
Sirefef (one minute reboot)


  • This topic is locked
33 replies to this topic

#1 Shadowz85

Shadowz85

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:08:43 AM

Posted 12 August 2012 - 08:00 PM

Hi! Had good results with this forum; back again!

Working on my nephew's computer, I noticed Google searches were being redirected.
Microsoft didn't catch the initial problem, so I ran Malwarebytes and ESET Online Scanner, which found and cleaned some problems.
Rebooted.
Microsoft Security Essentials found Sirefef trojan, cleaned and rebooted.
Now every time I boot the computer it says it will "restart automatically in one minute" (in both safe and normal mode).

OS is Vista
AV is MSE

Advanced Boot Options does NOT give me the "Repair your computer" option.
I do not have the Windows installation disk, although it might be possible to find with a lot of hunting.

Please help!

(As an aside, the reason I went to my nephew's computer was to check on the router... On my laptop my Symantec Endpoint Protection was giving me popups that a "port scan attack is logged" coming from the router. Since it was being blocked I figured I would use the other computer to view the router's admin page.)


#2 Shadowz85

Shadowz85
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:08:43 AM

Posted 12 August 2012 - 11:36 PM

Update:
I booted to safe mode and brought up the task manager with a CTRL-ALT-DEL at the first opportunity. I used the processes tab to locate the MSI process and ended it. This allowed me to run DDS and GMER to get the following logs.

Awaiting help,
Thanks!

.
DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by COREY at 20:04:59 on 2012-08-12
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.1652 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\mmc.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
uRun: [TivoServer] c:\program files\tivo\desktop\TiVoServer.exe /service /registry /auto:TivoServer
uRun: [TivoTransfer] c:\program files\tivo\desktop\TiVoTransfer.exe
uRun: [TivoNotify] c:\program files\tivo\desktop\TiVoNotify.exe /service /registry /auto:TivoNotify
uRun: [TranscodingService] c:\program files\tivo\desktop\plus\\TranscodingService.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [Google Update] "c:\users\corey\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Creative Mouse Software] c:\program files\creative\shared files\cids\CTStray.exe
mRun: [Creative Keyboard Software] c:\program files\creative\shared files\cids\CTStray.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\users\corey\appdata\roaming\microsoft\windows\start menu\programs\startup\CurseClientStartup.ccip
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
LSP: mswsock.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/common/asusTek_sys_ctrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{018001D7-5C04-4AA8-AC7C-829907BD9C2A} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{2FE5EDC9-08BC-4664-AA09-2558F440CA37} : DhcpNameServer = 192.168.0.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: GoToAssist Express Customer - c:\program files\citrix\gotoassist remote support customer\428\g2ax_winlogon.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\corey\appdata\roaming\mozilla\firefox\profiles\plnplmne.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=WLETDF&PC=WLEM&q=
FF - prefs.js: browser.search.selectedEngine - FreeMake Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3214568&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3214568&SearchSource=2&q=
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\npjpi160_31.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\corey\appdata\local\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\users\corey\appdata\locallow\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\users\corey\appdata\roaming\mozilla\firefox\profiles\plnplmne.default\extensions\{adca5064-9e30-43fe-9856-58b07a3149fe}\plugins\np-mswmp.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_270.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: WebMail Notifier: {37fa1426-b82d-11db-8314-0800200c9a66} - %profile%\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
FF - Ext: Coupon Companion: crossriderapp4493@crossrider.com - %profile%\extensions\crossriderapp4493@crossrider.com
FF - Ext: Yontoo: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com
FF - Ext: FreeMake : {adca5064-9e30-43fe-9856-58b07a3149fe} - %profile%\extensions\{adca5064-9e30-43fe-9856-58b07a3149fe}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: extentions.y2layers.installId - 6ecae33c-e29e-4af3-815b-c7233b2d1e0a
FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,Buzzdock,
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: security.csp.enable - false
.
============= SERVICES / DRIVERS ===============
.
S0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2012-3-20 171064]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\common files\adobe\arm\1.0\armsvc.exe [2012-1-3 63928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-7-14 176128]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-5-26 21504]
S2 GoToAssist Remote Support Customer;GoToAssist Remote Support Customer;c:\program files\citrix\gotoassist remote support customer\428\g2ax_service.exe [2012-7-30 609720]
S2 RoxLiveShare10;LiveShare P2P Server 10;"c:\program files\common files\roxio shared\10.0\sharedcom\roxliveshare10.exe" --> c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-30 250056]
S3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2011-11-9 8913920]
S3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2011-11-9 263680]
S3 AVMNgBasM780;AVerMedia M780 Base Driver;c:\windows\system32\drivers\AVerBas.sys [2009-2-2 57216]
S3 AVMNgCapM780;AVerMedia M780 Audio/Video Capture Driver;c:\windows\system32\drivers\AVerCap.sys [2009-2-2 366976]
S3 AVMNgTunM780;AVerMedia M780 TVTuner Driver;c:\windows\system32\drivers\AVerTun.sys [2009-2-2 165248]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2012-7-21 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2012-3-8 1492840]
S3 MSI_MSIBIOS_010507;MSI_MSIBIOS_010507;c:\program files\msi\live update 5\msibios32_100507.sys [2012-2-24 25912]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2012-3-20 74112]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\NisSrv.exe [2012-3-26 214952]
S3 NTIOLib_1_0_4;NTIOLib_1_0_4;c:\program files\msi\live update 5\NTIOLib.sys [2012-2-24 7680]
S3 RTL8192su;%RTL8192su.DeviceDesc.DispName%;c:\windows\system32\drivers\RTL8192su.sys [2010-7-8 541800]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 TivoBeacon2;TiVo Beacon Service;c:\program files\tivo\desktop\TiVoBeacon.exe [2010-8-24 1104656]
.
=============== Created Last 30 ================
.
2012-08-12 21:28:12 56200 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ab35551c-e78f-4373-bf9e-a345b5789972}\offreg.dll
2012-08-12 21:27:42 713784 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{cc02cd41-d2a2-459e-854d-9c34a4bb364c}\gapaengine.dll
2012-08-12 21:27:29 6891424 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{ab35551c-e78f-4373-bf9e-a345b5789972}\mpengine.dll
2012-08-12 21:24:51 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-12 16:35:37 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-09 01:33:37 -------- d-----w- c:\users\corey\appdata\roaming\Origin
2012-08-09 01:33:37 -------- d-----w- c:\program files\Origin Games
2012-08-09 01:29:40 -------- d-----w- c:\users\corey\appdata\local\Origin
2012-08-09 01:28:19 -------- d-----w- c:\programdata\Origin
2012-08-09 01:28:10 -------- d-----w- c:\program files\Origin
2012-08-08 00:19:22 -------- d-----w- c:\program files\Belkin
2012-08-08 00:18:52 -------- d-----w- c:\windows\{7EBEACC7-A0C9-4DA4-9A63-3DC7D244B051}
2012-08-04 19:31:44 -------- d-----w- c:\program files\GetFLV
2012-08-04 19:09:26 -------- d-----w- c:\users\corey\appdata\local\Coupon Companion
2012-08-04 19:09:23 -------- d-----w- c:\program files\Coupon Companion
2012-08-04 19:08:30 -------- d-----w- c:\program files\Yontoo
2012-08-04 19:08:28 -------- d-----w- c:\programdata\Tarma Installer
2012-08-04 18:51:08 -------- d-----w- c:\program files\Hulu Downloader
2012-07-30 16:47:37 197560 ----a-w- c:\windows\system32\g2ax_credential_provider_428.dll
2012-07-25 19:02:39 -------- d-----w- c:\program files\Conduit
2012-07-25 19:02:33 -------- d-----w- c:\users\corey\appdata\local\Conduit
2012-07-24 02:44:11 -------- d-----w- C:\game of thrones
2012-07-21 07:11:41 -------- d-----w- c:\windows\en
2012-07-21 07:10:18 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2012-07-21 07:05:56 19736 ----a-w- c:\programdata\microsoft\identitycrl\production\ppcrlconfig600.dll
2012-07-21 07:00:54 89944 ----a-w- c:\program files\common files\windows live\.cache\92256f311cd670e02\DSETUP.dll
2012-07-21 07:00:54 537432 ----a-w- c:\program files\common files\windows live\.cache\92256f311cd670e02\DXSETUP.exe
2012-07-21 07:00:54 1801048 ----a-w- c:\program files\common files\windows live\.cache\92256f311cd670e02\dsetup32.dll
2012-07-21 06:59:44 -------- d-----w- c:\users\corey\appdata\local\{D338EE31-B5CB-4F95-B72A-88791B075104}
2012-07-21 06:59:34 -------- d-----w- c:\users\corey\appdata\local\{D39CB2AE-DC38-4401-8665-12DE8B00E49A}
.
==================== Find3M ====================
.
2012-08-13 00:20:40 279552 ----a-w- c:\windows\system32\services.exe
2012-08-03 05:39:35 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-03 05:39:35 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-03 20:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:40:21 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-06-11 18:17:42 65536 ----a-w- c:\windows\system32\frapsvid.dll
2012-06-05 16:47:28 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 16:47:27 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 15:26:04 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 22:19:42 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 22:12:32 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12:20 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 22:12:13 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 00:04:25 278528 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 00:03:42 204288 ----a-w- c:\windows\system32\ncrypt.dll
.
============= FINISH: 20:08:16.33 ===============
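As an added triage aid (not part of this thread, and not code from DDS, ComboFix or any other tool named here), the script below scans DDS- and ComboFix-style log lines for the Sirefef (ZeroAccess) footprint that is visible in this thread: the `@` file with its `U\` and `L\` subfolders under a GUID in `c:\windows\Installer`, the bogus `%APPDATA%` folder under `system32`, a `services.exe` whose modification date falls in the Find3M window, ComboFix's own "Infected copy of ... services.exe" line, and the Firefox search hijack and `security.csp.enable - false` entries. The rule names, severities and notes are my own labels; the sample lines are copied from the DDS log above and from the ComboFix log posted later in the thread, with one benign line added so the scanner has something to ignore.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the DDS and ComboFix logs in this
# thread, plus one benign line (Microsoft Security Client) as a control.
SAMPLE_LOG_LINES = [
    r"2012-08-12 16:35:37 -------- d-sh--w- c:\windows\system32\%APPDATA%",
    r"2012-08-13 00:20:40 279552 ----a-w- c:\windows\system32\services.exe",
    r"FF - user.js: security.csp.enable - false",
    r"FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3214568&SearchSource=2&q=",
    r"c:\windows\Installer\{87196c57-0f66-141e-fff0-b063f03282b5}\@",
    r"c:\windows\Installer\{87196c57-0f66-141e-fff0-b063f03282b5}\U\80000032.@",
    r"c:\windows\Installer\{87196c57-0f66-141e-fff0-b063f03282b5}\L\201d3dde",
    r"Infected copy of c:\windows\system32\Services.exe was found and disinfected",
    r"c:\program files\Microsoft Security Client",
]
SAMPLE_LOG = "\n".join(SAMPLE_LOG_LINES)


@dataclass(frozen=True)
class Rule:
    name: str          # label chosen for this example, not a vendor signature name
    severity: str
    pattern: re.Pattern[str]
    note: str


@dataclass(frozen=True)
class Finding:
    lineno: int
    rule: str
    severity: str
    line: str


# Each rule is a defensive indicator drawn from the logs in this thread.
RULES = [
    Rule("installer_guid_store", "high",
         re.compile(r"\\windows\\installer\\\{[0-9a-f-]{36}\}\\(?:@\s*$|[ul]\\)", re.I),
         "'@' file plus U\\ and L\\ folders under a GUID in c:\\windows\\Installer "
         "(the module store ComboFix removed in this thread)"),
    Rule("fake_appdata_dir", "high",
         re.compile(r"\\system32\\%appdata%", re.I),
         "literal %APPDATA% folder created under system32 (hidden, system attributes)"),
    Rule("patched_services_exe", "high",
         re.compile(r"infected copy of .*services\.exe", re.I),
         "ComboFix reports a disinfected services.exe; confirm the restored copy"),
    # Matches both DDS Find3M lines (date time size attrs path) and ComboFix
    # Find3M lines (date time . date time size attrs path).
    Rule("services_exe_recently_modified", "medium",
         re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?"
                    r"(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})? \d+ \S+ .*\\system32\\services\.exe\s*$", re.I),
         "services.exe modified inside the Find3M window; verify hash against a known-good copy"),
    Rule("csp_disabled", "medium",
         re.compile(r"security\.csp\.enable\s*-\s*false", re.I),
         "Firefox Content Security Policy turned off in user.js (typical of injected toolbars)"),
    Rule("search_settings_redirected", "low",
         re.compile(r"(?:keyword\.URL|browser\.startup\.homepage|browser\.search\.\w+)\s*-\s*.*conduit\.com", re.I),
         "Firefox search or homepage pointed at a third-party redirector"),
]


def scan_log(text: str) -> list[Finding]:
    """Run every rule over every line; one line may trigger several rules."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule in RULES:
            if rule.pattern.search(line):
                findings.append(Finding(lineno, rule.name, rule.severity, line.strip()))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count hits per rule so a helper can see at a glance what the log shows."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.lineno:>3} [{f.severity:6}] {f.rule}: {f.line}")
    print(summarize(scan_log(SAMPLE_LOG)))
```

The `installer_guid_store` rule is the one worth keeping even after the rest are out of date: a GUID-named folder under `c:\windows\Installer` containing a bare `@` file and `U`/`L` subfolders is not something a legitimate MSI package creates, so a single hit there is enough to justify the full-tool cleanup the helper prescribes rather than deleting files by hand.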


#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:43 AM

Posted 13 August 2012 - 04:02 AM

Greetings and Welcome to The Forums!!


My name is Gringo and I'll be glad to help you with your computer problems.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

:multiple Anti Virus programs:

It looks like you are operating your computer with multiple Anti Virus programs running in memory at once:

<insert av's>

Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

Please remove all but one of them.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#4 Shadowz85

Shadowz85
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:08:43 AM

Posted 13 August 2012 - 12:33 PM

I thought the only on-access AV program I was running was MSE; I did uninstall Malwarebytes and ESET Online Scanner just to be on the safe side.
I ran ComboFix, and although the MSE service wasn't running, it thought MSE was still loaded. The only way to get it to not see the service was to uninstall MSE.
After that ComboFix ran fine.

So far the computer seems to be running fine.
Is it okay to put MSE back on?
Would a different AV have prevented this Sirefef infection?




ComboFix Results
ComboFix 12-08-10.02 - COREY 08/13/2012 9:43.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.1209 [GMT -7:00]
Running from: c:\download\AV\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\chrome.manifest
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\chrome\content\background.html
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\chrome\content\browser.xul
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\chrome\content\crossrider.js
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\chrome\content\crossriderapi.js
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\chrome\content\dialog.js
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\chrome\content\lib\faye-browser-min.js
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\chrome\content\manage-apps-style.css
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\chrome\content\manage-apps.html
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\chrome\content\messaging.js
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\chrome\content\options.js
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\chrome\content\options.xul
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\chrome\content\push.html
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\chrome\content\search_dialog.xul
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\chrome\content\update.html
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\defaults\preferences\prefs.js
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\install.rdf
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\locale\en-US\translations.dtd
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\skin\button1.png
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\skin\button2.png
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\skin\button3.png
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\skin\button4.png
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\skin\button5.png
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\skin\crossrider_statusbar.png
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\skin\icon128.png
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\skin\icon16.png
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\skin\icon24.png
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\skin\icon48.png
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\skin\panelarrow-up.png
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\skin\popup.css
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\skin\popup.html
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\skin\popup_binding.xml
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\skin\skin.css
c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\extensions\crossriderapp4493@crossrider.com\skin\update.css
c:\windows\Installer\{87196c57-0f66-141e-fff0-b063f03282b5}\@
c:\windows\Installer\{87196c57-0f66-141e-fff0-b063f03282b5}\L\00000004.@
c:\windows\Installer\{87196c57-0f66-141e-fff0-b063f03282b5}\L\201d3dde
c:\windows\Installer\{87196c57-0f66-141e-fff0-b063f03282b5}\U\00000004.@
c:\windows\Installer\{87196c57-0f66-141e-fff0-b063f03282b5}\U\00000008.@
c:\windows\Installer\{87196c57-0f66-141e-fff0-b063f03282b5}\U\000000cb.@
c:\windows\Installer\{87196c57-0f66-141e-fff0-b063f03282b5}\U\80000000.@
c:\windows\Installer\{87196c57-0f66-141e-fff0-b063f03282b5}\U\80000032.@
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\regtlib.exe
.
Infected copy of c:\windows\system32\Services.exe was found and disinfected
Restored copy from - c:\combofix\HarddiskVolumeShadowCopy9_!Windows!System32!services.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-13 to 2012-08-13 )))))))))))))))))))))))))))))))
.
.
2012-08-13 16:51 . 2012-08-13 16:54 -------- d-----w- c:\users\COREY\AppData\Local\temp
2012-08-13 16:51 . 2012-08-13 16:51 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-08-13 16:51 . 2012-08-13 16:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-12 22:35 . 2012-08-13 02:03 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-08-12 16:35 . 2012-08-12 16:35 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-09 02:04 . 2012-08-09 02:04 -------- d--h--r- c:\users\COREY\AppData\Roaming\SecuROM
2012-08-09 01:33 . 2012-08-09 01:35 -------- d-----w- c:\program files\Origin Games
2012-08-09 01:33 . 2012-08-09 01:34 -------- d-----w- c:\users\COREY\AppData\Roaming\Origin
2012-08-09 01:29 . 2012-08-09 01:29 -------- d-----w- c:\users\COREY\AppData\Local\Origin
2012-08-09 01:28 . 2012-08-09 01:35 -------- d-----w- c:\programdata\Origin
2012-08-09 01:28 . 2012-08-09 01:29 -------- d-----w- c:\program files\Origin
2012-08-08 00:19 . 2012-08-08 00:19 -------- d-----w- c:\program files\Belkin
2012-08-08 00:18 . 2012-08-08 00:18 -------- d-----w- c:\windows\{7EBEACC7-A0C9-4DA4-9A63-3DC7D244B051}
2012-08-04 19:31 . 2012-08-06 05:50 -------- d-----w- c:\program files\GetFLV
2012-08-04 19:09 . 2012-08-04 19:09 -------- d-----w- c:\users\COREY\AppData\Local\Coupon Companion
2012-08-04 19:09 . 2012-08-06 06:06 -------- d-----w- c:\program files\Coupon Companion
2012-08-04 19:08 . 2012-08-12 17:55 -------- d-----w- c:\program files\Yontoo
2012-08-04 19:08 . 2012-08-04 19:08 -------- d-----w- c:\programdata\Tarma Installer
2012-08-04 18:51 . 2012-08-06 05:51 -------- d-----w- c:\program files\Hulu Downloader
2012-07-30 16:47 . 2012-07-30 16:47 197560 ----a-w- c:\windows\system32\g2ax_credential_provider_428.dll
2012-07-25 19:02 . 2012-07-25 19:02 -------- d-----w- c:\program files\Conduit
2012-07-25 19:02 . 2012-07-25 19:10 -------- d-----w- c:\users\COREY\AppData\Local\Conduit
2012-07-24 02:44 . 2012-07-24 08:41 -------- d-----w- C:\game of thrones
2012-07-21 07:44 . 2012-07-22 16:43 -------- d-----w- c:\users\pics
2012-07-21 07:11 . 2012-07-21 07:11 -------- d-----w- c:\windows\en
2012-07-21 07:10 . 2012-03-09 01:32 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2012-07-21 07:00 . 2012-07-21 07:00 89944 ----a-w- c:\program files\Common Files\Windows Live\.cache\92256f311cd670e02\DSETUP.dll
2012-07-21 07:00 . 2012-07-21 07:00 537432 ----a-w- c:\program files\Common Files\Windows Live\.cache\92256f311cd670e02\DXSETUP.exe
2012-07-21 07:00 . 2012-07-21 07:00 1801048 ----a-w- c:\program files\Common Files\Windows Live\.cache\92256f311cd670e02\dsetup32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-06 06:33 . 2012-08-06 06:33 161792 ----a-w- c:\windows\system32\msls31.dll
2012-08-06 06:33 . 2012-08-06 06:33 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-08-06 06:33 . 2012-08-06 06:33 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-08-06 06:33 . 2012-08-06 06:33 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-08-06 06:33 . 2012-08-06 06:33 63488 ----a-w- c:\windows\system32\tdc.ocx
2012-08-06 06:33 . 2012-08-06 06:33 152064 ----a-w- c:\windows\system32\wextract.exe
2012-08-06 06:33 . 2012-08-06 06:33 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-08-03 05:39 . 2012-03-30 22:10 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-03 05:39 . 2011-05-13 20:50 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-21 07:05 . 2012-07-21 07:05 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-06-13 13:40 . 2012-07-11 01:26 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-06-11 18:17 . 2012-06-11 18:17 65536 ----a-w- c:\windows\system32\frapsvid.dll
2012-06-05 16:47 . 2012-07-11 01:17 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 16:47 . 2012-07-11 01:17 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 15:26 . 2012-07-11 01:17 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 22:19 . 2012-06-24 18:10 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 22:19 . 2012-06-24 18:12 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-24 18:12 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-24 18:10 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-24 18:10 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-24 18:12 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-24 18:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-24 18:10 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 22:12 . 2012-06-24 18:10 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 00:04 . 2012-07-11 01:17 278528 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 00:03 . 2012-07-11 01:17 204288 ----a-w- c:\windows\system32\ncrypt.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-05-17 171448]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2010-08-25 2264336]
"TivoTransfer"="c:\program files\TiVo\Desktop\TiVoTransfer.exe" [2010-08-25 608528]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2010-08-25 437520]
"TranscodingService"="c:\program files\TiVo\Desktop\Plus\\TranscodingService.exe" [2010-08-25 856336]
"Steam"="c:\program files\Steam\Steam.exe" [2012-08-04 1353080]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-01-18 4349952]
"Creative Mouse Software"="c:\program files\Creative\Shared Files\CIDS\CTStray.exe" [2005-10-24 65536]
"Creative Keyboard Software"="c:\program files\Creative\Shared Files\CIDS\CTStray.exe" [2005-10-24 65536]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"CLMLServer"="c:\program files\Cyberlink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
c:\users\COREY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2012-5-26 0]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2012-07-30 16:47 609208 ----a-w- c:\program files\Citrix\GoToAssist Remote Support Customer\428\g2ax_winlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Live Update 5]
2011-12-15 22:13 1935888 ----a-w- c:\program files\MSI\Live Update 5\LU5.exe
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 05:39]
.
2012-08-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-352308663-582380511-1965928383-1002Core.job
- c:\users\COREY\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-20 22:37]
.
2012-08-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-352308663-582380511-1965928383-1002UA.job
- c:\users\COREY\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-20 22:37]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=WLETDF&PC=WLEM&q=
FF - prefs.js: browser.search.selectedEngine - FreeMake Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3214568&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3214568&SearchSource=2&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: WebMail Notifier: {37fa1426-b82d-11db-8314-0800200c9a66} - %profile%\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
FF - Ext: Yontoo: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com
FF - Ext: FreeMake : {adca5064-9e30-43fe-9856-58b07a3149fe} - %profile%\extensions\{adca5064-9e30-43fe-9856-58b07a3149fe}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: extentions.y2layers.installId - 6ecae33c-e29e-4af3-815b-c7233b2d1e0a
FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,Buzzdock,
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: security.csp.enable - false
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{adca5064-9e30-43fe-9856-58b07a3149fe} - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-Malwarebytes' Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-352308663-582380511-1965928383-1002\Software\SecuROM\License information*]
"datasecu"=hex:c6,ad,e6,d6,7f,c5,49,9f,bc,4e,66,d3,89,98,d6,fa,d1,bd,1e,85,34,
2f,70,4b,bb,eb,b7,12,13,e5,ba,c5,7d,58,50,03,2e,f0,2b,9c,9a,8f,d0,c8,74,80,\
"rkeysecu"=hex:3b,e5,e4,e3,26,0b,00,27,cf,f0,f3,a6,83,7c,95,2d
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atiesrxx.exe
c:\windows\system32\atieclxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\428\g2ax_service.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\428\g2ax_comm_customer.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\428\g2ax_system_customer.exe
c:\program files\Citrix\GoToAssist Remote Support Customer\428\g2ax_user_customer.exe
c:\windows\RtHDVCpl.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Common Files\Steam\SteamService.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2012-08-13 10:06:54 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-13 17:04
ComboFix2.txt 2012-04-21 05:04
ComboFix3.txt 2012-04-20 15:27
.
Pre-Run: 192,936,902,656 bytes free
Post-Run: 193,650,704,384 bytes free
.
- - End Of File - - 479EF1A46EF3468BF69ACEA297ED30D4
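
The listing above records the traces this ComboFix run dealt with: `.@` files under c:\windows\Installer\{GUID}\U\ in the deletion list, and a hidden, system-attributed directory literally named %APPDATA% under system32 in the created-files list. As an added example (not part of the thread, and not ComboFix's own code), here is a Python parser for the created-files entry format that flags those patterns; the sample lines are constructed in the same format, and the attributes shown for the `.@` file are assumed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Shape of one entry in a ComboFix "Files Created" / "Find3M" listing, as seen above:
#   <created> . <modified> <size, or -------- for a directory> <8-char attrs> <path>
# The attribute field is read by letter presence (d, s, h, a, r, w); the column order is
# inferred from this listing, not taken from ComboFix documentation.
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-{8}|\d+) (?P<attrs>[A-Za-z-]{8}) (?P<path>.+?)\s*$"
)

# Patterns taken from what this ComboFix run deleted or listed: a directory whose name is
# literally an environment-variable token (c:\windows\system32\%APPDATA%), and 8-hex-digit
# ".@" files under c:\windows\Installer\{GUID}\U\ .
ENVVAR_NAME_RE = re.compile(r"\\%[A-Za-z_]+%(\\|$)")
INSTALLER_U_RE = re.compile(
    r"\\windows\\installer\\\{[0-9a-f-]{36}\}\\u\\[0-9a-f]{8}\.@$", re.IGNORECASE
)

# Constructed sample, modelled on the listing above (attributes on the .@ file are assumed).
SAMPLE_LINES = [
    r"2012-08-13 16:51 . 2012-08-13 16:54 -------- d-----w- c:\users\COREY\AppData\Local\temp",
    r"2012-08-12 16:35 . 2012-08-12 16:35 -------- d-sh--w- c:\windows\system32\%APPDATA%",
    r"2012-08-12 16:35 . 2012-08-12 16:35 -------- d-sh--w- c:\windows\Installer\{87196c57-0f66-141e-fff0-b063f03282b5}\U",
    r"2012-08-12 16:36 . 2012-08-12 16:36 1024 --sha-w- c:\windows\Installer\{87196c57-0f66-141e-fff0-b063f03282b5}\U\80000032.@",
    r"2012-07-30 16:47 . 2012-07-30 16:47 197560 ----a-w- c:\windows\system32\g2ax_credential_provider_428.dll",
    ".",
]


@dataclass
class Entry:
    created: str
    modified: str
    size: int     # 0 where ComboFix prints dashes (directories)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden_system(self) -> bool:
        return "s" in self.attrs and "h" in self.attrs


def parse_entries(lines: Iterable[str]) -> List[Entry]:
    """Parse entry lines; section banners, lone dots and blank lines are skipped."""
    entries: List[Entry] = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = 0 if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def flag_suspicious_entries(entries: Iterable[Entry]) -> List[str]:
    """Return 'reason: path' strings for entries worth a second look."""
    findings: List[str] = []
    for e in entries:
        low = e.path.lower()
        # A directory created in the scan window with hidden+system attributes under the
        # Windows directory; legitimate ones exist, so this is a review flag, not a verdict.
        if e.is_dir and e.hidden_system and low.startswith("c:\\windows\\"):
            findings.append(f"new hidden+system directory under Windows: {e.path}")
        if ENVVAR_NAME_RE.search(e.path):
            findings.append(f"directory named like an environment variable: {e.path}")
        if INSTALLER_U_RE.search(e.path):
            findings.append(f".@ file under Installer\\{{GUID}}\\U: {e.path}")
    return findings


if __name__ == "__main__":
    for finding in flag_suspicious_entries(parse_entries(SAMPLE_LINES)):
        print(finding)
```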

#5 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:43 AM

Posted 13 August 2012 - 12:42 PM

Greetings

I want you to run these next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Proud Graduate Of Malware Removal University

#6 Shadowz85
  • Topic Starter

  • Members
  • 41 posts
  • Gender:Female
  • Local time:08:43 AM

Posted 13 August 2012 - 06:45 PM

No problems running either of them.

TDSSKiller Report

14:52:04.0819 3036 TDSS rootkit removing tool 2.7.48.0 Jul 24 2012 13:16:32
14:52:05.0590 3036 ============================================================
14:52:05.0590 3036 Current date / time: 2012/08/13 14:52:05.0590
14:52:05.0590 3036 SystemInfo:
14:52:05.0590 3036
14:52:05.0591 3036 OS Version: 6.0.6002 ServicePack: 2.0
14:52:05.0591 3036 Product type: Workstation
14:52:05.0591 3036 ComputerName: COREY-PC
14:52:05.0591 3036 UserName: COREY
14:52:05.0591 3036 Windows directory: C:\Windows
14:52:05.0591 3036 System windows directory: C:\Windows
14:52:05.0591 3036 Processor architecture: Intel x86
14:52:05.0591 3036 Number of processors: 2
14:52:05.0591 3036 Page size: 0x1000
14:52:05.0591 3036 Boot type: Normal boot
14:52:05.0591 3036 ============================================================
14:52:06.0847 3036 Drive \Device\Harddisk0\DR0 - Size: 0x5D27216000 (372.61 Gb), SectorSize: 0x200, Cylinders: 0xBE01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
14:52:06.0877 3036 ============================================================
14:52:06.0877 3036 \Device\Harddisk0\DR0:
14:52:06.0877 3036 MBR partitions:
14:52:06.0877 3036 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x2E938000
14:52:06.0877 3036 ============================================================
14:52:06.0928 3036 C: <-> \Device\Harddisk0\DR0\Partition0
14:52:06.0928 3036 ============================================================
14:52:06.0928 3036 Initialize success
14:52:06.0928 3036 ============================================================
14:52:16.0478 1676 ============================================================
14:52:16.0478 1676 Scan started
14:52:16.0478 1676 Mode: Manual;
14:52:16.0478 1676 ============================================================
14:52:17.0466 1676 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
14:52:17.0469 1676 ACPI - ok
14:52:17.0649 1676 AdobeARMservice (62b7936f9036dd6ed36e6a7efa805dc0) C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
14:52:17.0650 1676 AdobeARMservice - ok
14:52:17.0746 1676 AdobeFlashPlayerUpdateSvc (f19c98ad81d2c0e1bbfd8153d2c80ee8) C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
14:52:17.0753 1676 AdobeFlashPlayerUpdateSvc - ok
14:52:17.0810 1676 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
14:52:17.0820 1676 adp94xx - ok
14:52:17.0851 1676 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
14:52:17.0865 1676 adpahci - ok
14:52:17.0883 1676 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
14:52:17.0885 1676 adpu160m - ok
14:52:17.0922 1676 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
14:52:17.0924 1676 adpu320 - ok
14:52:17.0944 1676 AeLookupSvc (9d1fda9e086ba64e3c93c9de32461bcf) C:\Windows\System32\aelupsvc.dll
14:52:17.0946 1676 AeLookupSvc - ok
14:52:17.0997 1676 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\Windows\system32\drivers\Afc.sys
14:52:17.0998 1676 Afc - ok
14:52:18.0090 1676 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
14:52:18.0096 1676 AFD - ok
14:52:18.0158 1676 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
14:52:18.0159 1676 agp440 - ok
14:52:18.0244 1676 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
14:52:18.0245 1676 aic78xx - ok
14:52:18.0283 1676 ALG (a1545b731579895d8cc44fc0481c1192) C:\Windows\System32\alg.exe
14:52:18.0285 1676 ALG - ok
14:52:18.0301 1676 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
14:52:18.0302 1676 aliide - ok
14:52:18.0373 1676 AMD External Events Utility (f970ea885aefeb1b9eb97ca7f1eb226d) C:\Windows\system32\atiesrxx.exe
14:52:18.0375 1676 AMD External Events Utility - ok
14:52:18.0391 1676 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
14:52:18.0393 1676 amdagp - ok
14:52:18.0403 1676 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
14:52:18.0405 1676 amdide - ok
14:52:18.0449 1676 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
14:52:18.0450 1676 AmdK7 - ok
14:52:18.0465 1676 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
14:52:18.0467 1676 AmdK8 - ok
14:52:19.0256 1676 amdkmdag (ab70f110143892eb41aa46500aa5cf00) C:\Windows\system32\DRIVERS\atikmdag.sys
14:52:19.0470 1676 amdkmdag - ok
14:52:19.0641 1676 amdkmdap (32d68d05b871eed5572d0c2c764ea4ec) C:\Windows\system32\DRIVERS\atikmpag.sys
14:52:19.0647 1676 amdkmdap - ok
14:52:19.0717 1676 Appinfo (c6d704c7f0434dc791aac37cac4b6e14) C:\Windows\System32\appinfo.dll
14:52:19.0718 1676 Appinfo - ok
14:52:19.0945 1676 Apple Mobile Device (acb095e7e1663f1b83a41c22c5d75f90) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
14:52:19.0946 1676 Apple Mobile Device - ok
14:52:20.0011 1676 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
14:52:20.0013 1676 arc - ok
14:52:20.0045 1676 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
14:52:20.0047 1676 arcsas - ok
14:52:20.0240 1676 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
14:52:20.0242 1676 aspnet_state - ok
14:52:20.0315 1676 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
14:52:20.0316 1676 AsyncMac - ok
14:52:20.0374 1676 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
14:52:20.0375 1676 atapi - ok
14:52:20.0419 1676 AtiHdmiService - ok
14:52:20.0979 1676 atikmdag (ab70f110143892eb41aa46500aa5cf00) C:\Windows\system32\DRIVERS\atikmdag.sys
14:52:21.0051 1676 atikmdag - ok
14:52:21.0248 1676 AudioEndpointBuilder (68e2a1a0407a66cf50da0300852424ab) C:\Windows\System32\Audiosrv.dll
14:52:21.0253 1676 AudioEndpointBuilder - ok
14:52:21.0258 1676 Audiosrv (68e2a1a0407a66cf50da0300852424ab) C:\Windows\System32\Audiosrv.dll
14:52:21.0261 1676 Audiosrv - ok
14:52:21.0394 1676 AVMNgBasM780 (761d5c71047f828fedca056684fc67d9) C:\Windows\system32\DRIVERS\AVerBas.sys
14:52:21.0395 1676 AVMNgBasM780 - ok
14:52:21.0425 1676 AVMNgCapM780 (4a91f82e8404dfd9a711e666acc77f8f) C:\Windows\system32\DRIVERS\AVerCap.sys
14:52:21.0437 1676 AVMNgCapM780 - ok
14:52:21.0459 1676 AVMNgTunM780 (1308e8f88deaf7372b35b3b4b446947b) C:\Windows\system32\DRIVERS\AVerTun.sys
14:52:21.0462 1676 AVMNgTunM780 - ok
14:52:21.0543 1676 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
14:52:21.0544 1676 Beep - ok
14:52:21.0642 1676 BFE (c789af0f724fda5852fb9a7d3a432381) C:\Windows\System32\bfe.dll
14:52:21.0657 1676 BFE - ok
14:52:21.0693 1676 blbdrive - ok
14:52:21.0830 1676 Bonjour Service (a065f048e9e23e6c026a7bb548d126a7) C:\Program Files\Bonjour\mDNSResponder.exe
14:52:21.0833 1676 Bonjour Service - ok
14:52:21.0906 1676 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
14:52:21.0908 1676 bowser - ok
14:52:21.0967 1676 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
14:52:21.0968 1676 BrFiltLo - ok
14:52:21.0978 1676 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
14:52:21.0979 1676 BrFiltUp - ok
14:52:22.0004 1676 Browser (a3629a0c4226f9e9c72faaeebc3ad33c) C:\Windows\System32\browser.dll
14:52:22.0006 1676 Browser - ok
14:52:22.0067 1676 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
14:52:22.0069 1676 Brserid - ok
14:52:22.0083 1676 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
14:52:22.0085 1676 BrSerWdm - ok
14:52:22.0110 1676 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
14:52:22.0111 1676 BrUsbMdm - ok
14:52:22.0123 1676 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
14:52:22.0124 1676 BrUsbSer - ok
14:52:22.0171 1676 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
14:52:22.0172 1676 BTHMODEM - ok
14:52:22.0277 1676 catchme - ok
14:52:22.0302 1676 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
14:52:22.0304 1676 cdfs - ok
14:52:22.0389 1676 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
14:52:22.0391 1676 cdrom - ok
14:52:22.0465 1676 CertPropSvc (312ec3e37a0a1f2006534913e37b4423) C:\Windows\System32\certprop.dll
14:52:22.0466 1676 CertPropSvc - ok
14:52:22.0495 1676 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
14:52:22.0496 1676 circlass - ok
14:52:22.0557 1676 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
14:52:22.0565 1676 CLFS - ok
14:52:22.0624 1676 clr_optimization_v2.0.50727_32 (8ee772032e2fe80a924f3b8dd5082194) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
14:52:22.0626 1676 clr_optimization_v2.0.50727_32 - ok
14:52:22.0744 1676 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
14:52:22.0752 1676 clr_optimization_v4.0.30319_32 - ok
14:52:22.0779 1676 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
14:52:22.0780 1676 cmdide - ok
14:52:22.0798 1676 Compbatt (82b8c91d327cfecf76cb58716f7d4997) C:\Windows\system32\drivers\compbatt.sys
14:52:22.0799 1676 Compbatt - ok
14:52:22.0803 1676 COMSysApp - ok
14:52:22.0825 1676 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
14:52:22.0826 1676 crcdisk - ok
14:52:22.0856 1676 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
14:52:22.0857 1676 Crusoe - ok
14:52:22.0939 1676 CryptSvc (75c6a297e364014840b48eccd7525e30) C:\Windows\system32\cryptsvc.dll
14:52:22.0941 1676 CryptSvc - ok
14:52:23.0020 1676 DcomLaunch (3b5b4d53fec14f7476ca29a20cc31ac9) C:\Windows\system32\rpcss.dll
14:52:23.0048 1676 DcomLaunch - ok
14:52:23.0115 1676 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
14:52:23.0117 1676 DfsC - ok
14:52:23.0315 1676 DFSR (2cc3dcfb533a1035b13dcab6160ab38b) C:\Windows\system32\DFSR.exe
14:52:23.0373 1676 DFSR - ok
14:52:23.0543 1676 Dhcp (9028559c132146fb75eb7acf384b086a) C:\Windows\System32\dhcpcsvc.dll
14:52:23.0553 1676 Dhcp - ok
14:52:23.0684 1676 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
14:52:23.0686 1676 disk - ok
14:52:23.0769 1676 Dnscache (57d762f6f5974af0da2be88a3349baaa) C:\Windows\System32\dnsrslvr.dll
14:52:23.0772 1676 Dnscache - ok
14:52:23.0840 1676 dot3svc (324fd74686b1ef5e7c19a8af49e748f6) C:\Windows\System32\dot3svc.dll
14:52:23.0844 1676 dot3svc - ok
14:52:23.0914 1676 DPS (a622e888f8aa2f6b49e9bc466f0e5def) C:\Windows\system32\dps.dll
14:52:23.0918 1676 DPS - ok
14:52:23.0987 1676 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
14:52:23.0988 1676 drmkaud - ok
14:52:24.0093 1676 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
14:52:24.0102 1676 DXGKrnl - ok
14:52:24.0177 1676 e1express (908ed85b7806e8af3af5e9b74f7809d4) C:\Windows\system32\DRIVERS\e1e6032.sys
14:52:24.0179 1676 e1express - ok
14:52:24.0223 1676 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
14:52:24.0225 1676 E1G60 - ok
14:52:24.0274 1676 EapHost (c0b95e40d85cd807d614e264248a45b9) C:\Windows\System32\eapsvc.dll
14:52:24.0277 1676 EapHost - ok
14:52:24.0359 1676 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
14:52:24.0362 1676 Ecache - ok
14:52:24.0420 1676 ehRecvr (9be3744d295a7701eb425332014f0797) C:\Windows\ehome\ehRecvr.exe
14:52:24.0435 1676 ehRecvr - ok
14:52:24.0447 1676 ehSched (ad1870c8e5d6dd340c829e6074bf3c3f) C:\Windows\ehome\ehsched.exe
14:52:24.0449 1676 ehSched - ok
14:52:24.0462 1676 ehstart (c27c4ee8926e74aa72efcab24c5242c3) C:\Windows\ehome\ehstart.dll
14:52:24.0463 1676 ehstart - ok
14:52:24.0529 1676 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
14:52:24.0541 1676 elxstor - ok
14:52:24.0616 1676 EMDMgmt (4e6b23dfc917ea39306b529b773950f4) C:\Windows\system32\emdmgmt.dll
14:52:24.0630 1676 EMDMgmt - ok
14:52:24.0726 1676 EventSystem (67058c46504bc12d821f38cf99b7b28f) C:\Windows\system32\es.dll
14:52:24.0740 1676 EventSystem - ok
14:52:24.0806 1676 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
14:52:24.0809 1676 exfat - ok
14:52:24.0851 1676 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
14:52:24.0854 1676 fastfat - ok
14:52:24.0909 1676 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
14:52:24.0910 1676 fdc - ok
14:52:24.0923 1676 fdPHost (6629b5f0e98151f4afdd87567ea32ba3) C:\Windows\system32\fdPHost.dll
14:52:24.0924 1676 fdPHost - ok
14:52:24.0947 1676 FDResPub (89ed56dce8e47af40892778a5bd31fd2) C:\Windows\system32\fdrespub.dll
14:52:24.0950 1676 FDResPub - ok
14:52:25.0017 1676 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
14:52:25.0019 1676 FileInfo - ok
14:52:25.0045 1676 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
14:52:25.0047 1676 Filetrace - ok
14:52:25.0075 1676 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
14:52:25.0076 1676 flpydisk - ok
14:52:25.0090 1676 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
14:52:25.0093 1676 FltMgr - ok
14:52:25.0248 1676 FontCache (8ce364388c8eca59b14b539179276d44) C:\Windows\system32\FntCache.dll
14:52:25.0277 1676 FontCache - ok
14:52:25.0365 1676 FontCache3.0.0.0 (c7fbdd1ed42f82bfa35167a5c9803ea3) C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
14:52:25.0366 1676 FontCache3.0.0.0 - ok
14:52:25.0439 1676 fssfltr (b0082808a6856a252f7cdd939892ce50) C:\Windows\system32\DRIVERS\fssfltr.sys
14:52:25.0440 1676 fssfltr - ok
14:52:25.0768 1676 fsssvc (28ddeeec44e988657b732cf404d504cb) C:\Program Files\Windows Live\Family Safety\fsssvc.exe
14:52:25.0816 1676 fsssvc - ok
14:52:25.0994 1676 Fs_Rec (b972a66758577e0bfd1de0f91aaa27b5) C:\Windows\system32\drivers\Fs_Rec.sys
14:52:25.0995 1676 Fs_Rec - ok
14:52:26.0012 1676 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
14:52:26.0014 1676 gagp30kx - ok
14:52:26.0174 1676 GoToAssist Remote Support Customer (9144b18ce0db8debb3ae31d2ed25c384) C:\Program Files\Citrix\GoToAssist Remote Support Customer\428\g2ax_service.exe
14:52:26.0186 1676 GoToAssist Remote Support Customer - ok
14:52:26.0275 1676 gpsvc (cd5d0aeee35dfd4e986a5aa1500a6e66) C:\Windows\System32\gpsvc.dll
14:52:26.0288 1676 gpsvc - ok
14:52:26.0385 1676 gusvc (751c1d2ca2abf4a9f5a6b8d7d45b907c) C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
14:52:26.0388 1676 gusvc - ok
14:52:26.0475 1676 HdAudAddService (3f90e001369a07243763bd5a523d8722) C:\Windows\system32\drivers\HdAudio.sys
14:52:26.0483 1676 HdAudAddService - ok
14:52:26.0568 1676 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
14:52:26.0583 1676 HDAudBus - ok
14:52:26.0596 1676 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
14:52:26.0597 1676 HidBth - ok
14:52:26.0608 1676 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
14:52:26.0609 1676 HidIr - ok
14:52:26.0665 1676 hidserv (84067081f3318162797385e11a8f0582) C:\Windows\System32\hidserv.dll
14:52:26.0666 1676 hidserv - ok
14:52:26.0731 1676 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
14:52:26.0732 1676 HidUsb - ok
14:52:26.0761 1676 hkmsvc (d8ad255b37da92434c26e4876db7d418) C:\Windows\system32\kmsvc.dll
14:52:26.0764 1676 hkmsvc - ok
14:52:26.0789 1676 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
14:52:26.0791 1676 HpCISSs - ok
14:52:26.0860 1676 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
14:52:26.0879 1676 HTTP - ok
14:52:26.0906 1676 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
14:52:26.0907 1676 i2omp - ok
14:52:26.0987 1676 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
14:52:26.0988 1676 i8042prt - ok
14:52:27.0132 1676 ialm (496db78e6a0c4c44023d9a92b4a7ac31) C:\Windows\system32\DRIVERS\igdkmd32.sys
14:52:27.0174 1676 ialm - ok
14:52:27.0400 1676 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
14:52:27.0407 1676 iaStorV - ok
14:52:27.0542 1676 idsvc (98477b08e61945f974ed9fdc4cb6bdab) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
14:52:27.0569 1676 idsvc - ok
14:52:27.0601 1676 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
14:52:27.0603 1676 iirsp - ok
14:52:27.0736 1676 IKEEXT (9908d8a397b76cd8d31d0d383c5773c9) C:\Windows\System32\ikeext.dll
14:52:27.0762 1676 IKEEXT - ok
14:52:28.0914 1676 IntcAzAudAddService (721b1a0434647418f98d034bebd4b4db) C:\Windows\system32\drivers\RTKVHDA.sys
14:52:28.0973 1676 IntcAzAudAddService - ok
14:52:30.0201 1676 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
14:52:30.0213 1676 intelide - ok
14:52:30.0488 1676 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
14:52:30.0489 1676 intelppm - ok
14:52:30.0746 1676 IPBusEnum (9ac218c6e6105477484c6fdbe7d409a4) C:\Windows\system32\ipbusenum.dll
14:52:30.0749 1676 IPBusEnum - ok
14:52:30.0777 1676 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
14:52:30.0779 1676 IpFilterDriver - ok
14:52:30.0936 1676 iphlpsvc (1998bd97f950680bb55f55a7244679c2) C:\Windows\System32\iphlpsvc.dll
14:52:30.0946 1676 iphlpsvc - ok
14:52:30.0951 1676 IpInIp - ok
14:52:30.0991 1676 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
14:52:31.0022 1676 IPMIDRV - ok
14:52:31.0071 1676 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
14:52:31.0073 1676 IPNAT - ok
14:52:31.0097 1676 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
14:52:31.0098 1676 IRENUM - ok
14:52:31.0112 1676 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
14:52:31.0114 1676 isapnp - ok
14:52:31.0203 1676 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
14:52:31.0205 1676 iScsiPrt - ok
14:52:31.0348 1676 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
14:52:31.0355 1676 iteatapi - ok
14:52:31.0381 1676 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
14:52:31.0382 1676 iteraid - ok
14:52:31.0421 1676 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
14:52:31.0422 1676 kbdclass - ok
14:52:31.0483 1676 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
14:52:31.0484 1676 kbdhid - ok
14:52:31.0520 1676 KeyIso (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
14:52:31.0521 1676 KeyIso - ok
14:52:31.0731 1676 KSecDD (4a1445efa932a3baf5bdb02d7131ee20) C:\Windows\system32\Drivers\ksecdd.sys
14:52:31.0809 1676 KSecDD - ok
14:52:32.0504 1676 KtmRm (8078f8f8f7a79e2e6b494523a828c585) C:\Windows\system32\msdtckrm.dll
14:52:32.0530 1676 KtmRm - ok
14:52:32.0698 1676 LanmanServer (1bf5eebfd518dd7298434d8c862f825d) C:\Windows\System32\srvsvc.dll
14:52:32.0703 1676 LanmanServer - ok
14:52:33.0003 1676 LanmanWorkstation (1db69705b695b987082c8baec0c6b34f) C:\Windows\System32\wkssvc.dll
14:52:33.0009 1676 LanmanWorkstation - ok
14:52:33.0166 1676 LightScribeService (559c9b7800fac92fc515cd0003d7c631) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
14:52:33.0174 1676 LightScribeService - ok
14:52:33.0327 1676 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
14:52:33.0329 1676 lltdio - ok
14:52:33.0377 1676 lltdsvc (2d5a428872f1442631d0959a34abff63) C:\Windows\System32\lltdsvc.dll
14:52:33.0382 1676 lltdsvc - ok
14:52:33.0416 1676 lmhosts (35d40113e4a5b961b6ce5c5857702518) C:\Windows\System32\lmhsvc.dll
14:52:33.0419 1676 lmhosts - ok
14:52:33.0461 1676 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
14:52:33.0463 1676 LSI_FC - ok
14:52:33.0483 1676 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
14:52:33.0486 1676 LSI_SAS - ok
14:52:33.0506 1676 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
14:52:33.0507 1676 LSI_SCSI - ok
14:52:33.0612 1676 ltmodem5 (838df9675a08116f057b6bc530fbbe15) C:\Windows\system32\DRIVERS\ltmdmnt.sys
14:52:33.0628 1676 ltmodem5 - ok
14:52:33.0655 1676 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
14:52:33.0658 1676 luafv - ok
14:52:33.0682 1676 Mcx2Svc (aef9babb8a506bc4ce0451a64aaded46) C:\Windows\system32\Mcx2Svc.dll
14:52:33.0685 1676 Mcx2Svc - ok
14:52:33.0701 1676 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
14:52:33.0702 1676 megasas - ok
14:52:33.0736 1676 MMCSS (1076ffcffaae8385fd62dfcb25ac4708) C:\Windows\system32\mmcss.dll
14:52:33.0739 1676 MMCSS - ok
14:52:33.0763 1676 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
14:52:33.0764 1676 Modem - ok
14:52:33.0902 1676 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
14:52:33.0906 1676 monitor - ok
14:52:33.0939 1676 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
14:52:33.0940 1676 mouclass - ok
14:52:33.0956 1676 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
14:52:33.0957 1676 mouhid - ok
14:52:33.0983 1676 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
14:52:33.0985 1676 MountMgr - ok
14:52:34.0017 1676 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
14:52:34.0019 1676 mpio - ok
14:52:34.0080 1676 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
14:52:34.0081 1676 mpsdrv - ok
14:52:34.0175 1676 MpsSvc (5de62c6e9108f14f6794060a9bdecaec) C:\Windows\system32\mpssvc.dll
14:52:34.0186 1676 MpsSvc - ok
14:52:34.0215 1676 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
14:52:34.0217 1676 Mraid35x - ok
14:52:34.0434 1676 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
14:52:34.0438 1676 MRxDAV - ok
14:52:34.0610 1676 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
14:52:34.0623 1676 mrxsmb - ok
14:52:34.0700 1676 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
14:52:34.0708 1676 mrxsmb10 - ok
14:52:34.0928 1676 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
14:52:34.0944 1676 mrxsmb20 - ok
14:52:34.0959 1676 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys
14:52:34.0960 1676 msahci - ok
14:52:34.0982 1676 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
14:52:34.0985 1676 msdsm - ok
14:52:35.0033 1676 MSDTC (fd7520cc3a80c5fc8c48852bb24c6ded) C:\Windows\System32\msdtc.exe
14:52:35.0037 1676 MSDTC - ok
14:52:35.0077 1676 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
14:52:35.0095 1676 Msfs - ok
14:52:35.0120 1676 MSICDSetup - ok
14:52:35.0154 1676 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
14:52:35.0155 1676 msisadrv - ok
14:52:35.0273 1676 MSiSCSI (85466c0757a23d9a9aecdc0755203cb2) C:\Windows\system32\iscsiexe.dll
14:52:35.0288 1676 MSiSCSI - ok
14:52:35.0292 1676 msiserver - ok
14:52:35.0496 1676 MSI_MSIBIOS_010507 (3846c05a66a3f5cd1d33e1a323c1762c) C:\Program Files\MSI\Live Update 5\msibios32_100507.sys
14:52:35.0503 1676 MSI_MSIBIOS_010507 - ok
14:52:35.0527 1676 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
14:52:35.0528 1676 MSKSSRV - ok
14:52:35.0595 1676 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
14:52:35.0596 1676 MSPCLOCK - ok
14:52:35.0620 1676 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
14:52:35.0621 1676 MSPQM - ok
14:52:35.0717 1676 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
14:52:35.0721 1676 MsRPC - ok
14:52:35.0740 1676 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
14:52:35.0741 1676 mssmbios - ok
14:52:35.0758 1676 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
14:52:35.0759 1676 MSTEE - ok
14:52:35.0851 1676 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
14:52:35.0861 1676 Mup - ok
14:52:36.0377 1676 napagent (e4eaf0c5c1b41b5c83386cf212ca9584) C:\Windows\system32\qagentRT.dll
14:52:36.0407 1676 napagent - ok
14:52:36.0707 1676 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
14:52:36.0712 1676 NativeWifiP - ok
14:52:37.0673 1676 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
14:52:37.0709 1676 NDIS - ok
14:52:37.0747 1676 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
14:52:37.0749 1676 NdisTapi - ok
14:52:37.0818 1676 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
14:52:37.0824 1676 Ndisuio - ok
14:52:37.0985 1676 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
14:52:37.0988 1676 NdisWan - ok
14:52:38.0020 1676 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
14:52:38.0022 1676 NDProxy - ok
14:52:38.0036 1676 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
14:52:38.0037 1676 NetBIOS - ok
14:52:38.0346 1676 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
14:52:38.0360 1676 netbt - ok
14:52:38.0391 1676 Netlogon (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
14:52:38.0392 1676 Netlogon - ok
14:52:38.0426 1676 Netman (c8052711daecc48b982434c5116ca401) C:\Windows\System32\netman.dll
14:52:38.0441 1676 Netman - ok
14:52:38.0882 1676 NetMsmqActivator (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
14:52:38.0886 1676 NetMsmqActivator - ok
14:52:38.0890 1676 NetPipeActivator (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
14:52:38.0892 1676 NetPipeActivator - ok
14:52:38.0941 1676 netprofm (2ef3bbe22e5a5acd1428ee387a0d0172) C:\Windows\System32\netprofm.dll
14:52:38.0956 1676 netprofm - ok
14:52:38.0960 1676 NetTcpActivator (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
14:52:38.0961 1676 NetTcpActivator - ok
14:52:38.0966 1676 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
14:52:38.0967 1676 NetTcpPortSharing - ok
14:52:39.0005 1676 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
14:52:39.0006 1676 nfrd960 - ok
14:52:39.0034 1676 NlaSvc (2997b15415f9bbe05b5a4c1c85e0c6a2) C:\Windows\System32\nlasvc.dll
14:52:39.0045 1676 NlaSvc - ok
14:52:39.0130 1676 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
14:52:39.0133 1676 Npfs - ok
14:52:39.0156 1676 nsi (8bb86f0c7eea2bded6fe095d0b4ca9bd) C:\Windows\system32\nsisvc.dll
14:52:39.0158 1676 nsi - ok
14:52:39.0182 1676 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
14:52:39.0183 1676 nsiproxy - ok
14:52:39.0734 1676 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
14:52:39.0764 1676 Ntfs - ok
14:52:39.0943 1676 NTIOLib_1_0_4 (cd2166c9511d336a058cde91778aaa69) C:\Program Files\MSI\Live Update 5\NTIOLib.sys
14:52:39.0945 1676 NTIOLib_1_0_4 - ok
14:52:39.0972 1676 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
14:52:39.0973 1676 ntrigdigi - ok
14:52:39.0997 1676 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
14:52:39.0998 1676 Null - ok
14:52:40.0027 1676 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
14:52:40.0029 1676 nvraid - ok
14:52:40.0057 1676 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
14:52:40.0058 1676 nvstor - ok
14:52:40.0076 1676 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
14:52:40.0079 1676 nv_agp - ok
14:52:40.0084 1676 NwlnkFlt - ok
14:52:40.0090 1676 NwlnkFwd - ok
14:52:40.0204 1676 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
14:52:40.0209 1676 ohci1394 - ok
14:52:40.0725 1676 p2pimsvc (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
14:52:40.0744 1676 p2pimsvc - ok
14:52:40.0753 1676 p2psvc (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
14:52:40.0761 1676 p2psvc - ok
14:52:41.0014 1676 Parport (8a79fdf04a73428597e2caf9d0d67850) C:\Windows\system32\DRIVERS\parport.sys
14:52:41.0016 1676 Parport - ok
14:52:41.0134 1676 partmgr (b9c2b89f08670e159f7181891e449cd9) C:\Windows\system32\drivers\partmgr.sys
14:52:41.0137 1676 partmgr - ok
14:52:41.0154 1676 Parvdm (6c580025c81caf3ae9e3617c22cad00e) C:\Windows\system32\DRIVERS\parvdm.sys
14:52:41.0155 1676 Parvdm - ok
14:52:41.0181 1676 PcaSvc (c6276ad11f4bb49b58aa1ed88537f14a) C:\Windows\System32\pcasvc.dll
14:52:41.0184 1676 PcaSvc - ok
14:52:41.0256 1676 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
14:52:41.0259 1676 pci - ok
14:52:41.0281 1676 pciide (3b1901e401473e03eb8c874271e50c26) C:\Windows\system32\drivers\pciide.sys
14:52:41.0282 1676 pciide - ok
14:52:41.0317 1676 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
14:52:41.0320 1676 pcmcia - ok
14:52:41.0424 1676 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
14:52:41.0474 1676 PEAUTH - ok
14:52:42.0541 1676 pla (b1689df169143f57053f795390c99db3) C:\Windows\system32\pla.dll
14:52:42.0596 1676 pla - ok
14:52:43.0252 1676 PlugPlay (c5e7f8a996ec0a82d508fd9064a5569e) C:\Windows\system32\umpnpmgr.dll
14:52:43.0289 1676 PlugPlay - ok
14:52:43.0354 1676 PnkBstrA (a1dd33d16f277ce34124ee52ab2c0f14) C:\Windows\system32\PnkBstrA.exe
14:52:43.0357 1676 PnkBstrA - ok
14:52:43.0412 1676 PnkBstrB (f482f214bffdf46dc35f47ba5b453e84) C:\Windows\system32\PnkBstrB.exe
14:52:43.0418 1676 PnkBstrB - ok
14:52:43.0694 1676 PNRPAutoReg (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
14:52:43.0701 1676 PNRPAutoReg - ok
14:52:43.0710 1676 PNRPsvc (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
14:52:43.0718 1676 PNRPsvc - ok
14:52:44.0575 1676 PolicyAgent (d0494460421a03cd5225cca0059aa146) C:\Windows\System32\ipsecsvc.dll
14:52:44.0602 1676 PolicyAgent - ok
14:52:44.0692 1676 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
14:52:44.0694 1676 PptpMiniport - ok
14:52:44.0831 1676 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
14:52:44.0835 1676 Processor - ok
14:52:45.0214 1676 ProfSvc (0508faa222d28835310b7bfca7a77346) C:\Windows\system32\profsvc.dll
14:52:45.0221 1676 ProfSvc - ok
14:52:45.0261 1676 ProtectedStorage (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
14:52:45.0263 1676 ProtectedStorage - ok
14:52:45.0466 1676 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
14:52:45.0474 1676 PSched - ok
14:52:45.0545 1676 PxHelp20 (d970470f8f39470bdae94d313a1ccdce) C:\Windows\system32\Drivers\PxHelp20.sys
14:52:45.0546 1676 PxHelp20 - ok
14:52:45.0739 1676 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
14:52:45.0794 1676 ql2300 - ok
14:52:45.0817 1676 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
14:52:45.0819 1676 ql40xx - ok
14:52:46.0351 1676 QWAVE (e9ecae663f47e6cb43962d18ab18890f) C:\Windows\system32\qwave.dll
14:52:46.0391 1676 QWAVE - ok
14:52:46.0407 1676 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
14:52:46.0408 1676 QWAVEdrv - ok
14:52:46.0437 1676 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
14:52:46.0449 1676 RasAcd - ok
14:52:46.0474 1676 RasAuto (f6a452eb4ceadbb51c9e0ee6b3ecef0f) C:\Windows\System32\rasauto.dll
14:52:46.0479 1676 RasAuto - ok
14:52:46.0503 1676 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
14:52:46.0505 1676 Rasl2tp - ok
14:52:46.0703 1676 RasMan (75d47445d70ca6f9f894b032fbc64fcf) C:\Windows\System32\rasmans.dll
14:52:46.0709 1676 RasMan - ok
14:52:46.0796 1676 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
14:52:46.0798 1676 RasPppoe - ok
14:52:46.0861 1676 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
14:52:46.0863 1676 RasSstp - ok
14:52:46.0935 1676 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
14:52:46.0943 1676 rdbss - ok
14:52:46.0955 1676 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
14:52:46.0956 1676 RDPCDD - ok
14:52:47.0002 1676 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
14:52:47.0009 1676 rdpdr - ok
14:52:47.0012 1676 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
14:52:47.0013 1676 RDPENCDD - ok
14:52:47.0056 1676 RDPWD (c127ebd5afab31524662c48dfceb773a) C:\Windows\system32\drivers\RDPWD.sys
14:52:47.0066 1676 RDPWD - ok
14:52:47.0090 1676 RemoteAccess (bcdd6b4804d06b1f7ebf29e53a57ece9) C:\Windows\System32\mprdim.dll
14:52:47.0093 1676 RemoteAccess - ok
14:52:47.0152 1676 RemoteRegistry (9e6894ea18daff37b63e1005f83ae4ab) C:\Windows\system32\regsvc.dll
14:52:47.0157 1676 RemoteRegistry - ok
14:52:47.0303 1676 RoxLiveShare10 - ok
14:52:47.0332 1676 RpcLocator (5123f83cbc4349d065534eeb6bbdc42b) C:\Windows\system32\locator.exe
14:52:47.0334 1676 RpcLocator - ok
14:52:47.0418 1676 RpcSs (3b5b4d53fec14f7476ca29a20cc31ac9) C:\Windows\system32\rpcss.dll
14:52:47.0425 1676 RpcSs - ok
14:52:47.0451 1676 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
14:52:47.0453 1676 rspndr - ok
14:52:47.0709 1676 RTL8192su (3e322976d9414490df552d63a0dbe288) C:\Windows\system32\DRIVERS\RTL8192su.sys
14:52:47.0766 1676 RTL8192su - ok
14:52:47.0799 1676 SamSs (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
14:52:47.0800 1676 SamSs - ok
14:52:48.0122 1676 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
14:52:48.0146 1676 sbp2port - ok
14:52:48.0488 1676 SCardSvr (77b7a11a0c3d78d3386398fbbea1b632) C:\Windows\System32\SCardSvr.dll
14:52:48.0494 1676 SCardSvr - ok
14:52:49.0138 1676 Schedule (1a58069db21d05eb2ab58ee5753ebe8d) C:\Windows\system32\schedsvc.dll
14:52:49.0188 1676 Schedule - ok
14:52:49.0379 1676 SCPolicySvc (312ec3e37a0a1f2006534913e37b4423) C:\Windows\System32\certprop.dll
14:52:49.0380 1676 SCPolicySvc - ok
14:52:49.0740 1676 SDRSVC (716313d9f6b0529d03f726d5aaf6f191) C:\Windows\System32\SDRSVC.dll
14:52:49.0744 1676 SDRSVC - ok
14:52:49.0850 1676 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
14:52:49.0853 1676 secdrv - ok
14:52:49.0970 1676 seclogon (fd5199d4d8a521005e4b5ee7fe00fa9b) C:\Windows\system32\seclogon.dll
14:52:49.0988 1676 seclogon - ok
14:52:50.0026 1676 SENS (a9bbab5759771e523f55563d6cbe140f) C:\Windows\system32\sens.dll
14:52:50.0029 1676 SENS - ok
14:52:50.0050 1676 Serenum (ce9ec966638ef0b10b864ddedf62a099) C:\Windows\system32\DRIVERS\serenum.sys
14:52:50.0051 1676 Serenum - ok
14:52:50.0083 1676 Serial (6d663022db3e7058907784ae14b69898) C:\Windows\system32\DRIVERS\serial.sys
14:52:50.0085 1676 Serial - ok
14:52:50.0113 1676 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
14:52:50.0114 1676 sermouse - ok
14:52:50.0159 1676 SessionEnv (d2193326f729b163125610dbf3e17d57) C:\Windows\system32\sessenv.dll
14:52:50.0163 1676 SessionEnv - ok
14:52:50.0182 1676 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
14:52:50.0183 1676 sffdisk - ok
14:52:50.0196 1676 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
14:52:50.0198 1676 sffp_mmc - ok
14:52:50.0218 1676 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
14:52:50.0220 1676 sffp_sd - ok
14:52:50.0235 1676 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\DRIVERS\sfloppy.sys
14:52:50.0236 1676 sfloppy - ok
14:52:50.0506 1676 SharedAccess (e1499bd0ff76b1b2fbbf1af339d91165) C:\Windows\System32\ipnathlp.dll
14:52:50.0543 1676 SharedAccess - ok
14:52:50.0582 1676 ShellHWDetection (c7230fbee14437716701c15be02c27b8) C:\Windows\System32\shsvcs.dll
14:52:50.0605 1676 ShellHWDetection - ok
14:52:50.0622 1676 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
14:52:50.0623 1676 sisagp - ok
14:52:50.0650 1676 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
14:52:50.0651 1676 SiSRaid2 - ok
14:52:50.0673 1676 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
14:52:50.0675 1676 SiSRaid4 - ok
14:52:51.0984 1676 slsvc (862bb4cbc05d80c5b45be430e5ef872f) C:\Windows\system32\SLsvc.exe
14:52:52.0095 1676 slsvc - ok
14:52:53.0884 1676 SLUINotify (6edc422215cd78aa8a9cde6b30abbd35) C:\Windows\system32\SLUINotify.dll
14:52:53.0898 1676 SLUINotify - ok
14:52:54.0598 1676 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
14:52:54.0603 1676 Smb - ok
14:52:54.0664 1676 SNMPTRAP (2a146a055b4401c16ee62d18b8e2a032) C:\Windows\System32\snmptrap.exe
14:52:54.0668 1676 SNMPTRAP - ok
14:52:54.0691 1676 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
14:52:54.0692 1676 spldr - ok
14:52:54.0994 1676 Spooler (8554097e5136c3bf9f69fe578a1b35f4) C:\Windows\System32\spoolsv.exe
14:52:55.0000 1676 Spooler - ok
14:52:55.0058 1676 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
14:52:55.0087 1676 srv - ok
14:52:55.0168 1676 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
14:52:55.0172 1676 srv2 - ok
14:52:55.0643 1676 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
14:52:55.0683 1676 srvnet - ok
14:52:55.0730 1676 SSDPSRV (03d50b37234967433a5ea5ba72bc0b62) C:\Windows\System32\ssdpsrv.dll
14:52:55.0770 1676 SSDPSRV - ok
14:52:55.0844 1676 SstpSvc (6f1a32e7b7b30f004d9a20afadb14944) C:\Windows\system32\sstpsvc.dll
14:52:55.0880 1676 SstpSvc - ok
14:52:56.0157 1676 Steam Client Service - ok
14:52:57.0936 1676 stisvc (5de7d67e49b88f5f07f3e53c4b92a352) C:\Windows\System32\wiaservc.dll
14:52:58.0009 1676 stisvc - ok
14:52:58.0032 1676 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
14:52:58.0034 1676 swenum - ok
14:52:59.0359 1676 swprv (f21fd248040681cca1fb6c9a03aaa93d) C:\Windows\System32\swprv.dll
14:52:59.0416 1676 swprv - ok
14:52:59.0575 1676 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
14:52:59.0577 1676 Symc8xx - ok
14:52:59.0620 1676 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
14:52:59.0621 1676 Sym_hi - ok
14:52:59.0650 1676 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
14:52:59.0651 1676 Sym_u3 - ok
14:52:59.0735 1676 SysMain (9a51b04e9886aa4ee90093586b0ba88d) C:\Windows\system32\sysmain.dll
14:52:59.0757 1676 SysMain - ok
14:52:59.0782 1676 TabletInputService (2dca225eae15f42c0933e998ee0231c3) C:\Windows\System32\TabSvc.dll
14:52:59.0823 1676 TabletInputService - ok
14:53:00.0722 1676 TapiSrv (d7673e4b38ce21ee54c59eeeb65e2483) C:\Windows\System32\tapisrv.dll
14:53:00.0736 1676 TapiSrv - ok
14:53:00.0760 1676 TBS (cb05822cd9cc6c688168e113c603dbe7) C:\Windows\System32\tbssvc.dll
14:53:00.0764 1676 TBS - ok
14:53:01.0838 1676 Tcpip (ee7e10bed85c312c1d5d30c435bdda9f) C:\Windows\system32\drivers\tcpip.sys
14:53:01.0907 1676 Tcpip - ok
14:53:01.0921 1676 Tcpip6 (ee7e10bed85c312c1d5d30c435bdda9f) C:\Windows\system32\DRIVERS\tcpip.sys
14:53:01.0929 1676 Tcpip6 - ok
14:53:01.0965 1676 tcpipreg (2c2d4cff5e09c73908f9b5af49a51365) C:\Windows\system32\drivers\tcpipreg.sys
14:53:01.0967 1676 tcpipreg - ok
14:53:02.0002 1676 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
14:53:02.0003 1676 TDPIPE - ok
14:53:02.0044 1676 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
14:53:02.0046 1676 TDTCP - ok
14:53:02.0111 1676 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
14:53:02.0113 1676 tdx - ok
14:53:02.0173 1676 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
14:53:02.0175 1676 TermDD - ok
14:53:02.0260 1676 TermService (bb95da09bef6e7a131bff3ba5032090d) C:\Windows\System32\termsrv.dll
14:53:02.0277 1676 TermService - ok
14:53:02.0315 1676 Themes (c7230fbee14437716701c15be02c27b8) C:\Windows\system32\shsvcs.dll
14:53:02.0320 1676 Themes - ok
14:53:02.0350 1676 THREADORDER (1076ffcffaae8385fd62dfcb25ac4708) C:\Windows\system32\mmcss.dll
14:53:02.0352 1676 THREADORDER - ok
14:53:02.0515 1676 TivoBeacon2 (75ea1a81c9bd03f2a768901ec9db2816) C:\Program Files\TiVo\Desktop\TiVoBeacon.exe
14:53:02.0524 1676 TivoBeacon2 - ok
14:53:02.0555 1676 TrkWks (ec74e77d0eb004bd3a809b5f8fb8c2ce) C:\Windows\System32\trkwks.dll
14:53:02.0560 1676 TrkWks - ok
14:53:02.0645 1676 TrustedInstaller (97d9d6a04e3ad9b6c626b9931db78dba) C:\Windows\servicing\TrustedInstaller.exe
14:53:02.0646 1676 TrustedInstaller - ok
14:53:02.0687 1676 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
14:53:02.0689 1676 tssecsrv - ok
14:53:02.0719 1676 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
14:53:02.0720 1676 tunmp - ok
14:53:02.0786 1676 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
14:53:02.0788 1676 tunnel - ok
14:53:02.0814 1676 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
14:53:02.0816 1676 uagp35 - ok
14:53:02.0892 1676 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
14:53:02.0899 1676 udfs - ok
14:53:02.0947 1676 UI0Detect (ecef404f62863755951e09c802c94ad5) C:\Windows\system32\UI0Detect.exe
14:53:02.0951 1676 UI0Detect - ok
14:53:02.0968 1676 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
14:53:02.0970 1676 uliagpkx - ok
14:53:03.0011 1676 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
14:53:03.0018 1676 uliahci - ok
14:53:03.0050 1676 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
14:53:03.0051 1676 UlSata - ok
14:53:03.0088 1676 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
14:53:03.0091 1676 ulsata2 - ok
14:53:03.0133 1676 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
14:53:03.0134 1676 umbus - ok
14:53:03.0173 1676 upnphost (68308183f4ae0be7bf8ecd07cb297999) C:\Windows\System32\upnphost.dll
14:53:03.0187 1676 upnphost - ok
14:53:03.0266 1676 usbaudio (32db9517628ff0d070682aab61e688f0) C:\Windows\system32\drivers\usbaudio.sys
14:53:03.0268 1676 usbaudio - ok
14:53:03.0305 1676 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
14:53:03.0307 1676 usbccgp - ok
14:53:03.0341 1676 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
14:53:03.0342 1676 usbcir - ok
14:53:03.0403 1676 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
14:53:03.0405 1676 usbehci - ok
14:53:03.0477 1676 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
14:53:03.0486 1676 usbhub - ok
14:53:03.0515 1676 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
14:53:03.0516 1676 usbohci - ok
14:53:03.0556 1676 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
14:53:03.0557 1676 usbprint - ok
14:53:03.0571 1676 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
14:53:03.0573 1676 usbscan - ok
14:53:03.0588 1676 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
14:53:03.0590 1676 USBSTOR - ok
14:53:03.0613 1676 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
14:53:03.0614 1676 usbuhci - ok
14:53:03.0670 1676 UxSms (1509e705f3ac1d474c92454a5c2dd81f) C:\Windows\System32\uxsms.dll
14:53:03.0673 1676 UxSms - ok
14:53:03.0756 1676 vds (cd88d1b7776dc17a119049742ec07eb4) C:\Windows\System32\vds.exe
14:53:03.0774 1676 vds - ok
14:53:03.0836 1676 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
14:53:03.0838 1676 vga - ok
14:53:03.0854 1676 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
14:53:03.0855 1676 VgaSave - ok
14:53:03.0875 1676 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
14:53:03.0877 1676 viaagp - ok
14:53:03.0906 1676 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
14:53:03.0907 1676 ViaC7 - ok
14:53:03.0923 1676 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
14:53:03.0924 1676 viaide - ok
14:53:03.0946 1676 vmci - ok
14:53:03.0954 1676 VMnetAdapter - ok
14:53:03.0988 1676 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
14:53:03.0990 1676 volmgr - ok
14:53:04.0076 1676 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
14:53:04.0081 1676 volmgrx - ok
14:53:04.0152 1676 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
14:53:04.0160 1676 volsnap - ok
14:53:04.0183 1676 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
14:53:04.0185 1676 vsmraid - ok
14:53:04.0306 1676 VSS (db3d19f850c6eb32bdcb9bc0836acddb) C:\Windows\system32\vssvc.exe
14:53:04.0335 1676 VSS - ok
14:53:04.0419 1676 W32Time (96ea68b9eb310a69c25ebb0282b2b9de) C:\Windows\system32\w32time.dll
14:53:04.0432 1676 W32Time - ok
14:53:04.0479 1676 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
14:53:04.0480 1676 WacomPen - ok
14:53:04.0506 1676 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
14:53:04.0508 1676 Wanarp - ok
14:53:04.0511 1676 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
14:53:04.0512 1676 Wanarpv6 - ok
14:53:04.0544 1676 wcncsvc (a3cd60fd826381b49f03832590e069af) C:\Windows\System32\wcncsvc.dll
14:53:04.0562 1676 wcncsvc - ok
14:53:04.0588 1676 WcsPlugInService (11bcb7afcdd7aadacb5746f544d3a9c7) C:\Windows\System32\WcsPlugInService.dll
14:53:04.0594 1676 WcsPlugInService - ok
14:53:04.0629 1676 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
14:53:04.0630 1676 Wd - ok
14:53:04.0692 1676 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
14:53:04.0713 1676 Wdf01000 - ok
14:53:04.0739 1676 WdiServiceHost (abfc76b48bb6c96e3338d8943c5d93b5) C:\Windows\system32\wdi.dll
14:53:04.0743 1676 WdiServiceHost - ok
14:53:04.0746 1676 WdiSystemHost (abfc76b48bb6c96e3338d8943c5d93b5) C:\Windows\system32\wdi.dll
14:53:04.0750 1676 WdiSystemHost - ok
14:53:04.0821 1676 WebClient (04c37d8107320312fbae09926103d5e2) C:\Windows\System32\webclnt.dll
14:53:04.0831 1676 WebClient - ok
14:53:04.0901 1676 Wecsvc (ae3736e7e8892241c23e4ebbb7453b60) C:\Windows\system32\wecsvc.dll
14:53:04.0912 1676 Wecsvc - ok
14:53:04.0937 1676 wercplsupport (670ff720071ed741206d69bd995ea453) C:\Windows\System32\wercplsupport.dll
14:53:04.0941 1676 wercplsupport - ok
14:53:05.0014 1676 WerSvc (32b88481d3b326da6deb07b1d03481e7) C:\Windows\System32\WerSvc.dll
14:53:05.0019 1676 WerSvc - ok
14:53:05.0105 1676 WinDefend (4575aa12561c5648483403541d0d7f2b) C:\Program Files\Windows Defender\mpsvc.dll
14:53:05.0120 1676 WinDefend - ok
14:53:05.0128 1676 WinHttpAutoProxySvc - ok
14:53:05.0174 1676 Winmgmt (6b2a1d0e80110e3d04e6863c6e62fd8a) C:\Windows\system32\wbem\WMIsvc.dll
14:53:05.0184 1676 Winmgmt - ok
14:53:05.0313 1676 WinRM (7cfe68bdc065e55aa5e8421607037511) C:\Windows\system32\WsmSvc.dll
14:53:05.0345 1676 WinRM - ok
14:53:05.0444 1676 Wlansvc (c008405e4feeb069e30da1d823910234) C:\Windows\System32\wlansvc.dll
14:53:05.0460 1676 Wlansvc - ok
14:53:05.0687 1676 wlidsvc (fb01d4ae207b9efdbabfc55dc95c7e31) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
14:53:05.0768 1676 wlidsvc - ok
14:53:05.0912 1676 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
14:53:05.0913 1676 WmiAcpi - ok
14:53:05.0987 1676 wmiApSrv (43be3875207dcb62a85c8c49970b66cc) C:\Windows\system32\wbem\WmiApSrv.exe
14:53:05.0990 1676 wmiApSrv - ok
14:53:06.0115 1676 WMPNetworkSvc (3978704576a121a9204f8cc49a301a9b) C:\Program Files\Windows Media Player\wmpnetwk.exe
14:53:06.0139 1676 WMPNetworkSvc - ok
14:53:06.0158 1676 WPCSvc (cfc5a04558f5070cee3e3a7809f3ff52) C:\Windows\System32\wpcsvc.dll
14:53:06.0168 1676 WPCSvc - ok
14:53:06.0245 1676 WPDBusEnum (801fbdb89d472b3c467eb112a0fc9246) C:\Windows\system32\wpdbusenum.dll
14:53:06.0249 1676 WPDBusEnum - ok
14:53:06.0325 1676 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
14:53:06.0326 1676 WpdUsb - ok
14:53:06.0584 1676 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
14:53:06.0601 1676 WPFFontCache_v0400 - ok
14:53:06.0612 1676 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
14:53:06.0613 1676 ws2ifsl - ok
14:53:06.0711 1676 wscsvc (1ca6c40261ddc0425987980d0cd2aaab) C:\Windows\system32\wscsvc.dll
14:53:06.0715 1676 wscsvc - ok
14:53:06.0722 1676 WSearch - ok
14:53:06.0894 1676 wuauserv (fc3ec24fce372c89423e015a2ac1a31e) C:\Windows\system32\wuaueng.dll
14:53:06.0940 1676 wuauserv - ok
14:53:07.0075 1676 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
14:53:07.0077 1676 WUDFRd - ok
14:53:07.0112 1676 wudfsvc (575a4190d989f64732119e4114045a4f) C:\Windows\System32\WUDFSvc.dll
14:53:07.0116 1676 wudfsvc - ok
14:53:07.0175 1676 MBR (0x1B8) (beedf9b7f43a72a91456f7131afc11b2) \Device\Harddisk0\DR0
14:53:07.0415 1676 \Device\Harddisk0\DR0 - ok
14:53:07.0419 1676 Boot (0x1200) (428d36af032643fda962457ef87aeaf0) \Device\Harddisk0\DR0\Partition0
14:53:07.0421 1676 \Device\Harddisk0\DR0\Partition0 - ok
14:53:07.0421 1676 ============================================================
14:53:07.0421 1676 Scan finished
14:53:07.0421 1676 ============================================================
14:53:07.0431 2644 Detected object count: 0
14:53:07.0431 2644 Actual detected object count: 0

aswMBR log
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-13 14:59:28
-----------------------------
14:59:28.548 OS Version: Windows 6.0.6002 Service Pack 2
14:59:28.549 Number of processors: 2 586 0xF06
14:59:28.549 ComputerName: COREY-PC UserName: COREY
15:00:14.404 Initialize success
15:10:50.872 AVAST engine defs: 12081301
15:55:13.148 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
15:55:13.151 Disk 0 Vendor: WDC_WD4000KS-19MNB0 07.02E07 Size: 381554MB BusType: 3
15:55:13.160 Disk 0 MBR read successfully
15:55:13.163 Disk 0 MBR scan
15:55:13.168 Disk 0 unknown MBR code
15:55:13.177 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 381552 MB offset 2048
15:55:13.184 Disk 0 scanning sectors +781420544
15:55:13.291 Disk 0 scanning C:\Windows\system32\drivers
15:55:25.393 Service scanning
15:55:37.980 Service MSICDSetup E:\CDriver.sys **LOCKED** 21
15:55:51.589 Modules scanning
15:55:57.712 Disk 0 trace - called modules:
15:55:57.739 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS intelide.sys PCIIDEX.SYS atapi.sys
15:55:57.756 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84e131e8]
15:55:57.763 3 CLASSPNP.SYS[8819f8b3] -> nt!IofCallDriver -> [0x84bea918]
15:55:57.770 5 acpi.sys[8069f6bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x84bdc518]
15:55:59.174 AVAST engine scan C:\Windows
15:56:03.416 AVAST engine scan C:\Windows\system32
15:59:48.902 AVAST engine scan C:\Windows\system32\drivers
16:00:03.848 AVAST engine scan C:\Users\COREY
16:14:26.929 AVAST engine scan C:\ProgramData
16:23:31.331 Scan finished successfully
16:42:27.662 Disk 0 MBR has been saved successfully to "C:\Users\COREY\Desktop\Sherri\MBR.dat"
16:42:27.668 The log file has been saved successfully to "C:\Users\COREY\Desktop\Sherri\aswMBR081312.txt"

#7 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 13 August 2012 - 09:54 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#8 Shadowz85
  • Topic Starter

  • Members
  • 41 posts
  • Gender:Female

Posted 14 August 2012 - 12:38 AM

No problem running Combofix. Computer seems to be running fine.

ComboFix Log

ComboFix 12-08-13.01 - COREY 08/13/2012 22:18:06.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2047.1130 [GMT -7:00]
Running from: c:\download\AV\ComboFix.exe
Command switches used :: c:\users\COREY\Desktop\Sherri\cfscript.txt
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-07-14 to 2012-08-14 )))))))))))))))))))))))))))))))
.
.
2012-08-14 05:25 . 2012-08-14 05:25 -------- d-----w- c:\users\COREY\AppData\Local\temp
2012-08-14 05:25 . 2012-08-14 05:25 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-08-14 05:25 . 2012-08-14 05:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-12 22:35 . 2012-08-13 02:03 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-08-12 16:35 . 2012-08-12 16:35 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-09 02:04 . 2012-08-09 02:04 -------- d--h--r- c:\users\COREY\AppData\Roaming\SecuROM
2012-08-09 01:33 . 2012-08-09 01:35 -------- d-----w- c:\program files\Origin Games
2012-08-09 01:33 . 2012-08-09 01:34 -------- d-----w- c:\users\COREY\AppData\Roaming\Origin
2012-08-09 01:29 . 2012-08-09 01:29 -------- d-----w- c:\users\COREY\AppData\Local\Origin
2012-08-09 01:28 . 2012-08-09 01:35 -------- d-----w- c:\programdata\Origin
2012-08-09 01:28 . 2012-08-09 01:29 -------- d-----w- c:\program files\Origin
2012-08-08 00:19 . 2012-08-08 00:19 -------- d-----w- c:\program files\Belkin
2012-08-08 00:18 . 2012-08-08 00:18 -------- d-----w- c:\windows\{7EBEACC7-A0C9-4DA4-9A63-3DC7D244B051}
2012-08-04 19:31 . 2012-08-06 05:50 -------- d-----w- c:\program files\GetFLV
2012-08-04 19:09 . 2012-08-04 19:09 -------- d-----w- c:\users\COREY\AppData\Local\Coupon Companion
2012-08-04 19:09 . 2012-08-06 06:06 -------- d-----w- c:\program files\Coupon Companion
2012-08-04 19:08 . 2012-08-12 17:55 -------- d-----w- c:\program files\Yontoo
2012-08-04 19:08 . 2012-08-04 19:08 -------- d-----w- c:\programdata\Tarma Installer
2012-08-04 18:51 . 2012-08-06 05:51 -------- d-----w- c:\program files\Hulu Downloader
2012-07-30 16:47 . 2012-07-30 16:47 197560 ----a-w- c:\windows\system32\g2ax_credential_provider_428.dll
2012-07-25 19:02 . 2012-07-25 19:02 -------- d-----w- c:\program files\Conduit
2012-07-25 19:02 . 2012-07-25 19:10 -------- d-----w- c:\users\COREY\AppData\Local\Conduit
2012-07-24 02:44 . 2012-07-24 08:41 -------- d-----w- C:\game of thrones
2012-07-21 07:44 . 2012-08-13 17:07 -------- d-----w- c:\users\pics
2012-07-21 07:11 . 2012-07-21 07:11 -------- d-----w- c:\windows\en
2012-07-21 07:10 . 2012-03-09 01:32 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2012-07-21 07:05 . 2012-07-21 07:05 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-07-21 07:00 . 2012-07-21 07:00 89944 ----a-w- c:\program files\Common Files\Windows Live\.cache\92256f311cd670e02\DSETUP.dll
2012-07-21 07:00 . 2012-07-21 07:00 537432 ----a-w- c:\program files\Common Files\Windows Live\.cache\92256f311cd670e02\DXSETUP.exe
2012-07-21 07:00 . 2012-07-21 07:00 1801048 ----a-w- c:\program files\Common Files\Windows Live\.cache\92256f311cd670e02\dsetup32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-03 05:39 . 2012-03-30 22:10 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-03 05:39 . 2011-05-13 20:50 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-13 13:40 . 2012-07-11 01:26 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-06-11 18:17 . 2012-06-11 18:17 65536 ----a-w- c:\windows\system32\frapsvid.dll
2012-06-05 16:47 . 2012-07-11 01:17 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 16:47 . 2012-07-11 01:17 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 15:26 . 2012-07-11 01:17 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 22:19 . 2012-06-24 18:10 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 22:19 . 2012-06-24 18:12 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-24 18:12 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-24 18:10 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-24 18:10 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-24 18:12 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-24 18:12 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-24 18:10 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 22:12 . 2012-06-24 18:10 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 00:04 . 2012-07-11 01:17 278528 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 00:03 . 2012-07-11 01:17 204288 ----a-w- c:\windows\system32\ncrypt.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-05-17 171448]
"TivoServer"="c:\program files\TiVo\Desktop\TiVoServer.exe" [2010-08-25 2264336]
"TivoTransfer"="c:\program files\TiVo\Desktop\TiVoTransfer.exe" [2010-08-25 608528]
"TivoNotify"="c:\program files\TiVo\Desktop\TiVoNotify.exe" [2010-08-25 437520]
"TranscodingService"="c:\program files\TiVo\Desktop\Plus\\TranscodingService.exe" [2010-08-25 856336]
"Steam"="c:\program files\Steam\Steam.exe" [2012-08-04 1353080]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-01-18 4349952]
"Creative Mouse Software"="c:\program files\Creative\Shared Files\CIDS\CTStray.exe" [2005-10-24 65536]
"Creative Keyboard Software"="c:\program files\Creative\Shared Files\CIDS\CTStray.exe" [2005-10-24 65536]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-10-17 1197648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"CLMLServer"="c:\program files\Cyberlink\Power2Go\CLMLSvc.exe" [2009-06-04 103720]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
c:\users\COREY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2012-5-26 0]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist Express Customer]
2012-07-30 16:47 609208 ----a-w- c:\program files\Citrix\GoToAssist Remote Support Customer\428\g2ax_winlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Live Update 5]
2011-12-15 22:13 1935888 ----a-w- c:\program files\MSI\Live Update 5\LU5.exe
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 52700852
*Deregistered* - 52700852
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 05:39]
.
2012-08-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-352308663-582380511-1965928383-1002Core.job
- c:\users\COREY\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-20 22:37]
.
2012-08-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-352308663-582380511-1965928383-1002UA.job
- c:\users\COREY\AppData\Local\Google\Update\GoogleUpdate.exe [2012-01-20 22:37]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\COREY\AppData\Roaming\Mozilla\Firefox\Profiles\plnplmne.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=WLETDF&PC=WLEM&q=
FF - prefs.js: browser.search.selectedEngine - FreeMake Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?&.src=ym
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3214568&SearchSource=2&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: WebMail Notifier: {37fa1426-b82d-11db-8314-0800200c9a66} - %profile%\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
FF - Ext: Yontoo: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: extentions.y2layers.installId - 6ecae33c-e29e-4af3-815b-c7233b2d1e0a
FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,Buzzdock,
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: security.csp.enable - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-13 22:25
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-352308663-582380511-1965928383-1002\Software\SecuROM\License information*]
"datasecu"=hex:c6,ad,e6,d6,7f,c5,49,9f,bc,4e,66,d3,89,98,d6,fa,d1,bd,1e,85,34,
2f,70,4b,bb,eb,b7,12,13,e5,ba,c5,7d,58,50,03,2e,f0,2b,9c,9a,8f,d0,c8,74,80,\
"rkeysecu"=hex:3b,e5,e4,e3,26,0b,00,27,cf,f0,f3,a6,83,7c,95,2d
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2012-08-13 22:27:59
ComboFix-quarantined-files.txt 2012-08-14 05:27
ComboFix2.txt 2012-08-13 17:06
ComboFix3.txt 2012-04-21 05:04
ComboFix4.txt 2012-04-20 15:27
.
Pre-Run: 190,975,569,920 bytes free
Post-Run: 191,071,014,912 bytes free
.
- - End Of File - - EFD572E714DB4DB42F8689DF13A21311
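As an added aside for anyone reading ComboFix reports like the one above (example code, not part of the thread and not ComboFix's own tooling): a small Python triage parser for lines in the shape of the "Files Created" section. It splits each line into its two timestamps, size, attribute flags and path, and lists the entries an analyst would want to look at first: hidden+system objects under the Windows directory, a path component that is a literal environment-variable name, and recently created files under the Windows directory. The attribute-letter meanings (d, s, h, a) and the review rules are assumptions of this example; the sample lines are copied from the report above.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample input in the shape of ComboFix's "Files Created" section:
# "<ts1> . <ts2> <size-or-dashes> <attribute flags> <path>". Lines copied from
# the report posted above; the lone "." is a section separator.
SAMPLE_LINES = [
    r"2012-08-14 05:25 . 2012-08-14 05:25 -------- d-----w- c:\users\COREY\AppData\Local\temp",
    r"2012-08-12 16:35 . 2012-08-12 16:35 -------- d-sh--w- c:\windows\system32\%APPDATA%",
    r"2012-08-09 02:04 . 2012-08-09 02:04 -------- d--h--r- c:\users\COREY\AppData\Roaming\SecuROM",
    r"2012-07-30 16:47 . 2012-07-30 16:47 197560 ----a-w- c:\windows\system32\g2ax_credential_provider_428.dll",
    r"2012-07-21 07:10 . 2012-03-09 01:32 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys",
    ".",
]

# Time of the ComboFix run the sample came from (taken from the report header).
SCAN_TIME = datetime(2012, 8, 13, 22, 18)

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "   # first timestamp
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "       # second timestamp
    r"(-{8}|\d+) "                            # size in bytes, or dashes for a directory
    r"([-a-z]{8}) "                           # attribute flags, e.g. d-sh--w-
    r"(.+)$"                                  # path
)
TS_FMT = "%Y-%m-%d %H:%M"


@dataclass
class Entry:
    ts1: datetime          # first timestamp as printed
    ts2: datetime          # second timestamp as printed
    size: Optional[int]    # None for directories (printed as dashes)
    flags: str             # assumed letters: d=directory, s=system, h=hidden, a=archive
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.flags

    @property
    def hidden(self) -> bool:
        return "h" in self.flags

    @property
    def system(self) -> bool:
        return "s" in self.flags


def parse_line(line: str) -> Optional[Entry]:
    """Parse one report line; return None for separators and unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts1, ts2, size, flags, path = m.groups()
    return Entry(
        ts1=datetime.strptime(ts1, TS_FMT),
        ts2=datetime.strptime(ts2, TS_FMT),
        size=None if size.startswith("-") else int(size),
        flags=flags,
        path=path.strip(),
    )


def parse_report(lines: List[str]) -> List[Entry]:
    return [e for e in (parse_line(line) for line in lines) if e is not None]


def flag_entry(entry: Entry, scan_time: datetime, recent_days: int = 30) -> List[str]:
    """Return the review reasons that apply to one entry (empty list = nothing notable)."""
    reasons: List[str] = []
    under_windows = entry.path.lower().startswith("c:\\windows\\")
    if under_windows and entry.hidden and entry.system:
        reasons.append("hidden+system object under the Windows directory")
    # A directory literally named like %APPDATA% sitting on disk is unusual and worth a look.
    if re.search(r"\\%[^\\]+%(\\|$)", entry.path):
        reasons.append("path component that is a literal environment-variable name")
    if under_windows and not entry.is_dir and scan_time - entry.ts1 <= timedelta(days=recent_days):
        reasons.append(f"file under the Windows directory newer than {recent_days} days")
    return reasons


def triage(lines: List[str], scan_time: datetime) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons; entries with no reasons are omitted."""
    result: Dict[str, List[str]] = {}
    for entry in parse_report(lines):
        reasons = flag_entry(entry, scan_time)
        if reasons:
            result[entry.path] = reasons
    return result


def triage_sample() -> Dict[str, List[str]]:
    return triage(SAMPLE_LINES, SCAN_TIME)


if __name__ == "__main__":
    for path, why in triage_sample().items():
        print(path, "->", "; ".join(why))
```

The flagged list is a reading aid for the analyst, not a verdict: every legitimate driver installed in the last month lands in the "recent file" bucket too.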

#9 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 August 2012 - 12:33 PM

Hello

I would like to see a report that combofix makes.

extra combofix report

  • Push the "Windows key" + "R" (the Windows key is between the "Ctrl" button and the "Alt" button).
  • Please copy and paste the following into the box:
C:\Qoobox\Add-Remove Programs.txt
  • Click OK.

copy and paste the report into this topic for me to review

Gringo

#10 Shadowz85
  • Topic Starter

  • Members
  • 41 posts
  • Gender:Female

Posted 14 August 2012 - 12:49 PM

Thanks Gringo, here you go...


Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.3)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ashampoo Burning Studio 6 FREE
ASUS E-Green Uninstall
ATI Catalyst Install Manager
Belarc Advisor 7.2
Belkin USB Wireless Adaptor
Bonjour
Canon G.726 WMP-Decoder
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon MP Navigator 3.0
Canon MP160
Canon MP160 User Registration
Canon My Printer
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities Easy-PhotoPrint
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture DC
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Catalyst Control Center InstallProxy
CCleaner
Counter-Strike: Source
Coupon Companion
Creative Keyboard Software
Creative Mouse Software
CyberLink Power2Go
D3DX10
Debut Video Capture Software
Diablo III
Disney Pirates of the Caribbean Online
Easy Audio Editor
EMC 10 Content
Fraps
Google Chrome
Google Toolbar for Internet Explorer
GoToAssist Customer 1.6.0.428
GoToAssist Expert 1.6.0.330
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java Auto Updater
Java™ 6 Update 31
Junk Mail filter update
LightScribe 1.4.136.1
Live Update 5
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Age of Empires II
Microsoft Application Error Reporting
Microsoft Default Manager
Microsoft Office Excel Viewer
Microsoft Office XP Professional
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft UI Engine
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Works
Microsoft WSE 3.0 Runtime
Mozilla Firefox (3.6.28)
MSI Afterburner 2.1.0
MSI Kombustor 2.0.0
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
neroxml
OpenOffice.org 3.1
Opti Drive Control 1.50
Origin
Prism Video File Converter
QuickTime
Realtek High Definition Audio Driver
Revo Uninstaller 1.93
ScanSoft OmniPage SE 4.0
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Segoe UI
Skype™ 5.5
SmartSound Quicktracks Plugin
Software Suite
Spelling Dictionaries Support For Adobe Reader 9
StarCraft II
Steam
Stronghold Legends
The Sims 2 Open For Business
The Sims Medieval
The Sims™ 2 Double Deluxe
The Sims™ 2 Fun with Pets Collection
The Sims™ 2 IKEA® Home Stuff
The Sims™ 2 Kitchen & Bath Interior Design Stuff
TiVo Desktop 2.8.2
Unigine Heaven DX11 Benchmark 2.5 version 2.5
Unity Web Player
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
VCRedistSetup
VideoPad Video Editor
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
World of Warcraft
Xvid 1.2.2 final uninstall
Yontoo 1.10.02
YouTube Downloader Toolbar v5.4
YTD Video Downloader 3.9

#11 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 August 2012 - 07:10 PM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (it does a much better job).

Programs to remove

Java™ 6 Update 31
Mozilla Firefox (3.6.28) <-- needs to be updated!
Yontoo 1.10.02


  • Please download and install Revo Uninstaller Free.
  • Double-click Revo Uninstaller to run it.
  • From the list of programs, double-click on The Program to remove.
  • When prompted if you want to uninstall, click Yes.
  • Be sure the Moderate option is selected, then click Next.
  • The program will run; if prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes, then Next.
  • Once done, click Finish.


Install Java:

Please go here to install Java

  • Click on the Free Java Download button.
  • Click on Agree and start Free download.
  • Click on Run.
  • Click on Run again.
  • Click on Install.
  • When the install is complete, click on Close.

Clean Out Temp Files

  • You may want to keep this small application and use it once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Host file not read, blank Notepad ...).

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HiJackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select Run as administrator.

"information and logs"

  • In your next post I need the following:

  • Log from MBAM
  • Report from HijackThis
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#12 Shadowz85

Shadowz85
  • Topic Starter

  • Members
  • 41 posts
  • Gender:Female

Posted 14 August 2012 - 09:32 PM

Not having any troubles. Computer seems to be fine. I will install Firefox now, but am waiting for your okay to reinstall MSE.



MBAM log
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.14.07

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
COREY :: COREY-PC [administrator]

8/14/2012 7:08:48 PM
mbam-log-2012-08-14 (19-08-48).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201090
Time elapsed: 8 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


HiJackThis Log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:28:05 PM, on 8/14/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16447)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
C:\Program Files\Cyberlink\Power2Go\CLMLSvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoNotify.exe
C:\Program Files\Citrix\GoToAssist Remote Support Customer\428\g2ax_user_customer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\mobsync.exe
C:\Users\COREY\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\COREY\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\COREY\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\COREY\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\COREY\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Creative Mouse Software] C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe
O4 - HKLM\..\Run: [Creative Keyboard Software] C:\Program Files\Creative\Shared Files\CIDS\CTStray.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\Cyberlink\Power2Go\CLMLSvc.exe"
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [TivoServer] C:\Program Files\TiVo\Desktop\TiVoServer.exe /service /registry /auto:TivoServer
O4 - HKCU\..\Run: [TivoTransfer] C:\Program Files\TiVo\Desktop\TiVoTransfer.exe
O4 - HKCU\..\Run: [TivoNotify] C:\Program Files\TiVo\Desktop\TiVoNotify.exe /service /registry /auto:TivoNotify
O4 - HKCU\..\Run: [TranscodingService] C:\Program Files\TiVo\Desktop\Plus\\TranscodingService.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: CurseClientStartup.ccip
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: *.clonewarsadventures.com
O15 - Trusted Zone: *.freerealms.com
O15 - Trusted Zone: *.soe.com
O15 - Trusted Zone: *.sony.com
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O20 - Winlogon Notify: GoToAssist Express Customer - C:\Program Files\Citrix\GoToAssist Remote Support Customer\428\g2ax_winlogon.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GoToAssist Remote Support Customer - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist Remote Support Customer\428\g2ax_service.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TiVo Beacon Service (TivoBeacon2) - TiVo Inc. - C:\Program Files\TiVo\Desktop\TiVoBeacon.exe

--
End of file - 8328 bytes

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 14 August 2012 - 09:59 PM

Yes, install MSE now.



These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to. You can start any of them when you need them by clicking their icons (or from the Control Panel). By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad, ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
      O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
      O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [CLMLServer] "C:\Program Files\Cyberlink\Power2Go\CLMLSvc.exe"
      O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
      O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
      O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
      O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
      O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not.
    Just copy the name between the brackets and paste it into the search space, for example:
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HiJackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select Run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Win 7, right-click the IE shortcut and run as admin.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add-on to be installed
    • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

  • If no threats were found:
    • put a checkmark in "Uninstall application on close"
    • close the program
    • report to me that nothing was found

  • If threats were found:
    • click on "list of threats found"
    • click on "export to text file" and save it as ESET SCAN and save to the desktop
    • click on back
    • put a checkmark in "Uninstall application on close"
    • click on finish
    • close the program
    • copy and paste the report here


Gringo
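One way to triage a saved HijackThis log like the one posted above, as an added example that is not part of this thread and not a HijackThis or BleepingComputer tool: a small Python parser for the O4 (autostart), O15 (Trusted Zone) and O23 (service) lines. Given a remove list of value names it returns the exact O4 lines to tick for "Fix Checked", and it flags services the log reports as "(file missing)" or "Unknown owner" so they get a second look. The sample lines are copied from the log posted earlier in the thread; the remove list in the demo and the function names `parse_log`, `select_for_fix` and `flag_services` are my own assumptions for illustration.

```python
"""
Triage helper for a saved HijackThis 2.0.4 log.

Added example for this thread; it is not a BleepingComputer, Trend Micro or
HijackThis tool.  It parses the O4 (autostart), O15 (Trusted Zone) and O23
(service) lines, returns the O4 lines to tick for "Fix Checked" given a
remove list, and flags services whose binary is missing or that report
"Unknown owner".
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - Startup: CurseClientStartup.ccip
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O15 - Trusted Zone: *.soe.com
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
--
End of file - 8328 bytes
"""


@dataclass(frozen=True)
class Autostart:
    hive: str      # "HKLM", "HKCU", "Startup" or "Global Startup"
    key: str       # "Run", "RunOnce", ...; empty for startup-folder entries
    name: str      # value name in brackets, or the startup-folder file name
    command: str   # command line or shortcut target (may be empty)
    raw: str       # the log line exactly as HijackThis lists it


@dataclass(frozen=True)
class Service:
    name: str
    owner: str          # company reported by HijackThis; "Unknown owner" if none
    path: str
    file_missing: bool  # HijackThis appends "(file missing)" to the path
    raw: str


_REG_O4 = re.compile(
    r"^O4 - (?P<hive>HK\w+(?:\\[^\\]+)?)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] ?(?P<command>.*)$")
_DIR_O4 = re.compile(
    r"^O4 - (?P<hive>Startup|Global Startup): (?P<name>[^=]+?)(?: = (?P<command>.*))?$")
_O15 = re.compile(r"^O15 - Trusted Zone: (?P<zone>.+)$")
_O23 = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$")


def parse_log(text: str) -> dict:
    """Return {"autostart": [Autostart], "trusted_zones": [str], "services": [Service]}."""
    autostart, zones, services = [], [], []
    for line in text.splitlines():
        line = line.rstrip()
        if m := _REG_O4.match(line):
            autostart.append(Autostart(m["hive"], m["key"], m["name"], m["command"], line))
        elif m := _DIR_O4.match(line):
            autostart.append(Autostart(m["hive"], "", m["name"].strip(), m["command"] or "", line))
        elif m := _O15.match(line):
            zones.append(m["zone"])
        elif m := _O23.match(line):
            services.append(Service(m["name"], m["owner"], m["path"], m["missing"] is not None, line))
    return {"autostart": autostart, "trusted_zones": zones, "services": services}


def select_for_fix(entries, remove_names) -> list:
    """Log lines to tick in HijackThis for the names on the remove list, in log order."""
    wanted = set(remove_names)
    return [e.raw for e in entries if e.name in wanted]


def flag_services(services) -> list:
    """(Service, reasons) for services whose binary is missing or that have no known owner."""
    flagged = []
    for s in services:
        reasons = []
        if s.file_missing:
            reasons.append("file missing")
        if s.owner == "Unknown owner":
            reasons.append("unknown owner")
        if reasons:
            flagged.append((s, reasons))
    return flagged


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    # Assumed remove list for the demo; the RunOnce entry left by the cleanup
    # tool itself is deliberately not on it.
    for line in select_for_fix(parsed["autostart"], {"QuickTime Task", "Steam", "Microsoft Office.lnk"}):
        print("FIX:", line)
    for svc, why in flag_services(parsed["services"]):
        print("CHECK:", svc.name, "->", ", ".join(why))
    for zone in parsed["trusted_zones"]:
        print("TRUSTED ZONE:", zone)
```

The raw line is kept on every entry because that is what you compare against the HijackThis scan list before ticking it; everything in the log other than O4, O15 and O23 lines is ignored.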

#14 Shadowz85

Shadowz85
  • Topic Starter

  • Members
  • 41 posts
  • Gender:Female

Posted 15 August 2012 - 09:06 AM

Good Morning Gringo,

I removed the items you listed. That went okay. I reinstalled Firefox and now it's at the current version. It wanted to reinstall the Yontoo add-in and I told it not to.

I ran the ESET online scanner. It didn't find anything.

I installed MSE. When it tried to update the virus definitions, that failed. The message is:

Virus and spyware definitions update failed
Security Essentials couldn't check for virus and spyware definition updates. Check your Internet or network connection and try again.


#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 15 August 2012 - 09:54 AM

I want you to see if Windows Update is working.


gringo