Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Combofix reports "services.exe Infected"


  • This topic is locked This topic is locked
21 replies to this topic

#1 4ntim4lw4re

4ntim4lw4re

  • Members
  • 453 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:10:01 AM

Posted 20 August 2012 - 04:04 PM

Hi,
I have ran combofix and it did clear up a lot of issues with computer running sluggish. Things are running very smooth compared to before.... but, combofix still comes up with services.exe infected. I just want to make sure I get all of the malware off of the computer. Here is the DDS log file. Thank you in advance for any help you can give me.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Owner at 16:35:11 on 2012-08-20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2940.1923 [GMT -4:00]
.
AV: Trend Micro Titanium 2012 *Enabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}
SP: Trend Micro Titanium 2012 *Enabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files (x86)\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio64.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\hp\kbd\kbd.exe
c:\Program Files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_3_300_265_ActiveX.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files (x86)\hewlett-packard\sdp\ceement\hpcee.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
uInternet Settings,ProxyOverride = *.local
BHO: MRI_DISABLED - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1078\TmIEPlg32.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre1.6.0_01\bin\ssv.dll
BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.1.1102\7.1.1102\TmBpIe32.dll
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
uRun: [HPAdvisor] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
uRun: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [KBD] C:\HP\KBD\KbdStub.EXE
mRun: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_01\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - C:\Program Files (x86)\Java\jre1.6.0_01\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
TCP: DhcpNameServer = 168.95.1.1
TCP: Interfaces\{C3FA5F7F-BE5B-4612-AE89-BF8FDB2DB449} : DhcpNameServer = 168.95.1.1
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\module\20002\7.1.1102\7.1.1102\TmBpIe32.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\module\20004\2.0.1313\6.8.1078\TmIEPlg32.dll
BHO-X64: MRI_DISABLED - No File
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO-X64: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\2.0.1313\6.8.1078\TmIEPlg32.dll
BHO-X64: Trend Micro NSC BHO - No File
BHO-X64: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO-X64: NCO 2.0 IE BHO - No File
BHO-X64: SSVHelper Class: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_01\bin\ssv.dll
BHO-X64: TmBpIeBHO Class: {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\7.1.1102\7.1.1102\TmBpIe32.dll
BHO-X64: TmBpIeBHO - No File
mRun-x64: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun-x64: [KBD] C:\HP\KBD\KbdStub.EXE
mRun-x64: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_01\bin\jusched.exe"
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
.
============= SERVICES / DRIVERS ===============
.
R1 tmevtmgr;tmevtmgr;C:\Windows\system32\DRIVERS\tmevtmgr.sys --> C:\Windows\system32\DRIVERS\tmevtmgr.sys [?]
R2 FontCache;Windows Font Cache Service;C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R3 CAXHWBS2;CAXHWBS2;C:\Windows\system32\DRIVERS\CAXHWBS2.sys --> C:\Windows\system32\DRIVERS\CAXHWBS2.sys [?]
S2 Amsp;Trend Micro Solution Platform;C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe [2012-1-25 275912]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-3-31 250056]
S3 GamesAppService;GamesAppService;C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
S3 PerfHost;Performance Counter DLL Host;C:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 UsbFltr;WayTech USB Filter Driver;C:\Windows\system32\Drivers\UsbFltr.sys --> C:\Windows\system32\Drivers\UsbFltr.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2012-1-22 89920]
.
=============== File Associations ===============
.
JSEFile=C:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2012-08-17 19:28:03 -------- d-sh--w- C:\$RECYCLE.BIN
2012-08-17 19:27:40 -------- d-s---w- C:\ComboFix
2012-08-06 18:44:33 -------- d-----w- C:\Users\Owner\AppData\Local\temp
2012-08-03 15:33:03 98816 ----a-w- C:\Windows\sed.exe
2012-08-03 15:33:03 518144 ----a-w- C:\Windows\SWREG.exe
2012-08-03 15:33:03 256000 ----a-w- C:\Windows\PEV.exe
2012-08-03 15:33:03 208896 ----a-w- C:\Windows\MBR.exe
.
==================== Find3M ====================
.
2012-08-06 21:30:31 21520 ----a-w- C:\Windows\DCEBoot64.exe
2012-07-13 04:29:57 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-13 04:29:56 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-13 13:58:27 2769408 ----a-w- C:\Windows\System32\win32k.sys
2012-06-05 16:47:28 1401856 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-06-05 16:47:27 1248768 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-06-05 16:22:47 1797120 ----a-w- C:\Windows\System32\msxml6.dll
2012-06-05 16:22:46 1869824 ----a-w- C:\Windows\System32\msxml3.dll
2012-06-04 15:29:59 516480 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 22:12:13 88576 ----a-w- C:\Windows\SysWow64\wudriver.dll
2012-06-02 19:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 19:19:42 171904 ----a-w- C:\Windows\SysWow64\wuwebv.dll
2012-06-02 19:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-02 19:12:20 33792 ----a-w- C:\Windows\SysWow64\wuapp.exe
2012-06-02 12:12:17 2311680 ----a-w- C:\Windows\System32\jscript9.dll
2012-06-02 12:05:28 1392128 ----a-w- C:\Windows\System32\wininet.dll
2012-06-02 12:04:50 1494528 ----a-w- C:\Windows\System32\inetcpl.cpl
2012-06-02 12:01:40 173056 ----a-w- C:\Windows\System32\ieUnatt.exe
2012-06-02 11:57:08 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2012-06-02 08:33:25 1800192 ----a-w- C:\Windows\SysWow64\jscript9.dll
2012-06-02 08:25:08 1129472 ----a-w- C:\Windows\SysWow64\wininet.dll
2012-06-02 08:25:03 1427968 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2012-06-02 08:20:33 142848 ----a-w- C:\Windows\SysWow64\ieUnatt.exe
2012-06-02 08:16:52 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2012-06-02 00:22:56 347136 ----a-w- C:\Windows\System32\schannel.dll
2012-06-02 00:22:10 254464 ----a-w- C:\Windows\System32\ncrypt.dll
2012-06-02 00:05:11 77312 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-06-02 00:04:25 278528 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-06-02 00:03:42 204288 ----a-w- C:\Windows\SysWow64\ncrypt.dll
.
============= FINISH: 16:35:33.21 ===============

BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:01 AM

Posted 22 August 2012 - 10:31 PM

Greetings And Welcome To The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of hartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash-drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account an click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
[*]The tool will start to run.
[*]When the tool opens click Yes to disclaimer.

[*]First Press the Scan button.
[*]It will make a log (FRST.txt)

[*]Second Type the following in the edit box after "Search:". services.exe
[*]Click the Search button
[*]It will make a log (Search.txt)
[/list]
I want you to poste Both the FRST.txt report and the Search.txt into your reply to me

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 4ntim4lw4re

4ntim4lw4re
  • Topic Starter

  • Members
  • 453 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:10:01 AM

Posted 23 August 2012 - 07:23 AM

Gringo,

Thanks for your time. Here are the logs.

FRST:

Scan result of Farbar Recovery Scan Tool Version: 22-08-2012 02
Ran by SYSTEM at 23-08-2012 08:10:54
Running from F:\AVirus\Bleepin
Windows Vista ™ Home Premium Service Pack 1 (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup [15851040 2008-05-22] (NVIDIA Corporation)
HKLM\...\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit [82464 2008-05-22] (NVIDIA Corporation)
HKLM\...\Run: [Trend Micro Titanium] "C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" -set Silent "1" SplashURL "" [1304824 2012-07-05] (Trend Micro Inc.)
HKLM\...\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [213824 2012-02-27] (Trend Micro Inc.)
HKLM-x32\...\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe [65536 2007-04-18] (Hewlett-Packard Company)
HKLM-x32\...\Run: [KBD] C:\HP\KBD\KbdStub.EXE [65536 2006-12-08] ()
HKLM-x32\...\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [75008 2008-06-02] (Hewlett-Packard)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_01\bin\jusched.exe" [132760 2007-04-07] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [39792 2008-01-11] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-09] (Hewlett-Packard)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-27] (Apple Inc.)
HKLM-x32\...\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime [421888 2012-04-18] (Apple Inc.)
HKU\Default\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [972080 2008-07-03] (Hewlett-Packard)
HKU\Default User\...\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem [1555968 2009-04-10] (Microsoft Corporation)
HKU\Default User\...\Run: [HPADVISOR] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [972080 2008-07-03] (Hewlett-Packard)
HKU\Owner\...\Run: [HPAdvisor] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN [972080 2008-07-03] (Hewlett-Packard)
HKU\Owner\...\Run: [MobileDocuments] C:\Program Files (x86)\Common Files\Apple\Internet Services\ubd.exe [59240 2012-02-23] (Apple Inc.)
Tcpip\Parameters: [DhcpNameServer] 168.95.1.1

==================== Services (Whitelisted) ======

2 Automatic LiveUpdate Scheduler; "C:\Program Files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe" [238968 2008-02-09] (Symantec Corporation)
3 LiveUpdate; "C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_4.EXE" [3220856 2008-02-09] (Symantec Corporation)
2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad [x]

========================== Drivers (Whitelisted) =============

3 HSF_DP; C:\Windows\System32\DRIVERS\CAX_DP.sys [1487872 2008-05-08] (Conexant Systems, Inc.)
3 Ps2; C:\Windows\System32\Drivers\Ps2.sys [21504 2006-09-07] ()
1 tmactmon; C:\Windows\System32\Drivers\tmactmon.sys [91920 2012-01-25] (Trend Micro Inc.)
1 tmcomm; C:\Windows\System32\Drivers\tmcomm.sys [167696 2012-01-25] (Trend Micro Inc.)
1 tmevtmgr; C:\Windows\System32\Drivers\tmevtmgr.sys [70928 2012-01-25] (Trend Micro Inc.)
1 tmtdi; C:\Windows\System32\Drivers\tmtdi.sys [105744 2012-01-25] (Trend Micro Inc.)
1 Beep; [x]
3 catchme; \??\C:\ComboFix\catchme.sys [x]
3 IpInIp; C:\Windows\System32\DRIVERS\ipinip.sys [x]
3 NwlnkFlt; C:\Windows\System32\DRIVERS\nwlnkflt.sys [x]
3 NwlnkFwd; C:\Windows\System32\DRIVERS\nwlnkfwd.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-08-23 08:10 - 2012-08-23 08:10 - 00000000 ____D C:\FRST
2012-08-20 12:36 - 2012-08-20 12:36 - 00012473 ____A C:\Users\Owner\Desktop\DDS.txt
2012-08-20 12:36 - 2012-08-20 12:36 - 00005814 ____A C:\Users\Owner\Desktop\Attach.txt
2012-08-20 12:34 - 2012-08-20 12:34 - 00607260 ____R (Swearware) C:\Users\Owner\Desktop\dds.com
2012-08-20 12:34 - 2012-08-20 12:34 - 00302592 ____A C:\Users\Owner\Desktop\2olyrkbp.exe
2012-08-17 11:27 - 2012-08-17 12:08 - 00000000 ___SD C:\ComboFix
2012-08-06 08:30 - 2012-08-06 08:30 - 00270344 ____A C:\Windows\Minidump\Mini080612-01.dmp
2012-08-03 07:33 - 2011-06-25 22:45 - 00256000 ____A C:\Windows\PEV.exe
2012-08-03 07:33 - 2010-11-07 09:20 - 00208896 ____A C:\Windows\MBR.exe
2012-08-03 07:33 - 2009-04-19 20:56 - 00060416 ____A (NirSoft) C:\Windows\NIRCMD.exe
2012-08-03 07:33 - 2000-08-30 16:00 - 00518144 ____A (SteelWerX) C:\Windows\SWREG.exe
2012-08-03 07:33 - 2000-08-30 16:00 - 00406528 ____A (SteelWerX) C:\Windows\SWSC.exe
2012-08-03 07:33 - 2000-08-30 16:00 - 00098816 ____A C:\Windows\sed.exe
2012-08-03 07:33 - 2000-08-30 16:00 - 00080412 ____A C:\Windows\grep.exe
2012-08-03 07:33 - 2000-08-30 16:00 - 00068096 ____A C:\Windows\zip.exe
2012-08-03 07:29 - 2012-08-03 07:32 - 00001828 ____A C:\Users\Owner\Desktop\Rkill.txt
2012-08-03 07:29 - 2012-08-03 07:29 - 00000000 ____D C:\Users\Owner\Desktop\rkill-backup
2012-08-03 07:28 - 2012-08-03 07:28 - 01051552 ____A (Bleeping Computer, LLC) C:\Users\Owner\Downloads\rkill.exe
2012-08-03 07:28 - 2012-08-03 07:28 - 01051552 ____A (Bleeping Computer, LLC) C:\Users\Owner\Desktop\rkill.exe
2012-08-03 07:24 - 2012-08-17 11:27 - 00000000 ____D C:\Qoobox
2012-08-03 07:24 - 2012-08-06 15:44 - 00000000 ____D C:\Windows\erdnt
2012-08-03 07:24 - 2012-08-03 07:22 - 04729092 ____R (Swearware) C:\Users\Owner\Desktop\ComboFix.exe
2012-08-03 07:20 - 2012-08-03 07:22 - 04729092 ____A (Swearware) C:\Users\Owner\Downloads\ComboFix.exe

