
\\.\globalroot\systemroot\svchost.exe is infected and I'm getting BSODs!


18 replies to this topic

#1 TKTheKid

  • Members
  • 36 posts

Posted 17 August 2012 - 05:18 PM

Hi all,

This is my first post and I'm a little upset to be posting here lol; usually Malwarebytes or rkill take care of all my problems! Haha.

But seriously, Malwarebytes and rkill keep finding this infection, but it just keeps coming back. I've gotten many (presumably fake) Blue Screen of Deaths and the computer in general performs horribly.

What steps can I take from here to really clean things up?

Thank you very much!

Tony


#2 boopme

  • Global Moderator
  • 73,220 posts

Posted 17 August 2012 - 06:50 PM

Welcome! It's a rootkit and more logs are needed.

Please go here: Preparation Guide.

Create a DDS log and post it in this topic, thanks.
If GMER won't run (it may not on a 64 bit system) skip it and move on.

#3 TKTheKid

  • Topic Starter
  • Members
  • 36 posts

Posted 17 August 2012 - 09:28 PM

Here are the text files that DDS created. Thank you in advance!

Tony

Attached Files



#4 gringo_pr

  • Malware Response Team
  • 136,772 posts

Posted 18 August 2012 - 01:14 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

In your next post I need the following:
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#5 TKTheKid

  • Topic Starter
  • Members
  • 36 posts

Posted 18 August 2012 - 01:57 AM

Hello Gringo!

Here is the log created from running Security Check:

Results of screen317's Security Check version 0.99.45
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
McAfee Anti-Virus and Anti-Spyware
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.62.0.1300
Java™ 6 Update 31
Java version out of Date!
Adobe Flash Player 11.1.102.55 Flash Player out of Date!
Adobe Reader X 10.1.3 Adobe Reader out of Date!
Mozilla Firefox (14.0.1)
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````



As for ComboFix, that didn't go well at all. It started to extract files and then a Blue Screen of Death hit me. I booted up in Safe Mode and the same exact thing happened. Then I booted Windows normally again... and I got the Blue Screen of Death again! But the funny thing is, the computer does seem to be quite a bit faster and closer to normalcy. Go figure huh? But what can be done about getting ComboFix to run?

Thank you for your help.

Tony

#6 gringo_pr

  • Malware Response Team
  • 136,772 posts

Posted 18 August 2012 - 01:59 AM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#7 TKTheKid

  • Topic Starter
  • Members
  • 36 posts

Posted 18 August 2012 - 08:53 AM

Okay, here is the TDSSKiller log:

08:16:28.0206 0300 TDSS rootkit removing tool 2.8.6.0 Aug 13 2012 17:24:05
08:16:28.0593 0300 ============================================================
08:16:28.0593 0300 Current date / time: 2012/08/18 08:16:28.0593
08:16:28.0593 0300 SystemInfo:
08:16:28.0593 0300
08:16:28.0593 0300 OS Version: 6.1.7601 ServicePack: 1.0
08:16:28.0593 0300 Product type: Workstation
08:16:28.0593 0300 ComputerName: TONY-PC
08:16:28.0594 0300 UserName: Tony
08:16:28.0594 0300 Windows directory: C:\Windows
08:16:28.0594 0300 System windows directory: C:\Windows
08:16:28.0594 0300 Running under WOW64
08:16:28.0594 0300 Processor architecture: Intel x64
08:16:28.0594 0300 Number of processors: 1
08:16:28.0594 0300 Page size: 0x1000
08:16:28.0594 0300 Boot type: Normal boot
08:16:28.0594 0300 ============================================================
08:16:32.0790 0300 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
08:16:33.0000 0300 ============================================================
08:16:33.0000 0300 \Device\Harddisk0\DR0:
08:16:33.0024 0300 MBR partitions:
08:16:33.0024 0300 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x1D9F000
08:16:33.0024 0300 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1DB3000, BlocksNum 0x385D2800
08:16:33.0024 0300 ============================================================
08:16:33.0378 0300 C: <-> \Device\Harddisk0\DR0\Partition2
08:16:33.0572 0300 ============================================================
08:16:33.0572 0300 Initialize success
08:16:33.0572 0300 ============================================================
08:16:44.0756 3272 ============================================================
08:16:44.0756 3272 Scan started
08:16:44.0756 3272 Mode: Manual;
08:16:44.0756 3272 ============================================================
08:18:01.0995 3272 LSI_SAS2 - ok
08:18:02.0178 3272 [ 0504eacaff0d3c8aed161c4b0d369d4a ] LSI_SCSI C:\Windows\system32\drivers\lsi_scsi.sys
08:18:02.0183 3272 LSI_SCSI - ok
08:18:02.0251 3272 [ 43d0f98e1d56ccddb0d5254cff7b356e ] luafv C:\Windows\system32\drivers\luafv.sys
08:18:02.0255 3272 luafv - ok
08:18:02.0911 3272 [ 9504f1dda1b67fb8d526fd4f8cc882f3 ] McAWFwk c:\PROGRA~1\mcafee\msc\mcawfwk.exe
08:18:03.0079 3272 McAWFwk - ok
08:18:03.0480 3272 [ acb01bf1a905356ab7f978c7fe852209 ] McMPFSvc C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
08:18:03.0567 3272 McMPFSvc - ok
08:18:03.0607 3272 [ acb01bf1a905356ab7f978c7fe852209 ] mcmscsvc C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
08:18:03.0609 3272 mcmscsvc - ok
08:18:03.0646 3272 [ acb01bf1a905356ab7f978c7fe852209 ] McNaiAnn C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
08:18:03.0647 3272 McNaiAnn - ok
08:18:03.0689 3272 [ acb01bf1a905356ab7f978c7fe852209 ] McNASvc C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
08:18:03.0692 3272 McNASvc - ok
08:18:03.0949 3272 [ c6232488cdbf063ce077fc7f8f8c248c ] McODS C:\Program Files\mcafee\VirusScan\mcods.exe
08:18:04.0157 3272 McODS - ok
08:18:04.0334 3272 [ acb01bf1a905356ab7f978c7fe852209 ] McOobeSv C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
08:18:04.0336 3272 McOobeSv - ok
08:18:04.0369 3272 [ acb01bf1a905356ab7f978c7fe852209 ] McProxy C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe
08:18:04.0371 3272 McProxy - ok
08:18:04.0634 3272 [ 325b166bf78d8a8ad93e44ca7a6fc332 ] McShield C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
08:18:04.0747 3272 McShield - ok
08:18:04.0875 3272 [ 0be09cd858abf9df6ed259d57a1a1663 ] Mcx2Svc C:\Windows\system32\Mcx2Svc.dll
08:18:05.0151 3272 Mcx2Svc - ok
08:18:05.0222 3272 [ a55805f747c6edb6a9080d7c633bd0f4 ] megasas C:\Windows\system32\drivers\megasas.sys
08:18:05.0261 3272 megasas - ok
08:18:05.0407 3272 [ baf74ce0072480c3b6b7c13b2a94d6b3 ] MegaSR C:\Windows\system32\drivers\MegaSR.sys
08:18:05.0416 3272 MegaSR - ok
08:18:05.0692 3272 [ ef3acfb7e3f82d5f7cde9ef5f0a4e2e2 ] mfeapfk C:\Windows\system32\drivers\mfeapfk.sys
08:18:05.0808 3272 mfeapfk - ok
08:18:06.0095 3272 [ e7a60bdb4365b561d896019b82fb7dd0 ] mfeavfk C:\Windows\system32\drivers\mfeavfk.sys
08:18:06.0190 3272 mfeavfk - ok
08:18:06.0258 3272 mfeavfk01 - ok
08:18:06.0475 3272 [ 7d8fdc43972d059907e09ee4022f77e8 ] mfefire C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
08:18:06.0529 3272 mfefire - ok
08:18:06.0794 3272 [ 670dffe55e2f9ab99d9169c428bcece9 ] mfefirek C:\Windows\system32\drivers\mfefirek.sys
08:18:06.0856 3272 mfefirek - ok
08:18:07.0932 3272 [ 1892616b7f9291fd77c3fa0a5811fe9f ] mfehidk C:\Windows\system32\drivers\mfehidk.sys
08:18:08.0230 3272 mfehidk - ok
08:18:08.0325 3272 [ 1721261c77f6e7a9e0cb51b7d9f31b60 ] mfenlfk C:\Windows\system32\DRIVERS\mfenlfk.sys
08:18:08.0393 3272 mfenlfk - ok
08:18:08.0526 3272 [ 65776bd8029e409935b90de30bf99526 ] mferkdet C:\Windows\system32\drivers\mferkdet.sys
08:18:08.0616 3272 mferkdet - ok
08:18:08.0777 3272 [ 8a78905057308b084eaa29a9fe1b4f58 ] mfevtp C:\Windows\system32\mfevtps.exe
08:18:08.0858 3272 mfevtp - ok
08:18:09.0045 3272 [ 4f17d8b85b903d96ef7033bb6ef50516 ] mfewfpk C:\Windows\system32\drivers\mfewfpk.sys
08:18:09.0143 3272 mfewfpk - ok
08:18:09.0305 3272 [ e40e80d0304a73e8d269f7141d77250b ] MMCSS C:\Windows\system32\mmcss.dll
08:18:09.0313 3272 MMCSS - ok
08:18:09.0369 3272 [ 800ba92f7010378b09f9ed9270f07137 ] Modem C:\Windows\system32\drivers\modem.sys
08:18:09.0385 3272 Modem - ok
08:18:09.0487 3272 [ b03d591dc7da45ece20b3b467e6aadaa ] monitor C:\Windows\system32\DRIVERS\monitor.sys
08:18:09.0488 3272 monitor - ok
08:18:09.0585 3272 [ 7d27ea49f3c1f687d357e77a470aea99 ] mouclass C:\Windows\system32\DRIVERS\mouclass.sys
08:18:09.0591 3272 mouclass - ok
08:18:09.0666 3272 [ d3bf052c40b0c4166d9fd86a4288c1e6 ] mouhid C:\Windows\system32\DRIVERS\mouhid.sys
08:18:09.0675 3272 mouhid - ok
08:18:09.0748 3272 [ 32e7a3d591d671a6df2db515a5cbe0fa ] mountmgr C:\Windows\system32\drivers\mountmgr.sys
08:18:09.0825 3272 mountmgr - ok
08:18:10.0104 3272 [ 46297fa8e30a6007f14118fc2b942fbc ] MozillaMaintenance C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
08:18:10.0163 3272 MozillaMaintenance - ok
08:18:10.0227 3272 [ a44b420d30bd56e145d6a2bc8768ec58 ] mpio C:\Windows\system32\drivers\mpio.sys
08:18:10.0320 3272 mpio - ok
08:18:10.0431 3272 [ 6c38c9e45ae0ea2fa5e551f2ed5e978f ] mpsdrv C:\Windows\system32\drivers\mpsdrv.sys
08:18:10.0563 3272 mpsdrv - ok
08:18:10.0687 3272 [ dc722758b8261e1abafd31a3c0a66380 ] MRxDAV C:\Windows\system32\drivers\mrxdav.sys
08:18:10.0799 3272 MRxDAV - ok
08:18:10.0937 3272 [ a5d9106a73dc88564c825d317cac68ac ] mrxsmb C:\Windows\system32\DRIVERS\mrxsmb.sys
08:18:11.0128 3272 mrxsmb - ok
08:18:11.0263 3272 [ d711b3c1d5f42c0c2415687be09fc163 ] mrxsmb10 C:\Windows\system32\DRIVERS\mrxsmb10.sys
08:18:11.0343 3272 mrxsmb10 - ok
08:18:11.0365 3272 [ 9423e9d355c8d303e76b8cfbd8a5c30c ] mrxsmb20 C:\Windows\system32\DRIVERS\mrxsmb20.sys
08:18:11.0427 3272 mrxsmb20 - ok
08:18:11.0494 3272 [ c25f0bafa182cbca2dd3c851c2e75796 ] msahci C:\Windows\system32\drivers\msahci.sys
08:18:11.0621 3272 msahci - ok
08:18:11.0883 3272 [ db801a638d011b9633829eb6f663c900 ] msdsm C:\Windows\system32\drivers\msdsm.sys
08:18:11.0951 3272 msdsm - ok
08:18:12.0140 3272 [ de0ece52236cfa3ed2dbfc03f28253a8 ] MSDTC C:\Windows\System32\msdtc.exe
08:18:12.0147 3272 MSDTC - ok
08:18:12.0211 3272 [ aa3fb40e17ce1388fa1bedab50ea8f96 ] Msfs C:\Windows\system32\drivers\Msfs.sys
08:18:12.0215 3272 Msfs - ok
08:18:12.0295 3272 [ f9d215a46a8b9753f61767fa72a20326 ] mshidkmdf C:\Windows\System32\drivers\mshidkmdf.sys
08:18:12.0301 3272 mshidkmdf - ok
08:18:12.0334 3272 [ d916874bbd4f8b07bfb7fa9b3ccae29d ] msisadrv C:\Windows\system32\drivers\msisadrv.sys
08:18:12.0337 3272 msisadrv - ok
08:18:12.0465 3272 [ 808e98ff49b155c522e6400953177b08 ] MSiSCSI C:\Windows\system32\iscsiexe.dll
08:18:12.0477 3272 MSiSCSI - ok
08:18:12.0486 3272 msiserver - ok
08:18:12.0544 3272 [ acb01bf1a905356ab7f978c7fe852209 ] MSK80Service C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
08:18:12.0546 3272 MSK80Service - ok
08:18:12.0674 3272 [ 49ccf2c4fea34ffad8b1b59d49439366 ] MSKSSRV C:\Windows\system32\drivers\MSKSSRV.sys
08:18:12.0683 3272 MSKSSRV - ok
08:18:12.0756 3272 [ bdd71ace35a232104ddd349ee70e1ab3 ] MSPCLOCK C:\Windows\system32\drivers\MSPCLOCK.sys
08:18:12.0767 3272 MSPCLOCK - ok
08:18:12.0824 3272 [ 4ed981241db27c3383d72092b618a1d0 ] MSPQM C:\Windows\system32\drivers\MSPQM.sys
08:18:12.0828 3272 MSPQM - ok
08:18:12.0981 3272 [ 759a9eeb0fa9ed79da1fb7d4ef78866d ] MsRPC C:\Windows\system32\drivers\MsRPC.sys
08:18:13.0036 3272 MsRPC - ok
08:18:13.0069 3272 [ 0eed230e37515a0eaee3c2e1bc97b288 ] mssmbios C:\Windows\system32\DRIVERS\mssmbios.sys
08:18:13.0071 3272 mssmbios - ok
08:18:13.0132 3272 [ 2e66f9ecb30b4221a318c92ac2250779 ] MSTEE C:\Windows\system32\drivers\MSTEE.sys
08:18:13.0140 3272 MSTEE - ok
08:18:13.0174 3272 [ 7ea404308934e675bffde8edf0757bcd ] MTConfig C:\Windows\system32\drivers\MTConfig.sys
08:18:13.0185 3272 MTConfig - ok
08:18:13.0245 3272 [ f9a18612fd3526fe473c1bda678d61c8 ] Mup C:\Windows\system32\Drivers\mup.sys
08:18:13.0250 3272 Mup - ok
08:18:13.0310 3272 [ 582ac6d9873e31dfa28a4547270862dd ] napagent C:\Windows\system32\qagentRT.dll
08:18:13.0362 3272 napagent - ok
08:18:13.0512 3272 [ 1ea3749c4114db3e3161156ffffa6b33 ] NativeWifiP C:\Windows\system32\DRIVERS\nwifi.sys
08:18:13.0525 3272 NativeWifiP - ok
08:18:13.0864 3272 [ c38b8ae57f78915905064a9a24dc1586 ] NDIS C:\Windows\system32\drivers\ndis.sys
08:18:13.0883 3272 NDIS - ok
08:18:13.0956 3272 [ 9f9a1f53aad7da4d6fef5bb73ab811ac ] NdisCap C:\Windows\system32\DRIVERS\ndiscap.sys
08:18:13.0964 3272 NdisCap - ok
08:18:14.0034 3272 [ 30639c932d9fef22b31268fe25a1b6e5 ] NdisTapi C:\Windows\system32\DRIVERS\ndistapi.sys
08:18:14.0040 3272 NdisTapi - ok
08:18:14.0102 3272 [ 136185f9fb2cc61e573e676aa5402356 ] Ndisuio C:\Windows\system32\DRIVERS\ndisuio.sys
08:18:14.0201 3272 Ndisuio - ok
08:18:14.0263 3272 [ 53f7305169863f0a2bddc49e116c2e11 ] NdisWan C:\Windows\system32\DRIVERS\ndiswan.sys
08:18:14.0378 3272 NdisWan - ok
08:18:14.0413 3272 [ 015c0d8e0e0421b4cfd48cffe2825879 ] NDProxy C:\Windows\system32\drivers\NDProxy.sys
08:18:14.0513 3272 NDProxy - ok
08:18:14.0648 3272 [ 86743d9f5d2b1048062b14b1d84501c4 ] NetBIOS C:\Windows\system32\DRIVERS\netbios.sys
08:18:14.0653 3272 NetBIOS - ok
08:18:14.0832 3272 [ 09594d1089c523423b32a4229263f068 ] NetBT C:\Windows\system32\DRIVERS\netbt.sys
08:18:14.0907 3272 NetBT - ok
08:18:14.0941 3272 [ c118a82cd78818c29ab228366ebf81c3 ] Netlogon C:\Windows\system32\lsass.exe
08:18:14.0943 3272 Netlogon - ok
08:18:15.0335 3272 [ 847d3ae376c0817161a14a82c8922a9e ] Netman C:\Windows\System32\netman.dll
08:18:15.0343 3272 Netman - ok
08:18:15.0462 3272 [ d22cd77d4f0d63d1169bb35911bff12d ] NetMsmqActivator C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
08:18:16.0656 3272 NetMsmqActivator - ok
08:18:16.0696 3272 [ d22cd77d4f0d63d1169bb35911bff12d ] NetPipeActivator C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
08:18:16.0697 3272 NetPipeActivator - ok
08:18:16.0913 3272 [ 5f28111c648f1e24f7dbc87cdeb091b8 ] netprofm C:\Windows\System32\netprofm.dll
08:18:16.0928 3272 netprofm - ok
08:18:16.0941 3272 [ d22cd77d4f0d63d1169bb35911bff12d ] NetTcpActivator C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
08:18:16.0942 3272 NetTcpActivator - ok
08:18:16.0952 3272 [ d22cd77d4f0d63d1169bb35911bff12d ] NetTcpPortSharing C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
08:18:16.0953 3272 NetTcpPortSharing - ok
08:18:17.0044 3272 [ 77889813be4d166cdab78ddba990da92 ] nfrd960 C:\Windows\system32\drivers\nfrd960.sys
08:18:17.0056 3272 nfrd960 - ok
08:18:17.0266 3272 [ 1ee99a89cc788ada662441d1e9830529 ] NlaSvc C:\Windows\System32\nlasvc.dll
08:18:17.0270 3272 NlaSvc - ok
08:18:18.0722 3272 [ b9b72faaaa41d59b73b88fe3dd737ed1 ] NOBU C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
08:18:19.0026 3272 NOBU - ok
08:18:19.0095 3272 [ 1e4c4ab5c9b8dd13179bbdc75a2a01f7 ] Npfs C:\Windows\system32\drivers\Npfs.sys
08:18:19.0098 3272 Npfs - ok
08:18:19.0165 3272 [ d54bfdf3e0c953f823b3d0bfe4732528 ] nsi C:\Windows\system32\nsisvc.dll
08:18:19.0223 3272 nsi - ok
08:18:19.0253 3272 [ e7f5ae18af4168178a642a9247c63001 ] nsiproxy C:\Windows\system32\drivers\nsiproxy.sys
08:18:19.0259 3272 nsiproxy - ok
08:18:19.0598 3272 [ a2f74975097f52a00745f9637451fdd8 ] Ntfs C:\Windows\system32\drivers\Ntfs.sys
08:18:19.0699 3272 Ntfs - ok
08:18:19.0754 3272 [ 9899284589f75fa8724ff3d16aed75c1 ] Null C:\Windows\system32\drivers\Null.sys
08:18:19.0760 3272 Null - ok
08:18:19.0817 3272 [ 0a92cb65770442ed0dc44834632f66ad ] nvraid C:\Windows\system32\drivers\nvraid.sys
08:18:19.0880 3272 nvraid - ok
08:18:19.0996 3272 [ dab0e87525c10052bf65f06152f37e4a ] nvstor C:\Windows\system32\drivers\nvstor.sys
08:18:20.0048 3272 nvstor - ok
08:18:20.0136 3272 [ 270d7cd42d6e3979f6dd0146650f0e05 ] nv_agp C:\Windows\system32\drivers\nv_agp.sys
08:18:20.0144 3272 nv_agp - ok
08:18:20.0238 3272 [ 3589478e4b22ce21b41fa1bfc0b8b8a0 ] ohci1394 C:\Windows\system32\drivers\ohci1394.sys
08:18:20.0249 3272 ohci1394 - ok
08:18:20.0341 3272 [ 9d10f99a6712e28f8acd5641e3a7ea6b ] ose C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
08:18:20.0411 3272 ose - ok
08:18:21.0783 3272 [ 61bffb5f57ad12f83ab64b7181829b34 ] osppsvc C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
08:18:23.0122 3272 osppsvc - ok
08:18:23.0237 3272 [ 3eac4455472cc2c97107b5291e0dcafe ] p2pimsvc C:\Windows\system32\pnrpsvc.dll
08:18:23.0247 3272 p2pimsvc - ok
08:18:23.0452 3272 [ 927463ecb02179f88e4b9a17568c63c3 ] p2psvc C:\Windows\system32\p2psvc.dll
08:18:23.0483 3272 p2psvc - ok
08:18:23.0557 3272 [ 0086431c29c35be1dbc43f52cc273887 ] Parport C:\Windows\system32\drivers\parport.sys
08:18:23.0562 3272 Parport - ok
08:18:23.0623 3272 [ e9766131eeade40a27dc27d2d68fba9c ] partmgr C:\Windows\system32\drivers\partmgr.sys
08:18:23.0684 3272 partmgr - ok
08:18:23.0894 3272 [ 3aeaa8b561e63452c655dc0584922257 ] PcaSvc C:\Windows\System32\pcasvc.dll
08:18:23.0906 3272 PcaSvc - ok
08:18:24.0531 3272 [ 7317a0b550f7ac0223b7070897670476 ] PCDSRVC{1E208CE0-FB7451FF-06020101}_0 c:\program files\dell support center\pcdsrvc_x64.pkms
08:18:25.0602 3272 PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - ok
08:18:25.0737 3272 [ 94575c0571d1462a0f70bde6bd6ee6b3 ] pci C:\Windows\system32\drivers\pci.sys
08:18:25.0815 3272 pci - ok
08:18:25.0871 3272 [ b5b8b5ef2e5cb34df8dcf8831e3534fa ] pciide C:\Windows\system32\drivers\pciide.sys
08:18:25.0876 3272 pciide - ok
08:18:26.0145 3272 [ b2e81d4e87ce48589f98cb8c05b01f2f ] pcmcia C:\Windows\system32\drivers\pcmcia.sys
08:18:26.0151 3272 pcmcia - ok
08:18:26.0265 3272 [ d6b9c2e1a11a3a4b26a182ffef18f603 ] pcw C:\Windows\system32\drivers\pcw.sys
08:18:26.0268 3272 pcw - ok
08:18:26.0492 3272 [ 68769c3356b3be5d1c732c97b9a80d6e ] PEAUTH C:\Windows\system32\drivers\peauth.sys
08:18:26.0506 3272 PEAUTH - ok
08:18:27.0217 3272 [ e495e408c93141e8fc72dc0c6046ddfa ] PerfHost C:\Windows\SysWow64\perfhost.exe
08:18:27.0222 3272 PerfHost - ok
08:18:28.0271 3272 [ c7cf6a6e137463219e1259e3f0f0dd6c ] pla C:\Windows\system32\pla.dll
08:18:28.0345 3272 pla - ok
08:18:28.0829 3272 [ 25fbdef06c4d92815b353f6e792c8129 ] PlugPlay C:\Windows\system32\umpnpmgr.dll
08:18:28.0937 3272 PlugPlay - ok
08:18:29.0222 3272 [ 7195581cec9bb7d12abe54036acc2e38 ] PNRPAutoReg C:\Windows\system32\pnrpauto.dll
08:18:29.0228 3272 PNRPAutoReg - ok
08:18:29.0404 3272 [ 3eac4455472cc2c97107b5291e0dcafe ] PNRPsvc C:\Windows\system32\pnrpsvc.dll
08:18:29.0408 3272 PNRPsvc - ok
08:18:29.0700 3272 [ 4f15d75adf6156bf56eced6d4a55c389 ] PolicyAgent C:\Windows\System32\ipsecsvc.dll
08:18:29.0801 3272 PolicyAgent - ok
08:18:29.0938 3272 [ 6ba9d927dded70bd1a9caded45f8b184 ] Power C:\Windows\system32\umpo.dll
08:18:29.0945 3272 Power - ok
08:18:30.0051 3272 [ f92a2c41117a11a00be01ca01a7fcde9 ] PptpMiniport C:\Windows\system32\DRIVERS\raspptp.sys
08:18:30.0155 3272 PptpMiniport - ok
08:18:30.0215 3272 [ 0d922e23c041efb1c3fac2a6f943c9bf ] Processor C:\Windows\system32\drivers\processr.sys
08:18:30.0218 3272 Processor - ok
08:18:30.0334 3272 [ 53e83f1f6cf9d62f32801cf66d8352a8 ] ProfSvc C:\Windows\system32\profsvc.dll
08:18:30.0375 3272 ProfSvc - ok
08:18:30.0416 3272 [ c118a82cd78818c29ab228366ebf81c3 ] ProtectedStorage C:\Windows\system32\lsass.exe
08:18:30.0417 3272 ProtectedStorage - ok
08:18:30.0651 3272 [ 0557cf5a2556bd58e26384169d72438d ] Psched C:\Windows\system32\DRIVERS\pacer.sys
08:18:30.0714 3272 Psched - ok
08:18:30.0923 3272 [ 87b04878a6d59d6c79251dc960c674c1 ] PxHlpa64 C:\Windows\system32\Drivers\PxHlpa64.sys
08:18:31.0010 3272 PxHlpa64 - ok
08:18:31.0512 3272 [ a53a15a11ebfd21077463ee2c7afeef0 ] ql2300 C:\Windows\system32\drivers\ql2300.sys
08:18:32.0259 3272 ql2300 - ok
08:18:32.0401 3272 [ 4f6d12b51de1aaeff7dc58c4d75423c8 ] ql40xx C:\Windows\system32\drivers\ql40xx.sys
08:18:32.0464 3272 ql40xx - ok
08:18:32.0716 3272 [ 906191634e99aea92c4816150bda3732 ] QWAVE C:\Windows\system32\qwave.dll
08:18:32.0799 3272 QWAVE - ok
08:18:32.0870 3272 [ 76707bb36430888d9ce9d705398adb6c ] QWAVEdrv C:\Windows\system32\drivers\qwavedrv.sys
08:18:32.0875 3272 QWAVEdrv - ok
08:18:32.0942 3272 [ 5a0da8ad5762fa2d91678a8a01311704 ] RasAcd C:\Windows\system32\DRIVERS\rasacd.sys
08:18:32.0945 3272 RasAcd - ok
08:18:33.0073 3272 [ 7ecff9b22276b73f43a99a15a6094e90 ] RasAgileVpn C:\Windows\system32\DRIVERS\AgileVpn.sys
08:18:33.0076 3272 RasAgileVpn - ok
08:18:33.0189 3272 [ 8f26510c5383b8dbe976de1cd00fc8c7 ] RasAuto C:\Windows\System32\rasauto.dll
08:18:33.0198 3272 RasAuto - ok
08:18:33.0295 3272 [ 471815800ae33e6f1c32fb1b97c490ca ] Rasl2tp C:\Windows\system32\DRIVERS\rasl2tp.sys
08:18:33.0401 3272 Rasl2tp - ok
08:18:33.0585 3272 [ ee867a0870fc9e4972ba9eaad35651e2 ] RasMan C:\Windows\System32\rasmans.dll
08:18:33.0643 3272 RasMan - ok
08:18:33.0870 3272 [ 855c9b1cd4756c5e9a2aa58a15f58c25 ] RasPppoe C:\Windows\system32\DRIVERS\raspppoe.sys
08:18:33.0883 3272 RasPppoe - ok
08:18:33.0938 3272 [ e8b1e447b008d07ff47d016c2b0eeecb ] RasSstp C:\Windows\system32\DRIVERS\rassstp.sys
08:18:33.0942 3272 RasSstp - ok
08:18:34.0070 3272 [ 77f665941019a1594d887a74f301fa2f ] rdbss C:\Windows\system32\DRIVERS\rdbss.sys
08:18:34.0208 3272 rdbss - ok
08:18:34.0368 3272 [ 302da2a0539f2cf54d7c6cc30c1f2d8d ] rdpbus C:\Windows\system32\drivers\rdpbus.sys
08:18:34.0373 3272 rdpbus - ok
08:18:34.0433 3272 [ cea6cc257fc9b7715f1c2b4849286d24 ] RDPCDD C:\Windows\system32\DRIVERS\RDPCDD.sys
08:18:34.0436 3272 RDPCDD - ok
08:18:34.0623 3272 [ bb5971a4f00659529a5c44831af22365 ] RDPENCDD C:\Windows\system32\drivers\rdpencdd.sys
08:18:34.0626 3272 RDPENCDD - ok
08:18:34.0768 3272 [ 216f3fa57533d98e1f74ded70113177a ] RDPREFMP C:\Windows\system32\drivers\rdprefmp.sys
08:18:34.0779 3272 RDPREFMP - ok
08:18:34.0906 3272 [ e61608aa35e98999af9aaeeea6114b0a ] RDPWD C:\Windows\system32\drivers\RDPWD.sys
08:18:35.0011 3272 RDPWD - ok
08:18:35.0228 3272 [ 34ed295fa0121c241bfef24764fc4520 ] rdyboost C:\Windows\system32\drivers\rdyboost.sys
08:18:35.0368 3272 rdyboost - ok
08:18:35.0508 3272 [ 254fb7a22d74e5511c73a3f6d802f192 ] RemoteAccess C:\Windows\System32\mprdim.dll
08:18:35.0514 3272 RemoteAccess - ok
08:18:35.0720 3272 [ e4d94f24081440b5fc5aa556c7c62702 ] RemoteRegistry C:\Windows\system32\regsvc.dll
08:18:35.0725 3272 RemoteRegistry - ok
08:18:36.0443 3272 [ 3c957189b31c34d3ad21967b12b6aed7 ] RoxMediaDB12OEM C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe
08:18:37.0463 3272 RoxMediaDB12OEM - ok
08:18:37.0654 3272 [ 2b73088cc2ca757a172b425c9398e5bc ] RoxWatch12 C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe
08:18:38.0027 3272 RoxWatch12 - ok
08:18:38.0166 3272 [ e4dc58cf7b3ea515ae917ff0d402a7bb ] RpcEptMapper C:\Windows\System32\RpcEpMap.dll
08:18:38.0172 3272 RpcEptMapper - ok
08:18:38.0274 3272 [ d5ba242d4cf8e384db90e6a8ed850b8c ] RpcLocator C:\Windows\system32\locator.exe
08:18:38.0362 3272 RpcLocator - ok
08:18:39.0287 3272 [ 5c627d1b1138676c0a7ab2c2c190d123 ] RpcSs C:\Windows\system32\rpcss.dll
08:18:39.0297 3272 RpcSs - ok
08:18:39.0744 3272 [ ddc86e4f8e7456261e637e3552e804ff ] rspndr C:\Windows\system32\DRIVERS\rspndr.sys
08:18:39.0749 3272 rspndr - ok
08:18:39.0803 3272 [ c118a82cd78818c29ab228366ebf81c3 ] SamSs C:\Windows\system32\lsass.exe
08:18:39.0806 3272 SamSs - ok
08:18:39.0880 3272 [ ac03af3329579fffb455aa2daabbe22b ] sbp2port C:\Windows\system32\drivers\sbp2port.sys
08:18:39.0976 3272 sbp2port - ok
08:18:40.0072 3272 [ 9b7395789e3791a3b6d000fe6f8b131e ] SCardSvr C:\Windows\System32\SCardSvr.dll
08:18:40.0085 3272 SCardSvr - ok
08:18:40.0162 3272 [ 253f38d0d7074c02ff8deb9836c97d2b ] scfilter C:\Windows\system32\DRIVERS\scfilter.sys
08:18:40.0292 3272 scfilter - ok
08:18:40.0668 3272 [ 262f6592c3299c005fd6bec90fc4463a ] Schedule C:\Windows\system32\schedsvc.dll
08:18:40.0814 3272 Schedule - ok
08:18:40.0877 3272 [ f17d1d393bbc69c5322fbfafaca28c7f ] SCPolicySvc C:\Windows\System32\certprop.dll
08:18:40.0879 3272 SCPolicySvc - ok
08:18:41.0005 3272 [ 6ea4234dc55346e0709560fe7c2c1972 ] SDRSVC C:\Windows\System32\SDRSVC.dll
08:18:41.0352 3272 SDRSVC - ok
08:18:41.0531 3272 [ 3ea8a16169c26afbeb544e0e48421186 ] secdrv C:\Windows\system32\drivers\secdrv.sys
08:18:41.0542 3272 secdrv - ok
08:18:41.0662 3272 [ bc617a4e1b4fa8df523a061739a0bd87 ] seclogon C:\Windows\system32\seclogon.dll
08:18:41.0784 3272 seclogon - ok
08:18:41.0870 3272 [ c32ab8fa018ef34c0f113bd501436d21 ] SENS C:\Windows\system32\sens.dll
08:18:41.0872 3272 SENS - ok
08:18:41.0934 3272 [ 0336cffafaab87a11541f1cf1594b2b2 ] SensrSvc C:\Windows\system32\sensrsvc.dll
08:18:41.0938 3272 SensrSvc - ok
08:18:42.0000 3272 [ cb624c0035412af0debec78c41f5ca1b ] Serenum C:\Windows\system32\drivers\serenum.sys
08:18:42.0005 3272 Serenum - ok
08:18:42.0151 3272 [ c1d8e28b2c2adfaec4ba89e9fda69bd6 ] Serial C:\Windows\system32\drivers\serial.sys
08:18:42.0163 3272 Serial - ok
08:18:42.0193 3272 [ 1c545a7d0691cc4a027396535691c3e3 ] sermouse C:\Windows\system32\drivers\sermouse.sys
08:18:42.0266 3272 sermouse - ok
08:18:42.0701 3272 [ 0b6231bf38174a1628c4ac812cc75804 ] SessionEnv C:\Windows\system32\sessenv.dll
08:18:42.0813 3272 SessionEnv - ok
08:18:42.0978 3272 [ a554811bcd09279536440c964ae35bbf ] sffdisk C:\Windows\system32\drivers\sffdisk.sys
08:18:42.0987 3272 sffdisk - ok
08:18:42.0996 3272 [ ff414f0baefeba59bc6c04b3db0b87bf ] sffp_mmc C:\Windows\system32\drivers\sffp_mmc.sys
08:18:43.0000 3272 sffp_mmc - ok
08:18:43.0241 3272 [ dd85b78243a19b59f0637dcf284da63c ] sffp_sd C:\Windows\system32\drivers\sffp_sd.sys
08:18:43.0541 3272 sffp_sd - ok
08:18:43.0592 3272 [ a9d601643a1647211a1ee2ec4e433ff4 ] sfloppy C:\Windows\system32\drivers\sfloppy.sys
08:18:43.0601 3272 sfloppy - ok
08:18:44.0391 3272 [ c6cc9297bd53e5229653303e556aa539 ] Sftfs C:\Windows\system32\DRIVERS\Sftfslh.sys
08:18:45.0198 3272 Sftfs - ok
08:18:45.0724 3272 [ 13693b6354dd6e72dc5131da7d764b90 ] sftlist C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
08:18:45.0871 3272 sftlist - ok
08:18:46.0216 3272 [ 390aa7bc52cee43f6790cdea1e776703 ] Sftplay C:\Windows\system32\DRIVERS\Sftplaylh.sys
08:18:46.0570 3272 Sftplay - ok
08:18:46.0598 3272 [ 617e29a0b0a2807466560d4c4e338d3e ] Sftredir C:\Windows\system32\DRIVERS\Sftredirlh.sys
08:18:46.0651 3272 Sftredir - ok
08:18:48.0636 3272 [ 1968e6ebbeecf61d5f7d8603467e2ad0 ] SftService C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
08:18:50.0415 3272 SftService - ok
08:18:50.0552 3272 [ 8f571f016fa1976f445147e9e6c8ae9b ] Sftvol C:\Windows\system32\DRIVERS\Sftvollh.sys
08:18:50.0758 3272 Sftvol - ok
08:18:50.0935 3272 [ c3cddd18f43d44ab713cf8c4916f7696 ] sftvsa C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
08:18:51.0125 3272 sftvsa - ok
08:18:51.0411 3272 [ aaf932b4011d14052955d4b212a4da8d ] ShellHWDetection C:\Windows\System32\shsvcs.dll
08:18:51.0951 3272 ShellHWDetection - ok
08:18:52.0588 3272 [ 843caf1e5fde1ffd5ff768f23a51e2e1 ] SiSRaid2 C:\Windows\system32\drivers\SiSRaid2.sys
08:18:52.0798 3272 SiSRaid2 - ok
08:18:52.0858 3272 [ 6a6c106d42e9ffff8b9fcb4f754f6da4 ] SiSRaid4 C:\Windows\system32\drivers\sisraid4.sys
08:18:52.0863 3272 SiSRaid4 - ok
08:18:52.0968 3272 [ 548260a7b8654e024dc30bf8a7c5baa4 ] Smb C:\Windows\system32\DRIVERS\smb.sys
08:18:52.0976 3272 Smb - ok
08:18:53.0130 3272 [ 6313f223e817cc09aa41811daa7f541d ] SNMPTRAP C:\Windows\System32\snmptrap.exe
08:18:53.0150 3272 SNMPTRAP - ok
08:18:53.0189 3272 [ b9e31e5cacdfe584f34f730a677803f9 ] spldr C:\Windows\system32\drivers\spldr.sys
08:18:53.0193 3272 spldr - ok
08:18:53.0340 3272 [ b96c17b5dc1424d56eea3a99e97428cd ] Spooler C:\Windows\System32\spoolsv.exe
08:18:53.0459 3272 Spooler - ok
08:18:56.0236 3272 [ e17e0188bb90fae42d83e98707efa59c ] sppsvc C:\Windows\system32\sppsvc.exe
08:18:56.0279 3272 sppsvc - ok
08:18:56.0407 3272 [ 93d7d61317f3d4bc4f4e9f8a96a7de45 ] sppuinotify C:\Windows\system32\sppuinotify.dll
08:18:57.0086 3272 sppuinotify - ok
08:18:57.0819 3272 [ 441fba48bff01fdb9d5969ebc1838f0b ] srv C:\Windows\system32\DRIVERS\srv.sys
08:18:58.0144 3272 srv - ok
08:18:58.0340 3272 [ b4adebbf5e3677cce9651e0f01f7cc28 ] srv2 C:\Windows\system32\DRIVERS\srv2.sys
08:18:58.0413 3272 srv2 - ok
08:18:58.0488 3272 [ 27e461f0be5bff5fc737328f749538c3 ] srvnet C:\Windows\system32\DRIVERS\srvnet.sys
08:18:58.0574 3272 srvnet - ok
08:18:58.0820 3272 [ 51b52fbd583cde8aa9ba62b8b4298f33 ] SSDPSRV C:\Windows\System32\ssdpsrv.dll
08:18:58.0827 3272 SSDPSRV - ok
08:18:58.0956 3272 [ ab7aebf58dad8daab7a6c45e6a8885cb ] SstpSvc C:\Windows\system32\sstpsvc.dll
08:18:58.0961 3272 SstpSvc - ok
08:18:59.0073 3272 [ f3817967ed533d08327dc73bc4d5542a ] stexstor C:\Windows\system32\drivers\stexstor.sys
08:18:59.0077 3272 stexstor - ok
08:18:59.0291 3272 [ 8dd52e8e6128f4b2da92ce27402871c1 ] stisvc C:\Windows\System32\wiaservc.dll
08:18:59.0391 3272 stisvc - ok
08:19:00.0147 3272 [ 7731f46ec0d687a931cba063e8f90ef0 ] stllssvr C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe
08:19:00.0699 3272 stllssvr - ok
08:19:00.0892 3272 [ d01ec09b6711a5f8e7e6564a4d0fbc90 ] swenum C:\Windows\system32\DRIVERS\swenum.sys
08:19:00.0906 3272 swenum - ok
08:19:01.0161 3272 [ e08e46fdd841b7184194011ca1955a0b ] swprv C:\Windows\System32\swprv.dll
08:19:01.0175 3272 swprv - ok
08:19:02.0817 3272 [ bf9ccc0bf39b418c8d0ae8b05cf95b7d ] SysMain C:\Windows\system32\sysmain.dll
08:19:03.0698 3272 SysMain - ok
08:19:03.0920 3272 [ e3c61fd7b7c2557e1f1b0b4cec713585 ] TabletInputService C:\Windows\System32\TabSvc.dll
08:19:04.0241 3272 TabletInputService - ok
08:19:04.0956 3272 [ 40f0849f65d13ee87b9a9ae3c1dd6823 ] TapiSrv C:\Windows\System32\tapisrv.dll
08:19:05.0060 3272 TapiSrv - ok
08:19:05.0201 3272 [ 1be03ac720f4d302ea01d40f588162f6 ] TBS C:\Windows\System32\tbssvc.dll
08:19:05.0205 3272 TBS - ok
08:19:06.0370 3272 [ acb82bda8f46c84f465c1afa517dc4b9 ] Tcpip C:\Windows\system32\drivers\tcpip.sys
08:19:07.0411 3272 Tcpip - ok
08:19:08.0646 3272 [ acb82bda8f46c84f465c1afa517dc4b9 ] TCPIP6 C:\Windows\system32\DRIVERS\tcpip.sys
08:19:08.0664 3272 TCPIP6 - ok
08:19:08.0762 3272 [ df687e3d8836bfb04fcc0615bf15a519 ] tcpipreg C:\Windows\system32\drivers\tcpipreg.sys
08:19:09.0116 3272 tcpipreg - ok
08:19:09.0283 3272 [ 3371d21011695b16333a3934340c4e7c ] TDPIPE C:\Windows\system32\drivers\tdpipe.sys
08:19:09.0289 3272 TDPIPE - ok
08:19:09.0342 3272 [ 51c5eceb1cdee2468a1748be550cfbc8 ] TDTCP C:\Windows\system32\drivers\tdtcp.sys
08:19:09.0404 3272 TDTCP - ok
08:19:09.0866 3272 [ ddad5a7ab24d8b65f8d724f5c20fd806 ] tdx C:\Windows\system32\DRIVERS\tdx.sys
08:19:10.0006 3272 tdx - ok
08:19:10.0159 3272 [ 561e7e1f06895d78de991e01dd0fb6e5 ] TermDD C:\Windows\system32\DRIVERS\termdd.sys
08:19:10.0239 3272 TermDD - ok
08:19:10.0401 3272 [ 2e648163254233755035b46dd7b89123 ] TermService C:\Windows\System32\termsrv.dll
08:19:10.0518 3272 TermService - ok
08:19:10.0627 3272 [ f0344071948d1a1fa732231785a0664c ] Themes C:\Windows\system32\themeservice.dll
08:19:10.0637 3272 Themes - ok
08:19:10.0801 3272 [ e40e80d0304a73e8d269f7141d77250b ] THREADORDER C:\Windows\system32\mmcss.dll
08:19:10.0803 3272 THREADORDER - ok
08:19:11.0046 3272 [ 7e7afd841694f6ac397e99d75cead49d ] TrkWks C:\Windows\System32\trkwks.dll
08:19:11.0053 3272 TrkWks - ok
08:19:11.0404 3272 [ 773212b2aaa24c1e31f10246b15b276c ] TrustedInstaller C:\Windows\servicing\TrustedInstaller.exe
08:19:11.0474 3272 TrustedInstaller - ok
08:19:11.0752 3272 [ ce18b2cdfc837c99e5fae9ca6cba5d30 ] tssecsrv C:\Windows\system32\DRIVERS\tssecsrv.sys
08:19:11.0915 3272 tssecsrv - ok
08:19:11.0993 3272 [ d11c783e3ef9a3c52c0ebe83cc5000e9 ] TsUsbFlt C:\Windows\system32\drivers\tsusbflt.sys
08:19:12.0168 3272 TsUsbFlt - ok
08:19:12.0398 3272 [ 9cc2ccae8a84820eaecb886d477cbcb8 ] TsUsbGD C:\Windows\system32\drivers\TsUsbGD.sys
08:19:12.0596 3272 TsUsbGD - ok
08:19:12.0973 3272 [ 3566a8daafa27af944f5d705eaa64894 ] tunnel C:\Windows\system32\DRIVERS\tunnel.sys
08:19:13.0044 3272 tunnel - ok
08:19:13.0074 3272 [ b4dd609bd7e282bfc683cec7eaaaad67 ] uagp35 C:\Windows\system32\drivers\uagp35.sys
08:19:13.0078 3272 uagp35 - ok
08:19:13.0297 3272 [ ff4232a1a64012baa1fd97c7b67df593 ] udfs C:\Windows\system32\DRIVERS\udfs.sys
08:19:13.0386 3272 udfs - ok
08:19:13.0545 3272 [ 3cbdec8d06b9968aba702eba076364a1 ] UI0Detect C:\Windows\system32\UI0Detect.exe
08:19:13.0551 3272 UI0Detect - ok
08:19:13.0720 3272 [ 4bfe1bc28391222894cbf1e7d0e42320 ] uliagpkx C:\Windows\system32\drivers\uliagpkx.sys
08:19:13.0723 3272 uliagpkx - ok
08:19:13.0958 3272 [ dc54a574663a895c8763af0fa1ff7561 ] umbus C:\Windows\system32\DRIVERS\umbus.sys
08:19:14.0049 3272 umbus - ok
08:19:14.0206 3272 [ b2e8e8cb557b156da5493bbddcc1474d ] UmPass C:\Windows\system32\drivers\umpass.sys
08:19:14.0297 3272 UmPass - ok
08:19:14.0774 3272 [ d47ec6a8e81633dd18d2436b19baf6de ] upnphost C:\Windows\System32\upnphost.dll
08:19:14.0783 3272 upnphost - ok
08:19:14.0923 3272 [ aa33fc47ed58c34e6e9261e4f850b7eb ] USBAAPL64 C:\Windows\system32\Drivers\usbaapl64.sys
08:19:15.0044 3272 USBAAPL64 - ok
08:19:15.0203 3272 [ 82e8f44688e6fac57b5b7c6fc7adbc2a ] usbaudio C:\Windows\system32\drivers\usbaudio.sys
08:19:15.0369 3272 usbaudio - ok
08:19:15.0540 3272 [ 19ad7990c0b67e48dac5b26f99628223 ] usbccgp C:\Windows\system32\DRIVERS\usbccgp.sys
08:19:15.0592 3272 usbccgp - ok
08:19:16.0454 3272 [ af0892a803fdda7492f595368e3b68e7 ] usbcir C:\Windows\system32\drivers\usbcir.sys
08:19:16.0466 3272 usbcir - ok
08:19:16.0825 3272 [ c025055fe7b87701eb042095df1a2d7b ] usbehci C:\Windows\system32\DRIVERS\usbehci.sys
08:19:16.0912 3272 usbehci - ok
08:19:17.0029 3272 [ 287c6c9410b111b68b52ca298f7b8c24 ] usbhub C:\Windows\system32\DRIVERS\usbhub.sys
08:19:17.0088 3272 usbhub - ok
08:19:17.0174 3272 [ 9840fc418b4cbd632d3d0a667a725c31 ] usbohci C:\Windows\system32\DRIVERS\usbohci.sys
08:19:17.0474 3272 usbohci - ok
08:19:17.0550 3272 [ 73188f58fb384e75c4063d29413cee3d ] usbprint C:\Windows\system32\drivers\usbprint.sys
08:19:17.0553 3272 usbprint - ok
08:19:17.0623 3272 [ fed648b01349a3c8395a5169db5fb7d6 ] USBSTOR C:\Windows\system32\DRIVERS\USBSTOR.SYS
08:19:17.0698 3272 USBSTOR - ok
08:19:17.0819 3272 [ 62069a34518bcf9c1fd9e74b3f6db7cd ] usbuhci C:\Windows\system32\drivers\usbuhci.sys
08:19:17.0931 3272 usbuhci - ok
08:19:18.0035 3272 [ edbb23cbcf2cdf727d64ff9b51a6070e ] UxSms C:\Windows\System32\uxsms.dll
08:19:18.0046 3272 UxSms - ok
08:19:18.0099 3272 [ c118a82cd78818c29ab228366ebf81c3 ] VaultSvc C:\Windows\system32\lsass.exe
08:19:18.0100 3272 VaultSvc - ok
08:19:18.0202 3272 [ c5c876ccfc083ff3b128f933823e87bd ] vdrvroot C:\Windows\system32\drivers\vdrvroot.sys
08:19:18.0208 3272 vdrvroot - ok
08:19:18.0642 3272 [ 8d6b481601d01a456e75c3210f1830be ] vds C:\Windows\System32\vds.exe
08:19:18.0963 3272 vds - ok
08:19:19.0099 3272 [ da4da3f5e02943c2dc8c6ed875de68dd ] vga C:\Windows\system32\DRIVERS\vgapnp.sys
08:19:19.0153 3272 vga - ok
08:19:19.0288 3272 [ 53e92a310193cb3c03bea963de7d9cfc ] VgaSave C:\Windows\System32\drivers\vga.sys
08:19:19.0302 3272 VgaSave - ok
08:19:19.0491 3272 [ 2ce2df28c83aeaf30084e1b1eb253cbb ] vhdmp C:\Windows\system32\drivers\vhdmp.sys
08:19:20.0327 3272 vhdmp - ok
08:19:20.0766 3272 [ e5689d93ffe4e5d66c0178761240dd54 ] viaide C:\Windows\system32\drivers\viaide.sys
08:19:20.0773 3272 viaide - ok
08:19:20.0874 3272 [ d2aafd421940f640b407aefaaebd91b0 ] volmgr C:\Windows\system32\drivers\volmgr.sys
08:19:21.0008 3272 volmgr - ok
08:19:21.0244 3272 [ a255814907c89be58b79ef2f189b843b ] volmgrx C:\Windows\system32\drivers\volmgrx.sys
08:19:21.0471 3272 volmgrx - ok
08:19:21.0730 3272 [ 0d08d2f3b3ff84e433346669b5e0f639 ] volsnap C:\Windows\system32\drivers\volsnap.sys
08:19:22.0098 3272 volsnap - ok
08:19:22.0292 3272 [ 5e2016ea6ebaca03c04feac5f330d997 ] vsmraid C:\Windows\system32\drivers\vsmraid.sys
08:19:22.0299 3272 vsmraid - ok
08:19:23.0231 3272 [ b60ba0bc31b0cb414593e169f6f21cc2 ] VSS C:\Windows\system32\vssvc.exe
08:19:23.0488 3272 VSS - ok
08:19:23.0692 3272 [ 36d4720b72b5c5d9cb2b9c29e9df67a1 ] vwifibus C:\Windows\System32\drivers\vwifibus.sys
08:19:23.0699 3272 vwifibus - ok
08:19:24.0127 3272 [ 1c9d80cc3849b3788048078c26486e1a ] W32Time C:\Windows\system32\w32time.dll
08:19:24.0137 3272 W32Time - ok
08:19:24.0301 3272 [ 4e9440f4f152a7b944cb1663d3935a3e ] WacomPen C:\Windows\system32\drivers\wacompen.sys
08:19:24.0308 3272 WacomPen - ok
08:19:24.0522 3272 [ 356afd78a6ed4457169241ac3965230c ] WANARP C:\Windows\system32\DRIVERS\wanarp.sys
08:19:24.0608 3272 WANARP - ok
08:19:24.0638 3272 [ 356afd78a6ed4457169241ac3965230c ] Wanarpv6 C:\Windows\system32\DRIVERS\wanarp.sys
08:19:24.0639 3272 Wanarpv6 - ok
08:19:24.0912 3272 [ eceb715bece47e101ddec06b11126066 ] wanatw C:\Windows\system32\DRIVERS\wanatw64.sys
08:19:25.0006 3272 wanatw - ok
08:19:26.0740 3272 [ 3cec96de223e49eaae3651fcf8faea6c ] WatAdminSvc C:\Windows\system32\Wat\WatAdminSvc.exe
08:19:27.0664 3272 WatAdminSvc - ok
08:19:28.0135 3272 [ 78f4e7f5c56cb9716238eb57da4b6a75 ] wbengine C:\Windows\system32\wbengine.exe
08:19:28.0509 3272 wbengine - ok
08:19:28.0586 3272 [ 3aa101e8edab2db4131333f4325c76a3 ] WbioSrvc C:\Windows\System32\wbiosrvc.dll
08:19:28.0594 3272 WbioSrvc - ok
08:19:28.0778 3272 [ 7368a2afd46e5a4481d1de9d14848edd ] wcncsvc C:\Windows\System32\wcncsvc.dll
08:19:28.0948 3272 wcncsvc - ok
08:19:29.0044 3272 [ 20f7441334b18cee52027661df4a6129 ] WcsPlugInService C:\Windows\System32\WcsPlugInService.dll
08:19:29.0047 3272 WcsPlugInService - ok
08:19:29.0179 3272 [ 72889e16ff12ba0f235467d6091b17dc ] Wd C:\Windows\system32\drivers\wd.sys
08:19:29.0184 3272 Wd - ok
08:19:29.0244 3272 [ 441bd2d7b4f98134c3a4f9fa570fd250 ] Wdf01000 C:\Windows\system32\drivers\Wdf01000.sys
08:19:29.0259 3272 Wdf01000 - ok
08:19:29.0422 3272 [ bf1fc3f79b863c914687a737c2f3d681 ] WdiServiceHost C:\Windows\system32\wdi.dll
08:19:29.0429 3272 WdiServiceHost - ok
08:19:29.0437 3272 [ bf1fc3f79b863c914687a737c2f3d681 ] WdiSystemHost C:\Windows\system32\wdi.dll
08:19:29.0439 3272 WdiSystemHost - ok
08:19:29.0508 3272 [ 3db6d04e1c64272f8b14eb8bc4616280 ] WebClient C:\Windows\System32\webclnt.dll
08:19:29.0615 3272 WebClient - ok
08:19:29.0910 3272 [ c749025a679c5103e575e3b48e092c43 ] Wecsvc C:\Windows\system32\wecsvc.dll
08:19:30.0099 3272 Wecsvc - ok
08:19:30.0434 3272 [ 7e591867422dc788b9e5bd337a669a08 ] wercplsupport C:\Windows\System32\wercplsupport.dll
08:19:30.0501 3272 wercplsupport - ok
08:19:30.0538 3272 [ 6d137963730144698cbd10f202e9f251 ] WerSvc C:\Windows\System32\WerSvc.dll
08:19:30.0541 3272 WerSvc - ok
08:19:30.0926 3272 [ 611b23304bf067451a9fdee01fbdd725 ] WfpLwf C:\Windows\system32\DRIVERS\wfplwf.sys
08:19:31.0033 3272 WfpLwf - ok
08:19:31.0142 3272 [ b14ef15bd757fa488f9c970eee9c0d35 ] WimFltr C:\Windows\system32\DRIVERS\wimfltr.sys
08:19:31.0400 3272 WimFltr - ok
08:19:31.0486 3272 [ 05ecaec3e4529a7153b3136ceb49f0ec ] WIMMount C:\Windows\system32\drivers\wimmount.sys
08:19:31.0554 3272 WIMMount - ok
08:19:31.0728 3272 WinHttpAutoProxySvc - ok
08:19:34.0208 3272 [ 19b07e7e8915d701225da41cb3877306 ] Winmgmt C:\Windows\system32\wbem\WMIsvc.dll
08:19:35.0840 3272 Winmgmt - ok
08:19:36.0457 3272 [ bcb1310604aa415c4508708975b3931e ] WinRM C:\Windows\system32\WsmSvc.dll
08:19:36.0617 3272 WinRM - ok
08:19:36.0881 3272 [ fe88b288356e7b47b74b13372add906d ] WinUsb C:\Windows\system32\DRIVERS\WinUsb.sys
08:19:36.0982 3272 WinUsb - ok
08:19:37.0186 3272 [ 4fada86e62f18a1b2f42ba18ae24e6aa ] Wlansvc C:\Windows\System32\wlansvc.dll
08:19:37.0204 3272 Wlansvc - ok
08:19:37.0451 3272 [ 06c8fa1cf39de6a735b54d906ba791c6 ] wlcrasvc C:\Program Files\Windows Live\Mesh\wlcrasvc.exe
08:19:37.0514 3272 wlcrasvc - ok
08:19:39.0244 3272 [ 2bacd71123f42cea603f4e205e1ae337 ] wlidsvc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
08:19:39.0441 3272 wlidsvc - ok
08:19:39.0518 3272 [ f6ff8944478594d0e414d3f048f0d778 ] WmiAcpi C:\Windows\system32\drivers\wmiacpi.sys
08:19:39.0523 3272 WmiAcpi - ok
08:19:39.0656 3272 [ 38b84c94c5a8af291adfea478ae54f93 ] wmiApSrv C:\Windows\system32\wbem\WmiApSrv.exe
08:19:39.0663 3272 wmiApSrv - ok
08:19:39.0813 3272 WMPNetworkSvc - ok
08:19:39.0945 3272 [ 96c6e7100d724c69fcf9e7bf590d1dca ] WPCSvc C:\Windows\System32\wpcsvc.dll
08:19:39.0967 3272 WPCSvc - ok
08:19:40.0029 3272 [ 93221146d4ebbf314c29b23cd6cc391d ] WPDBusEnum C:\Windows\system32\wpdbusenum.dll
08:19:40.0070 3272 WPDBusEnum - ok
08:19:40.0220 3272 [ 6bcc1d7d2fd2453957c5479a32364e52 ] ws2ifsl C:\Windows\system32\drivers\ws2ifsl.sys
08:19:40.0224 3272 ws2ifsl - ok
08:19:40.0232 3272 WSearch - ok
08:19:40.0262 3272 [ d3381dc54c34d79b22cee0d65ba91b7c ] WudfPf C:\Windows\system32\drivers\WudfPf.sys
08:19:40.0377 3272 WudfPf - ok
08:19:40.0701 3272 [ cf8d590be3373029d57af80914190682 ] WUDFRd C:\Windows\system32\DRIVERS\WUDFRd.sys
08:19:40.0915 3272 WUDFRd - ok
08:19:41.0068 3272 [ 7a95c95b6c4cf292d689106bcae49543 ] wudfsvc C:\Windows\System32\WUDFSvc.dll
08:19:41.0183 3272 wudfsvc - ok
08:19:41.0496 3272 [ 9a3452b3c2a46c073166c5cf49fad1ae ] WwanSvc C:\Windows\System32\wwansvc.dll
08:19:42.0785 3272 WwanSvc - ok
08:19:42.0988 3272 ================ Scan global ===============================
08:19:43.0332 3272 (ba0cd8c393e8c9f83354106093832c7b) C:\Windows\system32\basesrv.dll
08:19:43.0470 3272 (eb6a48cc998e1090e44e8e7f1009a640) C:\Windows\system32\winsrv.dll
08:19:43.0529 3272 (eb6a48cc998e1090e44e8e7f1009a640) C:\Windows\system32\winsrv.dll
08:19:43.0748 3272 (d6160f9d869ba3af0b787f971db56368) C:\Windows\system32\sxssrv.dll
08:19:44.0354 3272 (014a9cb92514e27c0107614df764bc06) C:\Windows\system32\services.exe
08:19:44.0454 3272 C:\Windows\system32\services.exe ( Virus.Win64.ZAccess.b ) - infected
08:19:44.0454 3272 C:\Windows\system32\services.exe - detected Virus.Win64.ZAccess.b (0)
08:19:44.0457 3272 ================ Scan MBR ==================================
08:19:44.0538 3272 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
08:19:44.0539 3272 Suspicious mbr (Forged): \Device\Harddisk0\DR0
08:19:44.0884 3272 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected
08:19:44.0884 3272 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0)
08:19:44.0887 3272 ================ Scan VBR ==================================
08:19:44.0921 3272 Boot (0x1200) (3de05de539a4c549b7b32ac47b6f7cc0) \Device\Harddisk0\DR0\Partition1
08:19:44.0924 3272 \Device\Harddisk0\DR0\Partition1 - ok
08:19:45.0000 3272 Boot (0x1200) (fdb42d52ad1b531670dfee0f3d54114c) \Device\Harddisk0\DR0\Partition2
08:19:45.0004 3272 \Device\Harddisk0\DR0\Partition2 - ok
08:19:45.0008 3272 ============================================================
08:19:45.0008 3272 Scan finished
08:19:45.0008 3272 ============================================================
08:19:45.0024 0944 Detected object count: 2
08:19:45.0024 0944 Actual detected object count: 2
08:20:01.0569 0944 C:\Windows\system32\services.exe - copied to quarantine
08:20:26.0258 0944 C:\Windows\assembly\GAC_32\desktop.ini - copied to quarantine
08:20:26.0604 0944 C:\Windows\assembly\GAC_64\desktop.ini - copied to quarantine
08:20:26.0943 0944 C:\Windows\installer\{0061fc47-3411-b13e-500b-5f585284f979}\@ - copied to quarantine
08:20:27.0297 0944 C:\Windows\installer\{0061fc47-3411-b13e-500b-5f585284f979}\L\00000004.@ - copied to quarantine
08:20:27.0302 0944 C:\Windows\installer\{0061fc47-3411-b13e-500b-5f585284f979}\U\00000004.@ - copied to quarantine
08:20:27.0388 0944 C:\Windows\installer\{0061fc47-3411-b13e-500b-5f585284f979}\U\00000008.@ - copied to quarantine
08:20:27.0479 0944 C:\Windows\installer\{0061fc47-3411-b13e-500b-5f585284f979}\U\000000cb.@ - copied to quarantine
08:20:27.0564 0944 C:\Windows\installer\{0061fc47-3411-b13e-500b-5f585284f979}\U\80000000.@ - copied to quarantine
08:20:27.0654 0944 C:\Windows\installer\{0061fc47-3411-b13e-500b-5f585284f979}\U\80000032.@ - copied to quarantine
08:20:27.0908 0944 C:\Windows\installer\{0061fc47-3411-b13e-500b-5f585284f979}\U\80000064.@ - copied to quarantine
08:24:43.0631 0944 Backup copy found, using it..
08:24:53.0715 0944 C:\Windows\assembly\GAC_32\desktop.ini - will be deleted on reboot
08:24:53.0875 0944 C:\Windows\assembly\GAC_64\desktop.ini - will be deleted on reboot
08:24:55.0560 0944 C:\Windows\installer\{0061fc47-3411-b13e-500b-5f585284f979}\@ - will be deleted on reboot
08:24:55.0767 0944 C:\Windows\installer\{0061fc47-3411-b13e-500b-5f585284f979}\U\00000004.@ - will be deleted on reboot
08:24:55.0768 0944 C:\Windows\installer\{0061fc47-3411-b13e-500b-5f585284f979}\U\00000008.@ - will be deleted on reboot
08:24:55.0787 0944 C:\Windows\installer\{0061fc47-3411-b13e-500b-5f585284f979}\U\000000cb.@ - will be deleted on reboot
08:24:55.0787 0944 C:\Windows\installer\{0061fc47-3411-b13e-500b-5f585284f979}\U\80000000.@ - will be deleted on reboot
08:24:55.0787 0944 C:\Windows\installer\{0061fc47-3411-b13e-500b-5f585284f979}\U\80000032.@ - will be deleted on reboot
08:24:55.0787 0944 C:\Windows\installer\{0061fc47-3411-b13e-500b-5f585284f979}\U\80000064.@ - will be deleted on reboot
08:25:01.0079 0944 C:\Windows\system32\services.exe - will be cured on reboot
08:25:01.0079 0944 C:\Windows\system32\services.exe ( Virus.Win64.ZAccess.b ) - User select action: Cure
08:25:14.0172 0944 \Device\Harddisk0\DR0\# - copied to quarantine
08:25:14.0383 0944 \Device\Harddisk0\DR0 - copied to quarantine
08:25:47.0582 0944 \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
08:26:01.0454 0944 \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
08:26:10.0833 0944 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
08:26:21.0618 0944 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
08:26:37.0043 0944 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
08:26:47.0215 0944 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
08:26:47.0332 0944 \Device\Harddisk0\DR0\TDLFS\servers.dat - copied to quarantine
08:26:47.0362 0944 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
08:26:47.0487 0944 \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
08:26:47.0533 0944 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
08:26:47.0921 0944 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
08:26:48.0038 0944 \Device\Harddisk0\DR0\TDLFS\s - copied to quarantine
08:26:48.0067 0944 \Device\Harddisk0\DR0\TDLFS\ldrm - copied to quarantine
08:26:48.0111 0944 \Device\Harddisk0\DR0\TDLFS\u - copied to quarantine
08:26:50.0006 0944 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
08:26:50.0192 0944 \Device\Harddisk0\DR0 - ok
08:26:53.0540 0944 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure
08:57:29.0115 0160 Deinitialize success



And here is the aswMBR log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-18 09:02:41
-----------------------------
09:02:41.912 OS Version: Windows x64 6.1.7601 Service Pack 1
09:02:41.912 Number of processors: 1 586 0x602
09:02:41.912 ComputerName: TONY-PC UserName: Tony
09:02:43.613 Initialize success
09:03:43.634 AVAST engine defs: 12081800
09:04:03.306 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
09:04:03.306 Disk 0 Vendor: WDC_WD5000AAKX-753CA1 19.01H19 Size: 476940MB BusType: 11
09:04:03.337 Disk 0 MBR read successfully
09:04:03.337 Disk 0 MBR scan
09:04:03.992 Disk 0 Windows VISTA default MBR code
09:04:04.008 Disk 0 Partition 1 00 DE Dell Utility DELL 4.1 39 MB offset 63
09:04:04.023 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 15166 MB offset 81920
09:04:04.039 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 461733 MB offset 31141888
09:04:04.054 Disk 0 scanning C:\Windows\system32\drivers
09:04:20.824 Service scanning
09:04:58.530 Modules scanning
09:04:58.561 Disk 0 trace - called modules:
09:04:58.577 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
09:04:59.091 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800250b6f0]
09:04:59.091 3 CLASSPNP.SYS[fffff88001b8c43f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80024af060]
09:05:00.074 AVAST engine scan C:\Windows
09:05:14.379 AVAST engine scan C:\Windows\system32
09:13:24.586 AVAST engine scan C:\Windows\system32\drivers
09:13:51.153 AVAST engine scan C:\Users\Tony
09:31:05.137 AVAST engine scan C:\ProgramData
09:48:31.942 Scan finished successfully
09:52:09.775 Disk 0 MBR has been saved successfully to "C:\Users\Tony\Desktop\MBR.dat"
09:52:09.838 The log file has been saved successfully to "C:\Users\Tony\Desktop\aswMBR.txt"

#8 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 18 August 2012 - 11:59 AM

Hello TKTheKid

I want you to run ComboFix next and let me know how the computer is doing when you are finished running it.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run ComboFix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download ComboFix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on ComboFix.exe and follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following:
  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 TKTheKid

  • Topic Starter

  • Members
  • 36 posts

Posted 18 August 2012 - 02:39 PM

This time ComboFix ran smoothly. There were no problems. The log is below:

ComboFix 12-08-18.03 - Tony 08/18/2012 15:20:18.2.1 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1791.955 [GMT -4:00]
Running from: c:\users\Tony\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\svchost.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-07-18 to 2012-08-18 )))))))))))))))))))))))))))))))
.
.
2012-08-18 19:28 . 2012-08-18 19:28 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-09 01:22 . 2012-08-09 01:27 -------- d-----w- c:\users\Tony\AppData\Local\Microsoft Games
2012-08-08 23:25 . 2012-08-08 23:25 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-08 23:22 . 2012-08-08 23:22 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-07-29 17:25 . 2012-07-29 17:25 19720 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-07-29 17:21 . 2012-07-29 17:21 15712 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\8eab04671cd6dae02\MeshBetaRemover.exe
2012-07-29 17:21 . 2012-07-29 17:21 537432 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\8cf75a961cd6dae01\DXSETUP.exe
2012-07-29 17:21 . 2012-07-29 17:21 89944 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\8cf75a961cd6dae01\DSETUP.dll
2012-07-29 17:21 . 2012-07-29 17:21 1801048 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\8cf75a961cd6dae01\dsetup32.dll
2012-07-29 17:16 . 2012-07-29 18:26 -------- d-----w- c:\users\Tony\AppData\Local\Windows Live
2012-07-28 17:59 . 2012-08-07 18:54 -------- d-----w- c:\programdata\Tarma Installer
2012-07-28 17:16 . 2012-07-28 21:14 -------- d-----w- c:\users\Tony\AppData\Roaming\Audacity
2012-07-28 17:15 . 2012-07-28 17:16 -------- d-----w- c:\program files (x86)\Audacity
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-18 13:00 . 2009-07-13 23:19 328704 ----a-w- c:\windows\system32\services.exe
2012-08-08 23:25 . 2011-11-02 17:13 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-11 05:30 . 2011-11-25 19:06 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-07-03 17:46 . 2011-11-25 01:53 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-12 03:08 . 2012-07-11 05:32 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-06-09 05:43 . 2012-07-10 21:57 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-06-06 06:06 . 2012-07-10 21:58 2004480 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 06:06 . 2012-07-10 21:58 1881600 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 06:02 . 2012-07-10 21:57 1133568 ----a-w- c:\windows\system32\cdosys.dll
2012-06-06 05:05 . 2012-07-10 21:58 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-06 05:05 . 2012-07-10 21:58 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-06 05:03 . 2012-07-10 21:57 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
2012-06-02 22:19 . 2012-06-27 01:40 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-27 01:40 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-27 01:41 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-27 01:41 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-27 01:40 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-27 01:40 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-27 01:40 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-27 01:40 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:15 . 2012-06-27 01:40 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 12:49 . 2012-07-11 05:29 17807360 ----a-w- c:\windows\system32\mshtml.dll
2012-06-02 12:17 . 2012-07-11 05:29 10924032 ----a-w- c:\windows\system32\ieframe.dll
2012-06-02 12:12 . 2012-07-11 05:29 2311680 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 12:05 . 2012-07-11 05:29 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-06-02 12:05 . 2012-07-11 05:29 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 12:04 . 2012-07-11 05:29 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 12:04 . 2012-07-11 05:29 237056 ----a-w- c:\windows\system32\url.dll
2012-06-02 12:03 . 2012-07-11 05:29 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-06-02 12:01 . 2012-07-11 05:29 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 12:00 . 2012-07-11 05:29 818688 ----a-w- c:\windows\system32\jscript.dll
2012-06-02 11:59 . 2012-07-11 05:29 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-06-02 11:57 . 2012-07-11 05:29 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-06-02 11:57 . 2012-07-11 05:29 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 11:54 . 2012-07-11 05:29 248320 ----a-w- c:\windows\system32\ieui.dll
2012-06-02 08:33 . 2012-07-11 05:29 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-06-02 08:25 . 2012-07-11 05:29 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-06-02 08:25 . 2012-07-11 05:29 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-06-02 08:20 . 2012-07-11 05:29 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-06-02 08:16 . 2012-07-11 05:29 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-06-02 05:50 . 2012-07-10 21:57 458704 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 05:48 . 2012-07-10 21:57 95600 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 05:48 . 2012-07-10 21:57 151920 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 05:45 . 2012-07-10 21:57 340992 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 05:44 . 2012-07-10 21:57 307200 ----a-w- c:\windows\system32\ncrypt.dll
2012-06-02 04:40 . 2012-07-10 21:57 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2012-06-02 04:40 . 2012-07-10 21:57 225280 ----a-w- c:\windows\SysWow64\schannel.dll
2012-06-02 04:39 . 2012-07-10 21:57 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll
2012-06-02 04:34 . 2012-07-10 21:57 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-12_22.38.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-08-18 04:20 . 2012-08-18 11:45 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012081820120819\index.dat
+ 2012-08-17 21:13 . 2012-08-18 02:37 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012081720120818\index.dat
+ 2012-08-16 22:47 . 2012-08-16 22:47 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012081620120817\index.dat
+ 2012-08-16 01:42 . 2012-08-16 00:45 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012081520120816\index.dat
+ 2012-08-14 22:35 . 2012-08-14 22:34 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012081420120815\index.dat
+ 2012-08-13 12:24 . 2012-08-13 12:16 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012081320120814\index.dat
+ 2012-08-13 12:24 . 2012-08-13 12:16 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012080620120813\index.dat
+ 2012-08-17 03:30 . 2012-08-17 03:31 24576 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EFB0D94B-E81B-11E1-BEFD-00038A000015}.dat
+ 2012-08-16 22:47 . 2012-08-16 22:47 14336 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4D1B91E5-E7F4-11E1-BEFD-00038A000015}.dat
+ 2012-08-18 01:36 . 2012-08-18 01:36 27648 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1BCB4FE7-E8D5-11E1-91A9-00038A000015}.dat
+ 2012-08-07 18:58 . 2012-08-18 11:45 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
+ 2012-08-08 23:22 . 2012-08-18 12:43 16384 c:\windows\SysWOW64\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
- 2012-08-08 23:22 . 2012-08-12 21:54 16384 c:\windows\SysWOW64\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
+ 2012-08-08 23:30 . 2012-08-18 05:32 32768 c:\windows\SysWOW64\%APPDATA%\Microsoft\Internet Explorer\UserData\index.dat
- 2012-08-08 23:30 . 2012-08-12 21:04 32768 c:\windows\SysWOW64\%APPDATA%\Microsoft\Internet Explorer\UserData\index.dat
+ 2012-08-16 22:47 . 2012-08-17 03:30 5632 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4D1B91E4-E7F4-11E1-BEFD-00038A000015}.dat
+ 2012-08-18 01:36 . 2012-08-18 01:36 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0F7D4299-E8D5-11E1-91A9-00038A000015}.dat
+ 2012-08-18 19:29 . 2012-08-18 19:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-08-12 22:35 . 2012-08-12 22:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-08-12 22:35 . 2012-08-12 22:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-18 19:29 . 2012-08-18 19:29 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 04:46 . 2012-08-18 12:23 102352 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2011-11-25 05:58 . 2012-08-10 22:26 393008 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-11-25 05:58 . 2012-08-18 19:15 393008 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2009-07-14 05:01 . 2012-08-12 22:35 268268 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-08-18 19:28 268268 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-11-25 05:58 . 2012-08-18 19:14 530088 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1993072558-3099979866-3506296825-1001-12288.dat
- 2011-11-25 05:58 . 2012-02-28 06:02 530088 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1993072558-3099979866-3506296825-1001-12288.dat
+ 2009-07-14 04:54 . 2012-08-18 12:59 3686400 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-08-12 22:36 3686400 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-11-25 05:58 . 2012-08-18 19:28 3141172 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1993072558-3099979866-3506296825-1001-8192.dat
- 2011-11-25 05:58 . 2012-08-11 17:03 2964508 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1993072558-3099979866-3506296825-1001-4096.dat
+ 2011-11-25 05:58 . 2012-08-17 05:26 2964508 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1993072558-3099979866-3506296825-1001-4096.dat
+ 2012-08-07 13:14 . 2012-08-18 12:59 2954864 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-18-16384.dat
+ 2009-07-14 04:54 . 2012-08-18 12:59 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-08-12 22:36 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{28387537-e3f9-4ed7-860c-11e69af4a8a0}]
c:\progra~2\IMESHA~1\MediaBar\Datamngr\ToolBar\wincoreimdtx.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{28387537-e3f9-4ed7-860c-11e69af4a8a0}"= "c:\progra~2\IMESHA~1\MediaBar\Datamngr\ToolBar\wincoreimdtx.dll" [BU]
.
[HKEY_CLASSES_ROOT\clsid\{28387537-e3f9-4ed7-860c-11e69af4a8a0}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-15 98304]
"Dell DataSafe Online"="c:\program files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe" [2010-08-26 1117528]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-04-04 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]
"HostManager"="c:\program files (x86)\Common Files\AOL\1322232433\ee\AOLSoftware.exe" [2010-03-08 41800]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\users\Tony\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
firefox - Shortcut.lnk - c:\program files (x86)\Mozilla Firefox\firefox.exe [2011-11-24 913888]
rkill.com [2010-9-12 363520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 0011921345317134mcinstcleanup;McAfee Application Installer Cleanup (0011921345317134);c:\users\Tony\AppData\Local\Temp\001192~1.EXE [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [x]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe [x]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-19 113120]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc_x64.pkms [2012-04-10 25072]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-02 51712]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-11-25 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 203776]
S2 BingDesktopUpdate;Bing Desktop Update service;c:\program files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe [2012-03-30 151656]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-07-08 1692480]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-20 9319936]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-20 306176]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-08-06 320040]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-25 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
2012-08-18 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-11-10 8321568]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.logmein.com/
mStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\Tony\AppData\Roaming\Mozilla\Firefox\Profiles\kjiek4va.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&btnI=745&q=
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: security.csp.enable - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-10 - (no file)
SafeBoot-51390648.sys
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{28387537-E3F9-4ED7-860C-11E69AF4A8A0}"=hex:51,66,7a,6c,4c,1d,38,12,59,76,2b,
2c,cb,ad,b9,0b,f9,1a,52,a6,9f,aa,ec,b4
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{7DB2D5A0-7241-4E79-B68D-6309F01C5231}"=hex:51,66,7a,6c,4c,1d,38,12,ce,d6,a1,
79,73,3c,17,0b,c9,9b,20,49,f5,42,16,25
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:5b,f8,fb,94,d8,74,cd,01
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
.
**************************************************************************
.
Completion time: 2012-08-18 15:35:42 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-18 19:35
ComboFix2.txt 2012-08-12 22:55
.
Pre-Run: 313,239,531,520 bytes free
Post-Run: 313,892,057,088 bytes free
.
- - End Of File - - 6A7D8FF01B7C8AEC8B2C8B88EF634D78
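A small triage script, added here as an example and not part of the ComboFix output or anything the poster or helper wrote, that reads the two kinds of lines an analyst usually checks first in a log like the one above: the service list (`R2 name;display;image [date size]`, or `[x]` where ComboFix could not find the image; reading `[x]` that way is an assumption) and the Firefox `user.js`/`prefs.js` lines. It flags a service whose image sits under a user-writable path such as `\AppData\Local\Temp`, a service whose image is missing, and Firefox preferences that weaken the browser (`security.csp.enable` forced to false, `extensions.autoDisableScopes` lowered below the default of 15). The sample lines are constructed from the log above; the regexes and the `USER_WRITABLE` list are this example's own choices.

```python
"""Triage the service and Firefox-preference lines of a ComboFix log.

Added example; the regexes encode the line layout seen in the log above.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Service lines:  R2 name;display name;image path [YYYY-MM-DD size]
# Assumption: a trailing "[x]" means ComboFix could not find the image on disk.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"           # R = running, S = stopped; start type
    r"(?P<name>[^;]+);(?P<display>[^;]*);"        # service name ; display name ;
    r"(?P<image>.*?)\s*\[(?P<tail>[^\]]*)\]\s*$"  # image (+args) then [date size] or [x]
)

# Firefox lines:  FF - user.js: pref.name - value
FF_RE = re.compile(r"^FF - (?P<file>prefs\.js|user\.js): (?P<pref>\S+) - (?P<value>.*)$")

# A service image should never live under a user-writable path.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\")

# Preferences whose listed value weakens the browser. Values are compared as
# ComboFix prints them (strings).
RISKY_FF_PREFS: Dict[str, Callable[[str], bool]] = {
    # Turning Content Security Policy off browser-wide.
    "security.csp.enable": lambda v: v.strip().lower() == "false",
    # Default is 15 (auto-disable new add-ons in every install scope); any
    # lower value lets add-ons dropped into some scope activate silently.
    "extensions.autoDisableScopes": lambda v: v.strip().isdigit() and int(v) < 15,
}


@dataclass
class Finding:
    source: str                       # service name or preference name
    reasons: List[str] = field(default_factory=list)


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious service or preference line."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        svc = SERVICE_RE.match(line)
        if svc:
            reasons = []
            if svc["tail"].strip().lower() == "x":
                reasons.append("image not found on disk")
            if any(marker in svc["image"].lower() for marker in USER_WRITABLE):
                reasons.append("image in user-writable location")
            if reasons:
                findings.append(Finding(svc["name"], reasons))
            continue
        ff = FF_RE.match(line)
        if ff:
            check = RISKY_FF_PREFS.get(ff["pref"])
            if check and check(ff["value"]):
                where = "user.js (re-applied at every start)" if ff["file"] == "user.js" else "prefs.js"
                findings.append(Finding(ff["pref"], [f"security downgrade in {where}: {ff['value']}"]))
    return findings


# Constructed sample: a handful of lines copied from the log above.
SAMPLE_LOG = r"""
R2 0011921345317134mcinstcleanup;McAfee Application Installer Cleanup (0011921345317134);c:\users\Tony\AppData\Local\Temp\001192~1.EXE [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc_x64.pkms [2012-04-10 25072]
S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: security.csp.enable - false
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.source}: {'; '.join(f.reasons)}")
```

Run against the sample it reports the leftover McAfee installer service (missing image, and an image path under the user's Temp folder), the Dell DataSafe service whose image is missing, and both `user.js` downgrades; the .NET NGEN and Dell PC-Doctor entries pass. A `user.js` hit deserves a look at the file itself, since Firefox re-applies it on every start and the toolbar that wrote it will keep CSP off until the file is removed.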

#10 gringo_pr

Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 18 August 2012 - 02:52 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Folder::
c:\progra~2\IMESHA~1

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I close my topics if you have not replied in 5 days. If you will be longer, please let me know.

If I have not replied to one of my topics in 48 hrs, please bump the topic.

My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 TKTheKid

  • Topic Starter
  • Members
  • 36 posts

Posted 18 August 2012 - 03:13 PM

There were no problems with the scan at all, and the computer does seem to be running as normal, like before any of these problems popped up. I say that with my fingers crossed, though, as you would know more definitively by looking at the report:

ComboFix 12-08-18.03 - Tony 08/18/2012 15:57:25.3.1 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.1791.1028 [GMT -4:00]
Running from: c:\users\Tony\Desktop\ComboFix.exe
Command switches used :: c:\users\Tony\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\progra~2\IMESHA~1
.
.
((((((((((((((((((((((((( Files Created from 2012-07-18 to 2012-08-18 )))))))))))))))))))))))))))))))
.
.
2012-08-18 20:02 . 2012-08-18 20:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-18 12:20 . 2012-08-18 12:20 -------- d-----w- C:\TDSSKiller_Quarantine
2012-08-15 02:54 . 2010-09-12 14:47 363520 ----a-w- c:\users\Tony\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rkill.com
2012-08-09 01:22 . 2012-08-09 01:27 -------- d-----w- c:\users\Tony\AppData\Local\Microsoft Games
2012-08-08 23:25 . 2012-08-08 23:25 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-08-08 23:22 . 2012-08-08 23:22 -------- d-sh--w- c:\windows\SysWow64\%APPDATA%
2012-07-29 17:25 . 2012-07-29 17:25 19720 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-07-29 17:21 . 2012-07-29 17:21 15712 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\8eab04671cd6dae02\MeshBetaRemover.exe
2012-07-29 17:21 . 2012-07-29 17:21 537432 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\8cf75a961cd6dae01\DXSETUP.exe
2012-07-29 17:21 . 2012-07-29 17:21 89944 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\8cf75a961cd6dae01\DSETUP.dll
2012-07-29 17:21 . 2012-07-29 17:21 1801048 ----a-w- c:\program files (x86)\Common Files\Windows Live\.cache\8cf75a961cd6dae01\dsetup32.dll
2012-07-29 17:16 . 2012-07-29 18:26 -------- d-----w- c:\users\Tony\AppData\Local\Windows Live
2012-07-28 17:59 . 2012-08-07 18:54 -------- d-----w- c:\programdata\Tarma Installer
2012-07-28 17:16 . 2012-07-28 21:14 -------- d-----w- c:\users\Tony\AppData\Roaming\Audacity
2012-07-28 17:15 . 2012-07-28 17:16 -------- d-----w- c:\program files (x86)\Audacity
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-18 13:00 . 2009-07-13 23:19 328704 ----a-w- c:\windows\system32\services.exe
2012-08-08 23:25 . 2011-11-02 17:13 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-11 05:30 . 2011-11-25 19:06 59701280 ----a-w- c:\windows\system32\MRT.exe
2012-07-03 17:46 . 2011-11-25 01:53 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-12 03:08 . 2012-07-11 05:32 3148800 ----a-w- c:\windows\system32\win32k.sys
2012-06-09 05:43 . 2012-07-10 21:57 14172672 ----a-w- c:\windows\system32\shell32.dll
2012-06-06 06:06 . 2012-07-10 21:58 2004480 ----a-w- c:\windows\system32\msxml6.dll
2012-06-06 06:06 . 2012-07-10 21:58 1881600 ----a-w- c:\windows\system32\msxml3.dll
2012-06-06 06:02 . 2012-07-10 21:57 1133568 ----a-w- c:\windows\system32\cdosys.dll
2012-06-06 05:05 . 2012-07-10 21:58 1390080 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-06 05:05 . 2012-07-10 21:58 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-06 05:03 . 2012-07-10 21:57 805376 ----a-w- c:\windows\SysWow64\cdosys.dll
2012-06-02 22:19 . 2012-06-27 01:40 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-27 01:40 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-27 01:41 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-27 01:41 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-27 01:40 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:15 . 2012-06-27 01:40 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-27 01:40 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 19:19 . 2012-06-27 01:40 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:15 . 2012-06-27 01:40 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 12:49 . 2012-07-11 05:29 17807360 ----a-w- c:\windows\system32\mshtml.dll
2012-06-02 12:17 . 2012-07-11 05:29 10924032 ----a-w- c:\windows\system32\ieframe.dll
2012-06-02 12:12 . 2012-07-11 05:29 2311680 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 12:05 . 2012-07-11 05:29 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-06-02 12:05 . 2012-07-11 05:29 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 12:04 . 2012-07-11 05:29 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 12:04 . 2012-07-11 05:29 237056 ----a-w- c:\windows\system32\url.dll
2012-06-02 12:03 . 2012-07-11 05:29 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-06-02 12:01 . 2012-07-11 05:29 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 12:00 . 2012-07-11 05:29 818688 ----a-w- c:\windows\system32\jscript.dll
2012-06-02 11:59 . 2012-07-11 05:29 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-06-02 11:57 . 2012-07-11 05:29 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-06-02 11:57 . 2012-07-11 05:29 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 11:54 . 2012-07-11 05:29 248320 ----a-w- c:\windows\system32\ieui.dll
2012-06-02 08:33 . 2012-07-11 05:29 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-06-02 08:25 . 2012-07-11 05:29 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-06-02 08:25 . 2012-07-11 05:29 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-06-02 08:20 . 2012-07-11 05:29 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-06-02 08:16 . 2012-07-11 05:29 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-06-02 05:50 . 2012-07-10 21:57 458704 ----a-w- c:\windows\system32\drivers\cng.sys
2012-06-02 05:48 . 2012-07-10 21:57 95600 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 05:48 . 2012-07-10 21:57 151920 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2012-06-02 05:45 . 2012-07-10 21:57 340992 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 05:44 . 2012-07-10 21:57 307200 ----a-w- c:\windows\system32\ncrypt.dll
2012-06-02 04:40 . 2012-07-10 21:57 22016 ----a-w- c:\windows\SysWow64\secur32.dll
2012-06-02 04:40 . 2012-07-10 21:57 225280 ----a-w- c:\windows\SysWow64\schannel.dll
2012-06-02 04:39 . 2012-07-10 21:57 219136 ----a-w- c:\windows\SysWow64\ncrypt.dll
2012-06-02 04:34 . 2012-07-10 21:57 96768 ----a-w- c:\windows\SysWow64\sspicli.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-12_22.38.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-08-18 20:03 . 2012-08-18 20:03 13306 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2012-08-12 05:25 . 2012-08-12 05:25 13306 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
+ 2012-08-07 20:05 . 2012-08-18 11:45 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
- 2012-08-07 20:05 . 2012-08-12 16:23 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\index.dat
+ 2012-08-18 04:20 . 2012-08-18 11:45 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012081820120819\index.dat
+ 2012-08-17 21:13 . 2012-08-18 02:37 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012081720120818\index.dat
+ 2012-08-16 22:47 . 2012-08-16 22:47 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012081620120817\index.dat
+ 2012-08-16 01:42 . 2012-08-16 00:45 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012081520120816\index.dat
+ 2012-08-14 22:35 . 2012-08-14 22:34 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012081420120815\index.dat
+ 2012-08-13 12:24 . 2012-08-13 12:16 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012081320120814\index.dat
+ 2012-08-13 12:24 . 2012-08-13 12:16 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012012080620120813\index.dat
+ 2012-08-17 03:30 . 2012-08-17 03:31 24576 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EFB0D94B-E81B-11E1-BEFD-00038A000015}.dat
+ 2012-08-16 22:47 . 2012-08-16 22:47 14336 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4D1B91E5-E7F4-11E1-BEFD-00038A000015}.dat
+ 2012-08-18 01:36 . 2012-08-18 01:36 27648 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1BCB4FE7-E8D5-11E1-91A9-00038A000015}.dat
+ 2012-08-07 18:58 . 2012-08-18 11:45 65536 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat
- 2012-08-08 23:22 . 2012-08-12 21:54 16384 c:\windows\SysWOW64\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
+ 2012-08-08 23:22 . 2012-08-18 12:43 16384 c:\windows\SysWOW64\%APPDATA%\Microsoft\Windows\IETldCache\index.dat
- 2012-08-08 23:30 . 2012-08-12 21:04 32768 c:\windows\SysWOW64\%APPDATA%\Microsoft\Internet Explorer\UserData\index.dat
+ 2012-08-08 23:30 . 2012-08-18 05:32 32768 c:\windows\SysWOW64\%APPDATA%\Microsoft\Internet Explorer\UserData\index.dat
+ 2010-11-21 03:09 . 2012-08-18 19:40 51366 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-08-18 19:40 45454 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2011-11-25 06:56 . 2012-08-18 19:40 14914 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1993072558-3099979866-3506296825-1001_UserData.bin
+ 2009-07-14 05:30 . 2012-08-18 19:13 86016 c:\windows\system32\DriverStore\infpub.dat
- 2009-07-14 05:30 . 2012-07-28 17:23 86016 c:\windows\system32\DriverStore\infpub.dat
+ 2011-11-25 01:25 . 2012-08-18 19:09 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-11-25 01:25 . 2012-08-12 22:08 32768 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2011-11-25 01:24 . 2012-08-12 22:08 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-11-25 01:24 . 2012-08-18 19:09 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-08-12 22:08 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-18 19:09 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-08-16 22:47 . 2012-08-17 03:30 5632 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4D1B91E4-E7F4-11E1-BEFD-00038A000015}.dat
+ 2012-08-18 01:36 . 2012-08-18 01:36 4608 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0F7D4299-E8D5-11E1-91A9-00038A000015}.dat
- 2011-12-06 06:16 . 2012-08-12 05:25 3780 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2011-12-06 06:16 . 2012-08-18 12:59 3780 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2012-08-18 20:03 . 2012-08-18 20:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-08-12 22:35 . 2012-08-12 22:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-08-12 22:35 . 2012-08-12 22:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-08-18 20:03 . 2012-08-18 20:03 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-08-07 18:58 . 2012-08-12 16:23 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2012-08-07 18:58 . 2012-08-18 11:45 262144 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2012-08-07 20:09 . 2012-08-18 01:36 360448 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\index.dat
- 2012-08-07 20:09 . 2012-08-07 20:07 360448 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\index.dat
+ 2009-07-14 04:54 . 2012-08-18 12:59 294912 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-08-12 22:36 294912 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 02:36 . 2012-08-17 12:13 660520 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-08-08 12:16 660520 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-08-17 12:13 121190 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-08-08 12:16 121190 c:\windows\system32\perfc009.dat
- 2009-07-14 05:30 . 2012-07-28 17:23 143360 c:\windows\system32\DriverStore\infstrng.dat
+ 2009-07-14 05:30 . 2012-08-18 19:13 143360 c:\windows\system32\DriverStore\infstrng.dat
- 2009-07-14 05:30 . 2012-07-12 04:06 143360 c:\windows\system32\DriverStore\infstor.dat
+ 2009-07-14 05:30 . 2012-08-18 19:13 143360 c:\windows\system32\DriverStore\infstor.dat
+ 2009-07-14 04:46 . 2012-08-18 12:23 102352 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2011-11-25 05:58 . 2012-08-18 19:15 393008 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2011-11-25 05:58 . 2012-08-10 22:26 393008 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2009-07-14 05:01 . 2012-08-18 20:03 268268 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-08-12 22:35 268268 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-11-25 05:58 . 2012-02-28 06:02 530088 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1993072558-3099979866-3506296825-1001-12288.dat
+ 2011-11-25 05:58 . 2012-08-18 19:14 530088 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1993072558-3099979866-3506296825-1001-12288.dat
+ 2009-07-14 04:54 . 2012-08-18 12:59 3686400 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-08-12 22:36 3686400 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-11-25 05:58 . 2012-08-18 20:03 3141172 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1993072558-3099979866-3506296825-1001-8192.dat
+ 2011-11-25 05:58 . 2012-08-17 05:26 2964508 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1993072558-3099979866-3506296825-1001-4096.dat
- 2011-11-25 05:58 . 2012-08-11 17:03 2964508 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1993072558-3099979866-3506296825-1001-4096.dat
+ 2012-08-07 13:14 . 2012-08-18 12:59 2954864 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-18-16384.dat
- 2009-07-14 04:54 . 2012-08-12 22:36 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-08-18 12:59 16187392 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{28387537-e3f9-4ed7-860c-11e69af4a8a0}]
c:\progra~2\IMESHA~1\MediaBar\Datamngr\ToolBar\wincoreimdtx.dll [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{28387537-e3f9-4ed7-860c-11e69af4a8a0}"= "c:\progra~2\IMESHA~1\MediaBar\Datamngr\ToolBar\wincoreimdtx.dll" [BU]
.
[HKEY_CLASSES_ROOT\clsid\{28387537-e3f9-4ed7-860c-11e69af4a8a0}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-15 98304]
"Dell DataSafe Online"="c:\program files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe" [2010-08-26 1117528]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2012-04-04 35736]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"RoxWatchTray"="c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe" [2010-11-25 240112]
"Desktop Disc Tool"="c:\program files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe" [2010-11-17 514544]
"HostManager"="c:\program files (x86)\Common Files\AOL\1322232433\ee\AOLSoftware.exe" [2010-03-08 41800]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-11-13 421736]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\users\Tony\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
firefox - Shortcut.lnk - c:\program files (x86)\Mozilla Firefox\firefox.exe [2011-11-24 913888]
rkill.com [2010-9-12 363520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 0011921345317134mcinstcleanup;McAfee Application Installer Cleanup (0011921345317134);c:\users\Tony\AppData\Local\Temp\001192~1.EXE [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [x]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe [x]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-19 113120]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0;PCDSRVC{1E208CE0-FB7451FF-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc_x64.pkms [2012-04-10 25072]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-21 59392]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-21 31232]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-08-02 51712]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-11-25 1255736]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2011-04-20 203776]
S2 BingDesktopUpdate;Bing Desktop Update service;c:\program files (x86)\Microsoft\BingDesktop\BingDesktopUpdater.exe [2012-03-30 151656]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 NOBU;Dell DataSafe Online;c:\program files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe SERVICE [x]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-07-08 1692480]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2011-04-20 9319936]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2011-04-20 306176]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-08-06 320040]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 764264]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 268648]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-25 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
2012-08-18 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\uaclauncher.exe [2012-04-13 06:11]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-11-10 8321568]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.logmein.com/
mStart Page = hxxp://www.google.com
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\Tony\AppData\Roaming\Mozilla\Firefox\Profiles\kjiek4va.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&btnI=745&q=
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: security.csp.enable - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-10 - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCDSRVC{1E208CE0-FB7451FF-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{28387537-E3F9-4ED7-860C-11E69AF4A8A0}"=hex:51,66,7a,6c,4c,1d,38,12,59,76,2b,
2c,cb,ad,b9,0b,f9,1a,52,a6,9f,aa,ec,b4
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"=hex:51,66,7a,6c,4c,1d,38,12,d5,94,07,
72,c2,98,42,03,c9,fd,97,9a,f4,87,69,57
"{7DB2D5A0-7241-4E79-B68D-6309F01C5231}"=hex:51,66,7a,6c,4c,1d,38,12,ce,d6,a1,
79,73,3c,17,0b,c9,9b,20,49,f5,42,16,25
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"=hex:51,66,7a,6c,4c,1d,38,12,0a,d7,23,
94,30,02,d1,0f,f1,da,12,24,73,56,27,d2
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:5b,f8,fb,94,d8,74,cd,01
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
.
**************************************************************************
.
Completion time: 2012-08-18 16:09:53 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-18 20:09
ComboFix2.txt 2012-08-18 19:35
ComboFix3.txt 2012-08-12 22:55
.
Pre-Run: 314,146,095,104 bytes free
Post-Run: 314,056,298,496 bytes free
.
- - End Of File - - 58A68398799C4A0882CAF508B8DBA00B

#12 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 18 August 2012 - 03:27 PM

These logs are looking a lot better, but we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

Uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (Revo does a lot better of a job).

Programs to remove

  • Java™ 6 Update 31


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.



Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#13 TKTheKid

TKTheKid
  • Topic Starter
  • Members
  • 36 posts

Posted 18 August 2012 - 04:10 PM
Posted 18 August 2012 - 04:10 PM

I had no problems with doing any of these latest steps, and also I don't have anything to report right now thankfully. Malwarebytes actually found nothing. Here is the log:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.18.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Tony :: TONY-PC [administrator]

8/18/2012 4:56:58 PM
mbam-log-2012-08-18 (16-56-58).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 197478
Time elapsed: 7 minute(s), 27 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



And here is the log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:07:29 PM, on 8/18/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16447)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Common Files\AOL\1322232433\ee\aolsoftware.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\Tony\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.logmein.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Wincore Mediabar - {28387537-e3f9-4ed7-860c-11e69af4a8a0} - C:\PROGRA~2\IMESHA~1\MediaBar\Datamngr\ToolBar\wincoreimdtx.dll (file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O3 - Toolbar: Wincore Mediabar - {28387537-e3f9-4ed7-860c-11e69af4a8a0} - C:\PROGRA~2\IMESHA~1\MediaBar\Datamngr\ToolBar\wincoreimdtx.dll (file missing)
O4 - HKLM\..\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Dell DataSafe Online] C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuClient.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
O4 - HKLM\..\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files (x86)\Common Files\AOL\1322232433\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - Startup: firefox - Shortcut.lnk = C:\Program Files (x86)\Mozilla Firefox\firefox.exe
O4 - Startup: rkill.com
O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com//activex/ractrl.cab?lmi=928
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: McAfee Application Installer Cleanup (0011921345317134) (0011921345317134mcinstcleanup) - Unknown owner - C:\Users\Tony\AppData\Local\Temp\001192~1.EXE (file missing)
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files (x86)\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - Unknown owner - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (file missing)
O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe (file missing)
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - Unknown owner - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe (file missing)
O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe (file missing)
O23 - Service: McAfee Proxy Service (McProxy) - Unknown owner - C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe (file missing)
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - Unknown owner - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Dell DataSafe Online (NOBU) - Dell, Inc. - C:\Program Files (x86)\Dell\Dell Datasafe Online\NOBuAgent.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: RoxMediaDB12OEM - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe
O23 - Service: Roxio Hard Drive Watcher 12 (RoxWatch12) - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SoftThinks Agent Service (SftService) - SoftThinks SAS - C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9939 bytes
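As an added example (not part of the thread, and not code from HijackThis itself), a small Python parser for the HijackThis log format posted above that applies the same triage the helper does by eye: it flags O2/O3 browser add-ons whose file is missing (the orphaned Wincore Mediabar entries), O23 services registered from a Temp directory whose binary is gone, and bare executables sitting in the Startup folder. The sample lines are copied from the log above; the rule set and all function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample lines copied from the HijackThis log posted in this thread
# (a constructed subset, not the whole log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.logmein.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Wincore Mediabar - {28387537-e3f9-4ed7-860c-11e69af4a8a0} - C:\PROGRA~2\IMESHA~1\MediaBar\Datamngr\ToolBar\wincoreimdtx.dll (file missing)
O3 - Toolbar: Wincore Mediabar - {28387537-e3f9-4ed7-860c-11e69af4a8a0} - C:\PROGRA~2\IMESHA~1\MediaBar\Datamngr\ToolBar\wincoreimdtx.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - Startup: rkill.com
O23 - Service: McAfee Application Installer Cleanup (0011921345317134) (0011921345317134mcinstcleanup) - Unknown owner - C:\Users\Tony\AppData\Local\Temp\001192~1.EXE (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HijackThis finding starts with a section code such as R0, O2, O4, O23.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
MISSING = "(file missing)"


@dataclass
class Entry:
    section: str           # HijackThis section code (O2, O4, O23, ...)
    kind: str              # text before the first ':' (BHO, Toolbar, Service, HKLM\..\Run, Startup)
    name: Optional[str]    # add-on / service / Run-key name where the format carries one
    path: Optional[str]    # file the entry points at, if any
    file_missing: bool     # HijackThis could not find the file on disk
    raw: str               # the original log line


def _strip_missing(path: str):
    """Split the '(file missing)' suffix off a path and report whether it was there."""
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)].rstrip()
    return path, missing


def _parse_o4(body: str):
    # 'HKLM\..\Run: [Name] "C:\path\app.exe" args'  or  'Startup: file.lnk = C:\path'
    kind, _, rest = body.partition(": ")
    name = None
    m = re.match(r"\[(?P<name>[^\]]+)\]\s*(?P<rest>.*)$", rest)
    if m:
        name, rest = m.group("name"), m.group("rest")
    if rest.startswith('"'):
        path = rest[1:].split('"', 1)[0]   # quoted path: drop the trailing arguments
    else:
        path = rest                         # unquoted: keep everything (may include args)
    return kind, name, path


def _parse_dashed(body: str):
    # 'BHO: Name - {CLSID} - C:\path\x.dll (file missing)'
    # 'Service: Name (short) - Owner - C:\path\x.exe (file missing)'
    kind, _, rest = body.partition(": ")
    parts = rest.split(" - ")
    path, missing = _strip_missing(parts[-1]) if len(parts) > 1 else (None, False)
    return kind, parts[0], path, missing


def parse_hjt(text: str) -> List[Entry]:
    """Parse HijackThis log text into structured entries, skipping headers and process lists."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O4":
            kind, name, path = _parse_o4(body)
            entries.append(Entry(section, kind, name, path, False, line))
        elif section in ("O2", "O3", "O23"):
            kind, name, path, missing = _parse_dashed(body)
            entries.append(Entry(section, kind, name, path, missing, line))
        else:
            entries.append(Entry(section, body, None, None, False, line))
    return entries


def triage(entry: Entry) -> List[str]:
    """Return review reasons for one entry; an empty list means nothing to flag."""
    reasons: List[str] = []
    path = (entry.path or "").lower()
    if entry.section in ("O2", "O3") and entry.file_missing:
        reasons.append("browser add-on registered for a file that is no longer on disk (orphaned registration)")
    if entry.section == "O23" and entry.file_missing and "\\temp\\" in path:
        reasons.append("service pointed at a binary in a Temp directory that is now missing")
    if entry.section == "O4" and entry.kind == "Startup" and "\\" not in path \
            and path.endswith((".com", ".exe", ".bat")):
        reasons.append("executable placed directly in the Startup folder")
    return reasons


def review(text: str) -> Dict[str, List[str]]:
    """Map each flagged raw log line to the reasons it was flagged."""
    return {e.raw: r for e in parse_hjt(text) if (r := triage(e))}


if __name__ == "__main__":
    for line, reasons in review(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```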

#14 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 18 August 2012 - 04:47 PM
Posted 18 August 2012 - 04:47 PM

Greetings

These logs are looking very good; we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; you can click on their icons (or start them from the control panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

      O4 - HKLM\..\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
      O4 - HKLM\..\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
      O4 - Startup: firefox - Shortcut.lnk = C:\Program Files (x86)\Mozilla Firefox\firefox.exe
      O4 - Startup: rkill.com
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines here and see if you want to keep them or not:
    just copy the name between the brackets and paste it into the search space, e.g.
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. Vista and Win 7: right click on the IE shortcut and run as admin.

Go to the ESET web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add-on to be installed
    • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

  • If no threats were found:
    • put a checkmark in "Uninstall application on close"
    • close program
    • report to me that nothing was found

  • If threats were found:
    • click on "list of threats found"
    • click on "export to text file" and save it as ESET SCAN and save to the desktop
    • Click on back
    • put a checkmark in "Uninstall application on close"
    • click on finish
    • close program
    • copy and paste the report here


Gringo

#15 TKTheKid

TKTheKid
  • Topic Starter
  • Members
  • 36 posts

Posted 18 August 2012 - 06:52 PM
Posted 18 August 2012 - 06:52 PM

Unfortunately, the ESET scan found quite a few problems! Please see below:

C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A application
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A application
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\UpdateWorkingDirectory\DSL\hstart.exe a variant of Win32/HiddenStart.A application
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\UpdateWorkingDirectory\DSL\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A application
C:\ProgramData\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Qoobox\Quarantine\C\Windows\Installer\{0061fc47-3411-b13e-500b-5f585284f979}\U\80000000.@.vir Win64/Sirefef.AP trojan
C:\Qoobox\Quarantine\C\Windows\System32\services.exe.vir Win64/Patched.B.Gen trojan
C:\TDSSKiller_Quarantine\18.08.2012_08.16.28\mbr0000\tdlfs0000\tsk0000.dta Win64/Olmarik.AK trojan
C:\TDSSKiller_Quarantine\18.08.2012_08.16.28\mbr0000\tdlfs0000\tsk0001.dta Win64/Olmarik.AL trojan
C:\TDSSKiller_Quarantine\18.08.2012_08.16.28\mbr0000\tdlfs0000\tsk0002.dta Win64/Olmarik.AK trojan
C:\TDSSKiller_Quarantine\18.08.2012_08.16.28\mbr0000\tdlfs0000\tsk0006.dta Win32/Olmarik.AFK trojan
C:\TDSSKiller_Quarantine\18.08.2012_08.16.28\mbr0000\tdlfs0000\tsk0007.dta Win64/Olmarik.AK trojan
C:\TDSSKiller_Quarantine\18.08.2012_08.16.28\zasubsys0000\file0000\tsk0000.dta Win64/Patched.B.Gen trojan
C:\TDSSKiller_Quarantine\18.08.2012_08.16.28\zasubsys0000\zafs0000\tsk0000.dta Win32/Sirefef.EZ trojan
C:\TDSSKiller_Quarantine\18.08.2012_08.16.28\zasubsys0000\zafs0000\tsk0001.dta Win64/Sirefef.AD trojan
C:\TDSSKiller_Quarantine\18.08.2012_08.16.28\zasubsys0000\zafs0000\tsk0005.dta Win64/Agent.BA trojan
C:\TDSSKiller_Quarantine\18.08.2012_08.16.28\zasubsys0000\zafs0000\tsk0006.dta Win64/Conedex.B trojan
C:\TDSSKiller_Quarantine\18.08.2012_08.16.28\zasubsys0000\zafs0000\tsk0007.dta Win64/Sirefef.AP trojan
C:\TDSSKiller_Quarantine\18.08.2012_08.16.28\zasubsys0000\zafs0000\tsk0008.dta a variant of Win32/Sirefef.FD trojan
C:\Users\All Users\Tarma Installer\{C049526F-B3EB-4151-9B11-B11F00F53A96}\_Setupx.dll a variant of Win32/Adware.Yontoo.B application
C:\Users\Tony\Downloads\cnet_FolderSizeSetup_zip.exe a variant of Win32/InstallCore.D application
C:\Users\Tony\Downloads\media.player.codec.pack.v3.9.0.setup.exe Win32/Toolbar.Widgi application



