d45926117eb9fa946a6af572fbe1caa3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
08:37:19.0046 2164 Fips - ok
08:37:19.0062 2164 [ 9d27e7b80bfcdf1cdd9b555862d5e7f0 ] Flpydisk C:\WINDOWS\system32\drivers\Flpydisk.sys
08:37:19.0062 2164 Flpydisk - ok
08:37:19.0109 2164 [ b2cf4b0786f8212cb92ed2b50c6db6b0 ] FltMgr C:\WINDOWS\system32\DRIVERS\fltMgr.sys
08:37:19.0109 2164 FltMgr - ok
08:37:19.0156 2164 [ 8ba7c024070f2b7fdd98ed8a4ba41789 ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
08:37:19.0156 2164 FontCache3.0.0.0 - ok
08:37:19.0171 2164 [ 3e1e2bd4f39b0e2b7dc4f4d2bcc2779a ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
08:37:19.0171 2164 Fs_Rec - ok
08:37:19.0187 2164 [ 6ac26732762483366c3969c9e4d2259d ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
08:37:19.0203 2164 Ftdisk - ok
08:37:19.0250 2164 [ 8182ff89c65e4d38b2de4bb0fb18564e ] GEARAspiWDM C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
08:37:19.0250 2164 GEARAspiWDM - ok
08:37:19.0265 2164 [ 0a02c63c8b144bd8c86b103dee7c86a2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
08:37:19.0265 2164 Gpc - ok
08:37:19.0328 2164 [ f02a533f517eb38333cb12a9e8963773 ] gupdate C:\Program Files\Google\Update\GoogleUpdate.exe
08:37:19.0328 2164 gupdate - ok
08:37:19.0359 2164 [ f02a533f517eb38333cb12a9e8963773 ] gupdatem C:\Program Files\Google\Update\GoogleUpdate.exe
08:37:19.0359 2164 gupdatem - ok
08:37:19.0421 2164 [ cc839e8d766cc31a7710c9f38cf3e375 ] gusvc C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
08:37:19.0421 2164 gusvc - ok
08:37:19.0484 2164 [ 4fcca060dfe0c51a09dd5c3843888bcd ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
08:37:19.0484 2164 helpsvc - ok
08:37:19.0515 2164 [ deb04da35cc871b6d309b77e1443c796 ] HidServ C:\WINDOWS\System32\hidserv.dll
08:37:19.0515 2164 HidServ - ok
08:37:19.0546 2164 [ ccf82c5ec8a7326c3066de870c06daf1 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys
08:37:19.0546 2164 HidUsb - ok
08:37:19.0578 2164 [ 8878bd685e490239777bfe51320b88e9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
08:37:19.0578 2164 hkmsvc - ok
08:37:19.0593 2164 hpn - ok
08:37:19.0703 2164 [ 5da42d24712e00728cea2342a65009b2 ] hpqcxs08 C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll
08:37:19.0703 2164 hpqcxs08 - ok
08:37:19.0734 2164 [ d86a39bf100069444d026d22d9a6e555 ] hpqddsvc C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll
08:37:19.0734 2164 hpqddsvc - ok
08:37:19.0796 2164 [ a04f4ac48895774a2cf9d1c9eaaacef0 ] HPSLPSVC C:\Program Files\HP\Digital Imaging\bin\HPSLPSVC32.DLL
08:37:19.0828 2164 HPSLPSVC - ok
08:37:19.0875 2164 [ 30ca91e657cede2f95359d6ef186f650 ] HPZid412 C:\WINDOWS\system32\DRIVERS\HPZid412.sys
08:37:19.0890 2164 HPZid412 - ok
08:37:19.0890 2164 [ efd31afa752aa7c7bbb57bcbe2b01c78 ] HPZipr12 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
08:37:19.0890 2164 HPZipr12 - ok
08:37:19.0953 2164 [ 7ac43c38ca8fd7ed0b0a4466f753e06e ] HPZius12 C:\WINDOWS\system32\DRIVERS\HPZius12.sys
08:37:19.0953 2164 HPZius12 - ok
08:37:20.0000 2164 [ a84bbbdd125d370593004f6429f8445c ] HSFHWICH C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
08:37:20.0000 2164 HSFHWICH - ok
08:37:20.0062 2164 [ b678fa91cf4a1c19b462d8db04cd02ab ] HSF_DPV C:\WINDOWS\system32\DRIVERS\HSF_DPV.SYS
08:37:20.0125 2164 HSF_DPV - ok
08:37:20.0171 2164 [ f80a415ef82cd06ffaf0d971528ead38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
08:37:20.0171 2164 HTTP - ok
08:37:20.0218 2164 [ 6100a808600f44d999cebdef8841c7a3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
08:37:20.0218 2164 HTTPFilter - ok
08:37:20.0234 2164 i2omgmt - ok
08:37:20.0250 2164 i2omp - ok
08:37:20.0281 2164 [ 4a0b06aa8943c1e332520f7440c0aa30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
08:37:20.0281 2164 i8042prt - ok
08:37:20.0359 2164 [ c01ac32dc5c03076cfb852cb5da5229c ] idsvc C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
08:37:20.0406 2164 idsvc - ok
08:37:20.0421 2164 [ 083a052659f5310dd8b6a6cb05edcf8e ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
08:37:20.0421 2164 Imapi - ok
08:37:20.0453 2164 [ 30deaf54a9755bb8546168cfe8a6b5e1 ] ImapiService C:\WINDOWS\system32\imapi.exe
08:37:20.0468 2164 ImapiService - ok
08:37:20.0484 2164 ini910u - ok
08:37:20.0500 2164 [ b5466a9250342a7aa0cd1fba13420678 ] IntelIde C:\WINDOWS\system32\DRIVERS\intelide.sys
08:37:20.0500 2164 IntelIde - ok
08:37:20.0531 2164 [ 8c953733d8f36eb2133f5bb58808b66b ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
08:37:20.0546 2164 intelppm - ok
08:37:20.0609 2164 [ 3dc635b66dd7412e1c9c3a77b8d78f25 ] IntuitUpdateService C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
08:37:20.0609 2164 IntuitUpdateService - ok
08:37:20.0640 2164 [ 3bb22519a194418d5fec05d800a19ad0 ] Ip6Fw C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
08:37:20.0656 2164 Ip6Fw - ok
08:37:20.0687 2164 [ 731f22ba402ee4b62748adaf6363c182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
08:37:20.0687 2164 IpFilterDriver - ok
08:37:20.0703 2164 [ b87ab476dcf76e72010632b5550955f5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
08:37:20.0703 2164 IpInIp - ok
08:37:20.0734 2164 [ cc748ea12c6effde940ee98098bf96bb ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
08:37:20.0734 2164 IpNat - ok
08:37:20.0796 2164 [ 178fe38b7740f598391eb2f51ae4ccac ] iPod Service C:\Program Files\iPod\bin\iPodService.exe
08:37:20.0828 2164 iPod Service - ok
08:37:20.0875 2164 [ 23c74d75e36e7158768dd63d92789a91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
08:37:20.0890 2164 IPSec - ok
08:37:20.0921 2164 [ c93c9ff7b04d772627a3646d89f7bf89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
08:37:20.0921 2164 IRENUM - ok
08:37:20.0953 2164 [ 05a299ec56e52649b1cf2fc52d20f2d7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
08:37:20.0968 2164 isapnp - ok
08:37:21.0015 2164 [ 1834c96fb1f9280bcf6ddfa6de8338bf ] JavaQuickStarterService C:\Program Files\Java\jre6\bin\jqs.exe
08:37:21.0015 2164 JavaQuickStarterService - ok
08:37:21.0031 2164 [ 463c1ec80cd17420a542b7f36a36f128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
08:37:21.0046 2164 Kbdclass - ok
08:37:21.0062 2164 [ 692bcf44383d056aed41b045a323d378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
08:37:21.0062 2164 kmixer - ok
08:37:21.0093 2164 [ b467646c54cc746128904e1654c750c1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
08:37:21.0093 2164 KSecDD - ok
08:37:21.0125 2164 [ 3a7c3cbe5d96b8ae96ce81f0b22fb527 ] LanmanServer C:\WINDOWS\System32\srvsvc.dll
08:37:21.0140 2164 LanmanServer - ok
08:37:21.0171 2164 [ a8888a5327621856c0cec4e385f69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
08:37:21.0187 2164 lanmanworkstation - ok
08:37:21.0187 2164 lbrtfdc - ok
08:37:21.0234 2164 [ a7db739ae99a796d91580147e919cc59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
08:37:21.0234 2164 LmHosts - ok
08:37:21.0281 2164 [ 8be71d7edb8c7494913722059f760dd0 ] LVPr2Mon C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
08:37:21.0281 2164 LVPr2Mon - ok
08:37:21.0343 2164 [ b6e1ccd6572984adcae68439afd07011 ] LVRS C:\WINDOWS\system32\DRIVERS\lvrs.sys
08:37:21.0359 2164 LVRS - ok
08:37:21.0546 2164 [ 6c42815dd57e397f0cd988304b5eb4b3 ] LVUVC C:\WINDOWS\system32\DRIVERS\lvuvc.sys
08:37:21.0687 2164 LVUVC - ok
08:37:21.0718 2164 [ 3c318b9cd391371bed62126581ee9961 ] mdmxsdk C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
08:37:21.0718 2164 mdmxsdk - ok
08:37:21.0750 2164 [ 986b1ff5814366d71e0ac5755c88f2d3 ] Messenger C:\WINDOWS\System32\msgsvc.dll
08:37:21.0750 2164 Messenger - ok
08:37:21.0781 2164 [ 4ae068242760a1fb6e1a44bf4e16afa6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
08:37:21.0781 2164 mnmdd - ok
08:37:21.0812 2164 [ d18f1f0c101d06a1c1adf26eed16fcdd ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
08:37:21.0828 2164 mnmsrvc - ok
08:37:21.0843 2164 [ dfcbad3cec1c5f964962ae10e0bcc8e1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
08:37:21.0843 2164 Modem - ok
08:37:21.0875 2164 [ 35c9e97194c8cfb8430125f8dbc34d04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
08:37:21.0875 2164 Mouclass - ok
08:37:21.0937 2164 [ b1c303e17fb9d46e87a98e4ba6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
08:37:21.0953 2164 mouhid - ok
08:37:21.0968 2164 [ a80b9a0bad1b73637dbcbba7df72d3fd ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
08:37:21.0968 2164 MountMgr - ok
08:37:21.0968 2164 mraid35x - ok
08:37:22.0000 2164 [ 11d42bb6206f33fbb3ba0288d3ef81bd ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
08:37:22.0015 2164 MRxDAV - ok
08:37:22.0046 2164 [ 7d304a5eb4344ebeeab53a2fe3ffb9f0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
08:37:22.0062 2164 MRxSmb - ok
08:37:22.0093 2164 [ a137f1470499a205abbb9aafb3b6f2b1 ] MSDTC C:\WINDOWS\system32\msdtc.exe
08:37:22.0093 2164 MSDTC - ok
08:37:22.0125 2164 [ c941ea2454ba8350021d774daf0f1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
08:37:22.0125 2164 Msfs - ok
08:37:22.0125 2164 MSIServer - ok
08:37:22.0156 2164 [ d1575e71568f4d9e14ca56b7b0453bf1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
08:37:22.0156 2164 MSKSSRV - ok
08:37:22.0203 2164 [ 325bb26842fc7ccc1fcce2c457317f3e ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
08:37:22.0203 2164 MSPCLOCK - ok
08:37:22.0234 2164 [ bad59648ba099da4a17680b39730cb3d ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
08:37:22.0250 2164 MSPQM - ok
08:37:22.0281 2164 [ af5f4f3f14a8ea2c26de30f7a1e17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
08:37:22.0281 2164 mssmbios - ok
08:37:22.0312 2164 [ e53736a9e30c45fa9e7b5eac55056d1d ] MSTEE C:\WINDOWS\system32\drivers\MSTEE.sys
08:37:22.0312 2164 MSTEE - ok
08:37:22.0343 2164 [ de6a75f5c270e756c5508d94b6cf68f5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
08:37:22.0343 2164 Mup - ok
08:37:22.0390 2164 [ 5b50f1b2a2ed47d560577b221da734db ] NABTSFEC C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
08:37:22.0390 2164 NABTSFEC - ok
08:37:22.0453 2164 [ 0102140028fad045756796e1c685d695 ] napagent C:\WINDOWS\System32\qagentrt.dll
08:37:22.0468 2164 napagent - ok
08:37:22.0484 2164 [ 1df7f42665c94b825322fae71721130d ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
08:37:22.0484 2164 NDIS - ok
08:37:22.0515 2164 [ 7ff1f1fd8609c149aa432f95a8163d97 ] NdisIP C:\WINDOWS\system32\DRIVERS\NdisIP.sys
08:37:22.0515 2164 NdisIP - ok
08:37:22.0546 2164 [ 0109c4f3850dfbab279542515386ae22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
08:37:22.0546 2164 NdisTapi - ok
08:37:22.0578 2164 [ f927a4434c5028758a842943ef1a3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
08:37:22.0578 2164 Ndisuio - ok
08:37:22.0625 2164 [ edc1531a49c80614b2cfda43ca8659ab ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
08:37:22.0625 2164 NdisWan - ok
08:37:22.0703 2164 [ 9282bd12dfb069d3889eb3fcc1000a9b ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
08:37:22.0703 2164 NDProxy - ok
08:37:22.0750 2164 [ a081cb6fb9a12668f233eb5414be3a0e ] Net Driver HPZ12 C:\WINDOWS\system32\HPZinw12.dll
08:37:22.0781 2164 Net Driver HPZ12 - ok
08:37:23.0171 2164 [ 5d81cf9a2f1a3a756b66cf684911cdf0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
08:37:23.0171 2164 NetBIOS - ok
08:37:23.0187 2164 [ 74b2b2f5bea5e9a3dc021d685551bd3d ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
08:37:23.0187 2164 NetBT - ok
08:37:23.0218 2164 [ b857ba82860d7ff85ae29b095645563b ] NetDDE C:\WINDOWS\system32\netdde.exe
08:37:23.0218 2164 NetDDE - ok
08:37:23.0234 2164 [ b857ba82860d7ff85ae29b095645563b ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
08:37:23.0234 2164 NetDDEdsdm - ok
08:37:23.0265 2164 [ bf2466b3e18e970d8a976fb95fc1ca85 ] Netlogon C:\WINDOWS\system32\lsass.exe
08:37:23.0265 2164 Netlogon - ok
08:37:23.0281 2164 [ 13e67b55b3abd7bf3fe7aae5a0f9a9de ] Netman C:\WINDOWS\System32\netman.dll
08:37:23.0281 2164 Netman - ok
08:37:23.0328 2164 [ d34612c5d02d026535b3095d620626ae ] NetTcpPortSharing c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
08:37:23.0328 2164 NetTcpPortSharing - ok
08:37:23.0375 2164 [ 943337d786a56729263071623bbb9de5 ] Nla C:\WINDOWS\System32\mswsock.dll
08:37:23.0390 2164 Nla - ok
08:37:23.0406 2164 [ 3182d64ae053d6fb034f44b6def8034a ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
08:37:23.0406 2164 Npfs - ok
08:37:23.0437 2164 [ 78a08dd6a8d65e697c18e1db01c5cdca ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
08:37:23.0453 2164 Ntfs - ok
08:37:23.0453 2164 [ bf2466b3e18e970d8a976fb95fc1ca85 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
08:37:23.0453 2164 NtLmSsp - ok
08:37:23.0484 2164 [ 156f64a3345bd23c600655fb4d10bc08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
08:37:23.0500 2164 NtmsSvc - ok
08:37:23.0546 2164 [ cf7e041663119e09d2e118521ada9300 ] NuidFltr C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
08:37:23.0546 2164 NuidFltr - ok
08:37:23.0562 2164 [ 73c1e1f395918bc2c6dd67af7591a3ad ] Null C:\WINDOWS\system32\drivers\Null.sys
08:37:23.0562 2164 Null - ok
08:37:23.0609 2164 [ b305f3fad35083837ef46a0bbce2fc57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
08:37:23.0609 2164 NwlnkFlt - ok
08:37:23.0609 2164 [ c99b3415198d1aab7227f2c88fd664b9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
08:37:23.0609 2164 NwlnkFwd - ok
08:37:23.0640 2164 [ 5575faf8f97ce5e713d108c2a58d7c7c ] Parport C:\WINDOWS\system32\drivers\Parport.sys
08:37:23.0640 2164 Parport - ok
08:37:23.0640 2164 [ beb3ba25197665d82ec7065b724171c6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
08:37:23.0640 2164 PartMgr - ok
08:37:23.0718 2164 [ 70e98b3fd8e963a6a46a2e6247e0bea1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
08:37:23.0718 2164 ParVdm - ok
08:37:23.0718 2164 [ a219903ccf74233761d92bef471a07b1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
08:37:23.0718 2164 PCI - ok
08:37:23.0734 2164 PCIDump - ok
08:37:23.0734 2164 [ ccf5f451bb1a5a2a522a76e670000ff0 ] PCIIde C:\WINDOWS\system32\drivers\PCIIde.sys
08:37:23.0734 2164 PCIIde - ok
08:37:23.0750 2164 [ 9e89ef60e9ee05e3f2eef2da7397f1c1 ] Pcmcia C:\WINDOWS\system32\DRIVERS\pcmcia.sys
08:37:23.0750 2164 Pcmcia - ok
08:37:23.0750 2164 PDCOMP - ok
08:37:23.0765 2164 PDFRAME - ok
08:37:23.0765 2164 PDRELI - ok
08:37:23.0781 2164 PDRFRAME - ok
08:37:23.0781 2164 perc2 - ok
08:37:23.0796 2164 perc2hib - ok
08:37:23.0828 2164 [ 65df52f5b8b6e9bbd183505225c37315 ] PlugPlay C:\WINDOWS\system32\services.exe
08:37:23.0828 2164 PlugPlay - ok
08:37:23.0859 2164 [ 65bc271f337637731d3c71455ae1f476 ] Pml Driver HPZ12 C:\WINDOWS\system32\HPZipm12.dll
08:37:23.0859 2164 Pml Driver HPZ12 - ok
08:37:23.0875 2164 [ bf2466b3e18e970d8a976fb95fc1ca85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
08:37:23.0875 2164 PolicyAgent - ok
08:37:23.0890 2164 [ efeec01b1d3cf84f16ddd24d9d9d8f99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
08:37:23.0890 2164 PptpMiniport - ok
08:37:23.0906 2164 [ bf2466b3e18e970d8a976fb95fc1ca85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
08:37:23.0906 2164 ProtectedStorage - ok
08:37:23.0921 2164 [ 09298ec810b07e5d582cb3a3f9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
08:37:23.0921 2164 PSched - ok
08:37:23.0953 2164 [ 80d317bd1c3dbc5d4fe7b1678c60cadd ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
08:37:23.0953 2164 Ptilink - ok
08:37:23.0953 2164 ql1080 - ok
08:37:23.0968 2164 Ql10wnt - ok
08:37:23.0968 2164 ql12160 - ok
08:37:23.0968 2164 ql1240 - ok
08:37:23.0984 2164 ql1280 - ok
08:37:24.0015 2164 [ fe0d99d6f31e4fad8159f690d68ded9c ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
08:37:24.0015 2164 RasAcd - ok
08:37:24.0078 2164 [ ad188be7bdf94e8df4ca0a55c00a5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
08:37:24.0078 2164 RasAuto - ok
08:37:24.0109 2164 [ 11b4a627bc9614b885c4969bfa5ff8a6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
08:37:24.0109 2164 Rasl2tp - ok
08:37:24.0125 2164 [ 76a9a3cbeadd68cc57cda5e1d7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
08:37:24.0125 2164 RasMan - ok
08:37:24.0140 2164 [ 5bc962f2654137c9909c3d4603587dee ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
08:37:24.0140 2164 RasPppoe - ok
08:37:24.0156 2164 [ fdbb1d60066fcfbb7452fd8f9829b242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
08:37:24.0156 2164 Raspti - ok
08:37:24.0171 2164 [ 7ad224ad1a1437fe28d89cf22b17780a ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
08:37:24.0171 2164 Rdbss - ok
08:37:24.0187 2164 [ 4912d5b403614ce99c28420f75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
08:37:24.0187 2164 RDPCDD - ok
08:37:24.0234 2164 [ 15cabd0f7c00c47c70124907916af3f1 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
08:37:24.0234 2164 rdpdr - ok
08:37:24.0281 2164 [ 43af5212bd8fb5ba6eed9754358bd8f7 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
08:37:24.0281 2164 RDPWD - ok
08:37:24.0312 2164 [ 3c37bf86641bda977c3bf8a840f3b7fa ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
08:37:24.0312 2164 RDSessMgr - ok
08:37:24.0343 2164 [ f828dd7e1419b6653894a8f97a0094c5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
08:37:24.0343 2164 redbook - ok
08:37:24.0390 2164 [ 7e699ff5f59b5d9de5390e3c34c67cf5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
08:37:24.0390 2164 RemoteAccess - ok
08:37:24.0437 2164 [ 5b19b557b0c188210a56a6b699d90b8f ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll
08:37:24.0437 2164 RemoteRegistry - ok
08:37:24.0484 2164 [ aaed593f84afa419bbae8572af87cf6a ] RpcLocator C:\WINDOWS\system32\locator.exe
08:37:24.0484 2164 RpcLocator - ok
08:37:24.0515 2164 [ 6b27a5c03dfb94b4245739065431322c ] RpcSs C:\WINDOWS\System32\rpcss.dll
08:37:24.0531 2164 RpcSs - ok
08:37:24.0562 2164 [ 471b3f9741d762abe75e9deea4787e47 ] RSVP C:\WINDOWS\system32\rsvp.exe
08:37:24.0562 2164 RSVP - ok
08:37:24.0593 2164 SABKUTIL - ok
08:37:24.0609 2164 [ bf2466b3e18e970d8a976fb95fc1ca85 ] SamSs C:\WINDOWS\system32\lsass.exe
08:37:24.0609 2164 SamSs - ok
08:37:24.0671 2164 [ a3281aec37e0720a2bc28034c2df2a56 ] SASDIFSV C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
08:37:24.0671 2164 SASDIFSV - ok
08:37:24.0703 2164 [ 61db0d0756a99506207fd724e3692b25 ] SASKUTIL C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
08:37:24.0703 2164 SASKUTIL - ok
08:37:24.0750 2164 [ 86d007e7a654b9a71d1d7d856b104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
08:37:24.0750 2164 SCardSvr - ok
08:37:24.0781 2164 [ 0a9a7365a1ca4319aa7c1d6cd8e4eafa ] Schedule C:\WINDOWS\system32\schedsvc.dll
08:37:24.0781 2164 Schedule - ok
08:37:24.0796 2164 [ 90a3935d05b494a5a39d37e71f09a677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
08:37:24.0796 2164 Secdrv - ok
08:37:24.0828 2164 [ cbe612e2bb6a10e3563336191eda1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
08:37:24.0828 2164 seclogon - ok
08:37:24.0843 2164 [ 7fdd5d0684eca8c1f68b4d99d124dcd0 ] SENS C:\WINDOWS\system32\sens.dll
08:37:24.0843 2164 SENS - ok
08:37:24.0859 2164 [ 0f29512ccd6bead730039fb4bd2c85ce ] serenum C:\WINDOWS\system32\DRIVERS\serenum.sys
08:37:24.0859 2164 serenum - ok
08:37:24.0875 2164 [ cca207a8896d4c6a0c9ce29a4ae411a7 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys
08:37:24.0875 2164 Serial - ok
08:37:24.0921 2164 [ 8e6b8c671615d126fdc553d1e2de5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
08:37:24.0937 2164 Sfloppy - ok
08:37:24.0953 2164 [ 83f41d0d89645d7235c051ab1d9523ac ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
08:37:24.0953 2164 SharedAccess - ok
08:37:24.0984 2164 [ 99bc0b50f511924348be19c7c7313bbf ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
08:37:24.0984 2164 ShellHWDetection - ok
08:37:24.0984 2164 Simbad - ok
08:37:25.0031 2164 [ 866d538ebe33709a5c9f5c62b73b7d14 ] SLIP C:\WINDOWS\system32\DRIVERS\SLIP.sys
08:37:25.0031 2164 SLIP - ok
08:37:25.0046 2164 Sparrow - ok
08:37:25.0093 2164 [ ab8b92451ecb048a4d1de7c3ffcb4a9f ] splitter C:\WINDOWS\system32\drivers\splitter.sys
08:37:25.0093 2164 splitter - ok
08:37:25.0125 2164 [ 60784f891563fb1b767f70117fc2428f ] Spooler C:\WINDOWS\system32\spoolsv.exe
08:37:25.0125 2164 Spooler - ok
08:37:25.0156 2164 [ 76bb022c2fb6902fd5bdd4f78fc13a5d ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
08:37:25.0156 2164 sr - ok
08:37:25.0171 2164 [ 3805df0ac4296a34ba4bf93b346cc378 ] srservice C:\WINDOWS\system32\srsvc.dll
08:37:25.0171 2164 srservice - ok
08:37:25.0203 2164 [ 47ddfc2f003f7f9f0592c6874962a2e7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
08:37:25.0218 2164 Srv - ok
08:37:25.0250 2164 [ 0a5679b3714edab99e357057ee88fca6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
08:37:25.0250 2164 SSDPSRV - ok
08:37:25.0281 2164 [ 305cc42945a713347f978d78566113f3 ] STAC97 C:\WINDOWS\system32\drivers\STAC97.sys
08:37:25.0296 2164 STAC97 - ok
08:37:25.0312 2164 [ a9573045baa16eab9b1085205b82f1ed ] StillCam C:\WINDOWS\system32\DRIVERS\serscan.sys
08:37:25.0312 2164 StillCam - ok
08:37:25.0359 2164 [ 8bad69cbac032d4bbacfce0306174c30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
08:37:25.0375 2164 stisvc - ok
08:37:25.0406 2164 [ 77813007ba6265c4b6098187e6ed79d2 ] streamip C:\WINDOWS\system32\DRIVERS\StreamIP.sys
08:37:25.0406 2164 streamip - ok
08:37:25.0421 2164 [ 3941d127aef12e93addf6fe6ee027e0f ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
08:37:25.0421 2164 swenum - ok
08:37:25.0453 2164 [ 8ce882bcc6cf8a62f2b2323d95cb3d01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
08:37:25.0468 2164 swmidi - ok
08:37:25.0468 2164 SwPrv - ok
08:37:25.0484 2164 symc810 - ok
08:37:25.0484 2164 symc8xx - ok
08:37:25.0500 2164 sym_hi - ok
08:37:25.0500 2164 sym_u3 - ok
08:37:25.0531 2164 [ 8b83f3ed0f1688b4958f77cd6d2bf290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
08:37:25.0531 2164 sysaudio - ok
08:37:25.0562 2164 [ c7abbc59b43274b1109df6b24d617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
08:37:25.0562 2164 SysmonLog - ok
08:37:25.0609 2164 [ 3cb78c17bb664637787c9a1c98f79c38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
08:37:25.0609 2164 TapiSrv - ok
08:37:25.0656 2164 [ 9aefa14bd6b182d61e3119fa5f436d3d ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
08:37:25.0656 2164 Tcpip - ok
08:37:25.0687 2164 [ 6471a66807f5e104e4885f5b67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
08:37:25.0687 2164 TDPIPE - ok
08:37:25.0718 2164 [ c56b6d0402371cf3700eb322ef3aaf61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
08:37:25.0718 2164 TDTCP - ok
08:37:25.0734 2164 [ 88155247177638048422893737429d9e ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
08:37:25.0734 2164 TermDD - ok
08:37:25.0765 2164 [ ff3477c03be7201c294c35f684b3479f ] TermService C:\WINDOWS\System32\termsrv.dll
08:37:25.0781 2164 TermService - ok
08:37:25.0843 2164 [ 99bc0b50f511924348be19c7c7313bbf ] Themes C:\WINDOWS\System32\shsvcs.dll
08:37:25.0843 2164 Themes - ok
08:37:25.0890 2164 [ db7205804759ff62c34e3efd8a4cc76a ] TlntSvr C:\WINDOWS\system32\tlntsvr.exe
08:37:25.0890 2164 TlntSvr - ok
08:37:25.0906 2164 TosIde - ok
08:37:25.0937 2164 [ 55bca12f7f523d35ca3cb833c725f54e ] TrkWks C:\WINDOWS\system32\trkwks.dll
08:37:25.0937 2164 TrkWks - ok
08:37:25.0968 2164 [ 5787b80c2e3c5e2f56c2a233d91fa2c9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
08:37:25.0984 2164 Udfs - ok
08:37:25.0984 2164 UIUSys - ok
08:37:26.0000 2164 ultra - ok
08:37:26.0093 2164 [ 8b802b483cbde06f62dbc04dc7afaf8e ] UMVPFSrv C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
08:37:26.0109 2164 UMVPFSrv - ok
08:37:26.0156 2164 [ 402ddc88356b1bac0ee3dd1580c76a31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
08:37:26.0171 2164 Update - ok
08:37:26.0218 2164 [ 1ebafeb9a3fbdc41b8d9c7f0f687ad91 ] upnphost C:\WINDOWS\System32\upnphost.dll
08:37:26.0234 2164 upnphost - ok
08:37:26.0265 2164 [ 05365fb38fca1e98f7a566aaaf5d1815 ] UPS C:\WINDOWS\System32\ups.exe
08:37:26.0265 2164 UPS - ok
08:37:26.0312 2164 [ 83cafcb53201bbac04d822f32438e244 ] USBAAPL C:\WINDOWS\system32\Drivers\usbaapl.sys
08:37:26.0312 2164 USBAAPL - ok
08:37:26.0343 2164 [ e919708db44ed8543a7c017953148330 ] usbaudio C:\WINDOWS\system32\drivers\usbaudio.sys
08:37:26.0343 2164 usbaudio - ok
08:37:26.0390 2164 [ 173f317ce0db8e21322e71b7e60a27e8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
08:37:26.0390 2164 usbccgp - ok
08:37:26.0406 2164 [ 65dcf09d0e37d4c6b11b5b0b76d470a7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
08:37:26.0406 2164 usbehci - ok
08:37:26.0421 2164 [ 1ab3cdde553b6e064d2e754efe20285c ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
08:37:26.0421 2164 usbhub - ok
08:37:26.0484 2164 [ a717c8721046828520c9edf31288fc00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
08:37:26.0484 2164 usbprint - ok
08:37:26.0531 2164 [ a0b8cf9deb1184fbdd20784a58fa75d4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
08:37:26.0531 2164 usbscan - ok
08:37:26.0578 2164 [ a32426d9b14a089eaa1d922e0c5801a9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
08:37:26.0578 2164 USBSTOR - ok
08:37:26.0609 2164 [ 26496f9dee2d787fc3e61ad54821ffe6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
08:37:26.0609 2164 usbuhci - ok
08:37:26.0671 2164 [ 63bbfca7f390f4c49ed4b96bfb1633e0 ] usbvideo C:\WINDOWS\system32\Drivers\usbvideo.sys
08:37:26.0687 2164 usbvideo - ok
08:37:26.0703 2164 [ 0d3a8fafceacd8b7625cd549757a7df1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
08:37:26.0703 2164 VgaSave - ok
08:37:26.0718 2164 ViaIde - ok
08:37:26.0734 2164 [ 4c8fcb5cc53aab716d810740fe59d025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
08:37:26.0734 2164 VolSnap - ok
08:37:26.0796 2164 [ 7a9db3a67c333bf0bd42e42b8596854b ] VSS C:\WINDOWS\System32\vssvc.exe
08:37:26.0812 2164 VSS - ok
08:37:26.0859 2164 [ 54af4b1d5459500ef0937f6d33b1914f ] W32Time C:\WINDOWS\system32\w32time.dll
08:37:26.0875 2164 W32Time - ok
08:37:26.0890 2164 [ e20b95baedb550f32dd489265c1da1f6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
08:37:26.0890 2164 Wanarp - ok
08:37:26.0968 2164 [ fd47474bd21794508af449d9d91af6e6 ] Wdf01000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
08:37:26.0984 2164 Wdf01000 - ok
08:37:27.0000 2164 WDICA - ok
08:37:27.0046 2164 [ 6768acf64b18196494413695f0c3a00f ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
08:37:27.0046 2164 wdmaud - ok
08:37:27.0062 2164 [ 77a354e28153ad2d5e120a5a8687bc06 ] WebClient C:\WINDOWS\System32\webclnt.dll
08:37:27.0078 2164 WebClient - ok
08:37:27.0109 2164 [ 0c5b9cf1bdf998750d9c5eeb5f8c55ac ] winachsf C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
08:37:27.0140 2164 winachsf - ok
08:37:27.0218 2164 [ 2d0e4ed081963804ccc196a0929275b5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
08:37:27.0218 2164 winmgmt - ok
08:37:27.0250 2164 wltrysvc - ok
08:37:27.0296 2164 [ c7e39ea41233e9f5b86c8da3a9f1e4a8 ] WmdmPmSN C:\WINDOWS\system32\mspmsnsv.dll
08:37:27.0296 2164 WmdmPmSN - ok
08:37:27.0359 2164 [ e76f8807070ed04e7408a86d6d3a6137 ] Wmi C:\WINDOWS\System32\advapi32.dll
08:37:27.0390 2164 Wmi - ok
08:37:27.0437 2164 [ e0673f1106e62a68d2257e376079f821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
08:37:27.0437 2164 WmiApSrv - ok
08:37:27.0546 2164 [ dcf3e3edf5109ee8bc02fe6e1f045795 ] WPFFontCache_v0400 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
08:37:27.0578 2164 WPFFontCache_v0400 - ok
08:37:27.0640 2164 [ 6abe6e225adb5a751622a9cc3bc19ce8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys
08:37:27.0640 2164 WS2IFSL - ok
08:37:27.0671 2164 [ 7c278e6408d1dce642230c0585a854d5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll
08:37:27.0687 2164 wscsvc - ok
08:37:27.0750 2164 [ c98b39829c2bbd34e454150633c62c78 ] WSTCODEC C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
08:37:27.0750 2164 WSTCODEC - ok
08:37:27.0781 2164 [ 35321fb577cdc98ce3eb3a3eb9e4610a ] wuauserv C:\WINDOWS\system32\wuauserv.dll
08:37:27.0781 2164 wuauserv - ok
08:37:27.0828 2164 [ 81dc3f549f44b1c1fff022dec9ecf30b ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
08:37:27.0859 2164 WZCSVC - ok
08:37:27.0906 2164 [ 295d21f14c335b53cb8154e5b1f892b9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
08:37:27.0921 2164 xmlprov - ok
08:37:27.0937 2164 ================ Scan global ===============================
08:37:27.0984 2164 (42f1f4c0afb08410e5f02d4b13ebb623) C:\WINDOWS\system32\basesrv.dll
08:37:28.0031 2164 (8c7dca4b158bf16894120786a7a5f366) C:\WINDOWS\system32\winsrv.dll
08:37:28.0062 2164 (8c7dca4b158bf16894120786a7a5f366) C:\WINDOWS\system32\winsrv.dll
08:37:28.0093 2164 (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
08:37:28.0093 2164 [Global] - ok
08:37:28.0093 2164 ================ Scan MBR ==================================
08:37:28.0109 2164 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
08:37:28.0390 2164 \Device\Harddisk0\DR0 - ok
08:37:28.0390 2164 ================ Scan VBR ==================================
08:37:28.0390 2164 Boot (0x1200) (949cbef2b8c6beaf871ebd3b7b9aeab3) \Device\Harddisk0\DR0\Partition1
08:37:28.0390 2164 \Device\Harddisk0\DR0\Partition1 - ok
08:37:28.0406 2164 ============================================================
08:37:28.0406 2164 Scan finished
08:37:28.0406 2164 ============================================================
08:37:28.0421 1600 Detected object count: 0
08:37:28.0421 1600 Actual detected object count: 0

#7 JoePapa4

JoePapa4
  • Topic Starter

  • Members
  • 7 posts
  • Local time:07:17 AM

Posted 18 August 2012 - 07:54 AM

And okay, here is the log for aswMBR. Both this one and aswMBR ran without a hitch. No restarts on either.

Looking forward to your reply.

Joe

-=-=-=-=-=-=-=-=

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-18 08:38:25
-----------------------------
08:38:25.093 OS Version: Windows 5.1.2600 Service Pack 3
08:38:25.093 Number of processors: 1 586 0xD08
08:38:25.093 ComputerName: D810 UserName:
08:38:26.140 Initialize success
08:45:28.296 AVAST engine defs: 12081800
08:48:04.625 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
08:48:04.625 Disk 0 Vendor: WDC_WD1600BEVE-00WZT0 01.01A01 Size: 152627MB BusType: 3
08:48:04.671 Disk 0 MBR read successfully
08:48:04.671 Disk 0 MBR scan
08:48:04.734 Disk 0 Windows XP default MBR code
08:48:04.734 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152625 MB offset 63
08:48:04.734 Disk 0 scanning sectors +312576705
08:48:04.843 Disk 0 scanning C:\WINDOWS\system32\drivers
08:48:13.640 Service scanning
08:48:29.765 Modules scanning
08:48:35.828 Disk 0 trace - called modules:
08:48:35.843 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
08:48:35.843 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x867d2ab8]
08:48:36.359 3 CLASSPNP.SYS[f761bfd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x867dfd98]
08:48:38.281 AVAST engine scan C:\WINDOWS
08:48:42.812 AVAST engine scan C:\WINDOWS\system32
08:51:37.296 AVAST engine scan C:\WINDOWS\system32\drivers
08:51:53.093 AVAST engine scan C:\Documents and Settings\Carpinelli Home
08:52:41.093 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Carpinelli Home\Desktop\AntiVirus Stuff\MBR.dat"
08:52:41.093 The log file has been saved successfully to "C:\Documents and Settings\Carpinelli Home\Desktop\AntiVirus Stuff\aswMBR.txt"

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:17 AM

Posted 18 August 2012 - 11:57 AM

Greetings JoePapa4

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:17 AM

Posted 21 August 2012 - 12:29 AM

Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete, and I will ask you to remove our tools.




Gringo

#10 JoePapa4

JoePapa4
  • Topic Starter

  • Members
  • 7 posts
  • Local time:07:17 AM

Posted 21 August 2012 - 06:51 AM

Hi Gringo -

I just need more time. I'm also dealing with a car repair and a phone repair (it's been a bad few weeks), and now have visitors... so a couple more days would be appreciated. FWIW, the computer seems to be back to normal now, but I am committed to completing the process to make sure all REALLY is well.

Thanks for your patience.

Joe

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:17 AM

Posted 21 August 2012 - 04:35 PM

Hello Joe


No problem, I will check on you in a couple of days if I have not heard from you.



Gringo

#12 JoePapa4

JoePapa4
  • Topic Starter

  • Members
  • 7 posts
  • Local time:07:17 AM

Posted 24 August 2012 - 07:33 AM

Hi Gringo -

Thanks for your patience. I finally got a moment to tend to this computer.

I created the script file as instructed above and dragged it onto ComboFix. Everything ran smoothly.

1) report is below

2) had no problems running ComboFix, as last time.

3) Computer seems to be functioning normally, both before and after running ComboFix.

Are you still seeing evidence that something is wrong, or are these steps just a precaution?

ComboFix log is below... Thanks again!!!

Joe

-=-=-=-=-
ComboFix 12-08-22.03 - Carpinelli Home 08/24/2012 8:13.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.654 [GMT -4:00]
Running from: c:\documents and settings\Carpinelli Home\Desktop\AntiVirus Stuff\ComboFix.exe
Command switches used :: c:\documents and settings\Carpinelli Home\Desktop\AntiVirus Stuff\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2012-07-24 to 2012-08-24 )))))))))))))))))))))))))))))))
.
.
2012-08-12 04:31 . 2012-08-12 04:31 -------- d-----w- c:\program files\Enigma Software Group
2012-08-12 04:30 . 2012-08-12 04:56 -------- d-----w- c:\windows\CC1F6DA021D2425AB1B65B164A598450.TMP
2012-08-12 04:30 . 2012-08-12 04:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2012-08-03 05:14 . 2012-08-03 05:14 -------- d-----w- c:\documents and settings\Carpinelli Home\Local Settings\Application Data\{05463A51-DD2A-11E1-8270-B8AC6F996F26}
2012-08-03 05:13 . 2012-08-05 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\6F638BFE83F957640000D5457B07D287
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-19 12:02 . 2012-04-11 04:50 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-19 12:02 . 2011-06-08 10:35 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-06 13:58 . 2008-04-14 07:00 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-04 14:05 . 2010-06-27 13:44 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 17:46 . 2011-09-30 04:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-03 13:40 . 2008-04-14 07:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-07-02 17:49 . 2008-04-14 07:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-07-02 17:49 . 2008-04-14 07:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-07-02 17:49 . 2008-04-14 07:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-07-02 12:05 . 2008-04-14 07:00 385024 ----a-w- c:\windows\system32\html.iec
2012-06-05 15:50 . 2008-04-14 07:00 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2008-04-14 07:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2008-04-14 07:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 19:19 . 2010-06-27 14:36 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2010-06-27 14:36 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2010-06-27 13:46 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2010-06-27 13:46 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2010-06-27 13:46 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2010-06-27 14:36 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2010-06-27 14:36 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2010-06-27 13:46 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2010-06-27 13:46 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2008-04-14 07:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2010-06-27 14:36 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2010-06-27 13:46 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2010-06-27 13:46 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 19:18 . 2012-03-25 13:47 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18 . 2012-03-25 13:47 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 19:18 . 2009-08-06 23:23 214256 ----a-w- c:\windows\system32\muweb.dll
2012-05-31 13:22 . 2008-04-14 07:00 599040 ----a-w- c:\windows\system32\crypt32.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-16_04.50.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-08-24 10:27 . 2012-08-24 10:27 16384 c:\windows\Temp\Perflib_Perfdata_20c.dat
- 2008-04-14 07:00 . 2012-05-11 14:42 67072 c:\windows\system32\mshtmled.dll
+ 2008-04-14 07:00 . 2012-07-02 17:49 67072 c:\windows\system32\mshtmled.dll
- 2009-03-08 08:31 . 2012-05-11 14:42 55296 c:\windows\system32\msfeedsbs.dll
+ 2009-03-08 08:31 . 2012-07-02 17:49 55296 c:\windows\system32\msfeedsbs.dll
- 2008-04-14 07:00 . 2012-05-11 14:42 25600 c:\windows\system32\jsproxy.dll
+ 2008-04-14 07:00 . 2012-07-02 17:49 25600 c:\windows\system32\jsproxy.dll
+ 2010-06-27 15:06 . 2012-07-02 17:49 12800 c:\windows\system32\dllcache\xpshims.dll
- 2010-06-27 15:06 . 2012-05-11 14:42 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2008-04-14 07:00 . 2012-07-02 17:49 67072 c:\windows\system32\dllcache\mshtmled.dll
- 2008-04-14 07:00 . 2012-05-11 14:42 67072 c:\windows\system32\dllcache\mshtmled.dll
- 2010-06-27 15:06 . 2012-05-11 14:42 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2010-06-27 15:06 . 2012-07-02 17:49 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-04-14 07:00 . 2012-07-02 17:49 43520 c:\windows\system32\dllcache\licmgr10.dll
- 2008-04-14 07:00 . 2012-05-11 14:42 43520 c:\windows\system32\dllcache\licmgr10.dll
+ 2008-04-14 07:00 . 2012-07-02 17:49 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2008-04-14 07:00 . 2012-05-11 14:42 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2008-04-14 07:00 . 2012-07-06 13:58 78336 c:\windows\system32\dllcache\browser.dll
+ 2012-08-16 05:04 . 2012-05-11 14:42 12800 c:\windows\ie8updates\KB2722913-IE8\xpshims.dll
+ 2012-08-16 05:04 . 2012-05-11 14:42 67072 c:\windows\ie8updates\KB2722913-IE8\mshtmled.dll
+ 2012-08-16 05:04 . 2012-05-11 14:42 55296 c:\windows\ie8updates\KB2722913-IE8\msfeedsbs.dll
+ 2012-08-16 05:04 . 2012-05-11 14:42 43520 c:\windows\ie8updates\KB2722913-IE8\licmgr10.dll
+ 2012-08-16 05:04 . 2012-05-11 14:42 25600 c:\windows\ie8updates\KB2722913-IE8\jsproxy.dll
+ 2008-04-14 07:00 . 2012-07-02 17:49 105984 c:\windows\system32\url.dll
- 2008-04-14 07:00 . 2012-05-11 14:42 105984 c:\windows\system32\url.dll
+ 2008-04-14 07:00 . 2012-07-02 17:49 206848 c:\windows\system32\occache.dll
- 2008-04-14 07:00 . 2012-05-11 14:42 206848 c:\windows\system32\occache.dll
+ 2008-04-14 07:00 . 2012-07-06 13:58 337920 c:\windows\system32\netapi32.dll
- 2008-04-14 07:00 . 2012-05-11 14:42 611840 c:\windows\system32\mstime.dll
+ 2008-04-14 07:00 . 2012-07-02 17:49 611840 c:\windows\system32\mstime.dll
- 2009-03-08 08:32 . 2012-05-11 14:42 629760 c:\windows\system32\msfeeds.dll
+ 2009-03-08 08:32 . 2012-07-02 17:49 629760 c:\windows\system32\msfeeds.dll
+ 2012-08-19 12:02 . 2012-08-19 12:02 686792 c:\windows\system32\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.exe
+ 2012-08-19 12:02 . 2012-08-19 12:02 466632 c:\windows\system32\Macromed\Flash\FlashUtil32_11_3_300_271_ActiveX.dll
- 2012-04-11 04:50 . 2012-08-12 13:05 250056 c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
+ 2012-04-11 04:50 . 2012-08-19 12:02 250056 c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
- 2008-04-14 07:00 . 2009-05-07 15:32 345600 c:\windows\system32\localspl.dll
+ 2008-04-14 07:00 . 2012-05-14 09:22 345600 c:\windows\system32\localspl.dll
+ 2008-04-14 07:00 . 2012-07-02 17:49 184320 c:\windows\system32\iepeers.dll
- 2008-04-14 07:00 . 2012-05-11 14:42 184320 c:\windows\system32\iepeers.dll
+ 2008-04-14 07:00 . 2012-07-02 17:49 387584 c:\windows\system32\iedkcs32.dll
- 2008-04-14 07:00 . 2012-05-11 14:42 387584 c:\windows\system32\iedkcs32.dll
+ 2008-04-14 07:00 . 2012-07-02 12:05 174080 c:\windows\system32\ie4uinit.exe
- 2008-04-14 07:00 . 2012-05-11 11:38 174080 c:\windows\system32\ie4uinit.exe
- 2010-06-27 09:34 . 2012-07-15 12:09 132480 c:\windows\system32\FNTCACHE.DAT
+ 2010-06-27 09:34 . 2012-08-16 05:09 132480 c:\windows\system32\FNTCACHE.DAT
- 2008-04-14 07:00 . 2012-05-16 15:08 916992 c:\windows\system32\dllcache\wininet.dll
+ 2008-04-14 07:00 . 2012-07-02 17:49 916992 c:\windows\system32\dllcache\wininet.dll
- 2008-04-14 07:00 . 2012-05-11 14:42 105984 c:\windows\system32\dllcache\url.dll
+ 2008-04-14 07:00 . 2012-07-02 17:49 105984 c:\windows\system32\dllcache\url.dll
+ 2010-06-27 13:44 . 2012-07-04 14:05 139784 c:\windows\system32\dllcache\rdpwd.sys
+ 2008-04-14 07:00 . 2012-07-02 17:49 206848 c:\windows\system32\dllcache\occache.dll
- 2008-04-14 07:00 . 2012-05-11 14:42 206848 c:\windows\system32\dllcache\occache.dll
+ 2008-04-14 07:00 . 2012-07-06 13:58 337920 c:\windows\system32\dllcache\netapi32.dll
- 2008-04-14 07:00 . 2012-05-11 14:42 611840 c:\windows\system32\dllcache\mstime.dll
+ 2008-04-14 07:00 . 2012-07-02 17:49 611840 c:\windows\system32\dllcache\mstime.dll
+ 2010-06-27 15:06 . 2012-07-02 17:49 629760 c:\windows\system32\dllcache\msfeeds.dll
- 2010-06-27 15:06 . 2012-05-11 14:42 629760 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-04-14 07:00 . 2012-05-14 09:22 345600 c:\windows\system32\dllcache\localspl.dll
- 2008-04-14 07:00 . 2009-05-07 15:32 345600 c:\windows\system32\dllcache\localspl.dll
+ 2012-06-14 10:38 . 2012-07-02 17:49 521728 c:\windows\system32\dllcache\jsdbgui.dll
- 2012-06-14 10:38 . 2012-05-11 14:42 521728 c:\windows\system32\dllcache\jsdbgui.dll
- 2010-06-27 15:06 . 2012-05-11 14:42 247808 c:\windows\system32\dllcache\ieproxy.dll
+ 2010-06-27 15:06 . 2012-07-02 17:49 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2008-04-14 07:00 . 2012-05-11 14:42 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2008-04-14 07:00 . 2012-07-02 17:49 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2010-06-27 15:06 . 2012-07-02 17:49 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2010-06-27 15:06 . 2012-05-11 14:42 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2008-04-14 07:00 . 2012-05-11 14:42 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-04-14 07:00 . 2012-07-02 17:49 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-04-14 07:00 . 2012-07-02 12:05 174080 c:\windows\system32\dllcache\ie4uinit.exe
- 2008-04-14 07:00 . 2012-05-11 11:38 174080 c:\windows\system32\dllcache\ie4uinit.exe
+ 2012-08-16 05:04 . 2012-05-16 15:08 916992 c:\windows\ie8updates\KB2722913-IE8\wininet.dll
+ 2012-08-16 05:04 . 2012-05-11 14:42 105984 c:\windows\ie8updates\KB2722913-IE8\url.dll
+ 2012-08-16 05:04 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2722913-IE8\spuninst\updspapi.dll
+ 2012-08-16 05:04 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2722913-IE8\spuninst\spuninst.exe
+ 2012-08-16 05:04 . 2012-05-11 14:42 206848 c:\windows\ie8updates\KB2722913-IE8\occache.dll
+ 2012-08-16 05:04 . 2012-05-11 14:42 611840 c:\windows\ie8updates\KB2722913-IE8\mstime.dll
+ 2012-08-16 05:04 . 2012-05-11 14:42 629760 c:\windows\ie8updates\KB2722913-IE8\msfeeds.dll
+ 2012-08-16 05:04 . 2012-05-11 14:42 521728 c:\windows\ie8updates\KB2722913-IE8\jsdbgui.dll
+ 2012-08-16 05:04 . 2012-05-11 14:42 247808 c:\windows\ie8updates\KB2722913-IE8\ieproxy.dll
+ 2012-08-16 05:04 . 2012-05-11 14:42 184320 c:\windows\ie8updates\KB2722913-IE8\iepeers.dll
+ 2012-08-16 05:04 . 2012-05-11 14:42 743424 c:\windows\ie8updates\KB2722913-IE8\iedvtool.dll
+ 2012-08-16 05:04 . 2012-05-11 14:42 387584 c:\windows\ie8updates\KB2722913-IE8\iedkcs32.dll
+ 2012-08-16 05:04 . 2012-05-11 11:38 174080 c:\windows\ie8updates\KB2722913-IE8\ie4uinit.exe
+ 2010-04-15 18:45 . 2010-04-15 18:45 732296 c:\windows\Downloaded Program Files\Photochannel.dll
- 2008-04-14 07:00 . 2012-05-11 14:42 1212416 c:\windows\system32\urlmon.dll
+ 2008-04-14 07:00 . 2012-07-02 17:49 1212416 c:\windows\system32\urlmon.dll
+ 2008-04-14 07:00 . 2012-07-02 17:49 6008320 c:\windows\system32\mshtml.dll
+ 2009-03-08 08:32 . 2012-07-02 17:49 2000384 c:\windows\system32\iertutil.dll
- 2009-03-08 08:32 . 2012-05-11 14:42 2000384 c:\windows\system32\iertutil.dll
- 2008-04-14 07:00 . 2012-06-13 13:19 1866112 c:\windows\system32\dllcache\win32k.sys
+ 2008-04-14 07:00 . 2012-07-03 13:40 1866112 c:\windows\system32\dllcache\win32k.sys
+ 2008-04-14 07:00 . 2012-07-02 17:49 1212416 c:\windows\system32\dllcache\urlmon.dll
- 2008-04-14 07:00 . 2012-05-11 14:42 1212416 c:\windows\system32\dllcache\urlmon.dll
+ 2008-04-14 07:00 . 2012-07-02 17:49 6008320 c:\windows\system32\dllcache\mshtml.dll
+ 2010-06-27 15:06 . 2012-07-02 17:49 2000384 c:\windows\system32\dllcache\iertutil.dll
- 2010-06-27 15:06 . 2012-05-11 14:42 2000384 c:\windows\system32\dllcache\iertutil.dll
+ 2012-08-16 05:04 . 2012-05-11 14:42 1212416 c:\windows\ie8updates\KB2722913-IE8\urlmon.dll
+ 2012-08-16 05:04 . 2012-05-11 14:42 6007808 c:\windows\ie8updates\KB2722913-IE8\mshtml.dll
+ 2012-08-16 05:04 . 2012-05-11 14:42 2000384 c:\windows\ie8updates\KB2722913-IE8\iertutil.dll
+ 2010-06-27 15:04 . 2012-08-16 05:05 59884088 c:\windows\system32\MRT.exe
+ 2009-03-08 08:39 . 2012-07-03 03:19 11111424 c:\windows\system32\ieframe.dll
- 2009-03-08 08:39 . 2012-05-12 00:12 11111424 c:\windows\system32\ieframe.dll
+ 2010-06-27 15:06 . 2012-07-03 03:19 11111424 c:\windows\system32\dllcache\ieframe.dll
- 2010-06-27 15:06 . 2012-05-12 00:12 11111424 c:\windows\system32\dllcache\ieframe.dll
+ 2012-08-16 05:04 . 2012-05-12 00:12 11111424 c:\windows\ie8updates\KB2722913-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\6d816777-7f6d-4d6e-afe7-90f557ded6b3.com" [2011-10-10 2403568]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-07-07 344064]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [4/1/2011 1:11 AM 428640]
S0 cerc6;cerc6; [x]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/26/2010 1:56 PM 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/11/2012 12:50 AM 250056]
S3 ATIXPGAA;ATIXPGAA;c:\dell\drivers\R101342\ATIXPGAA.SYS [6/27/2010 10:22 AM 12032]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/26/2010 1:56 PM 136176]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 12:02]
.
2012-08-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
.
2012-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-26 17:56]
.
2012-08-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-26 17:56]
.
2012-08-23 c:\windows\Tasks\User_Feed_Synchronization-{5EC7C69F-2F62-4FC1-8F3D-28D8BC56FB71}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.weather.com/weather/tenday/08648:4:US
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-24 08:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(832)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(2820)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2012-08-24 08:22:29
ComboFix-quarantined-files.txt 2012-08-24 12:22
ComboFix2.txt 2012-08-16 04:55
.
Pre-Run: 35,607,785,472 bytes free
Post-Run: 35,609,485,312 bytes free
.
- - End Of File - - 17F18110C2AB0BC617DF28F27C01342C
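
The service entries in the ComboFix log above (the R1/R2/S0/S1/S3 lines) are the part of such a log a responder triages by hand: an entry with no image path, shown as `[x]`, or one whose image ComboFix could not verify, shown as `[?]`, is a registration that still points at a file that is no longer on disk, typically left behind by a removed tool or driver. The following Python is an added example, not part of the original thread and not ComboFix's own code; it parses those lines and lists the entries that deserve a second look. The sample input is copied from the log above; the meaning attached to `[x]` and `[?]`, and the R/S running-or-stopped plus start-type layout, are this example's assumptions about ComboFix's notation.

```python
"""Triage the service entries of a ComboFix log (added example, not ComboFix's code).

Assumed ComboFix layout for a service line:
    <R|S><start-type> <name>;<display name>;<image path> [<date> <time> <size>]
with [x] marking an entry that has no locatable binary (no path at all) and
[?] marking an entry whose path is present but whose file could not be verified.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the service lines from the ComboFix log in this thread, verbatim.
SAMPLE_LOG = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R2 UMVPFSrv;UMVPFSrv;c:\program files\Common Files\LogiShrd\LVMVFM\UMVPFSrv.exe [4/1/2011 1:11 AM 428640]
S0 cerc6;cerc6; [x]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
S3 esgiguard;esgiguard;\??\c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys --> c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [?]
"""

# Standard Windows service start types (the digit after R/S).
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$"
)
# "<path> [<date> <time> <size>]" for an entry ComboFix verified on disk.
VERIFIED_RE = re.compile(r"^(?P<path>.*)\s\[(?P<stamp>.*)\s(?P<size>\d+)\]$")


@dataclass
class Service:
    name: str
    display: str
    state: str            # "R" = running, "S" = stopped (assumed notation)
    start_type: int       # 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled
    image_path: str
    status: str           # "ok", "missing" ([x]) or "unverified" ([?])
    size: Optional[int] = None


def parse_service_line(line: str) -> Optional[Service]:
    """Parse one service line; return None for lines that are not service entries."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    size = None
    if rest.endswith("[x]"):
        status, path = "missing", rest[:-3].strip()
    elif rest.endswith("[?]"):
        status, path = "unverified", rest[:-3].strip()
        # ComboFix prints "<registry ImagePath> --> <resolved Win32 path>";
        # keep the resolved path, which is what you would look for on disk.
        if " --> " in path:
            path = path.split(" --> ", 1)[1]
    else:
        vm = VERIFIED_RE.match(rest)
        if not vm:
            return None
        status, path, size = "ok", vm.group("path"), int(vm.group("size"))
    return Service(m.group("name"), m.group("display"), m.group("state"),
                   int(m.group("start")), path, status, size)


def parse_services(log_text: str) -> List[Service]:
    """All service entries found in the log text, in log order."""
    return [s for s in map(parse_service_line, log_text.splitlines()) if s is not None]


def needs_review(services: List[Service]) -> List[Service]:
    """Entries whose binary ComboFix could not verify: stale registrations
    left by removed tools, or a driver whose file is gone."""
    return [s for s in services if s.status != "ok"]


def triage_report(log_text: str) -> List[str]:
    """One human-readable line per entry that needs a second look."""
    report = []
    for s in needs_review(parse_services(log_text)):
        where = s.image_path or "<no image path>"
        report.append(f"{s.name}: {s.status}, start={START_TYPES.get(s.start_type, '?')}, image={where}")
    return report


if __name__ == "__main__":
    for entry in triage_report(SAMPLE_LOG):
        print(entry)
```

Run against the sample, the report names cerc6 (no image path at all) and the two stopped driver entries whose files ComboFix could not verify; a verified entry such as SASDIFSV is parsed with its size but not reported. Feed it a whole ComboFix log and non-service lines are simply skipped.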

#13 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 24 August 2012 - 12:28 PM

Hello

At this time we are just sweeping up and locking the doors.

These logs are looking a lot better, but we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a much better job).

Programs to remove

  • Adobe Reader 9.5.1
  • Java™ 6 Update 20


  • Please download and install Revo Uninstaller Free.
  • Double-click Revo Uninstaller to run it.
  • From the list of programs, double-click on the program to remove.
  • When prompted if you want to uninstall, click Yes.
  • Be sure the Moderate option is selected, then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes and then Next.
  • Once done, click Finish.



Install Java:

Please go here to install Java

  • Click on the Free Java Download button.
  • Click on Agree and Start Free Download.
  • Click on Run.
  • Click on Run again.
  • Click on Install.
  • When the install is complete, click on Close.

Clean Out Temp Files

  • You may want to keep this small application and use it once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install the Yahoo toolbar, uncheck the box next to it.
  • Run CCleaner. (Make sure that under the Windows tab all the boxes for Internet Explorer and Windows Explorer are checked. Under System, check Empty Recycle Bin and Temporary Files. Under the Applications tab, all the boxes should be checked.)
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM.
  • Double-click the MBAM icon.
  • Go to the Update tab at the top.
  • Click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked (ticked) except items in the C:\System Volume Information folder, and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...).

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select Run as administrator.

"information and logs"

  • In your next post I need the following:

  • Log from MBAM
  • Report from HijackThis
  • Let me know of any problems you may have had.
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 26 August 2012 - 11:45 PM

Greetings


I have not heard from you in a couple of days, so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, to remind you that it is very important that we finish the process completely so as not to get reinfected. I will let you know when we are complete, and I will ask you to remove our tools.




Gringo

#15 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 29 August 2012 - 11:12 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • Do you still need help with this?
  • Do you need more time?
  • Are you having problems following my instructions?
  • If after 48 hrs you have not replied to this thread, then it will have to be closed!

Gringo