============ 3 Months Modified Files ========================

2012-08-23 04:05 - 2008-01-20 17:53 - 01964766 ____A C:\Windows\WindowsUpdate.log
2012-08-23 04:05 - 2006-11-02 07:42 - 00032522 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-08-23 04:05 - 2006-11-02 07:42 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-08-23 04:05 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
2012-08-23 04:05 - 2006-11-02 07:22 - 00003616 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
2012-08-23 04:03 - 2012-03-31 08:06 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2012-08-20 12:36 - 2012-08-20 12:36 - 00012473 ____A C:\Users\Owner\Desktop\DDS.txt
2012-08-20 12:36 - 2012-08-20 12:36 - 00005814 ____A C:\Users\Owner\Desktop\Attach.txt
2012-08-20 12:34 - 2012-08-20 12:34 - 00607260 ____R (Swearware) C:\Users\Owner\Desktop\dds.com
2012-08-20 12:34 - 2012-08-20 12:34 - 00302592 ____A C:\Users\Owner\Desktop\2olyrkbp.exe
2012-08-20 12:34 - 2012-01-27 11:57 - 00000052 ____A C:\Windows\SysWOW64\DOErrors.log
2012-08-08 05:06 - 2006-11-02 04:34 - 00000215 ____A C:\Windows\system.ini
2012-08-08 05:03 - 2006-11-02 04:46 - 00718798 ____A C:\Windows\System32\PerfStringBackup.INI
2012-08-06 18:06 - 2012-01-22 07:02 - 00000334 ____A C:\Windows\Tasks\HPCeeScheduleForOwner.job
2012-08-06 15:44 - 2012-02-21 10:00 - 00000000 ____A C:\Windows\DCEBOOT.LOG
2012-08-06 15:44 - 2008-01-20 19:26 - 00214714 ____A C:\Windows\PFRO.log
2012-08-06 13:30 - 2012-02-21 09:58 - 00021520 ____A C:\Windows\DCEBoot64.exe
2012-08-06 08:31 - 2006-11-02 07:27 - 00078221 ____A C:\Windows\setupact.log
2012-08-06 08:30 - 2012-08-06 08:30 - 00270344 ____A C:\Windows\Minidump\Mini080612-01.dmp
2012-08-06 08:29 - 2012-04-23 19:48 - 373474275 ____A C:\Windows\MEMORY.DMP
2012-08-03 07:32 - 2012-08-03 07:29 - 00001828 ____A C:\Users\Owner\Desktop\Rkill.txt
2012-08-03 07:28 - 2012-08-03 07:28 - 01051552 ____A (Bleeping Computer, LLC) C:\Users\Owner\Downloads\rkill.exe
2012-08-03 07:28 - 2012-08-03 07:28 - 01051552 ____A (Bleeping Computer, LLC) C:\Users\Owner\Desktop\rkill.exe
2012-08-03 07:22 - 2012-08-03 07:24 - 04729092 ____R (Swearware) C:\Users\Owner\Desktop\ComboFix.exe
2012-08-03 07:22 - 2012-08-03 07:20 - 04729092 ____A (Swearware) C:\Users\Owner\Downloads\ComboFix.exe
2012-07-12 20:45 - 2006-11-02 07:21 - 00309832 ____A C:\Windows\System32\FNTCACHE.DAT
2012-07-12 20:29 - 2012-03-31 08:06 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-07-12 20:29 - 2012-01-27 12:35 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-12 20:24 - 2006-11-02 04:35 - 59701280 ____A (Microsoft Corporation) C:\Windows\System32\mrt.exe
2012-06-15 16:23 - 2012-06-15 16:23 - 00856180 ____A C:\Users\Owner\Downloads\Attachments_2012_06_15.zip
2012-06-13 05:58 - 2012-07-12 20:21 - 02769408 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2012-06-08 09:59 - 2012-07-11 20:10 - 12899840 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2012-06-08 09:47 - 2012-07-11 20:10 - 11586048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2012-06-05 08:47 - 2012-07-11 20:10 - 01401856 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml6.dll
2012-06-05 08:47 - 2012-07-11 20:10 - 01248768 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll
2012-06-05 08:22 - 2012-07-11 20:10 - 01869824 ____A (Microsoft Corporation) C:\Windows\System32\msxml3.dll
2012-06-05 08:22 - 2012-07-11 20:10 - 01797120 ____A (Microsoft Corporation) C:\Windows\System32\msxml6.dll
2012-06-04 07:29 - 2012-07-11 20:10 - 00516480 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\ksecdd.sys
2012-06-02 14:19 - 2012-06-07 13:11 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-07 13:11 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-07 13:11 - 00577048 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapi.dll
2012-06-02 14:19 - 2012-06-07 13:11 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-07 13:11 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-07 13:11 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:19 - 2012-06-07 13:11 - 00035864 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wups.dll
2012-06-02 14:15 - 2012-06-07 13:11 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-07 13:11 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:12 - 2012-06-07 13:11 - 00088576 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wudriver.dll
2012-06-02 11:19 - 2012-06-07 13:11 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 11:19 - 2012-06-07 13:11 - 00171904 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuwebv.dll
2012-06-02 11:15 - 2012-06-07 13:11 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-06-02 11:12 - 2012-06-07 13:11 - 00033792 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wuapp.exe
2012-06-02 04:49 - 2012-07-12 20:21 - 17807360 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2012-06-02 04:17 - 2012-07-12 20:21 - 10924032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2012-06-02 04:12 - 2012-07-12 20:21 - 02311680 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2012-06-02 04:05 - 2012-07-12 20:21 - 01392128 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2012-06-02 04:05 - 2012-07-12 20:21 - 01346048 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2012-06-02 04:04 - 2012-07-12 20:21 - 01494528 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2012-06-02 04:04 - 2012-07-12 20:21 - 00237056 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2012-06-02 04:03 - 2012-07-12 20:21 - 00085504 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2012-06-02 04:01 - 2012-07-12 20:21 - 00173056 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2012-06-02 04:00 - 2012-07-12 20:21 - 00818688 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2012-06-02 03:59 - 2012-07-12 20:21 - 02144768 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2012-06-02 03:57 - 2012-07-12 20:21 - 02382848 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2012-06-02 03:57 - 2012-07-12 20:21 - 00096768 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2012-06-02 03:54 - 2012-07-12 20:21 - 00248320 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2012-06-02 01:07 - 2012-07-12 20:21 - 12314624 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2012-06-02 00:43 - 2012-07-12 20:21 - 09737728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2012-06-02 00:33 - 2012-07-12 20:21 - 01800192 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2012-06-02 00:26 - 2012-07-12 20:21 - 01103872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2012-06-02 00:25 - 2012-07-12 20:21 - 01427968 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2012-06-02 00:25 - 2012-07-12 20:21 - 01129472 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2012-06-02 00:23 - 2012-07-12 20:21 - 00231936 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2012-06-02 00:21 - 2012-07-12 20:21 - 00065024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2012-06-02 00:20 - 2012-07-12 20:21 - 00142848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2012-06-02 00:19 - 2012-07-12 20:21 - 01793024 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2012-06-02 00:19 - 2012-07-12 20:21 - 00716800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2012-06-02 00:17 - 2012-07-12 20:21 - 00073216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2012-06-02 00:16 - 2012-07-12 20:21 - 02382848 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2012-06-02 00:14 - 2012-07-12 20:21 - 00176640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2012-06-01 16:22 - 2012-07-11 20:10 - 00347136 ____A (Microsoft Corporation) C:\Windows\System32\schannel.dll
2012-06-01 16:22 - 2012-07-11 20:10 - 00254464 ____A (Microsoft Corporation) C:\Windows\System32\ncrypt.dll
2012-06-01 16:05 - 2012-07-11 20:10 - 00077312 ____A (Microsoft Corporation) C:\Windows\SysWOW64\secur32.dll
2012-06-01 16:04 - 2012-07-11 20:10 - 00278528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\schannel.dll
2012-06-01 16:03 - 2012-07-11 20:10 - 00204288 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ncrypt.dll


ZeroAccess:
C:\Windows\Installer\{ef1597ea-b4ac-b00c-a0a4-4aa9061e74df}
C:\Windows\Installer\{ef1597ea-b4ac-b00c-a0a4-4aa9061e74df}\L
C:\Windows\Installer\{ef1597ea-b4ac-b00c-a0a4-4aa9061e74df}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe BC81150939BD52DBC7A08C245F1FB229 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 21%
Total physical RAM: 2940.39 MB
Available physical RAM: 2315.95 MB
Total Pagefile: 2617.02 MB
Available Pagefile: 2288.09 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (HP) (Fixed) (Total:919.41 GB) (Free:731.4 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (FACTORY_IMAGE) (Fixed) (Total:12.1 GB) (Free:1.65 GB) NTFS ==>[System with boot components (obtained from reading drive)]
4 Drive f: () (Removable) (Total:7.44 GB) (Free:0.71 GB) FAT32
9 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 932 GB 0 B
Disk 1 Online 7634 MB 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B
Disk 4 No Media 0 B 0 B
Disk 5 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 919 GB 32 KB
Partition 2 Primary 12 GB 919 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C HP NTFS Partition 919 GB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D FACTORY_IMA NTFS Partition 12 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7633 MB 16 KB

