
Virus Notifications, FBI Moneypack Virus and Overheating

This topic is locked
28 replies to this topic

#1 Sedadren

  • Members
  • 39 posts

Posted 12 August 2012 - 10:57 PM

A few days ago we had the "FBI Moneypack" thing hijack our computer. I was able to finally access our computer by doing a system restore, but of course it is still hiding somewhere in my system. Since then I keep getting MalwareBytes popups about several viruses or Trojans or something like that. It only happens when I am not doing anything on my computer. When the computer is active I don't get anything happening. I ran a couple full system scans, and they are picking up registry keys, but it does not seem to be effective at fixing the problems. Additionally, I have a computer that tends to run at a temp of 70c on a good day, but now it is running at 88c and above. When I try and play my MMORPG (Runes of Magic) I just crash all the time because it jacks the temp up to 94c and of course it can't run at that heat. The last time it was running that hot it was because a virus was running in the background and causing the computer to be using a lot more processor, so I am hoping that is the case now.

Spybot finds nothing. Malwarebytes found several things and I fixed them, but didn't see a change.

Thank you in advance.


#2 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,579 posts
  • Gender:Male

Posted 13 August 2012 - 01:36 AM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 Sedadren
  • Topic Starter

  • Members
  • 39 posts

Posted 13 August 2012 - 03:07 AM

I have been here before, and somehow I never seem to find this starting guide even though I look for it. Thank you for posting it.

Step 6 completed
Step 7 completed and attached
Step 8... I had some issues. I waited a long time and it was stopped on

Data\Google\Chrome\Application\chrome.exe[2248]C:\WINDOWS\system32\ntdll.dll

I hope I typed that correctly. It said scan was still going so I waited another 20 minutes with no change. I then closed the program and ended the scan. Upon restarting the program it clocked for several minutes then crashed. I tried opening it again and the same thing happened. Finally on one of my attempts I got it to run for another 30 minutes until it crashed my computer. I don't know if it overheated or what, but it is back to not wanting to run.

When my computer finally did come back up it did something else odd. I run 2 monitors off of this computer, and have different files on different screens. For the last several days when I turn on my computer, all the files are sorted by type and all together instead of where I put them. This time they are back to their proper place.

My wife and I are disabled and we have a personal care attendant. I am fairly certain that whatever happened this time is due to whatever she downloaded one day. She ended up with the same "FBI Money pack" virus a few hours after I did and they just did a reinstall.

Edited to update:
I am editing now so as not to bump my post. Today the FBI/Moneypack came back. I spent the better part of 2 hours to get my system to do a restore again. The same thing happened as last time I tried to do a restore. I would load up into safe mode, start the restore and a couple minutes into it, my system would crash and I would have to start over. I probably did that a dozen times before I got it to work finally. Now with the system restore I have no idea how valid the logs I posted still are. I don't know enough about computers to really be able to know how it would affect them.

Thank you for all your help.

Edited by Sedadren, 13 August 2012 - 04:22 PM.


#4 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,762 posts
  • Gender:Male

Posted 17 August 2012 - 11:00 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/464973 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#5 Sedadren
  • Topic Starter

  • Members
  • 39 posts

Posted 18 August 2012 - 01:07 AM

I got the helpbot message. I am unable to stay on my mmorpg for more than a few minutes, so I am still here and waiting. I refresh a lot to see if there is any help yet, so ignore the number of views. Last I looked I was approaching 400, and I am sure most of them are me :)

Step one: I clicked to let someone know I am still waiting for assistance. Step 2 said to add a reply and repost logs.

Step two: When running GMER I am still crashing. This time the blue screen froze and said it was an ati2dvag problem that is causing the crash when running it.

I was able to get DDS to run and have attached a new log.

I am running XP, no idea on version or anything like that except I do know it is a 32 bit system. I had the disk at one point, but we moved 250 miles away and I am 100% certain that it is sitting in our storage unit.


Again, thank you in advance for all your help.

Attached Files

  • dds.txt (8.29KB, 3 downloads)


#6 nasdaq

  • Malware Response Team
  • 40,510 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 August 2012 - 10:21 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

You have two major issues to look after, FBI Moneypak and a ZeroAccess rootkit infection.

You will find removal instructions on the FBI Moneypak here.
http://www.bleepingcomputer.com/virus-removal/remove-fbi-monkeypak-ransomware

If possible, execute the instructions up to step 11 (rebooting your computer).

===


Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Note: You may be asked if you want to download Avast Free Antivirus I suggest you deny this download unless you do not have any Antivirus protection on the computer.
===

Try to run the TDSSKiller and aswMBR tools in regular mode. If not, do it in Safe Mode.

Please post the logs and let me know what problem persists.
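The TDSSKiller log that nasdaq asks for is long (every service and driver gets a hash line and a verdict line), so it helps to have something that pulls out only what needs a human eye. The following Python script is an added example, not part of this thread and not code from Kaspersky's tool: it parses the "Scan services" section of a TDSSKiller log into records, lists every entry whose verdict is not "ok", and reports hash lines that never received a verdict (which is what an interrupted scan like the one described earlier in this thread would leave behind). The sample log is constructed: three entries are copied from the log posted later in this thread, while ExampleSvc, CutOffSvc, their hashes and paths, and the "( Verdict ) - warning" shape of a non-ok line are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional

# Entry in the "Scan services" section that carries a file hash:
#   <time> <pid> [ <md5> ] <ServiceName> <Path>
# Service names may contain spaces ("Adobe LM Service"), so the name is
# matched lazily and the path is anchored on a drive letter.
HASH_LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>\d+)\s+"
    r"\[ (?P<md5>[0-9a-fA-F]{32}) \]\s+(?P<name>.+?)\s+(?P<path>[A-Za-z]:\\.*)$"
)

# Verdict line that follows a hash line, or stands alone when no file exists:
#   <time> <pid> <ServiceName> - <status>
VERDICT_LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>\d+)\s+(?P<name>.+?)\s+-\s+(?P<status>\w+)$"
)

# Assumed shape of a non-ok verdict: "<Name> ( <Verdict> ) - <status>"
VERDICT_TAG = re.compile(r"\( (?P<verdict>.+?) \)")

Record = Dict[str, Optional[str]]

# Constructed sample: first three entries copied from the thread's log,
# ExampleSvc and CutOffSvc invented (hashes, paths and verdict are not real).
SAMPLE_LOG = r"""
17:29:44.0437 3476 ================ Scan services =============================
17:29:44.0562 3476 Abiosdsk - ok
17:29:44.0609 3476 [ 8fd99680a539792a30e97944fdaecf17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
17:29:44.0625 3476 ACPI - ok
17:29:44.0703 3476 [ c1eb9968ec89fba5f3a264e2e57923ab ] Adobe LM Service C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
17:29:44.0718 3476 Adobe LM Service - ok
17:29:49.0400 3476 [ 0123456789abcdef0123456789abcdef ] ExampleSvc C:\WINDOWS\system32\drivers\example.sys
17:29:49.0500 3476 ExampleSvc ( UnsignedFile.Multi.Generic ) - warning
17:29:49.0600 3476 [ fedcba9876543210fedcba9876543210 ] CutOffSvc C:\WINDOWS\system32\drivers\cutoff.sys
"""


def parse_tdsskiller_services(text: str) -> Dict[str, List[Record]]:
    """Parse the log from the 'Scan services' banner onward.

    Returns {"records": [...], "incomplete": [...]}. Each record has name,
    md5, path, status and verdict; "incomplete" holds hash lines that never
    got a verdict line, a sign that the scan stopped before finishing.
    """
    in_services = False
    pending: Dict[str, Record] = {}   # hash lines waiting for their verdict
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if "Scan services" in line:
            in_services = True
            continue
        if not in_services:
            continue                  # skip the SystemInfo / drive header
        m = HASH_LINE.match(line)
        if m:
            pending[m["name"]] = {"name": m["name"], "md5": m["md5"].lower(),
                                  "path": m["path"], "status": None, "verdict": None}
            continue
        m = VERDICT_LINE.match(line)
        if not m:
            continue                  # section banners and other noise
        raw_name, status = m["name"], m["status"]
        tag = VERDICT_TAG.search(raw_name)
        name = raw_name[: tag.start()].rstrip() if tag else raw_name
        rec = pending.pop(name, {"name": name, "md5": None, "path": None,
                                 "status": None, "verdict": None})
        rec["status"] = status
        rec["verdict"] = tag["verdict"] if tag else None
        records.append(rec)
    return {"records": records, "incomplete": list(pending.values())}


def flag_for_review(parsed: Dict[str, List[Record]]) -> List[Record]:
    """Anything whose status is not 'ok' goes to the top of the triage pile."""
    return [r for r in parsed["records"] if r["status"] != "ok"]


def summarize(parsed: Dict[str, List[Record]]) -> Dict[str, int]:
    flagged = flag_for_review(parsed)
    return {"total": len(parsed["records"]),
            "ok": len(parsed["records"]) - len(flagged),
            "flagged": len(flagged),
            "incomplete": len(parsed["incomplete"])}


if __name__ == "__main__":
    result = parse_tdsskiller_services(SAMPLE_LOG)
    print(summarize(result))
    for r in flag_for_review(result):
        print("REVIEW:", r["name"], r["status"], r["verdict"], r["path"])
    for r in result["incomplete"]:
        print("NO VERDICT (scan interrupted?):", r["name"], r["path"])
```

Run it against a pasted log instead of SAMPLE_LOG by reading the file into `text` and calling `parse_tdsskiller_services(text)`; the md5 values in the records can then be checked against a known-good source before anything is acted on, which is the point of posting the full log here rather than only the flagged lines.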

#7 Sedadren
  • Topic Starter

  • Members
  • 39 posts

Posted 19 August 2012 - 06:50 PM

So far I have been unable to get safe mode to work for more than a couple minutes. I tried to follow the instructions in the first step to get rid of the FBI Moneypack virus, but I load up into safe mode, it starts and runs fine for a few minutes then just totally shuts down and reboots. I can do this over and over and it won't let me get through running anything. I tried it last night several times and again today several times.

As for the rest of it.

Here is the first log you requested, from TDSSKiller:

17:29:35.0281 3412 TDSS rootkit removing tool 2.8.6.0 Aug 13 2012 17:24:05
17:29:35.0656 3412 ============================================================
17:29:35.0656 3412 Current date / time: 2012/08/19 17:29:35.0656
17:29:35.0656 3412 SystemInfo:
17:29:35.0656 3412
17:29:35.0656 3412 OS Version: 5.1.2600 ServicePack: 3.0
17:29:35.0656 3412 Product type: Workstation
17:29:35.0656 3412 ComputerName: KI
17:29:35.0656 3412 UserName: Kiren
17:29:35.0656 3412 Windows directory: C:\WINDOWS
17:29:35.0656 3412 System windows directory: C:\WINDOWS
17:29:35.0656 3412 Processor architecture: Intel x86
17:29:35.0656 3412 Number of processors: 2
17:29:35.0656 3412 Page size: 0x1000
17:29:35.0656 3412 Boot type: Normal boot
17:29:35.0656 3412 ============================================================
17:29:36.0937 3412 Drive \Device\Harddisk0\DR0 - Size: 0x7470AFDE00 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
17:29:36.0937 3412 ============================================================
17:29:36.0937 3412 \Device\Harddisk0\DR0:
17:29:36.0937 3412 MBR partitions:
17:29:36.0937 3412 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A380D41
17:29:36.0937 3412 ============================================================
17:29:36.0953 3412 C: <-> \Device\Harddisk0\DR0\Partition1
17:29:37.0000 3412 ============================================================
17:29:37.0000 3412 Initialize success
17:29:37.0000 3412 ============================================================
17:29:44.0015 3476 ============================================================
17:29:44.0015 3476 Scan started
17:29:44.0015 3476 Mode: Manual;
17:29:44.0015 3476 ============================================================
17:29:44.0437 3476 ================ Scan services =============================
17:29:44.0562 3476 Abiosdsk - ok
17:29:44.0562 3476 abp480n5 - ok
17:29:44.0609 3476 [ 8fd99680a539792a30e97944fdaecf17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
17:29:44.0625 3476 ACPI - ok
17:29:44.0640 3476 [ 9859c0f6936e723e4892d7141b1327d5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys
17:29:44.0640 3476 ACPIEC - ok
17:29:44.0703 3476 [ c1eb9968ec89fba5f3a264e2e57923ab ] Adobe LM Service C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
17:29:44.0718 3476 Adobe LM Service - ok
17:29:44.0750 3476 [ a9d3b95e8466bd58eeb8a1154654e162 ] AdobeFlashPlayerUpdateSvc C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
17:29:44.0765 3476 AdobeFlashPlayerUpdateSvc - ok
17:29:44.0765 3476 adpu160m - ok
17:29:44.0796 3476 [ 8bed39e3c35d6a489438b8141717a557 ] aec C:\WINDOWS\system32\drivers\aec.sys
17:29:44.0812 3476 aec - ok
17:29:44.0828 3476 [ 1e44bc1e83d8fd2305f8d452db109cf9 ] AFD C:\WINDOWS\System32\drivers\afd.sys
17:29:44.0843 3476 AFD - ok
17:29:44.0843 3476 Aha154x - ok
17:29:44.0843 3476 aic78u2 - ok
17:29:44.0859 3476 aic78xx - ok
17:29:44.0875 3476 [ a9a3daa780ca6c9671a19d52456705b4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
17:29:44.0875 3476 Alerter - ok
17:29:44.0890 3476 [ 8c515081584a38aa007909cd02020b3d ] ALG C:\WINDOWS\System32\alg.exe
17:29:44.0890 3476 ALG - ok
17:29:44.0906 3476 AliIde - ok
17:29:44.0937 3476 [ f6af59d6eee5e1c304f7f73706ad11d8 ] Ambfilt C:\WINDOWS\system32\drivers\Ambfilt.sys
17:29:45.0046 3476 Ambfilt - ok
17:29:45.0062 3476 [ efbb0956baed786e137351b5ca272aef ] AmdK8 C:\WINDOWS\system32\DRIVERS\AmdK8.sys
17:29:45.0062 3476 AmdK8 - ok
17:29:45.0062 3476 amsint - ok
17:29:45.0109 3476 [ 9015bc03f62940527ec92d45ee89e46f ] AntiVirSchedulerService C:\Program Files\Avira\AntiVir Desktop\sched.exe
17:29:45.0109 3476 AntiVirSchedulerService - ok
17:29:45.0140 3476 [ b8720a787c1223492e6f319465e996ce ] AntiVirService C:\Program Files\Avira\AntiVir Desktop\avguard.exe
17:29:45.0140 3476 AntiVirService - ok
17:29:45.0203 3476 [ 5aa788d5a2c6737bb9c45933985bc1b8 ] Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
17:29:45.0203 3476 Apple Mobile Device - ok
17:29:45.0218 3476 [ d8849f77c0b66226335a59d26cb4edc6 ] AppMgmt C:\WINDOWS\System32\appmgmts.dll
17:29:45.0234 3476 AppMgmt - ok
17:29:45.0265 3476 [ b5b8a80875c1dededa8b02765642c32f ] Arp1394 C:\WINDOWS\system32\DRIVERS\arp1394.sys
17:29:45.0265 3476 Arp1394 - ok
17:29:45.0265 3476 asc - ok
17:29:45.0281 3476 asc3350p - ok
17:29:45.0281 3476 asc3550 - ok
17:29:45.0343 3476 [ 776acefa0ca9df0faa51a5fb2f435705 ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
17:29:45.0375 3476 aspnet_state - ok
17:29:45.0390 3476 [ b153affac761e7f5fcfa822b9c4e97bc ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
17:29:45.0390 3476 AsyncMac - ok
17:29:45.0406 3476 [ 9f3a2f5aa6875c72bf062c712cfa2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
17:29:45.0406 3476 atapi - ok
17:29:45.0406 3476 Atdisk - ok
17:29:45.0437 3476 [ 281d26df656e53dab568214ee282ec46 ] Ati HotKey Poller C:\WINDOWS\system32\Ati2evxx.exe
17:29:45.0468 3476 Ati HotKey Poller - ok
17:29:45.0609 3476 [ c2b6f2161abd498d2b453050ffc81812 ] ati2mtag C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
17:29:45.0640 3476 ati2mtag - ok
17:29:45.0656 3476 [ 9916c1225104ba14794209cfa8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
17:29:45.0656 3476 Atmarpc - ok
17:29:45.0671 3476 [ def7a7882bec100fe0b2ce2549188f9d ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
17:29:45.0687 3476 AudioSrv - ok
17:29:45.0703 3476 [ d9f724aa26c010a217c97606b160ed68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
17:29:45.0703 3476 audstub - ok
17:29:45.0734 3476 [ 6a646c46b9415e13095aa9b352040a7a ] avgio C:\Program Files\Avira\AntiVir Desktop\avgio.sys
17:29:45.0734 3476 avgio - ok
17:29:45.0750 3476 [ 14fe36d8f2c6a2435275338d061a0b66 ] avgntflt C:\WINDOWS\system32\DRIVERS\avgntflt.sys
17:29:45.0750 3476 avgntflt - ok
17:29:45.0765 3476 [ 452e382340bb0c5e694ed9d3625356d0 ] avipbb C:\WINDOWS\system32\DRIVERS\avipbb.sys
17:29:45.0781 3476 avipbb - ok
17:29:45.0796 3476 [ da1f27d85e0d1525f6621372e7b685e9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
17:29:45.0796 3476 Beep - ok
17:29:45.0843 3476 [ f832f1505ad8b83474bd9a5b1b985e01 ] Bonjour Service C:\Program Files\Bonjour\mDNSResponder.exe
17:29:45.0875 3476 Bonjour Service - ok
17:29:45.0890 3476 [ f934d1b230f84e1d19dd00ac5a7a83ed ] Bridge C:\WINDOWS\system32\DRIVERS\bridge.sys
17:29:45.0890 3476 Bridge - ok
17:29:45.0890 3476 [ f934d1b230f84e1d19dd00ac5a7a83ed ] BridgeMP C:\WINDOWS\system32\DRIVERS\bridge.sys
17:29:45.0890 3476 BridgeMP - ok
17:29:45.0906 3476 [ a06ce3399d16db864f55faeb1f1927a9 ] Browser C:\WINDOWS\System32\browser.dll
17:29:45.0921 3476 Browser - ok
17:29:45.0937 3476 [ 248dfa5762dde38dfddbbd44149e9d7a ] BVRPMPR5 C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
17:29:45.0937 3476 BVRPMPR5 - ok
17:29:45.0953 3476 [ 90a673fc8e12a79afbed2576f6a7aaf9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
17:29:45.0953 3476 cbidf2k - ok
17:29:45.0984 3476 [ 0be5aef125be881c4f854c554f2b025c ] CCDECODE C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
17:29:45.0984 3476 CCDECODE - ok
17:29:45.0984 3476 cd20xrnt - ok
17:29:46.0000 3476 [ c1b486a7658353d33a10cc15211a873b ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
17:29:46.0000 3476 Cdaudio - ok
17:29:46.0015 3476 [ c885b02847f5d2fd45a24e219ed93b32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
17:29:46.0015 3476 Cdfs - ok
17:29:46.0031 3476 [ 1f4260cc5b42272d71f79e570a27a4fe ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
17:29:46.0031 3476 Cdrom - ok
17:29:46.0031 3476 Changer - ok
17:29:46.0046 3476 [ 1cfe720eb8d93a7158a4ebc3ab178bde ] CiSvc C:\WINDOWS\system32\cisvc.exe
17:29:46.0046 3476 CiSvc - ok
17:29:46.0046 3476 [ 34cbe729f38138217f9c80212a2a0c82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
17:29:46.0062 3476 ClipSrv - ok
17:29:46.0093 3476 [ d87acaed61e417bba546ced5e7e36d9c ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
17:29:46.0140 3476 clr_optimization_v2.0.50727_32 - ok
17:29:46.0156 3476 [ c5a75eb48e2344abdc162bda79e16841 ] clr_optimization_v4.0.30319_32 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
17:29:46.0218 3476 clr_optimization_v4.0.30319_32 - ok
17:29:46.0218 3476 CmdIde - ok
17:29:46.0234 3476 COMSysApp - ok
17:29:46.0234 3476 Cpqarray - ok
17:29:46.0250 3476 [ 3d4e199942e29207970e04315d02ad3b ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
17:29:46.0250 3476 CryptSvc - ok
17:29:46.0265 3476 dac2w2k - ok
17:29:46.0265 3476 dac960nt - ok
17:29:46.0296 3476 [ 6b27a5c03dfb94b4245739065431322c ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
17:29:46.0296 3476 DcomLaunch - ok
17:29:46.0328 3476 [ 5e38d7684a49cacfb752b046357e0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
17:29:46.0328 3476 Dhcp - ok
17:29:46.0328 3476 [ 044452051f3e02e7963599fc8f4f3e25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
17:29:46.0343 3476 Disk - ok
17:29:46.0343 3476 dmadmin - ok
17:29:46.0359 3476 [ d992fe1274bde0f84ad826acae022a41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
17:29:46.0390 3476 dmboot - ok
17:29:46.0406 3476 [ 7c824cf7bbde77d95c08005717a95f6f ] dmio C:\WINDOWS\system32\drivers\dmio.sys
17:29:46.0406 3476 dmio - ok
17:29:46.0406 3476 [ e9317282a63ca4d188c0df5e09c6ac5f ] dmload C:\WINDOWS\system32\drivers\dmload.sys
17:29:46.0421 3476 dmload - ok
17:29:46.0421 3476 [ 57edec2e5f59f0335e92f35184bc8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
17:29:46.0421 3476 dmserver - ok
17:29:46.0437 3476 [ 8a208dfcf89792a484e76c40e5f50b45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
17:29:46.0437 3476 DMusic - ok
17:29:46.0468 3476 [ 5f7e24fa9eab896051ffb87f840730d2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
17:29:46.0468 3476 Dnscache - ok
17:29:46.0484 3476 [ 0f0f6e687e5e15579ef4da8dd6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
17:29:46.0500 3476 Dot3svc - ok
17:29:46.0500 3476 dpti2o - ok
17:29:46.0515 3476 [ 8f5fcff8e8848afac920905fbd9d33c8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
17:29:46.0515 3476 drmkaud - ok
17:29:46.0546 3476 [ 2187855a7703adef0cef9ee4285182cc ] EapHost C:\WINDOWS\System32\eapsvc.dll
17:29:46.0546 3476 EapHost - ok
17:29:46.0578 3476 [ bc93b4a066477954555966d77fec9ecb ] ERSvc C:\WINDOWS\System32\ersvc.dll
17:29:46.0578 3476 ERSvc - ok
17:29:46.0593 3476 [ 65df52f5b8b6e9bbd183505225c37315 ] Eventlog C:\WINDOWS\system32\services.exe
17:29:46.0593 3476 Eventlog - ok
17:29:46.0640 3476 [ d4991d98f2db73c60d042f1aef79efae ] EventSystem C:\WINDOWS\System32\es.dll
17:29:46.0671 3476 EventSystem - ok
17:29:46.0687 3476 [ 38d332a6d56af32635675f132548343e ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
17:29:46.0687 3476 Fastfat - ok
17:29:46.0703 3476 [ 99bc0b50f511924348be19c7c7313bbf ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
17:29:46.0718 3476 FastUserSwitchingCompatibility - ok
17:29:46.0718 3476 [ 92cdd60b6730b9f50f6a1a0c1f8cdc81 ] Fdc C:\WINDOWS\system32\DRIVERS\fdc.sys
17:29:46.0734 3476 Fdc - ok
17:29:46.0750 3476 [ d45926117eb9fa946a6af572fbe1caa3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
17:29:46.0750 3476 Fips - ok
17:29:46.0750 3476 [ 9d27e7b80bfcdf1cdd9b555862d5e7f0 ] Flpydisk C:\WINDOWS\system32\DRIVERS\flpydisk.sys
17:29:46.0750 3476 Flpydisk - ok
17:29:46.0765 3476 [ b2cf4b0786f8212cb92ed2b50c6db6b0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys
17:29:46.0781 3476 FltMgr - ok
17:29:46.0828 3476 [ 8ba7c024070f2b7fdd98ed8a4ba41789 ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
17:29:46.0843 3476 FontCache3.0.0.0 - ok
17:29:46.0859 3476 [ 3e1e2bd4f39b0e2b7dc4f4d2bcc2779a ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
17:29:46.0859 3476 Fs_Rec - ok
17:29:46.0875 3476 [ 6ac26732762483366c3969c9e4d2259d ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
17:29:46.0875 3476 Ftdisk - ok
17:29:46.0890 3476 [ c6e3105b8c68c35cc1eb26a00fd1a8c6 ] gdrv C:\WINDOWS\gdrv.sys
17:29:47.0406 3476 gdrv - ok
17:29:47.0437 3476 [ 8182ff89c65e4d38b2de4bb0fb18564e ] GEARAspiWDM C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
17:29:47.0437 3476 GEARAspiWDM - ok
17:29:47.0468 3476 [ 63677825d08cf4458caae9ef2372e5d6 ] getPlusHelper C:\Program Files\NOS\bin\getPlus_Helper.dll
17:29:47.0500 3476 getPlusHelper - ok
17:29:47.0531 3476 [ 0a02c63c8b144bd8c86b103dee7c86a2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
17:29:47.0531 3476 Gpc - ok
17:29:47.0546 3476 [ 3fcc124b6e08ee0e9351f717dd136939 ] HDAudBus C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
17:29:47.0546 3476 HDAudBus - ok
17:29:47.0593 3476 [ 4fcca060dfe0c51a09dd5c3843888bcd ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
17:29:47.0593 3476 helpsvc - ok
17:29:47.0625 3476 [ deb04da35cc871b6d309b77e1443c796 ] HidServ C:\WINDOWS\System32\hidserv.dll
17:29:47.0625 3476 HidServ - ok
17:29:47.0656 3476 [ ccf82c5ec8a7326c3066de870c06daf1 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys
17:29:47.0656 3476 HidUsb - ok
17:29:47.0671 3476 [ 8878bd685e490239777bfe51320b88e9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
17:29:47.0687 3476 hkmsvc - ok
17:29:47.0687 3476 hpn - ok
17:29:47.0718 3476 [ f80a415ef82cd06ffaf0d971528ead38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
17:29:47.0718 3476 HTTP - ok
17:29:47.0734 3476 [ 6100a808600f44d999cebdef8841c7a3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
17:29:47.0750 3476 HTTPFilter - ok
17:29:47.0750 3476 i2omgmt - ok
17:29:47.0750 3476 i2omp - ok
17:29:47.0765 3476 [ 4a0b06aa8943c1e332520f7440c0aa30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
17:29:47.0765 3476 i8042prt - ok
17:29:47.0828 3476 [ 6f95324909b502e2651442c1548ab12f ] IDriverT C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
17:29:47.0828 3476 IDriverT - ok
17:29:47.0875 3476 [ c01ac32dc5c03076cfb852cb5da5229c ] idsvc c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
17:29:47.0921 3476 idsvc - ok
17:29:47.0937 3476 [ 083a052659f5310dd8b6a6cb05edcf8e ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
17:29:47.0937 3476 Imapi - ok
17:29:47.0968 3476 [ 30deaf54a9755bb8546168cfe8a6b5e1 ] ImapiService C:\WINDOWS\system32\imapi.exe
17:29:47.0968 3476 ImapiService - ok
17:29:47.0968 3476 ini910u - ok
17:29:48.0093 3476 [ e8656858d8b2da7c9cf59fb4e5ce32ed ] IntcAzAudAddService C:\WINDOWS\system32\drivers\RtkHDAud.sys
17:29:48.0125 3476 IntcAzAudAddService - ok
17:29:48.0125 3476 IntelIde - ok
17:29:48.0156 3476 [ 3bb22519a194418d5fec05d800a19ad0 ] ip6fw C:\WINDOWS\system32\drivers\ip6fw.sys
17:29:48.0156 3476 ip6fw - ok
17:29:48.0187 3476 [ 731f22ba402ee4b62748adaf6363c182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
17:29:48.0187 3476 IpFilterDriver - ok
17:29:48.0203 3476 [ b87ab476dcf76e72010632b5550955f5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
17:29:48.0203 3476 IpInIp - ok
17:29:48.0218 3476 [ cc748ea12c6effde940ee98098bf96bb ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
17:29:48.0234 3476 IpNat - ok
17:29:48.0265 3476 [ 8e5e5a8cc84da3f683e3bbc045138d52 ] iPod Service C:\Program Files\iPod\bin\iPodService.exe
17:29:48.0312 3476 iPod Service - ok
17:29:48.0312 3476 [ 23c74d75e36e7158768dd63d92789a91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
17:29:48.0328 3476 IPSec - ok
17:29:48.0343 3476 [ c93c9ff7b04d772627a3646d89f7bf89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
17:29:48.0343 3476 IRENUM - ok
17:29:48.0359 3476 [ 05a299ec56e52649b1cf2fc52d20f2d7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
17:29:48.0359 3476 isapnp - ok
17:29:48.0406 3476 [ fe1a970e7ce330bb844e333c374c6599 ] iWinTrusted C:\Program Files\iWin Games\iWinTrusted.exe
17:29:48.0421 3476 iWinTrusted - ok
17:29:48.0468 3476 [ 5472d771c0197355c1d347f20392b982 ] JavaQuickStarterService C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
17:29:48.0484 3476 JavaQuickStarterService - ok
17:29:48.0515 3476 [ 463c1ec80cd17420a542b7f36a36f128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
17:29:48.0515 3476 Kbdclass - ok
17:29:48.0515 3476 [ 9ef487a186dea361aa06913a75b3fa99 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys
17:29:48.0515 3476 kbdhid - ok
17:29:48.0562 3476 [ 692bcf44383d056aed41b045a323d378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
17:29:48.0578 3476 kmixer - ok
17:29:48.0593 3476 [ b467646c54cc746128904e1654c750c1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
17:29:48.0609 3476 KSecDD - ok
17:29:48.0625 3476 [ 3a7c3cbe5d96b8ae96ce81f0b22fb527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
17:29:48.0640 3476 lanmanserver - ok
17:29:48.0656 3476 [ a8888a5327621856c0cec4e385f69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
17:29:48.0671 3476 lanmanworkstation - ok
17:29:48.0671 3476 lbrtfdc - ok
17:29:48.0718 3476 [ bcdf72dce41874b3ad9143d537b493b2 ] Linksys_adapter_H C:\WINDOWS\system32\DRIVERS\AE2500xp.sys
17:29:48.0781 3476 Linksys_adapter_H - ok
17:29:48.0796 3476 [ a7db739ae99a796d91580147e919cc59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
17:29:48.0796 3476 LmHosts - ok
17:29:48.0828 3476 [ 6dfe7f2e8e8a337263aa5c92a215f161 ] MBAMProtector C:\WINDOWS\system32\drivers\mbam.sys
17:29:48.0828 3476 MBAMProtector - ok
17:29:48.0875 3476 [ 43683e970f008c93c9429ef428147a54 ] MBAMService C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
17:29:48.0906 3476 MBAMService - ok
17:29:48.0953 3476 [ f8b823414a22dbf3bec10dcaa5f93cd8 ] McciCMService C:\Program Files\Common Files\Motive\McciCMService.exe
17:29:48.0984 3476 McciCMService - ok
17:29:49.0000 3476 [ 986b1ff5814366d71e0ac5755c88f2d3 ] Messenger C:\WINDOWS\System32\msgsvc.dll
17:29:49.0015 3476 Messenger - ok
17:29:49.0031 3476 [ 4ae068242760a1fb6e1a44bf4e16afa6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
17:29:49.0031 3476 mnmdd - ok
17:29:49.0031 3476 [ d18f1f0c101d06a1c1adf26eed16fcdd ] mnmsrvc C:\WINDOWS\System32\mnmsrvc.exe
17:29:49.0031 3476 mnmsrvc - ok
17:29:49.0046 3476 [ dfcbad3cec1c5f964962ae10e0bcc8e1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
17:29:49.0046 3476 Modem - ok
17:29:49.0078 3476 [ 9fa7207d1b1adead88ae8eed9cdbbaa5 ] Monfilt C:\WINDOWS\system32\drivers\Monfilt.sys
17:29:49.0140 3476 Monfilt - ok
17:29:49.0156 3476 [ 35c9e97194c8cfb8430125f8dbc34d04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
17:29:49.0156 3476 Mouclass - ok
17:29:49.0187 3476 [ b1c303e17fb9d46e87a98e4ba6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
17:29:49.0187 3476 mouhid - ok
17:29:49.0203 3476 [ a80b9a0bad1b73637dbcbba7df72d3fd ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
17:29:49.0203 3476 MountMgr - ok
17:29:49.0234 3476 [ 46297fa8e30a6007f14118fc2b942fbc ] MozillaMaintenance C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
17:29:49.0250 3476 MozillaMaintenance - ok
17:29:49.0250 3476 mraid35x - ok
17:29:49.0265 3476 [ 9bd4dcb5412921864a7aacdedfbd1923 ] MREMP50 C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
17:29:49.0265 3476 MREMP50 - ok
17:29:49.0265 3476 MREMPR5 - ok
17:29:49.0281 3476 MRENDIS5 - ok
17:29:49.0281 3476 [ 07c02c892e8e1a72d6bf35004f0e9c5e ] MRESP50 C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
17:29:49.0296 3476 MRESP50 - ok
17:29:49.0296 3476 [ 11d42bb6206f33fbb3ba0288d3ef81bd ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
17:29:49.0312 3476 MRxDAV - ok
17:29:49.0343 3476 [ 7d304a5eb4344ebeeab53a2fe3ffb9f0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
17:29:49.0359 3476 MRxSmb - ok
17:29:49.0375 3476 [ a137f1470499a205abbb9aafb3b6f2b1 ] MSDTC C:\WINDOWS\System32\msdtc.exe
17:29:49.0375 3476 MSDTC - ok
17:29:49.0375 3476 [ c941ea2454ba8350021d774daf0f1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
17:29:49.0390 3476 Msfs - ok
17:29:49.0390 3476 MSIServer - ok
17:29:49.0390 3476 [ d1575e71568f4d9e14ca56b7b0453bf1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
17:29:49.0390 3476 MSKSSRV - ok
17:29:49.0406 3476 [ 325bb26842fc7ccc1fcce2c457317f3e ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
17:29:49.0406 3476 MSPCLOCK - ok
17:29:49.0421 3476 [ bad59648ba099da4a17680b39730cb3d ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
17:29:49.0421 3476 MSPQM - ok
17:29:49.0421 3476 [ af5f4f3f14a8ea2c26de30f7a1e17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
17:29:49.0421 3476 mssmbios - ok
17:29:49.0453 3476 [ e53736a9e30c45fa9e7b5eac55056d1d ] MSTEE C:\WINDOWS\system32\drivers\MSTEE.sys
17:29:49.0453 3476 MSTEE - ok
17:29:49.0468 3476 [ de6a75f5c270e756c5508d94b6cf68f5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
17:29:49.0468 3476 Mup - ok
17:29:49.0500 3476 [ 5b50f1b2a2ed47d560577b221da734db ] NABTSFEC C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
17:29:49.0500 3476 NABTSFEC - ok
17:29:49.0531 3476 [ 0102140028fad045756796e1c685d695 ] napagent C:\WINDOWS\System32\qagentrt.dll
17:29:49.0546 3476 napagent - ok
17:29:49.0562 3476 [ 1df7f42665c94b825322fae71721130d ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
17:29:49.0578 3476 NDIS - ok
17:29:49.0609 3476 [ 7ff1f1fd8609c149aa432f95a8163d97 ] NdisIP C:\WINDOWS\system32\DRIVERS\NdisIP.sys
17:29:49.0625 3476 NdisIP - ok
17:29:49.0640 3476 [ 0109c4f3850dfbab279542515386ae22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
17:29:49.0640 3476 NdisTapi - ok
17:29:49.0640 3476 [ f927a4434c5028758a842943ef1a3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
17:29:49.0640 3476 Ndisuio - ok
17:29:49.0656 3476 [ edc1531a49c80614b2cfda43ca8659ab ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
17:29:49.0671 3476 NdisWan - ok
17:29:49.0687 3476 [ 9282bd12dfb069d3889eb3fcc1000a9b ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
17:29:49.0687 3476 NDProxy - ok
17:29:49.0687 3476 [ 5d81cf9a2f1a3a756b66cf684911cdf0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
17:29:49.0687 3476 NetBIOS - ok
17:29:49.0703 3476 [ 74b2b2f5bea5e9a3dc021d685551bd3d ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
17:29:49.0718 3476 NetBT - ok
17:29:49.0750 3476 [ b857ba82860d7ff85ae29b095645563b ] NetDDE C:\WINDOWS\system32\netdde.exe
17:29:49.0750 3476 NetDDE - ok
17:29:49.0750 3476 [ b857ba82860d7ff85ae29b095645563b ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
17:29:49.0765 3476 NetDDEdsdm - ok
17:29:49.0781 3476 [ bf2466b3e18e970d8a976fb95fc1ca85 ] Netlogon C:\WINDOWS\system32\lsass.exe
17:29:49.0781 3476 Netlogon - ok
17:29:49.0812 3476 [ 13e67b55b3abd7bf3fe7aae5a0f9a9de ] Netman C:\WINDOWS\System32\netman.dll
17:29:49.0812 3476 Netman - ok
17:29:49.0828 3476 [ d34612c5d02d026535b3095d620626ae ] NetTcpPortSharing c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
17:29:49.0843 3476 NetTcpPortSharing - ok
17:29:49.0859 3476 [ e9e47cfb2d461fa0fc75b7a74c6383ea ] NIC1394 C:\WINDOWS\system32\DRIVERS\nic1394.sys
17:29:49.0859 3476 NIC1394 - ok
17:29:49.0890 3476 [ 943337d786a56729263071623bbb9de5 ] Nla C:\WINDOWS\System32\mswsock.dll
17:29:49.0890 3476 Nla - ok
17:29:49.0890 3476 [ 3182d64ae053d6fb034f44b6def8034a ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
17:29:49.0890 3476 Npfs - ok
17:29:49.0906 3476 npggsvc - ok
17:29:49.0937 3476 [ 78a08dd6a8d65e697c18e1db01c5cdca ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
17:29:49.0953 3476 Ntfs - ok
17:29:49.0953 3476 [ bf2466b3e18e970d8a976fb95fc1ca85 ] NtLmSsp C:\WINDOWS\System32\lsass.exe
17:29:49.0953 3476 NtLmSsp - ok
17:29:49.0984 3476 [ 156f64a3345bd23c600655fb4d10bc08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
17:29:50.0015 3476 NtmsSvc - ok
17:29:50.0015 3476 [ 73c1e1f395918bc2c6dd67af7591a3ad ] Null C:\WINDOWS\system32\drivers\Null.sys
17:29:50.0015 3476 Null - ok
17:29:50.0031 3476 [ b305f3fad35083837ef46a0bbce2fc57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
17:29:50.0031 3476 NwlnkFlt - ok
17:29:50.0046 3476 [ c99b3415198d1aab7227f2c88fd664b9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
17:29:50.0046 3476 NwlnkFwd - ok
17:29:50.0062 3476 [ ca33832df41afb202ee7aeb05145922f ] ohci1394 C:\WINDOWS\system32\DRIVERS\ohci1394.sys
17:29:50.0062 3476 ohci1394 - ok
17:29:50.0109 3476 [ 0e2fde2689340f06e7005bcdc45a5f5a ] OverwolfUpdaterService C:\Program Files\Overwolf\OverwolfUpdater.exe
17:29:50.0109 3476 OverwolfUpdaterService - ok
17:29:50.0125 3476 [ 2085d5168fc0c56bb13304d180d244b6 ] PAC7311 C:\WINDOWS\system32\DRIVERS\PA707UCM.SYS
17:29:50.0140 3476 PAC7311 - ok
17:29:50.0156 3476 [ 5575faf8f97ce5e713d108c2a58d7c7c ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys
17:29:50.0156 3476 Parport - ok
17:29:50.0156 3476 [ beb3ba25197665d82ec7065b724171c6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
17:29:50.0156 3476 PartMgr - ok
17:29:50.0187 3476 [ 70e98b3fd8e963a6a46a2e6247e0bea1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
17:29:50.0187 3476 ParVdm - ok
17:29:50.0187 3476 [ a219903ccf74233761d92bef471a07b1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
17:29:50.0187 3476 PCI - ok
17:29:50.0203 3476 PCIDump - ok
17:29:50.0203 3476 [ ccf5f451bb1a5a2a522a76e670000ff0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
17:29:50.0203 3476 PCIIde - ok
17:29:50.0234 3476 [ 9e89ef60e9ee05e3f2eef2da7397f1c1 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys
17:29:50.0234 3476 Pcmcia - ok
17:29:50.0234 3476 PDCOMP - ok
17:29:50.0234 3476 PDFRAME - ok
17:29:50.0250 3476 PDRELI - ok
17:29:50.0250 3476 PDRFRAME - ok
17:29:50.0250 3476 perc2 - ok
17:29:50.0250 3476 perc2hib - ok
17:29:50.0265 3476 [ 65df52f5b8b6e9bbd183505225c37315 ] PlugPlay C:\WINDOWS\system32\services.exe
17:29:50.0281 3476 PlugPlay - ok
17:29:50.0281 3476 [ bf2466b3e18e970d8a976fb95fc1ca85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
17:29:50.0281 3476 PolicyAgent - ok
17:29:50.0312 3476 [ efeec01b1d3cf84f16ddd24d9d9d8f99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
17:29:50.0312 3476 PptpMiniport - ok
17:29:50.0328 3476 [ a32bebaf723557681bfc6bd93e98bd26 ] Processor C:\WINDOWS\system32\DRIVERS\processr.sys
17:29:50.0343 3476 Processor - ok
17:29:50.0343 3476 [ bf2466b3e18e970d8a976fb95fc1ca85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
17:29:50.0343 3476 ProtectedStorage - ok
17:29:50.0343 3476 [ 09298ec810b07e5d582cb3a3f9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
17:29:50.0343 3476 PSched - ok
17:29:50.0359 3476 [ 80d317bd1c3dbc5d4fe7b1678c60cadd ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
17:29:50.0359 3476 Ptilink - ok
17:29:50.0375 3476 [ e42e3433dbb4cffe8fdd91eab29aea8e ] PxHelp20 C:\WINDOWS\system32\Drivers\PxHelp20.sys
17:29:50.0375 3476 PxHelp20 - ok
17:29:50.0375 3476 ql1080 - ok
17:29:50.0390 3476 Ql10wnt - ok
17:29:50.0390 3476 ql12160 - ok
17:29:50.0390 3476 ql1240 - ok
17:29:50.0390 3476 ql1280 - ok
17:29:50.0390 3476 [ fe0d99d6f31e4fad8159f690d68ded9c ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
17:29:50.0406 3476 RasAcd - ok
17:29:50.0421 3476 [ ad188be7bdf94e8df4ca0a55c00a5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
17:29:50.0421 3476 RasAuto - ok
17:29:50.0437 3476 [ 11b4a627bc9614b885c4969bfa5ff8a6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
17:29:50.0437 3476 Rasl2tp - ok
17:29:50.0453 3476 [ 76a9a3cbeadd68cc57cda5e1d7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
17:29:50.0453 3476 RasMan - ok
17:29:50.0468 3476 [ 5bc962f2654137c9909c3d4603587dee ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
17:29:50.0484 3476 RasPppoe - ok
17:29:50.0484 3476 [ fdbb1d60066fcfbb7452fd8f9829b242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
17:29:50.0484 3476 Raspti - ok
17:29:50.0515 3476 [ 7ad224ad1a1437fe28d89cf22b17780a ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
17:29:50.0531 3476 Rdbss - ok
17:29:50.0531 3476 [ 4912d5b403614ce99c28420f75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
17:29:50.0531 3476 RDPCDD - ok
17:29:50.0562 3476 [ 15cabd0f7c00c47c70124907916af3f1 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
17:29:50.0578 3476 rdpdr - ok
17:29:50.0593 3476 [ 5b3055daa788bd688594d2f5981f2a83 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
17:29:50.0609 3476 RDPWD - ok
17:29:50.0609 3476 [ 3c37bf86641bda977c3bf8a840f3b7fa ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
17:29:50.0625 3476 RDSessMgr - ok
17:29:50.0640 3476 [ f828dd7e1419b6653894a8f97a0094c5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
17:29:50.0640 3476 redbook - ok
17:29:50.0687 3476 [ 7e699ff5f59b5d9de5390e3c34c67cf5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
17:29:50.0703 3476 RemoteAccess - ok
17:29:50.0718 3476 [ 5b19b557b0c188210a56a6b699d90b8f ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll
17:29:50.0734 3476 RemoteRegistry - ok
17:29:50.0750 3476 [ aaed593f84afa419bbae8572af87cf6a ] RpcLocator C:\WINDOWS\System32\locator.exe
17:29:50.0750 3476 RpcLocator - ok
17:29:50.0765 3476 [ 6b27a5c03dfb94b4245739065431322c ] RpcSs C:\WINDOWS\System32\rpcss.dll
17:29:50.0765 3476 RpcSs - ok
17:29:50.0781 3476 [ 471b3f9741d762abe75e9deea4787e47 ] RSVP C:\WINDOWS\System32\rsvp.exe
17:29:50.0796 3476 RSVP - ok
17:29:50.0875 3476 [ a5a9f4b77d7ff2b02633999ff71a7e9b ] RTHDMIAzAudService C:\WINDOWS\system32\drivers\RtKHDMI.sys
17:29:51.0031 3476 RTHDMIAzAudService - ok
17:29:51.0093 3476 [ 6ebfbbf24fed8285928b825a46618f8a ] RTLE8023xp C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
17:29:51.0109 3476 RTLE8023xp - ok
17:29:51.0140 3476 [ 376218d4209b1e749953f9edef0cef2e ] RTLTEAMING C:\WINDOWS\system32\DRIVERS\RTLTEAMING.SYS
17:29:51.0140 3476 RTLTEAMING - ok
17:29:51.0156 3476 [ 6ec43dc18746bb9b6ddec4c99b15b6fc ] RTLVLAN C:\WINDOWS\system32\DRIVERS\RTLVLAN.SYS
17:29:51.0171 3476 RTLVLAN - ok
17:29:51.0187 3476 [ 5ffd2aaf467b80fab34929afb7702060 ] RtNdPt5x C:\WINDOWS\system32\DRIVERS\RtNdPt5x.sys
17:29:51.0187 3476 RtNdPt5x - ok
17:29:51.0203 3476 [ bf2466b3e18e970d8a976fb95fc1ca85 ] SamSs C:\WINDOWS\system32\lsass.exe
17:29:51.0203 3476 SamSs - ok
17:29:51.0203 3476 [ 86d007e7a654b9a71d1d7d856b104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
17:29:51.0218 3476 SCardSvr - ok
17:29:51.0234 3476 [ 0a9a7365a1ca4319aa7c1d6cd8e4eafa ] Schedule C:\WINDOWS\system32\schedsvc.dll
17:29:51.0250 3476 Schedule - ok
17:29:51.0281 3476 [ 90a3935d05b494a5a39d37e71f09a677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
17:29:51.0281 3476 Secdrv - ok
17:29:51.0296 3476 [ cbe612e2bb6a10e3563336191eda1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
17:29:51.0312 3476 seclogon - ok
17:29:51.0312 3476 [ 7fdd5d0684eca8c1f68b4d99d124dcd0 ] SENS C:\WINDOWS\system32\sens.dll
17:29:51.0312 3476 SENS - ok
17:29:51.0328 3476 [ 0f29512ccd6bead730039fb4bd2c85ce ] serenum C:\WINDOWS\system32\DRIVERS\serenum.sys
17:29:51.0328 3476 serenum - ok
17:29:51.0343 3476 [ cca207a8896d4c6a0c9ce29a4ae411a7 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys
17:29:51.0343 3476 Serial - ok
17:29:51.0359 3476 [ 8e6b8c671615d126fdc553d1e2de5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
17:29:51.0359 3476 Sfloppy - ok
17:29:51.0375 3476 [ 99bc0b50f511924348be19c7c7313bbf ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
17:29:51.0390 3476 ShellHWDetection - ok
17:29:51.0390 3476 Simbad - ok
17:29:51.0406 3476 [ 866d538ebe33709a5c9f5c62b73b7d14 ] SLIP C:\WINDOWS\system32\DRIVERS\SLIP.sys
17:29:51.0406 3476 SLIP - ok
17:29:51.0406 3476 Sparrow - ok
17:29:51.0421 3476 [ ab8b92451ecb048a4d1de7c3ffcb4a9f ] splitter C:\WINDOWS\system32\drivers\splitter.sys
17:29:51.0421 3476 splitter - ok
17:29:51.0437 3476 [ 60784f891563fb1b767f70117fc2428f ] Spooler C:\WINDOWS\system32\spoolsv.exe
17:29:51.0453 3476 Spooler - ok
17:29:51.0453 3476 sptd - ok
17:29:51.0453 3476 [ 76bb022c2fb6902fd5bdd4f78fc13a5d ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
17:29:51.0468 3476 sr - ok
17:29:51.0468 3476 [ 3805df0ac4296a34ba4bf93b346cc378 ] srservice C:\WINDOWS\system32\srsvc.dll
17:29:51.0484 3476 srservice - ok
17:29:51.0500 3476 [ 47ddfc2f003f7f9f0592c6874962a2e7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
17:29:51.0500 3476 Srv - ok
17:29:51.0531 3476 [ 0a5679b3714edab99e357057ee88fca6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
17:29:51.0531 3476 SSDPSRV - ok
17:29:51.0546 3476 [ 654dfea96bc82b4acda4f37e5e4a3bbf ] ssmdrv C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
17:29:51.0546 3476 ssmdrv - ok
17:29:51.0578 3476 [ ed78dfad8efcdfbc89500492c4d14645 ] STI Simulator C:\WINDOWS\System32\PAStiSvc.exe
17:29:51.0578 3476 STI Simulator - ok
17:29:51.0593 3476 [ 8bad69cbac032d4bbacfce0306174c30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
17:29:51.0609 3476 stisvc - ok
17:29:51.0625 3476 [ 77813007ba6265c4b6098187e6ed79d2 ] streamip C:\WINDOWS\system32\DRIVERS\StreamIP.sys
17:29:51.0625 3476 streamip - ok
17:29:51.0640 3476 [ 3941d127aef12e93addf6fe6ee027e0f ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
17:29:51.0656 3476 swenum - ok
17:29:51.0671 3476 [ 8ce882bcc6cf8a62f2b2323d95cb3d01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
17:29:51.0687 3476 swmidi - ok
17:29:51.0687 3476 SwPrv - ok
17:29:51.0687 3476 symc810 - ok
17:29:51.0687 3476 symc8xx - ok
17:29:51.0687 3476 sym_hi - ok
17:29:51.0703 3476 sym_u3 - ok
17:29:51.0734 3476 [ 8b83f3ed0f1688b4958f77cd6d2bf290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
17:29:51.0750 3476 sysaudio - ok
17:29:51.0781 3476 [ c7abbc59b43274b1109df6b24d617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
17:29:51.0781 3476 SysmonLog - ok
17:29:51.0796 3476 [ 3cb78c17bb664637787c9a1c98f79c38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
17:29:51.0796 3476 TapiSrv - ok
17:29:51.0828 3476 [ 9aefa14bd6b182d61e3119fa5f436d3d ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
17:29:51.0859 3476 Tcpip - ok
17:29:51.0875 3476 [ 6471a66807f5e104e4885f5b67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
17:29:51.0875 3476 TDPIPE - ok
17:29:51.0890 3476 [ c56b6d0402371cf3700eb322ef3aaf61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
17:29:51.0890 3476 TDTCP - ok
17:29:51.0906 3476 [ 88155247177638048422893737429d9e ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
17:29:51.0921 3476 TermDD - ok
17:29:51.0953 3476 [ ff3477c03be7201c294c35f684b3479f ] TermService C:\WINDOWS\System32\termsrv.dll
17:29:51.0953 3476 TermService - ok
17:29:51.0968 3476 [ 99bc0b50f511924348be19c7c7313bbf ] Themes C:\WINDOWS\System32\shsvcs.dll
17:29:51.0968 3476 Themes - ok
17:29:51.0984 3476 [ db7205804759ff62c34e3efd8a4cc76a ] TlntSvr C:\WINDOWS\System32\tlntsvr.exe
17:29:51.0984 3476 TlntSvr - ok
17:29:52.0000 3476 TosIde - ok
17:29:52.0000 3476 [ 55bca12f7f523d35ca3cb833c725f54e ] TrkWks C:\WINDOWS\system32\trkwks.dll
17:29:52.0000 3476 TrkWks - ok
17:29:52.0031 3476 [ 5787b80c2e3c5e2f56c2a233d91fa2c9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
17:29:52.0031 3476 Udfs - ok
17:29:52.0031 3476 ultra - ok
17:29:52.0046 3476 [ 402ddc88356b1bac0ee3dd1580c76a31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
17:29:52.0078 3476 Update - ok
17:29:52.0093 3476 [ 1ebafeb9a3fbdc41b8d9c7f0f687ad91 ] upnphost C:\WINDOWS\System32\upnphost.dll
17:29:52.0109 3476 upnphost - ok
17:29:52.0109 3476 [ 05365fb38fca1e98f7a566aaaf5d1815 ] UPS C:\WINDOWS\System32\ups.exe
17:29:52.0109 3476 UPS - ok
17:29:52.0125 3476 [ 5c2bdc152bbab34f36473deaf7713f22 ] USBAAPL C:\WINDOWS\system32\Drivers\usbaapl.sys
17:29:52.0140 3476 USBAAPL - ok
17:29:52.0156 3476 [ e919708db44ed8543a7c017953148330 ] usbaudio C:\WINDOWS\system32\drivers\usbaudio.sys
17:29:52.0156 3476 usbaudio - ok
17:29:52.0171 3476 [ 173f317ce0db8e21322e71b7e60a27e8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
17:29:52.0171 3476 usbccgp - ok
17:29:52.0187 3476 [ 65dcf09d0e37d4c6b11b5b0b76d470a7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
17:29:52.0187 3476 usbehci - ok
17:29:52.0218 3476 [ 1ab3cdde553b6e064d2e754efe20285c ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
17:29:52.0218 3476 usbhub - ok
17:29:52.0250 3476 [ 0daecce65366ea32b162f85f07c6753b ] usbohci C:\WINDOWS\system32\DRIVERS\usbohci.sys
17:29:52.0250 3476 usbohci - ok
17:29:52.0265 3476 [ a717c8721046828520c9edf31288fc00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
17:29:52.0265 3476 usbprint - ok
17:29:52.0281 3476 [ a0b8cf9deb1184fbdd20784a58fa75d4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
17:29:52.0281 3476 usbscan - ok
17:29:52.0296 3476 [ a32426d9b14a089eaa1d922e0c5801a9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:29:52.0296 3476 USBSTOR - ok
17:29:52.0312 3476 [ 0d3a8fafceacd8b7625cd549757a7df1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
17:29:52.0312 3476 VgaSave - ok
17:29:52.0328 3476 ViaIde - ok
17:29:52.0343 3476 [ 4c8fcb5cc53aab716d810740fe59d025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
17:29:52.0343 3476 VolSnap - ok
17:29:52.0343 3476 [ 7a9db3a67c333bf0bd42e42b8596854b ] VSS C:\WINDOWS\System32\vssvc.exe
17:29:52.0359 3476 VSS - ok
17:29:52.0375 3476 [ 54af4b1d5459500ef0937f6d33b1914f ] W32Time C:\WINDOWS\system32\w32time.dll
17:29:52.0390 3476 W32Time - ok
17:29:52.0406 3476 [ e20b95baedb550f32dd489265c1da1f6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
17:29:52.0406 3476 Wanarp - ok
17:29:52.0406 3476 WDICA - ok
17:29:52.0421 3476 [ 6768acf64b18196494413695f0c3a00f ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
17:29:52.0437 3476 wdmaud - ok
17:29:52.0437 3476 [ 77a354e28153ad2d5e120a5a8687bc06 ] WebClient C:\WINDOWS\System32\webclnt.dll
17:29:52.0453 3476 WebClient - ok
17:29:52.0500 3476 [ 2d0e4ed081963804ccc196a0929275b5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
17:29:52.0515 3476 winmgmt - ok
17:29:52.0546 3476 WinRing0_1_2_0 - ok
17:29:52.0593 3476 [ 18f347402da544a780949b8fdf83351b ] WinRM C:\WINDOWS\system32\WsmSvc.dll
17:29:52.0656 3476 WinRM - ok
17:29:52.0718 3476 [ 5144ae67d60ec653f97ddf3feed29e77 ] wlidsvc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
17:29:52.0812 3476 wlidsvc - ok
17:29:52.0843 3476 [ c51b4a5c05a5475708e3c81c7765b71d ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll
17:29:52.0859 3476 WmdmPmSN - ok
17:29:52.0875 3476 [ e76f8807070ed04e7408a86d6d3a6137 ] Wmi C:\WINDOWS\System32\advapi32.dll
17:29:52.0890 3476 Wmi - ok
17:29:52.0890 3476 [ c42584fd66ce9e17403aebca199f7bdb ] WmiAcpi C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
17:29:52.0890 3476 WmiAcpi - ok
17:29:52.0906 3476 [ e0673f1106e62a68d2257e376079f821 ] WmiApSrv C:\WINDOWS\System32\wbem\wmiapsrv.exe
17:29:52.0921 3476 WmiApSrv - ok
17:29:52.0984 3476 [ f74e3d9a7fa9556c3bbb14d4e5e63d3b ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe
17:29:53.0031 3476 WMPNetworkSvc - ok
17:29:53.0093 3476 [ dcf3e3edf5109ee8bc02fe6e1f045795 ] WPFFontCache_v0400 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
17:29:53.0125 3476 WPFFontCache_v0400 - ok
17:29:53.0140 3476 [ 6abe6e225adb5a751622a9cc3bc19ce8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys
17:29:53.0156 3476 WS2IFSL - ok
17:29:53.0171 3476 [ c98b39829c2bbd34e454150633c62c78 ] WSTCODEC C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
17:29:53.0171 3476 WSTCODEC - ok
17:29:53.0187 3476 [ f15feafffbb3644ccc80c5da584e6311 ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys
17:29:53.0203 3476 WudfPf - ok
17:29:53.0203 3476 [ 28b524262bce6de1f7ef9f510ba3985b ] WudfRd C:\WINDOWS\system32\DRIVERS\wudfrd.sys
17:29:53.0203 3476 WudfRd - ok
17:29:53.0234 3476 [ 05231c04253c5bc30b26cbaae680ed89 ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll
17:29:53.0234 3476 WudfSvc - ok
17:29:53.0265 3476 [ 81dc3f549f44b1c1fff022dec9ecf30b ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
17:29:53.0281 3476 WZCSVC - ok
17:29:53.0296 3476 [ 295d21f14c335b53cb8154e5b1f892b9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
17:29:53.0312 3476 xmlprov - ok
17:29:53.0328 3476 ================ Scan global ===============================
17:29:53.0343 3476 (42f1f4c0afb08410e5f02d4b13ebb623) C:\WINDOWS\system32\basesrv.dll
17:29:53.0359 3476 (8c7dca4b158bf16894120786a7a5f366) C:\WINDOWS\system32\winsrv.dll
17:29:53.0390 3476 (8c7dca4b158bf16894120786a7a5f366) C:\WINDOWS\system32\winsrv.dll
17:29:53.0406 3476 (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
17:29:53.0406 3476 [Global] - ok
17:29:53.0406 3476 ================ Scan MBR ==================================
17:29:53.0406 3476 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
17:29:53.0593 3476 \Device\Harddisk0\DR0 - ok
17:29:53.0593 3476 ================ Scan VBR ==================================
17:29:53.0593 3476 Boot (0x1200) (45ff4072b6a20d9c0e2dbf608c5aa01c) \Device\Harddisk0\DR0\Partition1
17:29:53.0593 3476 \Device\Harddisk0\DR0\Partition1 - ok
17:29:53.0593 3476 ============================================================
17:29:53.0593 3476 Scan finished
17:29:53.0593 3476 ============================================================
17:29:53.0609 3468 Detected object count: 0
17:29:53.0609 3468 Actual detected object count: 0


The contents of the aswMBR log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-19 17:31:39
-----------------------------
17:31:39.421 OS Version: Windows 5.1.2600 Service Pack 3
17:31:39.421 Number of processors: 2 586 0x4303
17:31:39.421 ComputerName: KI UserName:
17:31:40.531 Initialize success
17:32:49.546 AVAST engine defs: 12081900
17:32:52.484 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-12
17:32:52.484 Disk 0 Vendor: WDC_WD5000AAKB-00YSA0 12.01C02 Size: 476938MB BusType: 3
17:32:52.500 Disk 0 MBR read successfully
17:32:52.500 Disk 0 MBR scan
17:32:52.546 Disk 0 Windows XP default MBR code
17:32:52.546 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476929 MB offset 63
17:32:52.546 Disk 0 scanning sectors +976752000
17:32:52.625 Disk 0 scanning C:\WINDOWS\system32\drivers
17:33:01.843 Service scanning
17:33:13.359 Modules scanning
17:33:16.437 Disk 0 trace - called modules:
17:33:16.437 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
17:33:16.437 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ba7cab8]
17:33:16.437 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000071[0x8bb118a8]
17:33:16.437 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-12[0x8ba7ed98]
17:33:17.687 AVAST engine scan C:\WINDOWS
17:33:29.984 AVAST engine scan C:\WINDOWS\system32
17:37:09.406 AVAST engine scan C:\WINDOWS\system32\drivers
17:37:30.703 AVAST engine scan C:\Documents and Settings\Kiren
18:01:31.218 File: C:\Documents and Settings\Kiren\Local Settings\temp\install_0_msi.exe **INFECTED** Win32:Reveton-CO [Trj]
18:04:31.187 AVAST engine scan C:\Documents and Settings\All Users.WINDOWS
18:08:33.015 Scan finished successfully
18:41:09.078 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Kiren\Desktop\MBR.dat"
18:41:09.078 The log file has been saved successfully to "C:\Documents and Settings\Kiren\Desktop\aswMBR.txt"


Attached is the zip file.

These were run in normal mode without issue. The first log did have at least 1 red string of text. I did not correct it of course.

I think that was all you asked for. My vision isn't great, so I may have accidentally skipped something, and my help isn't here to double check me.

Thank you

Attached File: MBR.zip (499 bytes)

#8 nasdaq

  • Malware Response Team
  • 40,510 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 August 2012 - 07:24 AM

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    P.S. The Microsoft site is down at the moment. Ignore the prompts to install the Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If, after running ComboFix, you get the error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program, all you need to do is restart the computer to reset the registry.
===

#9 Sedadren
  • Topic Starter

  • Members
  • 39 posts

Posted 20 August 2012 - 03:04 PM

I had some issues with this one. I disabled Avira about 20 times. It showed disabled in every way, but ComboFix insisted that it was still active and running. I don't have a system tray icon so I had to go find the program to shut it off, but it did say it was off, even though ComboFix insisted it was on. I eventually ran ComboFix anyhow.

Here is the log as requested, and as always please know I appreciate the help.

ComboFix 12-08-20.02 - Kiren 08/20/2012 14:49:05.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2518 [GMT -5:00]
Running from: c:\documents and settings\Kiren\Desktop\ComboFix.exe
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users.WINDOWS\Application Data\ism_0_llatsni.pad
c:\documents and settings\All Users.WINDOWS\Application Data\ras_0oed.pad
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
c:\documents and settings\Kiren\Local Settings\Application Data\assembly\tmp
c:\documents and settings\you\Application Data\.#
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-20 to 2012-08-20 )))))))))))))))))))))))))))))))
.
.
2012-08-13 19:45 . 2012-08-13 21:15 -------- d-s---w- c:\documents and settings\Administrator.KI.008
2012-08-13 19:41 . 2012-08-13 21:15 -------- d-s---w- c:\documents and settings\Administrator.KI.007
2012-08-01 23:43 . 2012-08-01 23:43 -------- d-----w- c:\documents and settings\Kiren\.thinupload
2012-08-01 21:40 . 2012-08-01 21:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-01 21:40 . 2012-07-03 18:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-01 21:13 . 2012-08-01 21:13 -------- d-----w- c:\program files\PC Tools
2012-08-01 21:12 . 2012-08-13 21:14 -------- d-----w- c:\program files\Common Files\PC Tools
2012-08-01 21:12 . 2012-06-22 20:34 203120 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-08-01 21:04 . 2012-08-01 22:00 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools
2012-08-01 21:04 . 2012-08-01 21:04 -------- d-----w- c:\documents and settings\Kiren\Application Data\TestApp
2012-08-01 20:56 . 2012-08-01 20:56 -------- d-----w- c:\windows\system32\wbem\Repository
2012-08-01 20:43 . 2012-08-01 20:50 -------- d-s---w- c:\documents and settings\Administrator.KI.006
2012-08-01 20:40 . 2012-08-01 20:50 -------- d-s---w- c:\documents and settings\Administrator.KI.005
2012-08-01 20:39 . 2012-08-01 20:50 -------- d-s---w- c:\documents and settings\Administrator.KI.004
2012-08-01 20:23 . 2012-08-01 20:50 -------- d-s---w- c:\documents and settings\Administrator.KI.003
2012-08-01 20:12 . 2012-08-01 20:50 -------- d-s---w- c:\documents and settings\Administrator.KI.002
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-15 01:36 . 2012-04-11 04:10 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-15 01:36 . 2011-05-28 20:13 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-25 21:25 . 2010-01-19 19:48 94208 ----a-w- c:\windows\DUMPaf2b.tmp
2012-06-02 21:55 . 2012-06-02 19:15 286720 ------w- c:\windows\Setup1.exe
2012-06-02 21:55 . 2012-06-02 19:15 73216 ----a-w- c:\windows\ST6UNST.EXE
2012-05-26 04:51 . 2012-05-26 04:51 545280 ----a-w- c:\windows\flashax.exe
2012-05-26 04:51 . 2012-05-26 04:51 12288 ----a-w- c:\windows\impborl.dll
2012-07-18 13:19 . 2011-05-06 21:34 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPUThermometer"="c:\documents and settings\Kiren\My Documents\Downloads\CPU Thermometer\CPUThermometer.exe" [2011-01-14 127488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-14 18702336]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kiren^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Kiren\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kiren^Start Menu^Programs^Startup^Delta AutoLoad.lnk]
path=c:\documents and settings\Kiren\Start Menu\Programs\Startup\Delta AutoLoad.lnk
backup=c:\windows\pss\Delta AutoLoad.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kiren^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\documents and settings\Kiren\Start Menu\Programs\Startup\IMVU.lnk
backup=c:\windows\pss\IMVU.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kiren^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Kiren\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kiren^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Kiren\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-04-04 05:53 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2009-03-02 21:08 209153 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
2007-03-13 23:38 39264 -c--a-w- c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
2002-12-12 05:14 46592 ----a-w- c:\windows\system32\dxdllreg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-10-25 00:45 136176 ----atw- c:\documents and settings\Kiren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 21:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-07-03 18:46 462920 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2012-02-23 02:49 6591800 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NCsoft Launcher]
2012-06-19 08:59 38744 ----a-w- c:\program files\NCSoft\Launcher\NCLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 16:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iWinTrusted"=2 (0x2)
"wlidsvc"=2 (0x2)
"McciCMService"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"YahooAUService"=2 (0x2)
"idsvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"npggsvc"=3 (0x3)
"McComponentHostService"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"OverwolfUpdaterService"=3 (0x3)
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/16/2010 4:31 PM 108289]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [1/20/2010 10:48 PM 22016]
R3 WinRing0_1_2_0;WinRing0_1_2_0;\??\c:\documents and settings\Kiren\Local Settings\Temp\tmp1.tmp --> c:\documents and settings\Kiren\Local Settings\Temp\tmp1.tmp [?]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/10/2012 11:10 PM 250056]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/21/2010 5:02 PM 1684736]
S3 Linksys_adapter_H;Linksys Adapter Network Driver;c:\windows\system32\drivers\AE2500xp.sys [9/28/2011 2:27 PM 1034240]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/1/2012 4:40 PM 22344]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/25/2012 12:47 AM 113120]
S3 PAC7311;Trust WB-3300p Mini HiRes Webcam;c:\windows\system32\drivers\PA707UCM.SYS [10/18/2005 11:48 AM 154752]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [1/20/2010 10:48 PM 29440]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [1/20/2010 10:48 PM 17536]
S4 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [4/8/2011 10:17 AM 176848]
S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/1/2012 4:40 PM 655944]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 OverwolfUpdaterService;Overwolf Updater Service;c:\program files\Overwolf\OverwolfUpdater.exe [6/14/2012 5:11 AM 18360]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WINRING0_1_2_0
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 01:36]
.
2012-08-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-1960408961-682003330-1003Core.job
- c:\documents and settings\Kiren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-25 00:45]
.
2012-08-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-1960408961-682003330-1003UA.job
- c:\documents and settings\Kiren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-25 00:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Kiren\Application Data\Mozilla\Firefox\Profiles\n9wfir94.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
AddRemove-FastCAD - c:\documents and settings\Kiren\Desktop\Campaign Cart\UNINST.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-20 14:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet007\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\System\ControlSet007\Services\WinRing0_1_2_0]
"ImagePath"="\??\c:\documents and settings\Kiren\Local Settings\Temp\tmp1.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1292428093-1960408961-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1292428093-1960408961-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:a7,3c,55,88,9b,6e,2d,66,f9,fe,ac,74,6e,a4,6b,81,f1,b7,eb,f5,90,
af,ce,9d,87,2e,d1,2f,9d,5f,0c,fe,f7,9f,91,fb,c1,f6,ff,73,4a,09,58,33,b0,b6,\
"rkeysecu"=hex:a3,26,81,76,7a,fa,42,be,41,09,2b,04,ae,42,3f,cc
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\:wjY*]
"DisplayName"="???\17?\11\09"
"DeviceDesc"="???\17?\11\09"
"ProviderName"="???\11?\16?\11??"
"MFG"="???????"
"ReinstallString"=".10.1000.8"
"DeviceInstanceIds"=multi:"c:\\documents and settings\\kiren\\desktop\\xp32\\sbdrv\\smbus\\smbusati.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Completion time: 2012-08-20 15:00:54
ComboFix-quarantined-files.txt 2012-08-20 20:00
.
Pre-Run: 294,771,838,976 bytes free
Post-Run: 297,795,350,528 bytes free
.
- - End Of File - - D5E37C39C11C5DED33510706CCB3EDC3

#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,510 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:35 PM

Posted 21 August 2012 - 07:15 AM

Open Notepad and copy/paste the text in the quote box below into it:


Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet007\Services\npggsvc]
[-HKEY_LOCAL_MACHINE\System\ControlSet007\Services\WinRing0_1_2_0]

ClearJavaCache::



Save this as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
===


Your Hosts file was compromised and must be reset back to the default.
How To:
http://support.microsoft.com/kb/972034

Use the Fix it button on the page.
===

Third-party programs, if not up to date, can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.

Please post the logs and let me know of any remaining issues with this computer.
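
The two keys that CFScript above deletes (npggsvc and WinRing0_1_2_0) are the service entries that stand out in the ComboFix log: one loads from a user's Temp folder, and both end in "[?]", which ComboFix prints where it could not read the file's timestamp and size. The following triage helper is an added example, not part of the thread or of ComboFix: it parses service/driver lines in ComboFix's format and flags those traits. The sample lines are copied from the log above; the flag names and heuristics are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: five service/driver lines in the shape ComboFix prints
# them (copied from the log above). The bracket at the end holds the file's
# timestamp and size, or "?" when ComboFix could not read the file.
SAMPLE_LINES = r"""
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/16/2010 4:31 PM 108289]
R3 WinRing0_1_2_0;WinRing0_1_2_0;\??\c:\documents and settings\Kiren\Local Settings\Temp\tmp1.tmp --> c:\documents and settings\Kiren\Local Settings\Temp\tmp1.tmp [?]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/1/2012 4:40 PM 22344]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
"""

# "R"/"S" = running/stopped as ComboFix prints it; the digit is the Windows start
# type (0 = boot ... 4 = disabled). Fields are separated by semicolons.
LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# Split the trailing "[timestamp size]" or "[?]" off the image path.
TAIL_RE = re.compile(r"^(?P<image>.*?)\s*\[(?P<info>[^\]]*)\]\s*$")
# The image path ends at the first executable-looking extension that is followed
# by whitespace (arguments) or the end of the string.
IMAGE_RE = re.compile(r"^(?P<path>.+?\.(?:exe|sys|dll|des|tmp|ocx|cpl))(?:\s+(?P<args>.*))?$", re.IGNORECASE)

# Heuristic: service and driver binaries are normally one of these.
EXPECTED_EXT = {".exe", ".sys", ".dll"}


@dataclass
class ServiceEntry:
    name: str
    display: str
    state: str        # "R" or "S"
    start_type: int
    path: str         # image path with the \??\ prefix removed
    args: str
    file_info: str    # "timestamp size", or "?" when ComboFix could not read the file
    flags: set = field(default_factory=set)


def parse_line(line):
    """Parse one ComboFix service/driver line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tail = TAIL_RE.match(m["rest"])
    if not tail:
        return None
    image = tail["image"]
    # "registry value --> resolved path" form: keep the half ComboFix resolved.
    if " --> " in image:
        image = image.split(" --> ", 1)[1]
    # \??\ is the NT object-namespace prefix drivers often carry; drop it so the
    # path compares like a normal Win32 path.
    if image.startswith("\\??\\"):
        image = image[4:]
    im = IMAGE_RE.match(image)
    path, args = (im["path"], im["args"] or "") if im else (image, "")
    return ServiceEntry(
        name=m["name"], display=m["display"], state=m["state"],
        start_type=int(m["start"]), path=path, args=args, file_info=tail["info"].strip(),
    )


def triage(entry):
    """Attach review flags (heuristics, not verdicts) to a parsed entry."""
    low = entry.path.lower()
    if entry.file_info == "?":
        entry.flags.add("file_missing")          # ComboFix could not read the file
    if "\\temp\\" in low or "\\tmp\\" in low:
        entry.flags.add("temp_dir")              # drivers rarely belong in Temp
    if low.startswith("c:\\documents and settings\\"):
        entry.flags.add("user_profile")          # image lives under a user profile
    ext = "." + low.rsplit(".", 1)[-1] if "." in low else ""
    if ext not in EXPECTED_EXT:
        entry.flags.add("nonstandard_extension")  # e.g. .tmp or .des
    return entry


def parse_log(text):
    """Parse every service/driver line in a ComboFix log excerpt."""
    return [triage(e) for e in map(parse_line, text.splitlines()) if e]


def suspicious(entries):
    """Entries that carry at least one review flag."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in suspicious(parse_log(SAMPLE_LINES)):
        print(f"{e.state}{e.start_type} {e.name:<18} {e.path}  flags={sorted(e.flags)}")
```

On the sample lines this reports exactly WinRing0_1_2_0, sptd and npggsvc; the Avira and Malwarebytes entries carry no flags.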

#11 Sedadren

Sedadren
  • Topic Starter

  • Members
  • 39 posts
  • Local time:09:35 PM

Posted 21 August 2012 - 06:19 PM

Here is the combofix log

ComboFix 12-08-21.02 - Kiren 08/21/2012 17:41:44.6.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2757 [GMT -5:00]
Running from: c:\documents and settings\Kiren\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kiren\Desktop\CFScript.txt
AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2012-07-21 to 2012-08-21 )))))))))))))))))))))))))))))))
.
.
2012-08-13 19:45 . 2012-08-13 21:15 -------- d-s---w- c:\documents and settings\Administrator.KI.008
2012-08-13 19:41 . 2012-08-13 21:15 -------- d-s---w- c:\documents and settings\Administrator.KI.007
2012-08-01 23:43 . 2012-08-01 23:43 -------- d-----w- c:\documents and settings\Kiren\.thinupload
2012-08-01 21:40 . 2012-08-01 21:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-01 21:40 . 2012-07-03 18:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-01 21:13 . 2012-08-01 21:13 -------- d-----w- c:\program files\PC Tools
2012-08-01 21:12 . 2012-08-13 21:14 -------- d-----w- c:\program files\Common Files\PC Tools
2012-08-01 21:12 . 2012-06-22 20:34 203120 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-08-01 21:04 . 2012-08-01 22:00 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools
2012-08-01 21:04 . 2012-08-01 21:04 -------- d-----w- c:\documents and settings\Kiren\Application Data\TestApp
2012-08-01 20:56 . 2012-08-01 20:56 -------- d-----w- c:\windows\system32\wbem\Repository
2012-08-01 20:43 . 2012-08-01 20:50 -------- d-s---w- c:\documents and settings\Administrator.KI.006
2012-08-01 20:40 . 2012-08-01 20:50 -------- d-s---w- c:\documents and settings\Administrator.KI.005
2012-08-01 20:39 . 2012-08-01 20:50 -------- d-s---w- c:\documents and settings\Administrator.KI.004
2012-08-01 20:23 . 2012-08-01 20:50 -------- d-s---w- c:\documents and settings\Administrator.KI.003
2012-08-01 20:12 . 2012-08-01 20:50 -------- d-s---w- c:\documents and settings\Administrator.KI.002
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-15 01:36 . 2012-04-11 04:10 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-15 01:36 . 2011-05-28 20:13 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-25 21:25 . 2010-01-19 19:48 94208 ----a-w- c:\windows\DUMPaf2b.tmp
2012-06-02 21:55 . 2012-06-02 19:15 286720 ------w- c:\windows\Setup1.exe
2012-06-02 21:55 . 2012-06-02 19:15 73216 ----a-w- c:\windows\ST6UNST.EXE
2012-05-26 04:51 . 2012-05-26 04:51 545280 ----a-w- c:\windows\flashax.exe
2012-05-26 04:51 . 2012-05-26 04:51 12288 ----a-w- c:\windows\impborl.dll
2012-07-18 13:19 . 2011-05-06 21:34 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPUThermometer"="c:\documents and settings\Kiren\My Documents\Downloads\CPU Thermometer\CPUThermometer.exe" [2011-01-14 127488]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-14 18702336]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kiren^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Kiren\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kiren^Start Menu^Programs^Startup^Delta AutoLoad.lnk]
path=c:\documents and settings\Kiren\Start Menu\Programs\Startup\Delta AutoLoad.lnk
backup=c:\windows\pss\Delta AutoLoad.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kiren^Start Menu^Programs^Startup^IMVU.lnk]
path=c:\documents and settings\Kiren\Start Menu\Programs\Startup\IMVU.lnk
backup=c:\windows\pss\IMVU.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kiren^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Kiren\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kiren^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Kiren\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-04-04 05:53 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2009-03-02 21:08 209153 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
2007-03-13 23:38 39264 -c--a-w- c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DXDllRegExe]
2002-12-12 05:14 46592 ----a-w- c:\windows\system32\dxdllreg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-10-25 00:45 136176 ----atw- c:\documents and settings\Kiren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 21:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-07-03 18:46 462920 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2012-02-23 02:49 6591800 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NCsoft Launcher]
2012-06-19 08:59 38744 ----a-w- c:\program files\NCSoft\Launcher\NCLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-01-17 16:07 252296 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iWinTrusted"=2 (0x2)
"wlidsvc"=2 (0x2)
"McciCMService"=2 (0x2)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"YahooAUService"=2 (0x2)
"idsvc"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"npggsvc"=3 (0x3)
"McComponentHostService"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"OverwolfUpdaterService"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [1/16/2010 4:31 PM 108289]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [1/20/2010 10:48 PM 22016]
S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/10/2012 11:10 PM 250056]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [1/21/2010 5:02 PM 1684736]
S3 Linksys_adapter_H;Linksys Adapter Network Driver;c:\windows\system32\drivers\AE2500xp.sys [9/28/2011 2:27 PM 1034240]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/1/2012 4:40 PM 22344]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/25/2012 12:47 AM 113120]
S3 PAC7311;Trust WB-3300p Mini HiRes Webcam;c:\windows\system32\drivers\PA707UCM.SYS [10/18/2005 11:48 AM 154752]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [1/20/2010 10:48 PM 29440]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [1/20/2010 10:48 PM 17536]
S4 iWinTrusted;iWinTrusted;c:\program files\iWin Games\iWinTrusted.exe [4/8/2011 10:17 AM 176848]
S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/1/2012 4:40 PM 655944]
S4 OverwolfUpdaterService;Overwolf Updater Service;c:\program files\Overwolf\OverwolfUpdater.exe [6/14/2012 5:11 AM 18360]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WINRING0_1_2_0
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-11 01:36]
.
2012-08-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-1960408961-682003330-1003Core.job
- c:\documents and settings\Kiren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-25 00:45]
.
2012-08-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1292428093-1960408961-682003330-1003UA.job
- c:\documents and settings\Kiren\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-25 00:45]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Kiren\Application Data\Mozilla\Firefox\Profiles\n9wfir94.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-21 17:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1292428093-1960408961-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-1292428093-1960408961-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:a7,3c,55,88,9b,6e,2d,66,f9,fe,ac,74,6e,a4,6b,81,f1,b7,eb,f5,90,
af,ce,9d,87,2e,d1,2f,9d,5f,0c,fe,f7,9f,91,fb,c1,f6,ff,73,4a,09,58,33,b0,b6,\
"rkeysecu"=hex:a3,26,81,76,7a,fa,42,be,41,09,2b,04,ae,42,3f,cc
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\:õwjY*]
"DisplayName"="???\17?\11\09"
"DeviceDesc"="???\17?\11\09"
"ProviderName"="???\11?\16?\11??"
"MFG"="???????"
"ReinstallString"=".10.1000.8"
"DeviceInstanceIds"=multi:"c:\\documents and settings\\kiren\\desktop\\xp32\\sbdrv\\smbus\\smbusati.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(540)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-08-21 17:59:51
ComboFix-quarantined-files.txt 2012-08-21 22:59
ComboFix2.txt 2012-08-20 20:00
.
Pre-Run: 297,576,742,912 bytes free
Post-Run: 297,562,198,016 bytes free
.
- - End Of File - - 7D4E88CF2976424175D9CE5C412831E0





Here is the Security Check log

Results of screen317's Security Check version 0.99.46
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
AntiVir Desktop
Antivirus out of date!
`````````Anti-malware/Other Utilities Check:`````````
Out of date HijackThis installed!
Spybot - Search & Destroy
Malwarebytes Anti-Malware version 1.62.0.1300
HijackThis 2.0.2
CCleaner
JavaFX 2.1.0
Java™ 7 Update 4
Java version out of Date!
Adobe Flash Player 11.3.300.271
Adobe Reader X 10.1.3 Adobe Reader out of Date!
Mozilla Firefox (14.0.1)
````````Process Check: objlist.exe by Laurent````````
Avira Antivir avguard.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 0%
````````````````````End of Log``````````````````````



AdwCleaner log

# AdwCleaner v1.801 - Logfile created 08/21/2012 at 18:13:38
# Updated 14/08/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Kiren - KI
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Kiren\My Documents\Downloads\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Documents and Settings\Kiren\Application Data\Mozilla\Firefox\Profiles\n9wfir94.default\Conduit
Folder Found : C:\Documents and Settings\All Users.WINDOWS\Application Data\InstallMate
Folder Found : C:\Documents and Settings\All Users.WINDOWS\Application Data\Trymedia
Folder Found : C:\Documents and Settings\All Users.WINDOWS\Application Data\Premium

***** [Registry] *****

Key Found : HKCU\Software\Headlight
Key Found : HKLM\SOFTWARE\Conduit

***** [Registre - GUID] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v14.0.1 (en-US)

Profile name : default
File : C:\Documents and Settings\Kiren\Application Data\Mozilla\Firefox\Profiles\n9wfir94.default\prefs.js

Found : user_pref("CT2612669.AboutPrivacyUrl", "hxxp://www.conduit.com/privacy/Default.aspx");
Found : user_pref("CT2612669.CTID", "CT2612669");
Found : user_pref("CT2612669.CurrentServerDate", "15-12-2010");
Found : user_pref("CT2612669.DialogsAlignMode", "LTR");
Found : user_pref("CT2612669.DownloadReferralCookieData", "{\"BannerName\":\"\",\"BannerTypeId\":\"\",\"Bann[...]
Found : user_pref("CT2612669.FeedLastCount129206864782289142", 20);
Found : user_pref("CT2612669.FeedPollDate129206864782914144", "Tue Dec 14 2010 18:56:34 GMT-0600 (Central St[...]
Found : user_pref("CT2612669.FeedTTL129206864782914144", 40);
Found : user_pref("CT2612669.FirstServerDate", "15-12-2010");
Found : user_pref("CT2612669.FirstTime", true);
Found : user_pref("CT2612669.FirstTimeFF3", true);
Found : user_pref("CT2612669.FirstTimeSettingsDone", true);
Found : user_pref("CT2612669.FixPageNotFoundErrors", true);
Found : user_pref("CT2612669.GroupingServerCheckInterval", 1440);
Found : user_pref("CT2612669.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/");
Found : user_pref("CT2612669.Initialize", true);
Found : user_pref("CT2612669.InitializeCommonPrefs", true);
Found : user_pref("CT2612669.InstallationAndCookieDataSentCount", 1);
Found : user_pref("CT2612669.InstalledDate", "Tue Dec 14 2010 18:56:35 GMT-0600 (Central Standard Time)");
Found : user_pref("CT2612669.IsGrouping", false);
Found : user_pref("CT2612669.IsMulticommunity", false);
Found : user_pref("CT2612669.IsOpenThankYouPage", true);
Found : user_pref("CT2612669.IsOpenUninstallPage", true);
Found : user_pref("CT2612669.LanguagePackLastCheckTime", "Tue Dec 14 2010 18:56:35 GMT-0600 (Central Standar[...]
Found : user_pref("CT2612669.LanguagePackReloadIntervalMM", 1440);
Found : user_pref("CT2612669.LanguagePackServiceUrl", "hxxp://translation.users.conduit.com/Translation.ashx[...]
Found : user_pref("CT2612669.LastLogin_2.7.2.0", "Tue Dec 14 2010 18:56:46 GMT-0600 (Central Standard Time)"[...]
Found : user_pref("CT2612669.LatestVersion", "2.7.2.0");
Found : user_pref("CT2612669.Locale", "en");
Found : user_pref("CT2612669.LoginCache", 4);
Found : user_pref("CT2612669.MCDetectTooltipHeight", "83");
Found : user_pref("CT2612669.MCDetectTooltipUrl", "hxxp://@EB_INSTALL_LINK@/rank/tooltip/?version=1");
Found : user_pref("CT2612669.MCDetectTooltipWidth", "295");
Found : user_pref("CT2612669.SearchEngine", "Search||hxxp://search.conduit.com/Results.aspx?q=UCM_SEARCH_TER[...]
Found : user_pref("CT2612669.SearchFromAddressBarIsInit", true);
Found : user_pref("CT2612669.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT261[...]
Found : user_pref("CT2612669.SearchInNewTabEnabled", true);
Found : user_pref("CT2612669.SearchInNewTabIntervalMM", 1440);
Found : user_pref("CT2612669.SearchInNewTabLastCheckTime", "Tue Dec 14 2010 18:56:46 GMT-0600 (Central Stand[...]
Found : user_pref("CT2612669.SearchInNewTabServiceUrl", "hxxp://newtab.conduit-hosting.com/newtab/?ctid=EB_T[...]
Found : user_pref("CT2612669.SearchInNewTabUsageUrl", "hxxp://Usage.Hosting.conduit-services.com/UsageServic[...]
Found : user_pref("CT2612669.SearchInNewTabUserEnabled", false);
Found : user_pref("CT2612669.SettingsCheckIntervalMin", 120);
Found : user_pref("CT2612669.SettingsLastCheckTime", "Tue Dec 14 2010 18:56:33 GMT-0600 (Central Standard Ti[...]
Found : user_pref("CT2612669.SettingsLastUpdate", "1291812328");
Found : user_pref("CT2612669.ThirdPartyComponentsInterval", 504);
Found : user_pref("CT2612669.ThirdPartyComponentsLastCheck", "Tue Dec 14 2010 18:56:33 GMT-0600 (Central Sta[...]
Found : user_pref("CT2612669.ThirdPartyComponentsLastUpdate", "1246790578");
Found : user_pref("CT2612669.TrusteLinkUrl", "hxxp://www.truste.org/pvr.php?page=validate&softwareProgramId=[...]
Found : user_pref("CT2612669.Uninstall", true);
Found : user_pref("CT2612669.UserID", "UN32631271082104823");
Found : user_pref("CT2612669.alertChannelId", "1005466");
Found : user_pref("CT2612669.clientLogIsEnabled", false);
Found : user_pref("CT2612669.clientLogServiceUrl", "hxxp://clientlog.users.conduit.com/ClientDiagnostics.asm[...]
Found : user_pref("CT2612669.myStuffEnabled", true);
Found : user_pref("CT2612669.myStuffPublihserMinWidth", 400);
Found : user_pref("CT2612669.myStuffSearchUrl", "hxxp://Apps.conduit.com/search?q=SEARCH_TERM&SearchSourceOr[...]
Found : user_pref("CT2612669.myStuffServiceIntervalMM", 1440);
Found : user_pref("CT2612669.myStuffServiceUrl", "hxxp://mystuff.conduit-services.com/MyStuffService.ashx?Co[...]
Found : user_pref("CT2612669.uninstallLogServiceUrl", "hxxp://uninstall.users.conduit.com/Uninstall.asmx/Reg[...]
Found : user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl", "chrome://browser-region/locale/region.pr[...]
Found : user_pref("CommunityToolbar.ToolbarsList", "CT2612669");
Found : user_pref("CommunityToolbar.ToolbarsList2", "CT2612669");
Found : user_pref("CommunityToolbar.alert.alertInfoInterval", 60);
Found : user_pref("CommunityToolbar.alert.alertInfoLastCheckTime", "Tue Dec 14 2010 18:56:34 GMT-0600 (Centr[...]
Found : user_pref("CommunityToolbar.alert.clientsServerUrl", "hxxp://alert.client.conduit.com");
Found : user_pref("CommunityToolbar.alert.locale", "en");
Found : user_pref("CommunityToolbar.alert.loginIntervalMin", 1440);
Found : user_pref("CommunityToolbar.alert.loginLastCheckTime", "Tue Dec 14 2010 18:56:33 GMT-0600 (Central S[...]
Found : user_pref("CommunityToolbar.alert.loginLastUpdateTime", "1291052234");
Found : user_pref("CommunityToolbar.alert.messageShowTimeSec", 20);
Found : user_pref("CommunityToolbar.alert.servicesServerUrl", "hxxp://alert.services.conduit.com");
Found : user_pref("CommunityToolbar.alert.showTrayIcon", false);
Found : user_pref("CommunityToolbar.alert.userCloseIntervalMin", 300);
Found : user_pref("CommunityToolbar.alert.userId", "{95457290-3b7e-4fe8-88bf-04f4036eabac}");
Found : user_pref("CommunityToolbar.twitter.user_20566976.LastCheckTime", "Tue Dec 14 2010 18:56:36 GMT-0600[...]

-\\ Google Chrome v16.0.912.75

File : C:\Documents and Settings\Kiren\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [7446 octets] - [21/08/2012 18:13:38]

########## EOF - C:\AdwCleaner[R1].txt - [7574 octets] ##########



Honestly, I have no idea what is going on with my computer at this point. I have been using it to play games on Kongregate in the absence of the ability to play my MMORPG, and it sort of freezes from time to time for a few seconds, or at times makes my left click act like a right click, but nothing major. Because I have not been on my MMO, I have not been watching the temperature, so I am unsure how the fixes are affecting things. I have not noticed any notices from Avira, but we turned it off, so I didn't expect any.

The only other odd thing is that somehow Firefox keeps being reset as my default browser. It is after I run the things you have me run, so I assume it has something to do with that.

Again, thank you for all your help, it is really appreciated.

Edited by Sedadren, 21 August 2012 - 07:19 PM.


#12 nasdaq

nasdaq

  • Malware Response Team
  • 40,510 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:35 PM

Posted 22 August 2012 - 08:53 AM

The only other odd thing is that somehow Firefox keeps being reset as my default browser. It is after I run the things you have me run, so I assume it has something to do with that.

I think that ComboFix is the culprit here. Normally the previous Browser is reset.
===

Please reset your HOSTS file.
How To:
http://support.microsoft.com/kb/972034

Use the Fix it button on the page.
===

Most forums now are asking for a DDS log.
Remove this old version of HijackThis 2.0.2 using the Add/Remove Programs applet.
===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java 7 Update 4


===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.
===

Remove the AdWare.

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
===

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
===

Please post a fresh DDS log and include the logs requested here.

Let me know if you see any improvement.

#13 Sedadren

Sedadren
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:09:35 PM

Posted 23 August 2012 - 06:25 PM

I am very sorry for the long delay in responding. We had some hospital time that kept me away from the computer and unable to respond any faster. I know your time is important, and will strive to be more prompt.

I reset the Hosts file again, but I did that last time also. Did it not work?

I have uninstalled HijackThis

Removed Java and followed the link to add Java again.

Updated Adobe reader

I have removed AdWare

The following is the log file that was produced.

# AdwCleaner v1.801 - Logfile created 08/23/2012 at 15:13:33
# Updated 14/08/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Kiren - KI
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Kiren\My Documents\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\Kiren\Application Data\Mozilla\Firefox\Profiles\n9wfir94.default\Conduit
Folder Deleted : C:\Documents and Settings\All Users.WINDOWS\Application Data\InstallMate
Folder Deleted : C:\Documents and Settings\All Users.WINDOWS\Application Data\Trymedia
Folder Deleted : C:\Documents and Settings\All Users.WINDOWS\Application Data\Premium

***** [Registry] *****

Key Deleted : HKCU\Software\Headlight
Key Deleted : HKLM\SOFTWARE\Conduit

***** [Registre - GUID] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v14.0.1 (en-US)

Profile name : default
File : C:\Documents and Settings\Kiren\Application Data\Mozilla\Firefox\Profiles\n9wfir94.default\prefs.js

C:\Documents and Settings\Kiren\Application Data\Mozilla\Firefox\Profiles\n9wfir94.default\user.js ... Deleted !

Deleted : user_pref("CT2612669.AboutPrivacyUrl", "hxxp://www.conduit.com/privacy/Default.aspx");
Deleted : user_pref("CT2612669.CTID", "CT2612669");
Deleted : user_pref("CT2612669.CurrentServerDate", "15-12-2010");
Deleted : user_pref("CT2612669.DialogsAlignMode", "LTR");
Deleted : user_pref("CT2612669.DownloadReferralCookieData", "{\"BannerName\":\"\",\"BannerTypeId\":\"\",\"Bann[...]
Deleted : user_pref("CT2612669.FeedLastCount129206864782289142", 20);
Deleted : user_pref("CT2612669.FeedPollDate129206864782914144", "Tue Dec 14 2010 18:56:34 GMT-0600 (Central St[...]
Deleted : user_pref("CT2612669.FeedTTL129206864782914144", 40);
Deleted : user_pref("CT2612669.FirstServerDate", "15-12-2010");
Deleted : user_pref("CT2612669.FirstTime", true);
Deleted : user_pref("CT2612669.FirstTimeFF3", true);
Deleted : user_pref("CT2612669.FirstTimeSettingsDone", true);
Deleted : user_pref("CT2612669.FixPageNotFoundErrors", true);
Deleted : user_pref("CT2612669.GroupingServerCheckInterval", 1440);
Deleted : user_pref("CT2612669.GroupingServiceUrl", "hxxp://grouping.services.conduit.com/");
Deleted : user_pref("CT2612669.Initialize", true);
Deleted : user_pref("CT2612669.InitializeCommonPrefs", true);
Deleted : user_pref("CT2612669.InstallationAndCookieDataSentCount", 1);
Deleted : user_pref("CT2612669.InstalledDate", "Tue Dec 14 2010 18:56:35 GMT-0600 (Central Standard Time)");
Deleted : user_pref("CT2612669.IsGrouping", false);
Deleted : user_pref("CT2612669.IsMulticommunity", false);
Deleted : user_pref("CT2612669.IsOpenThankYouPage", true);
Deleted : user_pref("CT2612669.IsOpenUninstallPage", true);
Deleted : user_pref("CT2612669.LanguagePackLastCheckTime", "Tue Dec 14 2010 18:56:35 GMT-0600 (Central Standar[...]
Deleted : user_pref("CT2612669.LanguagePackReloadIntervalMM", 1440);
Deleted : user_pref("CT2612669.LanguagePackServiceUrl", "hxxp://translation.users.conduit.com/Translation.ashx[...]
Deleted : user_pref("CT2612669.LastLogin_2.7.2.0", "Tue Dec 14 2010 18:56:46 GMT-0600 (Central Standard Time)"[...]
Deleted : user_pref("CT2612669.LatestVersion", "2.7.2.0");
Deleted : user_pref("CT2612669.Locale", "en");
Deleted : user_pref("CT2612669.LoginCache", 4);
Deleted : user_pref("CT2612669.MCDetectTooltipHeight", "83");
Deleted : user_pref("CT2612669.MCDetectTooltipUrl", "hxxp://@EB_INSTALL_LINK@/rank/tooltip/?version=1");
Deleted : user_pref("CT2612669.MCDetectTooltipWidth", "295");
Deleted : user_pref("CT2612669.SearchEngine", "Search||hxxp://search.conduit.com/Results.aspx?q=UCM_SEARCH_TER[...]
Deleted : user_pref("CT2612669.SearchFromAddressBarIsInit", true);
Deleted : user_pref("CT2612669.SearchFromAddressBarUrl", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT261[...]
Deleted : user_pref("CT2612669.SearchInNewTabEnabled", true);
Deleted : user_pref("CT2612669.SearchInNewTabIntervalMM", 1440);
Deleted : user_pref("CT2612669.SearchInNewTabLastCheckTime", "Tue Dec 14 2010 18:56:46 GMT-0600 (Central Stand[...]
Deleted : user_pref("CT2612669.SearchInNewTabServiceUrl", "hxxp://newtab.conduit-hosting.com/newtab/?ctid=EB_T[...]
Deleted : user_pref("CT2612669.SearchInNewTabUsageUrl", "hxxp://Usage.Hosting.conduit-services.com/UsageServic[...]
Deleted : user_pref("CT2612669.SearchInNewTabUserEnabled", false);
Deleted : user_pref("CT2612669.SettingsCheckIntervalMin", 120);
Deleted : user_pref("CT2612669.SettingsLastCheckTime", "Tue Dec 14 2010 18:56:33 GMT-0600 (Central Standard Ti[...]
Deleted : user_pref("CT2612669.SettingsLastUpdate", "1291812328");
Deleted : user_pref("CT2612669.ThirdPartyComponentsInterval", 504);
Deleted : user_pref("CT2612669.ThirdPartyComponentsLastCheck", "Tue Dec 14 2010 18:56:33 GMT-0600 (Central Sta[...]
Deleted : user_pref("CT2612669.ThirdPartyComponentsLastUpdate", "1246790578");
Deleted : user_pref("CT2612669.TrusteLinkUrl", "hxxp://www.truste.org/pvr.php?page=validate&softwareProgramId=[...]
Deleted : user_pref("CT2612669.Uninstall", true);
Deleted : user_pref("CT2612669.UserID", "UN32631271082104823");
Deleted : user_pref("CT2612669.alertChannelId", "1005466");
Deleted : user_pref("CT2612669.clientLogIsEnabled", false);
Deleted : user_pref("CT2612669.clientLogServiceUrl", "hxxp://clientlog.users.conduit.com/ClientDiagnostics.asm[...]
Deleted : user_pref("CT2612669.myStuffEnabled", true);
Deleted : user_pref("CT2612669.myStuffPublihserMinWidth", 400);
Deleted : user_pref("CT2612669.myStuffSearchUrl", "hxxp://Apps.conduit.com/search?q=SEARCH_TERM&SearchSourceOr[...]
Deleted : user_pref("CT2612669.myStuffServiceIntervalMM", 1440);
Deleted : user_pref("CT2612669.myStuffServiceUrl", "hxxp://mystuff.conduit-services.com/MyStuffService.ashx?Co[...]
Deleted : user_pref("CT2612669.uninstallLogServiceUrl", "hxxp://uninstall.users.conduit.com/Uninstall.asmx/Reg[...]
Deleted : user_pref("CommunityToolbar.SearchFromAddressBarSavedUrl", "chrome://browser-region/locale/region.pr[...]
Deleted : user_pref("CommunityToolbar.ToolbarsList", "CT2612669");
Deleted : user_pref("CommunityToolbar.ToolbarsList2", "CT2612669");
Deleted : user_pref("CommunityToolbar.alert.alertInfoInterval", 60);
Deleted : user_pref("CommunityToolbar.alert.alertInfoLastCheckTime", "Tue Dec 14 2010 18:56:34 GMT-0600 (Centr[...]
Deleted : user_pref("CommunityToolbar.alert.clientsServerUrl", "hxxp://alert.client.conduit.com");
Deleted : user_pref("CommunityToolbar.alert.locale", "en");
Deleted : user_pref("CommunityToolbar.alert.loginIntervalMin", 1440);
Deleted : user_pref("CommunityToolbar.alert.loginLastCheckTime", "Tue Dec 14 2010 18:56:33 GMT-0600 (Central S[...]
Deleted : user_pref("CommunityToolbar.alert.loginLastUpdateTime", "1291052234");
Deleted : user_pref("CommunityToolbar.alert.messageShowTimeSec", 20);
Deleted : user_pref("CommunityToolbar.alert.servicesServerUrl", "hxxp://alert.services.conduit.com");
Deleted : user_pref("CommunityToolbar.alert.showTrayIcon", false);
Deleted : user_pref("CommunityToolbar.alert.userCloseIntervalMin", 300);
Deleted : user_pref("CommunityToolbar.alert.userId", "{95457290-3b7e-4fe8-88bf-04f4036eabac}");
Deleted : user_pref("CommunityToolbar.twitter.user_20566976.LastCheckTime", "Tue Dec 14 2010 18:56:36 GMT-0600[...]

-\\ Google Chrome v16.0.912.75

File : C:\Documents and Settings\Kiren\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [7575 octets] - [21/08/2012 18:13:38]
AdwCleaner[S1].txt - [7786 octets] - [23/08/2012 15:13:33]

########## EOF - C:\AdwCleaner[S1].txt - [7914 octets] ##########



ESET... I gave up after the 5th time it crashed my computer without finishing. I am not sure if it is causing it to overheat, or if there is another problem, but it isn't getting anywhere near close to finished when it reboots my machine and then I am back to square one.
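The AdwCleaner logs above show how a Conduit "CommunityToolbar" install leaves its footprint in a Firefox profile: a CommunityToolbar.ToolbarsList pref names the toolbar's CTID, and every pref belonging to that toolbar is prefixed with it (CT2612669.* here). The script below is an added example, not part of the thread or of AdwCleaner; it parses prefs.js/user.js style lines and flags those prefs so a defender can review a profile before deleting anything. The sample prefs are constructed from the log entries above, and the assumption that CTIDs match the pattern CT followed by digits is mine.

```python
import re

# Constructed sample modelled on the AdwCleaner log entries in this thread
# (not a real profile dump); "hxxp" defangs the URLs as the log does.
SAMPLE_PREFS = r'''
user_pref("browser.startup.homepage", "about:home");
user_pref("CommunityToolbar.ToolbarsList", "CT2612669");
user_pref("CT2612669.SearchEngine", "Search||hxxp://search.conduit.com/Results.aspx?q=UCM_SEARCH_TERM");
user_pref("CT2612669.UserID", "UN32631271082104823");
user_pref("CommunityToolbar.alert.clientsServerUrl", "hxxp://alert.client.conduit.com");
user_pref("network.cookie.cookieBehavior", 0);
'''

# One user_pref("name", value); per line, as Firefox writes prefs.js/user.js.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')
# Assumption: Conduit toolbar IDs look like CT followed by digits (CT2612669 in the log).
CTID_RE = re.compile(r'CT\d+')


def parse_prefs(text):
    """Return a list of (name, raw_value) pairs from prefs.js/user.js text."""
    prefs = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs.append((m.group(1), m.group(2)))
    return prefs


def find_toolbar_prefs(prefs):
    """Return (sorted CTIDs, prefs that belong to the CommunityToolbar framework).

    CTIDs come from CommunityToolbar.ToolbarsList / ToolbarsList2 and also from
    any CT<digits>.* pref name, so leftovers of an unlisted toolbar are caught too.
    """
    ctids = set()
    for name, value in prefs:
        if name in ("CommunityToolbar.ToolbarsList", "CommunityToolbar.ToolbarsList2"):
            ctids.update(CTID_RE.findall(value))
        m = re.match(r'^(CT\d+)\.', name)
        if m:
            ctids.add(m.group(1))
    flagged = [(name, value) for name, value in prefs
               if name.startswith("CommunityToolbar.")
               or any(name.startswith(c + ".") for c in ctids)]
    return sorted(ctids), flagged


if __name__ == "__main__":
    ids, hits = find_toolbar_prefs(parse_prefs(SAMPLE_PREFS))
    print("toolbars:", ids)
    for name, value in hits:
        print("flagged:", name, "=", value)
```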

#14 nasdaq

nasdaq

  • Malware Response Team
  • 40,510 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:35 PM

Posted 25 August 2012 - 06:19 AM

Before we go any further I think you should be looking at some Hardware problem.

I suggest you start a new topic here and see what they can find.
Internal hardware forum
http://www.bleepingcomputer.com/forums/forum7.html

This topic will be left open for 5 days.
Keep me posted.

#15 Sedadren

Sedadren
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:09:35 PM

Posted 25 August 2012 - 06:27 AM

Alright, I posted there. I will keep you updated.