==================================================================================

Disk: 1
Partition 1
Type : 0B
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 F FAT32 Removable 7633 MB Healthy

==================================================================================

Last Boot: 2012-08-08 05:03

======================= End Of Log ==========================








Search:

Farbar Recovery Scan Tool Version: 22-08-2012 02
Ran by SYSTEM at 2012-08-23 08:14:13
Running from F:\AVirus\Bleepin

================== Search: "services.exe" ===================

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe
[2012-01-22 09:31] - [2009-04-10 20:28] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe
[2008-01-20 18:50] - [2008-01-20 18:50] - 0279040 ____A (Microsoft Corporation) 2B336AB6286D6C81FA02CBAB914E3C6C

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe
[2012-01-22 09:31] - [2009-04-10 21:10] - 0384512 ____A (Microsoft Corporation) 934E0B7D77FF78C18D9F8891221B6DE3

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe
[2008-01-20 18:49] - [2008-01-20 18:49] - 0384512 ____A (Microsoft Corporation) DFAC660F0F139276CC9299812DE42719

C:\Windows\SysWOW64\services.exe
[2012-01-22 09:31] - [2009-04-10 20:28] - 0279552 ____A (Microsoft Corporation) D4E6D91C1349B7BFB3599A6ADA56851B

C:\Windows\System32\services.exe
[2012-01-22 09:31] - [2009-04-10 21:10] - 0384512 ____A (Microsoft Corporation) BC81150939BD52DBC7A08C245F1FB229

====== End Of Search ======

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:01 AM

Posted 23 August 2012 - 08:06 AM

Hello

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe C:\Windows\System32\services.exe
C:\Windows\Installer\{ef1597ea-b4ac-b00c-a0a4-4aa9061e74df}

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Gringo[/b]
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 4ntim4lw4re

4ntim4lw4re
  • Topic Starter

  • Members
  • 453 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:10:01 AM

Posted 23 August 2012 - 02:14 PM

Gingo,

Here is the log file.

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 22-08-2012 02
Ran by SYSTEM at 2012-08-23 15:11:27 Run:1
Running from J:\AVirus\Bleepin

==============================================

C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe copied successfully to C:\Windows\System32\services.exe
C:\Windows\Installer\{ef1597ea-b4ac-b00c-a0a4-4aa9061e74df} moved successfully.

==== End of Fixlog ====

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:01 AM

Posted 23 August 2012 - 11:58 PM

Hello

I would like you to download an updated version of combofix.

update combofix

Delete the version of combofix you have now on your desktop and download a new one from here

Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note:Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer
[/list]
"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 4ntim4lw4re

4ntim4lw4re
  • Topic Starter

  • Members
  • 453 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:10:01 AM

Posted 24 August 2012 - 07:18 AM

Gringo,

Here is the Combofix log.

ComboFix 12-08-22.03 - Owner 08/24/2012 8:04.4.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2940.1906 [GMT -4:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
AV: Trend Micro Titanium 2012 *Disabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}
SP: Trend Micro Titanium 2012 *Disabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\assembly\GAC_32\Desktop.ini
c:\windows\assembly\GAC_64\Desktop.ini
.
.
((((((((((((((((((((((((( Files Created from 2012-07-24 to 2012-08-24 )))))))))))))))))))))))))))))))
.
.
2012-08-24 12:10 . 2012-08-24 12:10 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-23 16:10 . 2012-08-23 16:10 -------- d-----w- C:\FRST
2012-08-06 18:44 . 2012-08-24 12:10 -------- d-----w- c:\users\Owner\AppData\Local\temp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-06 21:30 . 2012-02-21 17:58 21520 ----a-w- c:\windows\DCEBoot64.exe
2012-07-13 04:29 . 2012-03-31 16:06 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-13 04:29 . 2012-01-27 20:35 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-13 04:24 . 2006-11-02 12:35 59701280 ----a-w- c:\windows\system32\mrt.exe
2012-06-13 13:58 . 2012-07-13 04:21 2769408 ----a-w- c:\windows\system32\win32k.sys
2012-06-08 17:59 . 2012-07-12 04:10 12899840 ----a-w- c:\windows\system32\shell32.dll
2012-06-05 16:47 . 2012-07-12 04:10 1401856 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-05 16:47 . 2012-07-12 04:10 1248768 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-05 16:22 . 2012-07-12 04:10 1797120 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 16:22 . 2012-07-12 04:10 1869824 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 15:29 . 2012-07-12 04:10 516480 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 22:19 . 2012-06-07 21:11 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-07 21:11 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-07 21:11 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-07 21:11 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-07 21:11 35864 ----a-w- c:\windows\SysWow64\wups.dll
2012-06-02 22:19 . 2012-06-07 21:11 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-07 21:11 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
2012-06-02 22:15 . 2012-06-07 21:11 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-07 21:11 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 22:12 . 2012-06-07 21:11 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
2012-06-02 19:19 . 2012-06-07 21:11 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:19 . 2012-06-07 21:11 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
2012-06-02 19:15 . 2012-06-07 21:11 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 19:12 . 2012-06-07 21:11 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
2012-06-02 12:49 . 2012-07-13 04:21 17807360 ----a-w- c:\windows\system32\mshtml.dll
2012-06-02 12:17 . 2012-07-13 04:21 10924032 ----a-w- c:\windows\system32\ieframe.dll
2012-06-02 12:12 . 2012-07-13 04:21 2311680 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 12:05 . 2012-07-13 04:21 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-06-02 12:05 . 2012-07-13 04:21 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 12:04 . 2012-07-13 04:21 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 12:04 . 2012-07-13 04:21 237056 ----a-w- c:\windows\system32\url.dll
2012-06-02 12:03 . 2012-07-13 04:21 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-06-02 12:01 . 2012-07-13 04:21 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 12:00 . 2012-07-13 04:21 818688 ----a-w- c:\windows\system32\jscript.dll
2012-06-02 11:59 . 2012-07-13 04:21 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-06-02 11:57 . 2012-07-13 04:21 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-06-02 11:57 . 2012-07-13 04:21 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 11:54 . 2012-07-13 04:21 248320 ----a-w- c:\windows\system32\ieui.dll
2012-06-02 08:33 . 2012-07-13 04:21 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-06-02 08:25 . 2012-07-13 04:21 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-06-02 08:25 . 2012-07-13 04:21 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-06-02 08:20 . 2012-07-13 04:21 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-06-02 08:16 . 2012-07-13 04:21 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-06-02 00:22 . 2012-07-12 04:10 347136 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 00:22 . 2012-07-12 04:10 254464 ----a-w- c:\windows\system32\ncrypt.dll
2012-06-02 00:05 . 2012-07-12 04:10 77312 ----a-w- c:\windows\SysWow64\secur32.dll
2012-06-02 00:04 . 2012-07-12 04:10 278528 ----a-w- c:\windows\SysWow64\schannel.dll
2012-06-02 00:03 . 2012-07-12 04:10 204288 ----a-w- c:\windows\SysWow64\ncrypt.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-06_23.44.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-23 01:50 . 2012-08-23 13:46 81920 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-07-23 01:50 . 2012-08-03 15:25 81920 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 02:23 . 2012-08-24 11:54 43028 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:45 . 2012-08-24 11:54 73362 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2012-01-22 15:18 . 2012-08-23 19:08 21480 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2012-01-29 04:42 . 2012-08-08 12:56 2984 c:\windows\system32\WDI\ERCQueuedResolutions.dat
+ 2012-01-22 14:58 . 2012-08-24 11:54 9826 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-839740710-2640123701-1280113604-1000_UserData.bin
+ 2012-08-24 11:52 . 2012-08-24 11:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-08-06 23:44 . 2012-08-06 23:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-24 11:52 . 2012-08-24 11:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-08-06 23:44 . 2012-08-06 23:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-01-22 18:46 . 2012-08-23 19:06 276418 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2012-01-22 17:31 . 2008-01-21 02:49 384512 c:\windows\system32\services.exe
- 2012-01-22 17:31 . 2009-04-11 05:10 384512 c:\windows\system32\services.exe
- 2006-11-02 12:46 . 2012-08-06 21:35 615676 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-08-24 11:57 615676 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-08-24 11:57 107716 c:\windows\system32\perfc009.dat
- 2006-11-02 12:46 . 2012-08-06 21:35 107716 c:\windows\system32\perfc009.dat
- 2012-01-22 20:36 . 2012-08-06 23:43 288472 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-01-22 20:36 . 2012-08-23 19:08 288472 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2008-01-21 03:20 . 2012-08-23 13:46 2736128 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2012-08-03 15:25 2736128 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2012-08-03 15:25 7962624 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 03:20 . 2012-08-23 13:46 7962624 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-01-22 20:36 . 2012-07-23 06:39 1945660 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-839740710-2640123701-1280113604-1000-8192.dat
+ 2012-01-22 20:36 . 2012-08-23 12:05 1945660 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-839740710-2640123701-1280113604-1000-8192.dat
+ 2012-01-26 00:17 . 2012-08-23 12:05 25544176 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-839740710-2640123701-1280113604-1000-4096.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"HPAdvisor"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-07-03 972080]
"MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-02 75008]
"SunJavaUpdateSched"="c:\program files (x86)\Java\jre1.6.0_01\bin\jusched.exe" [2007-04-07 132760]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-13 250056]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-23 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 04:29]
.
2012-08-07 c:\windows\Tasks\HPCeeScheduleForOwner.job
- c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2012-01-22 04:03]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 15851040]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 82464]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2012-07-06 1304824]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2012-02-27 213824]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 168.95.1.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-08-24 08:12:51
ComboFix-quarantined-files.txt 2012-08-24 12:12
ComboFix2.txt 2012-08-08 13:16
ComboFix3.txt 2012-08-06 23:50
ComboFix4.txt 2012-08-06 18:44
.
Pre-Run: 785,387,663,360 bytes free
Post-Run: 785,355,132,928 bytes free
.
- - End Of File - - D1838185F008BB359E7E71F915C5C05E



The computer is running much better. It is moving at normal speeds and I haven't detected any signs of malware.

Thanks,
4ntim4lw4are

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:01 AM

Posted 24 August 2012 - 07:36 AM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 4ntim4lw4re

4ntim4lw4re
  • Topic Starter

  • Members
  • 453 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:10:01 AM

Posted 24 August 2012 - 07:53 AM

Gringo,

Here is the TDSSKiller log file:

08:45:19.0792 2636 TDSS rootkit removing tool 2.8.8.0 Aug 24 2012 13:27:48
08:45:20.0119 2636 ============================================================
08:45:20.0119 2636 Current date / time: 2012/08/24 08:45:20.0119
08:45:20.0119 2636 SystemInfo:
08:45:20.0119 2636
08:45:20.0119 2636 OS Version: 6.0.6002 ServicePack: 2.0
08:45:20.0119 2636 Product type: Workstation
08:45:20.0119 2636 ComputerName: OWNER-PC
08:45:20.0119 2636 UserName: Owner
08:45:20.0119 2636 Windows directory: C:\Windows
08:45:20.0119 2636 System windows directory: C:\Windows
08:45:20.0119 2636 Running under WOW64
08:45:20.0119 2636 Processor architecture: Intel x64
08:45:20.0119 2636 Number of processors: 2
08:45:20.0119 2636 Page size: 0x1000
08:45:20.0119 2636 Boot type: Normal boot
08:45:20.0119 2636 ============================================================
08:45:20.0946 2636 Drive \Device\Harddisk0\DR0 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1F8B1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000040
08:45:20.0962 2636 ============================================================
08:45:20.0962 2636 \Device\Harddisk0\DR0:
08:45:20.0962 2636 MBR partitions:
08:45:20.0962 2636 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x72ED32F1
08:45:20.0962 2636 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x72ED3330, BlocksNum 0x18322E0
08:45:20.0962 2636 ============================================================
08:45:20.0977 2636 C: <-> \Device\Harddisk0\DR0\Partition1
08:45:21.0008 2636 D: <-> \Device\Harddisk0\DR0\Partition2
08:45:21.0008 2636 ============================================================
08:45:21.0008 2636 Initialize success
08:45:21.0008 2636 ============================================================
08:45:25.0688 4896 ============================================================
08:45:25.0688 4896 Scan started
08:45:25.0688 4896 Mode: Manual;
08:45:25.0688 4896 ============================================================
08:45:27.0623 4896 ================ Scan system memory ========================
08:45:27.0623 4896 System memory - ok
08:45:27.0623 4896 ================ Scan services =============================
08:45:27.0763 4896 [ 1965AAFFAB07E3FB03C77F81BEBA3547 ] ACPI C:\Windows\system32\drivers\acpi.sys
08:45:27.0763 4896 ACPI - ok
08:45:27.0857 4896 [ 5E1A953C6472E7BB644892A4D0DF5E72 ] AdobeFlashPlayerUpdateSvc C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
08:45:27.0857 4896 AdobeFlashPlayerUpdateSvc - ok
08:45:27.0904 4896 [ F14215E37CF124104575073F782111D2 ] adp94xx C:\Windows\system32\drivers\adp94xx.sys
08:45:27.0904 4896 adp94xx - ok
08:45:27.0935 4896 [ 7D05A75E3066861A6610F7EE04FF085C ] adpahci C:\Windows\system32\drivers\adpahci.sys
08:45:27.0950 4896 adpahci - ok
08:45:27.0966 4896 [ 820A201FE08A0C345B3BEDBC30E1A77C ] adpu160m C:\Windows\system32\drivers\adpu160m.sys
08:45:27.0966 4896 adpu160m - ok
08:45:27.0997 4896 [ 9B4AB6854559DC168FBB4C24FC52E794 ] adpu320 C:\Windows\system32\drivers\adpu320.sys
08:45:27.0997 4896 adpu320 - ok
08:45:28.0028 4896 [ 0F421175574BFE0BF2F4D8E910A253BB ] AeLookupSvc C:\Windows\System32\aelupsvc.dll
08:45:28.0028 4896 AeLookupSvc - ok
08:45:28.0075 4896 [ C4F6CE6087760AD70960C9EB130E7943 ] AFD C:\Windows\system32\drivers\afd.sys
08:45:28.0075 4896 AFD - ok
08:45:28.0091 4896 [ F6F6793B7F17B550ECFDBD3B229173F7 ] agp440 C:\Windows\system32\drivers\agp440.sys
08:45:28.0091 4896 agp440 - ok
08:45:28.0106 4896 [ 222CB641B4B8A1D1126F8033F9FD6A00 ] aic78xx C:\Windows\system32\drivers\djsvs.sys
08:45:28.0106 4896 aic78xx - ok
08:45:28.0122 4896 [ 5922F4F59B7868F3D74BBBBEB7B825A3 ] ALG C:\Windows\System32\alg.exe
08:45:28.0122 4896 ALG - ok
08:45:28.0138 4896 [ 157D0898D4B73F075CE9FA26B482DF98 ] aliide C:\Windows\system32\drivers\aliide.sys
08:45:28.0138 4896 aliide - ok
08:45:28.0153 4896 [ 970FA5059E61E30D25307B99903E991E ] amdide C:\Windows\system32\drivers\amdide.sys
08:45:28.0153 4896 amdide - ok
08:45:28.0169 4896 [ CDC3632A3A5EA4DBB83E46076A3165A1 ] AmdK8 C:\Windows\system32\drivers\amdk8.sys
08:45:28.0184 4896 AmdK8 - ok
08:45:28.0231 4896 [ 1B7D1F0A0DFADBC797C16364792A7AA5 ] Amsp C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
08:45:28.0231 4896 Amsp - ok
08:45:28.0247 4896 [ 9C37B3FD5615477CB9A0CD116CF43F5C ] Appinfo C:\Windows\System32\appinfo.dll
08:45:28.0247 4896 Appinfo - ok
08:45:28.0309 4896 [ 7EF47644B74EBE721CC32211D3C35E76 ] Apple Mobile Device C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
08:45:28.0309 4896 Apple Mobile Device - ok
08:45:28.0325 4896 [ BA8417D4765F3988FF921F30F630E303 ] arc C:\Windows\system32\drivers\arc.sys
08:45:28.0325 4896 arc - ok
08:45:28.0356 4896 [ 9D41C435619733B34CC16A511E644B11 ] arcsas C:\Windows\system32\drivers\arcsas.sys
08:45:28.0356 4896 arcsas - ok
08:45:28.0372 4896 [ 22D13FF3DAFEC2A80634752B1EAA2DE6 ] AsyncMac C:\Windows\system32\DRIVERS\asyncmac.sys
08:45:28.0372 4896 AsyncMac - ok
08:45:28.0403 4896 [ E68D9B3A3905619732F7FE039466A623 ] atapi C:\Windows\system32\drivers\atapi.sys
08:45:28.0403 4896 atapi - ok
08:45:28.0434 4896 [ 79318C744693EC983D20E9337A2F8196 ] AudioEndpointBuilder C:\Windows\System32\Audiosrv.dll
08:45:28.0450 4896 AudioEndpointBuilder - ok
08:45:28.0450 4896 [ 79318C744693EC983D20E9337A2F8196 ] AudioSrv C:\Windows\System32\Audiosrv.dll
08:45:28.0465 4896 AudioSrv - ok
08:45:28.0512 4896 [ 2843669C89A00950195F51DBB5DB0B8E ] Automatic LiveUpdate Scheduler c:\Program Files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe
08:45:28.0512 4896 Automatic LiveUpdate Scheduler - ok
08:45:28.0512 4896 Beep - ok
08:45:28.0543 4896 [ FFB96C2589FFA60473EAD78B39FBDE29 ] BFE C:\Windows\System32\bfe.dll
08:45:28.0543 4896 BFE - ok
08:45:28.0559 4896 [ 79FEEB40056683F8F61398D81DDA65D2 ] blbdrive C:\Windows\system32\drivers\blbdrive.sys
08:45:28.0559 4896 blbdrive - ok
08:45:28.0590 4896 [ EBBCD5DFBB1DE70E8F4AF8FA59E401FD ] Bonjour Service C:\Program Files\Bonjour\mDNSResponder.exe
08:45:28.0606 4896 Bonjour Service - ok
08:45:28.0652 4896 [ 2348447A80920B2493A9B582A23E81E1 ] bowser C:\Windows\system32\DRIVERS\bowser.sys
08:45:28.0668 4896 bowser - ok
08:45:28.0684 4896 [ F09EEE9EDC320B5E1501F749FDE686C8 ] BrFiltLo C:\Windows\system32\drivers\brfiltlo.sys
08:45:28.0699 4896 BrFiltLo - ok
08:45:28.0730 4896 [ B114D3098E9BDB8BEA8B053685831BE6 ] BrFiltUp C:\Windows\system32\drivers\brfiltup.sys
08:45:28.0730 4896 BrFiltUp - ok
08:45:28.0762 4896 [ A1B39DE453433B115B4EA69EE0343816 ] Browser C:\Windows\System32\browser.dll
08:45:28.0777 4896 Browser - ok
08:45:28.0808 4896 [ F0F0BA4D815BE446AA6A4583CA3BCA9B ] Brserid C:\Windows\system32\drivers\brserid.sys
08:45:28.0824 4896 Brserid - ok
08:45:28.0871 4896 [ A6ECA2151B08A09CACECA35C07F05B42 ] BrSerWdm C:\Windows\system32\drivers\brserwdm.sys
08:45:28.0871 4896 BrSerWdm - ok
08:45:28.0902 4896 [ B79968002C277E869CF38BD22CD61524 ] BrUsbMdm C:\Windows\system32\drivers\brusbmdm.sys
08:45:28.0918 4896 BrUsbMdm - ok
08:45:28.0949 4896 [ A87528880231C54E75EA7A44943B38BF ] BrUsbSer C:\Windows\system32\drivers\brusbser.sys
08:45:28.0964 4896 BrUsbSer - ok
08:45:28.0996 4896 [ E0777B34E05F8A82A21856EFC900C29F ] BTHMODEM C:\Windows\system32\drivers\bthmodem.sys
08:45:28.0996 4896 BTHMODEM - ok
08:45:29.0011 4896 catchme - ok
08:45:29.0074 4896 [ 6C2DD66A3DB32450D661BA89B18B1941 ] CAXHWBS2 C:\Windows\system32\DRIVERS\CAXHWBS2.sys
08:45:29.0074 4896 CAXHWBS2 - ok
08:45:29.0089 4896 [ B4D787DB8D30793A4D4DF9FEED18F136 ] cdfs C:\Windows\system32\DRIVERS\cdfs.sys
08:45:29.0089 4896 cdfs - ok
08:45:29.0136 4896 [ C025AA69BE3D0D25C7A2E746EF6F94FC ] cdrom C:\Windows\system32\DRIVERS\cdrom.sys
08:45:29.0136 4896 cdrom - ok
08:45:29.0167 4896 [ 5A268127633C7EE2A7FB87F39D748D56 ] CertPropSvc C:\Windows\System32\certprop.dll
08:45:29.0167 4896 CertPropSvc - ok
08:45:29.0183 4896 [ 02EA568D498BBDD4BA55BF3FCE34D456 ] circlass C:\Windows\system32\drivers\circlass.sys
08:45:29.0183 4896 circlass - ok
08:45:29.0214 4896 [ 3DCA9A18B204939CFB24BEA53E31EB48 ] CLFS C:\Windows\system32\CLFS.sys
08:45:29.0214 4896 CLFS - ok
08:45:29.0276 4896 [ 8EE772032E2FE80A924F3B8DD5082194 ] clr_optimization_v2.0.50727_32 C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
08:45:29.0292 4896 clr_optimization_v2.0.50727_32 - ok
08:45:29.0323 4896 [ CE07A466201096F021CD09D631B21540 ] clr_optimization_v2.0.50727_64 C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
08:45:29.0323 4896 clr_optimization_v2.0.50727_64 - ok
08:45:29.0370 4896 [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
08:45:29.0386 4896 clr_optimization_v4.0.30319_32 - ok
08:45:29.0401 4896 [ C6F9AF94DCD58122A4D7E89DB6BED29D ] clr_optimization_v4.0.30319_64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
08:45:29.0401 4896 clr_optimization_v4.0.30319_64 - ok
08:45:29.0417 4896 [ E5D5499A1C50A54B5161296B6AFE6192 ] cmdide C:\Windows\system32\drivers\cmdide.sys
08:45:29.0417 4896 cmdide - ok
08:45:29.0432 4896 [ 7FB8AD01DB0EABE60C8A861531A8F431 ] Compbatt C:\Windows\system32\drivers\compbatt.sys
08:45:29.0432 4896 Compbatt - ok
08:45:29.0448 4896 COMSysApp - ok
08:45:29.0464 4896 [ A8585B6412253803CE8EFCBD6D6DC15C ] crcdisk C:\Windows\system32\drivers\crcdisk.sys
08:45:29.0464 4896 crcdisk - ok
08:45:29.0495 4896 [ 62740B9D2A137E8CED41A9E4239A7A31 ] CryptSvc C:\Windows\system32\cryptsvc.dll
08:45:29.0495 4896 CryptSvc - ok
08:45:29.0542 4896 [ CF8B9A3A5E7DC57724A89D0C3E8CF9EF ] DcomLaunch C:\Windows\system32\rpcss.dll
08:45:29.0557 4896 DcomLaunch - ok
08:45:29.0588 4896 [ 8B722BA35205C71E7951CDC4CDBADE19 ] DfsC C:\Windows\system32\Drivers\dfsc.sys
08:45:29.0588 4896 DfsC - ok
08:45:29.0666 4896 [ C647F468F7DE343DF8C143655C5557D4 ] DFSR C:\Windows\system32\DFSR.exe
08:45:29.0744 4896 DFSR - ok
08:45:29.0760 4896 [ 3ED0321127CE70ACDAABBF77E157C2A7 ] Dhcp C:\Windows\System32\dhcpcsvc.dll
08:45:29.0760 4896 Dhcp - ok
08:45:29.0776 4896 [ B0107E40ECDB5FA692EBF832F295D905 ] disk C:\Windows\system32\drivers\disk.sys
08:45:29.0791 4896 disk - ok
08:45:29.0807 4896 [ 06230F1B721494A6DF8D47FD395BB1B0 ] Dnscache C:\Windows\System32\dnsrslvr.dll
08:45:29.0807 4896 Dnscache - ok
08:45:29.0822 4896 [ 1A7156DD1E850E9914E5E991E3225B94 ] dot3svc C:\Windows\System32\dot3svc.dll
08:45:29.0822 4896 dot3svc - ok
08:45:29.0854 4896 [ 74C02B1717740C3B8039539E23E4B53F ] Dot4 C:\Windows\system32\DRIVERS\Dot4.sys
08:45:29.0854 4896 Dot4 - ok
08:45:29.0885 4896 [ 08321D1860235BF42CF2854234337AEA ] Dot4Print C:\Windows\system32\DRIVERS\Dot4Prt.sys
08:45:29.0885 4896 Dot4Print - ok
08:45:29.0900 4896 [ 4ADCCF0124F2B6911D3786A5D0E779E5 ] dot4usb C:\Windows\system32\DRIVERS\dot4usb.sys
08:45:29.0900 4896 dot4usb - ok
08:45:29.0932 4896 [ 1583B39790DB3EAEC7EDB0CB0140C708 ] DPS C:\Windows\system32\dps.dll
08:45:29.0932 4896 DPS - ok
08:45:29.0947 4896 [ F1A78A98CFC2EE02144C6BEC945447E6 ] drmkaud C:\Windows\system32\drivers\drmkaud.sys
08:45:29.0947 4896 drmkaud - ok
08:45:29.0994 4896 [ B8E554E502D5123BC111F99D6A2181B4 ] DXGKrnl C:\Windows\System32\drivers\dxgkrnl.sys
08:45:30.0010 4896 DXGKrnl - ok
08:45:30.0025 4896 [ 264CEE7B031A9D6C827F3D0CB031F2FE ] E1G60 C:\Windows\system32\DRIVERS\E1G6032E.sys
08:45:30.0025 4896 E1G60 - ok
08:45:30.0056 4896 [ C2303883FD9BE49DC36A6400643002EA ] EapHost C:\Windows\System32\eapsvc.dll
08:45:30.0056 4896 EapHost - ok
08:45:30.0072 4896 [ 5F94962BE5A62DB6E447FF6470C4F48A ] Ecache C:\Windows\system32\drivers\ecache.sys
08:45:30.0072 4896 Ecache - ok
08:45:30.0119 4896 [ 14CE384D2E27B64C256BDA4DC39C312D ] ehRecvr C:\Windows\ehome\ehRecvr.exe
08:45:30.0119 4896 ehRecvr - ok
08:45:30.0134 4896 [ B93159C1313D66FDFBBE876F5189CD52 ] ehSched C:\Windows\ehome\ehsched.exe
08:45:30.0134 4896 ehSched - ok
08:45:30.0150 4896 [ F5EE2527D74449868E3C3227A59BCD28 ] ehstart C:\Windows\ehome\ehstart.dll
08:45:30.0150 4896 ehstart - ok
08:45:30.0166 4896 [ C4636D6E10469404AB5308D9FD45ED07 ] elxstor C:\Windows\system32\drivers\elxstor.sys
08:45:30.0181 4896 elxstor - ok
08:45:30.0212 4896 [ A9B18B63A4FD6BAAB83326706D857FAB ] EMDMgmt C:\Windows\system32\emdmgmt.dll
08:45:30.0212 4896 EMDMgmt - ok
08:45:30.0228 4896 [ BC3A58E938BB277E46BF4B3003B01ABD ] ErrDev C:\Windows\system32\drivers\errdev.sys
08:45:30.0228 4896 ErrDev - ok
08:45:30.0259 4896 [ E12F22B73F153DECE721CD45EC05B4AF ] EventSystem C:\Windows\system32\es.dll
08:45:30.0275 4896 EventSystem - ok
08:45:30.0290 4896 [ 486844F47B6636044A42454614ED4523 ] exfat C:\Windows\system32\drivers\exfat.sys
08:45:30.0290 4896 exfat - ok
08:45:30.0322 4896 [ 1A4BEE34277784619DDAF0422C0C6E23 ] fastfat C:\Windows\system32\drivers\fastfat.sys
08:45:30.0322 4896 fastfat - ok
08:45:30.0337 4896 [ 81B79B6DF71FA1D2C6D688D830616E39 ] fdc C:\Windows\system32\DRIVERS\fdc.sys
08:45:30.0337 4896 fdc - ok
08:45:30.0337 4896 [ BB9267ACACD8B7533DD936C34A0CBA5E ] fdPHost C:\Windows\system32\fdPHost.dll
08:45:30.0337 4896 fdPHost - ok
08:45:30.0353 4896 [ 300C80931EABBE1DB7591C516EFE8D0F ] FDResPub C:\Windows\system32\fdrespub.dll
08:45:30.0353 4896 FDResPub - ok
08:45:30.0368 4896 [ 457B7D1D533E4BD62A99AED9C7BB4C59 ] FileInfo C:\Windows\system32\drivers\fileinfo.sys
08:45:30.0368 4896 FileInfo - ok
08:45:30.0384 4896 [ D421327FD6EFCCAF884A54C58E1B0D7F ] Filetrace C:\Windows\system32\drivers\filetrace.sys
08:45:30.0384 4896 Filetrace - ok
08:45:30.0400 4896 [ 230923EA2B80F79B0F88D90F87B87EBD ] flpydisk C:\Windows\system32\DRIVERS\flpydisk.sys
08:45:30.0400 4896 flpydisk - ok
08:45:30.0415 4896 [ E3041BC26D6930D61F42AEDB79C91720 ] FltMgr C:\Windows\system32\drivers\fltmgr.sys
08:45:30.0415 4896 FltMgr - ok
08:45:30.0462 4896 [ BE1C5BD1CA7ED015BC6FA1AE67E592C8 ] FontCache C:\Windows\system32\FntCache.dll
08:45:30.0493 4896 FontCache - ok
08:45:30.0509 4896 [ BC5B0BE5AF3510B0FD8C140EE42C6D3E ] FontCache3.0.0.0 C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
08:45:30.0509 4896 FontCache3.0.0.0 - ok
08:45:30.0556 4896 [ 5779B86CD8B32519FBECB136394D946A ] Fs_Rec C:\Windows\system32\drivers\Fs_Rec.sys
08:45:30.0556 4896 Fs_Rec - ok
08:45:30.0571 4896 [ C8E416668D3DC2BE3D4FE4C79224997F ] gagp30kx C:\Windows\system32\drivers\gagp30kx.sys
08:45:30.0571 4896 gagp30kx - ok
08:45:30.0618 4896 [ C403C5DB49A0F9AAF4F2128EDC0106D8 ] GamesAppService C:\Program Files (x86)\WildTangent Games\App\GamesAppService.exe
08:45:30.0618 4896 GamesAppService - ok
08:45:30.0634 4896 [ E403AACF8C7BB11375122D2464560311 ] GEARAspiWDM C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
08:45:30.0634 4896 GEARAspiWDM - ok
08:45:30.0680 4896 [ A0E1B575BA8F504968CD40C0FAEB2384 ] gpsvc C:\Windows\System32\gpsvc.dll
08:45:30.0696 4896 gpsvc - ok
08:45:30.0743 4896 [ F942C5820205F2FB453243EDFEC82A3D ] HDAudBus C:\Windows\system32\DRIVERS\HDAudBus.sys
08:45:30.0758 4896 HDAudBus - ok
08:45:30.0774 4896 [ B4881C84A180E75B8C25DC1D726C375F ] HidBth C:\Windows\system32\drivers\hidbth.sys
08:45:30.0774 4896 HidBth - ok
08:45:30.0790 4896 [ 4E77A77E2C986E8F88F996BB3E1AD829 ] HidIr C:\Windows\system32\drivers\hidir.sys
08:45:30.0790 4896 HidIr - ok
08:45:30.0805 4896 [ 59361D38A297755D46A540E450202B2A ] hidserv C:\Windows\System32\hidserv.dll
08:45:30.0805 4896 hidserv - ok
08:45:30.0821 4896 [ 443BDD2D30BB4F00795C797E2CF99EDF ] HidUsb C:\Windows\system32\DRIVERS\hidusb.sys
08:45:30.0821 4896 HidUsb - ok
08:45:30.0836 4896 [ B12F367EA39C0795FD57E31242CE1A5A ] hkmsvc C:\Windows\system32\kmsvc.dll
08:45:30.0836 4896 hkmsvc - ok
08:45:30.0899 4896 [ A3A30438C48D2D71556E120C9C7BA7A0 ] HP Health Check Service c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
08:45:30.0930 4896 HP Health Check Service - ok
08:45:30.0992 4896 [ D7109A1E6BD2DFDBCBA72A6BC626A13B ] HpCISSs C:\Windows\system32\drivers\hpcisss.sys
08:45:31.0024 4896 HpCISSs - ok
08:45:31.0070 4896 [ 3A9291D4047935F776DB8AF831AB9BA6 ] HSF_DP C:\Windows\system32\DRIVERS\CAX_DP.sys
08:45:31.0102 4896 HSF_DP - ok
08:45:31.0133 4896 [ 098F1E4E5C9CB5B0063A959063631610 ] HTTP C:\Windows\system32\drivers\HTTP.sys
08:45:31.0148 4896 HTTP - ok
08:45:31.0164 4896 [ DA94C854CEA5FAC549D4E1F6E88349E8 ] i2omp C:\Windows\system32\drivers\i2omp.sys
08:45:31.0164 4896 i2omp - ok
08:45:31.0180 4896 [ CBB597659A2713CE0C9CC20C88C7591F ] i8042prt C:\Windows\system32\DRIVERS\i8042prt.sys
08:45:31.0180 4896 i8042prt - ok
08:45:31.0195 4896 [ 3E3BF3627D886736D0B4E90054F929F6 ] iaStorV C:\Windows\system32\drivers\iastorv.sys
08:45:31.0211 4896 iaStorV - ok
08:45:31.0242 4896 [ 749F5F8CEDCA70F2A512945325FC489D ] idsvc C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
08:45:31.0258 4896 idsvc - ok
08:45:31.0273 4896 [ 8C3951AD2FE886EF76C7B5027C3125D3 ] iirsp C:\Windows\system32\drivers\iirsp.sys
08:45:31.0273 4896 iirsp - ok
08:45:31.0304 4896 [ 0C9EA6E654E7B0471741E343A6C671AF ] IKEEXT C:\Windows\System32\ikeext.dll
08:45:31.0304 4896 IKEEXT - ok
08:45:31.0367 4896 [ 1EDAB7F9B9DE4424BECCDEF950CE2FF0 ] IntcAzAudAddService C:\Windows\system32\drivers\RTKVHD64.sys
08:45:31.0398 4896 IntcAzAudAddService - ok
08:45:31.0414 4896 [ DF797A12176F11B2D301C5B234BB200E ] intelide C:\Windows\system32\drivers\intelide.sys
08:45:31.0414 4896 intelide - ok
08:45:31.0429 4896 [ BFD84AF32FA1BAD6231C4585CB469630 ] intelppm C:\Windows\system32\DRIVERS\intelppm.sys
08:45:31.0429 4896 intelppm - ok
08:45:31.0429 4896 [ 5624BC1BC5EEB49C0AB76A8114F05EA3 ] IPBusEnum C:\Windows\system32\ipbusenum.dll
08:45:31.0445 4896 IPBusEnum - ok
08:45:31.0460 4896 [ D8AABC341311E4780D6FCE8C73C0AD81 ] IpFilterDriver C:\Windows\system32\DRIVERS\ipfltdrv.sys
08:45:31.0460 4896 IpFilterDriver - ok
08:45:31.0507 4896 [ BF0DBFA9792C5C14FA00F61C75116C1B ] iphlpsvc C:\Windows\System32\iphlpsvc.dll
08:45:31.0507 4896 iphlpsvc - ok
08:45:31.0507 4896 IpInIp - ok
08:45:31.0538 4896 [ 9C2EE2E6E5A7203BFAE15C299475EC67 ] IPMIDRV C:\Windows\system32\drivers\ipmidrv.sys
08:45:31.0538 4896 IPMIDRV - ok
08:45:31.0554 4896 [ B7E6212F581EA5F6AB0C3A6CEEEB89BE ] IPNAT C:\Windows\system32\DRIVERS\ipnat.sys
08:45:31.0554 4896 IPNAT - ok
08:45:31.0601 4896 [ 50D6CCC6FF5561F9F56946B3E6164FB8 ] iPod Service C:\Program Files\iPod\bin\iPodService.exe
08:45:31.0601 4896 iPod Service - ok
08:45:31.0632 4896 [ 8C42CA155343A2F11D29FECA67FAA88D ] IRENUM C:\Windows\system32\drivers\irenum.sys
08:45:31.0632 4896 IRENUM - ok
08:45:31.0648 4896 [ 0672BFCEDC6FC468A2B0500D81437F4F ] isapnp C:\Windows\system32\drivers\isapnp.sys
08:45:31.0648 4896 isapnp - ok
08:45:31.0679 4896 [ E4FDF99599F27EC25D2CF6D754243520 ] iScsiPrt C:\Windows\system32\DRIVERS\msiscsi.sys
08:45:31.0679 4896 iScsiPrt - ok
08:45:31.0694 4896 [ 63C766CDC609FF8206CB447A65ABBA4A ] iteatapi C:\Windows\system32\drivers\iteatapi.sys
08:45:31.0694 4896 iteatapi - ok
08:45:31.0710 4896 [ 1281FE73B17664631D12F643CBEA3F59 ] iteraid C:\Windows\system32\drivers\iteraid.sys
08:45:31.0710 4896 iteraid - ok
08:45:31.0726 4896 [ 423696F3BA6472DD17699209B933BC26 ] kbdclass C:\Windows\system32\DRIVERS\kbdclass.sys
08:45:31.0726 4896 kbdclass - ok
08:45:31.0741 4896 [ DBDF75D51464FBC47D0104EC3D572C05 ] kbdhid C:\Windows\system32\DRIVERS\kbdhid.sys
08:45:31.0741 4896 kbdhid - ok
08:45:31.0772 4896 [ 260BF9C43EE12C6898A9F5AAB0FB0E5D ] KeyIso C:\Windows\system32\lsass.exe
08:45:31.0772 4896 KeyIso - ok
08:45:31.0819 4896 [ 88956AD9FA510848AD176777A6C6C1F5 ] KSecDD C:\Windows\system32\Drivers\ksecdd.sys
08:45:31.0819 4896 KSecDD - ok
08:45:31.0835 4896 [ 1D419CF43DB29396ECD7113D129D94EB ] ksthunk C:\Windows\system32\drivers\ksthunk.sys
08:45:31.0835 4896 ksthunk - ok
08:45:31.0850 4896 [ 1FAF6926F3416D3DA05C5B265491BDAE ] KtmRm C:\Windows\system32\msdtckrm.dll
08:45:31.0866 4896 KtmRm - ok
08:45:31.0882 4896 [ 50C7A3CB427E9BB5ED0708A669956AB5 ] LanmanServer C:\Windows\System32\srvsvc.dll
08:45:31.0897 4896 LanmanServer - ok
08:45:31.0913 4896 [ CAF86FC1388BE1E470F1A7B43E348ADB ] LanmanWorkstation C:\Windows\System32\wkssvc.dll
08:45:31.0913 4896 LanmanWorkstation - ok
08:45:31.0960 4896 [ ABF90FC5A127F481219B873C1B8DFC1C ] LightScribeService c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
08:45:31.0960 4896 LightScribeService - ok
08:45:32.0053 4896 [ EBB4CDB0B50D220604F0693B6588AC40 ] LiveUpdate c:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_4.EXE
08:45:32.0100 4896 LiveUpdate - ok
08:45:32.0116 4896 [ 96ECE2659B6654C10A0C310AE3A6D02C ] lltdio C:\Windows\system32\DRIVERS\lltdio.sys
08:45:32.0116 4896 lltdio - ok
08:45:32.0131 4896 [ 961CCBD0B1CCB5675D64976FAE37D092 ] lltdsvc C:\Windows\System32\lltdsvc.dll
08:45:32.0131 4896 lltdsvc - ok
08:45:32.0147 4896 [ A47F8080CACC23C91FE823AD19AA5612 ] lmhosts C:\Windows\System32\lmhsvc.dll
08:45:32.0147 4896 lmhosts - ok
08:45:32.0178 4896 [ ACBE1AF32D3123E330A07BFBC5EC4A9B ] LSI_FC C:\Windows\system32\drivers\lsi_fc.sys
08:45:32.0178 4896 LSI_FC - ok
08:45:32.0194 4896 [ 799FFB2FC4729FA46D2157C0065B3525 ] LSI_SAS C:\Windows\system32\drivers\lsi_sas.sys
08:45:32.0194 4896 LSI_SAS - ok
08:45:32.0225 4896 [ F445FF1DAAD8A226366BFAF42551226B ] LSI_SCSI C:\Windows\system32\drivers\lsi_scsi.sys
08:45:32.0225 4896 LSI_SCSI - ok
08:45:32.0240 4896 [ 52F87B9CC8932C2A7375C3B2A9BE5E3E ] luafv C:\Windows\system32\drivers\luafv.sys
08:45:32.0256 4896 luafv - ok
08:45:32.0256 4896 [ 76A58DF02BD4EA29F189B82D0BEF17F8 ] Mcx2Svc C:\Windows\system32\Mcx2Svc.dll
08:45:32.0256 4896 Mcx2Svc - ok
08:45:32.0272 4896 [ E4F44EC214B3E381E1FC844A02926666 ] mdmxsdk C:\Windows\system32\DRIVERS\mdmxsdk.sys
08:45:32.0272 4896 mdmxsdk - ok
08:45:32.0287 4896 [ 5C5CD6AACED32FB26C3FB34B3DCF972F ] megasas C:\Windows\system32\drivers\megasas.sys
08:45:32.0287 4896 megasas - ok
08:45:32.0318 4896 [ 859BC2436B076C77C159ED694ACFE8F8 ] MegaSR C:\Windows\system32\drivers\megasr.sys
08:45:32.0318 4896 MegaSR - ok
08:45:32.0334 4896 [ 3CBE4995E80E13CCFBC42E5DCF3AC81A ] MMCSS C:\Windows\system32\mmcss.dll
08:45:32.0334 4896 MMCSS - ok
08:45:32.0350 4896 [ 59848D5CC74606F0EE7557983BB73C2E ] Modem C:\Windows\system32\drivers\modem.sys
08:45:32.0350 4896 Modem - ok
08:45:32.0381 4896 [ C247CC2A57E0A0C8C6DCCF7807B3E9E5 ] monitor C:\Windows\system32\DRIVERS\monitor.sys
08:45:32.0396 4896 monitor - ok
08:45:32.0412 4896 [ 9367304E5E412B120CF5F4EA14E4E4F1 ] mouclass C:\Windows\system32\DRIVERS\mouclass.sys
08:45:32.0412 4896 mouclass - ok
08:45:32.0412 4896 [ C2C2BD5C5CE5AAF786DDD74B75D2AC69 ] mouhid C:\Windows\system32\DRIVERS\mouhid.sys
08:45:32.0412 4896 mouhid - ok
08:45:32.0428 4896 [ 11BC9B1E8801B01F7F6ADB9EAD30019B ] MountMgr C:\Windows\system32\drivers\mountmgr.sys
08:45:32.0428 4896 MountMgr - ok
08:45:32.0443 4896 [ F8276EB8698142884498A528DFEA8478 ] mpio C:\Windows\system32\drivers\mpio.sys
08:45:32.0443 4896 mpio - ok
08:45:32.0474 4896 [ C92B9ABDB65A5991E00C28F13491DBA2 ] mpsdrv C:\Windows\system32\drivers\mpsdrv.sys
08:45:32.0474 4896 mpsdrv - ok
08:45:32.0521 4896 [ 897E3BAF68BA406A61682AE39C83900C ] MpsSvc C:\Windows\system32\mpssvc.dll
08:45:32.0537 4896 MpsSvc - ok
08:45:32.0552 4896 [ 3C200630A89EF2C0864D515B7A75802E ] Mraid35x C:\Windows\system32\drivers\mraid35x.sys
08:45:32.0552 4896 Mraid35x - ok
08:45:32.0568 4896 [ 7C1DE4AA96DC0C071611F9E7DE02A68D ] MRxDAV C:\Windows\system32\drivers\mrxdav.sys
08:45:32.0568 4896 MRxDAV - ok
08:45:32.0599 4896 [ 1485811B320FF8C7EDAD1CAEBB1C6C2B ] mrxsmb C:\Windows\system32\DRIVERS\mrxsmb.sys
08:45:32.0599 4896 mrxsmb - ok
08:45:32.0615 4896 [ 3B929A60C833FC615FD97FBA82BC7632 ] mrxsmb10 C:\Windows\system32\DRIVERS\mrxsmb10.sys
08:45:32.0630 4896 mrxsmb10 - ok
08:45:32.0646 4896 [ C64AB3E1F53B4F5B5BB6D796B2D7BEC3 ] mrxsmb20 C:\Windows\system32\DRIVERS\mrxsmb20.sys
08:45:32.0662 4896 mrxsmb20 - ok
08:45:32.0662 4896 [ 1AC860612B85D8E85EE257D372E39F4D ] msahci C:\Windows\system32\drivers\msahci.sys
08:45:32.0662 4896 msahci - ok
08:45:32.0693 4896 [ 264BBB4AAF312A485F0E44B65A6B7202 ] msdsm C:\Windows\system32\drivers\msdsm.sys
08:45:32.0693 4896 msdsm - ok
08:45:32.0724 4896 [ 7EC02CE772F068ED0BEAFA3DA341A9BC ] MSDTC C:\Windows\System32\msdtc.exe
08:45:32.0724 4896 MSDTC - ok
08:45:32.0740 4896 [ 704F59BFC4512D2BB0146AEC31B10A7C ] Msfs C:\Windows\system32\drivers\Msfs.sys
08:45:32.0740 4896 Msfs - ok
08:45:32.0755 4896 [ 00EBC952961664780D43DCA157E79B27 ] msisadrv C:\Windows\system32\drivers\msisadrv.sys
08:45:32.0755 4896 msisadrv - ok
08:45:32.0771 4896 [ 366B0C1F4478B519C181E37D43DCDA32 ] MSiSCSI C:\Windows\system32\iscsiexe.dll
08:45:32.0771 4896 MSiSCSI - ok
08:45:32.0786 4896 msiserver - ok
08:45:32.0802 4896 [ 0EA73E498F53B96D83DBFCA074AD4CF8 ] MSKSSRV C:\Windows\system32\drivers\MSKSSRV.sys
08:45:32.0802 4896 MSKSSRV - ok
08:45:32.0818 4896 [ 52E59B7E992A58E740AA63F57EDBAE8B ] MSPCLOCK C:\Windows\system32\drivers\MSPCLOCK.sys
08:45:32.0818 4896 MSPCLOCK - ok
08:45:32.0833 4896 [ 49084A75BAE043AE02D5B44D02991BB2 ] MSPQM C:\Windows\system32\drivers\MSPQM.sys
08:45:32.0833 4896 MSPQM - ok
08:45:32.0864 4896 [ DC6CCF440CDEDE4293DB41C37A5060A5 ] MsRPC C:\Windows\system32\drivers\MsRPC.sys
08:45:32.0864 4896 MsRPC - ok
08:45:32.0880 4896 [ 855796E59DF77EA93AF46F20155BF55B ] mssmbios C:\Windows\system32\DRIVERS\mssmbios.sys
08:45:32.0896 4896 mssmbios - ok
08:45:32.0911 4896 [ 86D632D75D05D5B7C7C043FA3564AE86 ] MSTEE C:\Windows\system32\drivers\MSTEE.sys
08:45:32.0911 4896 MSTEE - ok
08:45:32.0927 4896 [ 0CC49F78D8ACA0877D885F149084E543 ] Mup C:\Windows\system32\Drivers\mup.sys
08:45:32.0927 4896 Mup - ok
08:45:32.0942 4896 [ A5B10C845E7538C60C0F5D87A57CB3F5 ] napagent C:\Windows\system32\qagentRT.dll
08:45:32.0958 4896 napagent - ok
08:45:32.0989 4896 [ 2007B826C4ACD94AE32232B41F0842B9 ] NativeWifiP C:\Windows\system32\DRIVERS\nwifi.sys
08:45:32.0989 4896 NativeWifiP - ok
08:45:33.0020 4896 [ 65950E07329FCEE8E6516B17C8D0ABB6 ] NDIS C:\Windows\system32\drivers\ndis.sys
08:45:33.0036 4896 NDIS - ok
08:45:33.0036 4896 [ 64DF698A425478E321981431AC171334 ] NdisTapi C:\Windows\system32\DRIVERS\ndistapi.sys
08:45:33.0036 4896 NdisTapi - ok
08:45:33.0052 4896 [ 8BAA43196D7B5BB972C9A6B2BBF61A19 ] Ndisuio C:\Windows\system32\DRIVERS\ndisuio.sys
08:45:33.0052 4896 Ndisuio - ok
08:45:33.0083 4896 [ F8158771905260982CE724076419EF19 ] NdisWan C:\Windows\system32\DRIVERS\ndiswan.sys
08:45:33.0083 4896 NdisWan - ok
08:45:33.0098 4896 [ 9CB77ED7CB72850253E973A2D6AFDF49 ] NDProxy C:\Windows\system32\drivers\NDProxy.sys
08:45:33.0098 4896 NDProxy - ok
08:45:33.0130 4896 [ 458A00528BF213A31F51896EC37B91F4 ] Net Driver HPZ12 C:\Windows\system32\HPZinw12.dll
08:45:33.0130 4896 Net Driver HPZ12 - ok
08:45:33.0145 4896 [ A499294F5029A7862ADC115BDA7371CE ] NetBIOS C:\Windows\system32\DRIVERS\netbios.sys
08:45:33.0145 4896 NetBIOS - ok
08:45:33.0161 4896 [ FC2C792EBDDC8E28DF939D6A92C83D61 ] netbt C:\Windows\system32\DRIVERS\netbt.sys
08:45:33.0161 4896 netbt - ok
08:45:33.0176 4896 [ 260BF9C43EE12C6898A9F5AAB0FB0E5D ] Netlogon C:\Windows\system32\lsass.exe
08:45:33.0176 4896 Netlogon - ok
08:45:33.0192 4896 [ 9B63B29DEFC0F3115A559D2597BF5D75 ] Netman C:\Windows\System32\netman.dll
08:45:33.0192 4896 Netman - ok
08:45:33.0208 4896 [ 7846D0136CC2B264926A73047BA7688A ] netprofm C:\Windows\System32\netprofm.dll
08:45:33.0223 4896 netprofm - ok
08:45:33.0239 4896 [ 74751DDA198165947FD7454D83F49825 ] NetTcpPortSharing C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
08:45:33.0239 4896 NetTcpPortSharing - ok
08:45:33.0270 4896 [ 4AC08BD6AF2DF42E0C3196D826C8AEA7 ] nfrd960 C:\Windows\system32\drivers\nfrd960.sys
08:45:33.0270 4896 nfrd960 - ok
08:45:33.0317 4896 [ F145BF4C4668E7E312069F81EF847CFC ] NlaSvc C:\Windows\System32\nlasvc.dll
08:45:33.0332 4896 NlaSvc - ok
08:45:33.0332 4896 [ B298874F8E0EA93F06EC40AA8D146478 ] Npfs C:\Windows\system32\drivers\Npfs.sys
08:45:33.0332 4896 Npfs - ok
08:45:33.0348 4896 [ ACB62BAA1C319B17752553DF3026EEEB ] nsi C:\Windows\system32\nsisvc.dll
08:45:33.0348 4896 nsi - ok
08:45:33.0364 4896 [ 1523AF19EE8B030BA682F7A53537EAEB ] nsiproxy C:\Windows\system32\drivers\nsiproxy.sys
08:45:33.0364 4896 nsiproxy - ok
08:45:33.0410 4896 [ BAC869DFB98E499BA4D9BB1FB43270E1 ] Ntfs C:\Windows\system32\drivers\Ntfs.sys
08:45:33.0426 4896 Ntfs - ok
08:45:33.0442 4896 [ DD5D684975352B85B52E3FD5347C20CB ] Null C:\Windows\system32\drivers\Null.sys
08:45:33.0442 4896 Null - ok
08:45:33.0488 4896 [ 98350606682594521D56ECCB5D01ECF7 ] NVENETFD C:\Windows\system32\DRIVERS\nvmfdx64.sys
08:45:33.0520 4896 NVENETFD - ok
08:45:34.0440 4896 [ 155B6747E190342B20F9F0B4C34E96D2 ] nvlddmkm C:\Windows\system32\DRIVERS\nvlddmkm.sys
08:45:34.0814 4896 nvlddmkm - ok
08:45:34.0846 4896 [ 2C040B7ADA5B06F6FACADAC8514AA034 ] nvraid C:\Windows\system32\drivers\nvraid.sys
08:45:34.0846 4896 nvraid - ok
08:45:34.0892 4896 [ 16D36074B84DA72D160233C8D132DC89 ] nvsmu C:\Windows\system32\drivers\nvsmu.sys
08:45:34.0892 4896 nvsmu - ok
08:45:34.0924 4896 [ F7EA0FE82842D05EDA3EFDD376DBFDBA ] nvstor C:\Windows\system32\drivers\nvstor.sys
08:45:34.0939 4896 nvstor - ok
08:45:34.0970 4896 [ BD286596934ECEA5E3DA19CF98A89D1D ] nvsvc C:\Windows\system32\nvvsvc.exe
08:45:34.0970 4896 nvsvc - ok
08:45:35.0002 4896 [ 19067CA93075EF4823E3938A686F532F ] nv_agp C:\Windows\system32\drivers\nv_agp.sys
08:45:35.0002 4896 nv_agp - ok
08:45:35.0017 4896 NwlnkFlt - ok
08:45:35.0048 4896 NwlnkFwd - ok
08:45:35.0095 4896 [ B5B1CE65AC15BBD11C0619E3EF7CFC28 ] ohci1394 C:\Windows\system32\DRIVERS\ohci1394.sys
08:45:35.0095 4896 ohci1394 - ok
08:45:35.0126 4896 [ 9AE31D2E1D15C10D91318E0EC149CEAC ] p2pimsvc C:\Windows\system32\p2psvc.dll
08:45:35.0142 4896 p2pimsvc - ok
08:45:35.0189 4896 [ 9AE31D2E1D15C10D91318E0EC149CEAC ] p2psvc C:\Windows\system32\p2psvc.dll
08:45:35.0204 4896 p2psvc - ok
08:45:35.0204 4896 [ AECD57F94C887F58919F307C35498EA0 ] Parport C:\Windows\system32\drivers\parport.sys
08:45:35.0220 4896 Parport - ok
08:45:35.0251 4896 [ B43751085E2ABE389DA466BC62A4B987 ] partmgr C:\Windows\system32\drivers\partmgr.sys
08:45:35.0251 4896 partmgr - ok
08:45:35.0282 4896 [ 9AB157B374192FF276C1628FBDBA2B0E ] PcaSvc C:\Windows\System32\pcasvc.dll
08:45:35.0282 4896 PcaSvc - ok
08:45:35.0298 4896 [ 47AB1E0FC9D0E12BB53BA246E3A0906D ] pci C:\Windows\system32\drivers\pci.sys
08:45:35.0298 4896 pci - ok
08:45:35.0314 4896 [ 2657F6C0B78C36D95034BE109336E382 ] pciide C:\Windows\system32\drivers\pciide.sys
08:45:35.0314 4896 pciide - ok
08:45:35.0345 4896 [ 037661F3D7C507C9993B7010CEEE6288 ] pcmcia C:\Windows\system32\drivers\pcmcia.sys
08:45:35.0345 4896 pcmcia - ok
08:45:35.0376 4896 [ 58865916F53592A61549B04941BFD80D ] PEAUTH C:\Windows\system32\drivers\peauth.sys
08:45:35.0376 4896 PEAUTH - ok
08:45:35.0438 4896 [ 0ED8727EA0172860F47258456C06CAEA ] PerfHost C:\Windows\SysWow64\perfhost.exe
08:45:35.0438 4896 PerfHost - ok
08:45:35.0485 4896 [ E9E68C1A0F25CF4A7AC966EEA74EE89E ] pla C:\Windows\system32\pla.dll
08:45:35.0501 4896 pla - ok
08:45:35.0532 4896 [ FE6B0F59215C9FD9F9D26539C58C8B82 ] PlugPlay C:\Windows\system32\umpnpmgr.dll
08:45:35.0548 4896 PlugPlay - ok
08:45:35.0563 4896 [ BB3BF7B26DAADCBAB3BA90C4BCF9E73C ] Pml Driver HPZ12 C:\Windows\system32\HPZipm12.dll
08:45:35.0563 4896 Pml Driver HPZ12 - ok
08:45:35.0579 4896 [ 9AE31D2E1D15C10D91318E0EC149CEAC ] PNRPAutoReg C:\Windows\system32\p2psvc.dll
08:45:35.0594 4896 PNRPAutoReg - ok
08:45:35.0610 4896 [ 9AE31D2E1D15C10D91318E0EC149CEAC ] PNRPsvc C:\Windows\system32\p2psvc.dll
08:45:35.0626 4896 PNRPsvc - ok
08:45:35.0657 4896 [ 89A5560671C2D8B4A4B51F3E1AA069D8 ] PolicyAgent C:\Windows\System32\ipsecsvc.dll
08:45:35.0672 4896 PolicyAgent - ok
08:45:35.0719 4896 [ 23386E9952025F5F21C368971E2E7301 ] PptpMiniport C:\Windows\system32\DRIVERS\raspptp.sys
08:45:35.0719 4896 PptpMiniport - ok
08:45:35.0735 4896 [ 5080E59ECEE0BC923F14018803AA7A01 ] Processor C:\Windows\system32\drivers\processr.sys
08:45:35.0735 4896 Processor - ok
08:45:35.0750 4896 [ E058CE4FC2449D8BFA14739C83B7FF2A ] ProfSvc C:\Windows\system32\profsvc.dll
08:45:35.0750 4896 ProfSvc - ok
08:45:35.0766 4896 [ 260BF9C43EE12C6898A9F5AAB0FB0E5D ] ProtectedStorage C:\Windows\system32\lsass.exe
08:45:35.0782 4896 ProtectedStorage - ok
08:45:35.0797 4896 [ 1D0A3F565397D08707F3D75B88586645 ] Ps2 C:\Windows\system32\DRIVERS\PS2.sys
08:45:35.0797 4896 Ps2 - ok
08:45:35.0828 4896 [ C5AB7F0809392D0DA027F4A2A81BFA31 ] PSched C:\Windows\system32\DRIVERS\pacer.sys
08:45:35.0828 4896 PSched - ok
08:45:35.0875 4896 [ 0B83F4E681062F3839BE2EC1D98FD94A ] ql2300 C:\Windows\system32\drivers\ql2300.sys
08:45:35.0891 4896 ql2300 - ok
08:45:35.0922 4896 [ E1C80F8D4D1E39EF9595809C1369BF2A ] ql40xx C:\Windows\system32\drivers\ql40xx.sys
08:45:35.0922 4896 ql40xx - ok
08:45:35.0938 4896 [ 90574842C3DA781E279061A3EFF91F07 ] QWAVE C:\Windows\system32\qwave.dll
08:45:35.0953 4896 QWAVE - ok
08:45:35.0953 4896 [ E8D76EDAB77EC9C634C27B8EAC33ADC5 ] QWAVEdrv C:\Windows\system32\drivers\qwavedrv.sys
08:45:35.0953 4896 QWAVEdrv - ok
08:45:35.0969 4896 [ 1013B3B663A56D3DDD784F581C1BD005 ] RasAcd C:\Windows\system32\DRIVERS\rasacd.sys
08:45:35.0969 4896 RasAcd - ok
08:45:35.0984 4896 [ B2AE18F847D07F0044404DDF7CB04497 ] RasAuto C:\Windows\System32\rasauto.dll
08:45:35.0984 4896 RasAuto - ok
08:45:36.0000 4896 [ AC7BC4D42A7E558718DFDEC599BBFC2C ] Rasl2tp C:\Windows\system32\DRIVERS\rasl2tp.sys
08:45:36.0000 4896 Rasl2tp - ok
08:45:36.0016 4896 [ 3AD83E4046C43BE510DE681588ACB8AF ] RasMan C:\Windows\System32\rasmans.dll
08:45:36.0031 4896 RasMan - ok
08:45:36.0047 4896 [ 4517FBF8B42524AFE4EDE1DE102AAE3E ] RasPppoe C:\Windows\system32\DRIVERS\raspppoe.sys
08:45:36.0047 4896 RasPppoe - ok
08:45:36.0078 4896 [ C6A593B51F34C33E5474539544072527 ] RasSstp C:\Windows\system32\DRIVERS\rassstp.sys
08:45:36.0078 4896 RasSstp - ok
08:45:36.0094 4896 [ 322DB5C6B55E8D8EE8D6F358B2AAABB1 ] rdbss C:\Windows\system32\DRIVERS\rdbss.sys
08:45:36.0094 4896 rdbss - ok
08:45:36.0125 4896 [ 603900CC05F6BE65CCBF373800AF3716 ] RDPCDD C:\Windows\system32\DRIVERS\RDPCDD.sys
08:45:36.0125 4896 RDPCDD - ok
08:45:36.0156 4896 [ C045D1FB111C28DF0D1BE8D4BDA22C06 ] rdpdr C:\Windows\system32\drivers\rdpdr.sys
08:45:36.0156 4896 rdpdr - ok
08:45:36.0156 4896 [ CAB9421DAF3D97B33D0D055858E2C3AB ] RDPENCDD C:\Windows\system32\drivers\rdpencdd.sys
08:45:36.0172 4896 RDPENCDD - ok
08:45:36.0203 4896 [ AE4BD9E1C33D351D8E607FC81F15160C ] RDPWD C:\Windows\system32\drivers\RDPWD.sys
08:45:36.0203 4896 RDPWD - ok
08:45:36.0218 4896 [ C612B9557DA73F70D41F8A6FBC8E5344 ] RemoteAccess C:\Windows\System32\mprdim.dll
08:45:36.0234 4896 RemoteAccess - ok
08:45:36.0250 4896 [ 44B9D8EC2F3EF3A0EFB00857AF70D861 ] RemoteRegistry C:\Windows\system32\regsvc.dll
08:45:36.0250 4896 RemoteRegistry - ok
08:45:36.0265 4896 [ F46C457840D4B7A4DAAFEE739CE04102 ] RpcLocator C:\Windows\system32\locator.exe
08:45:36.0265 4896 RpcLocator - ok
08:45:36.0296 4896 [ CF8B9A3A5E7DC57724A89D0C3E8CF9EF ] RpcSs C:\Windows\system32\rpcss.dll
08:45:36.0296 4896 RpcSs - ok
08:45:36.0312 4896 [ 22A9CB08B1A6707C1550C6BF099AAE73 ] rspndr C:\Windows\system32\DRIVERS\rspndr.sys
08:45:36.0312 4896 rspndr - ok
08:45:36.0328 4896 [ 260BF9C43EE12C6898A9F5AAB0FB0E5D ] SamSs C:\Windows\system32\lsass.exe
08:45:36.0328 4896 SamSs - ok
08:45:36.0343 4896 [ CD9C693589C60AD59BBBCFB0E524E01B ] sbp2port C:\Windows\system32\drivers\sbp2port.sys
08:45:36.0343 4896 sbp2port - ok
08:45:36.0374 4896 [ FD1CDCF108D5EF3366F00D18B70FB89B ] SCardSvr C:\Windows\System32\SCardSvr.dll
08:45:36.0374 4896 SCardSvr - ok
08:45:36.0406 4896 [ 0F838C811AD295D2A4489B9993096C63 ] Schedule C:\Windows\system32\schedsvc.dll
08:45:36.0421 4896 Schedule - ok
08:45:36.0437 4896 [ 5A268127633C7EE2A7FB87F39D748D56 ] SCPolicySvc C:\Windows\System32\certprop.dll
08:45:36.0437 4896 SCPolicySvc - ok
08:45:36.0452 4896 [ 4FF71B076A7760FE75EA5AE2D0EE0018 ] SDRSVC C:\Windows\System32\SDRSVC.dll
08:45:36.0452 4896 SDRSVC - ok
08:45:36.0468 4896 [ 3EA8A16169C26AFBEB544E0E48421186 ] secdrv C:\Windows\system32\drivers\secdrv.sys
08:45:36.0468 4896 secdrv - ok
08:45:36.0468 4896 [ 5ACDCBC67FCF894A1815B9F96D704490 ] seclogon C:\Windows\system32\seclogon.dll
08:45:36.0484 4896 seclogon - ok
08:45:36.0484 4896 [ 90973A64B96CD647FF81C79443618EED ] SENS C:\Windows\system32\sens.dll
08:45:36.0499 4896 SENS - ok
08:45:36.0499 4896 [ F71BFE7AC6C52273B7C82CBF1BB2A222 ] Serenum C:\Windows\system32\drivers\serenum.sys
08:45:36.0499 4896 Serenum - ok
08:45:36.0530 4896 [ E62FAC91EE288DB29A9696A9D279929C ] Serial C:\Windows\system32\drivers\serial.sys
08:45:36.0530 4896 Serial - ok
08:45:36.0546 4896 [ A842F04833684BCEEA7336211BE478DF ] sermouse C:\Windows\system32\drivers\sermouse.sys
08:45:36.0546 4896 sermouse - ok
08:45:36.0562 4896 [ A8E4A4407A09F35DCCC3771AF590B0C4 ] SessionEnv C:\Windows\system32\sessenv.dll
08:45:36.0562 4896 SessionEnv - ok
08:45:36.0577 4896 [ 14D4B4465193A87C127933978E8C4106 ] sffdisk C:\Windows\system32\drivers\sffdisk.sys
08:45:36.0577 4896 sffdisk - ok
08:45:36.0593 4896 [ 7073AEE3F82F3D598E3825962AA98AB2 ] sffp_mmc C:\Windows\system32\drivers\sffp_mmc.sys
08:45:36.0593 4896 sffp_mmc - ok
08:45:36.0593 4896 [ 35E59EBE4A01A0532ED67975161C7B82 ] sffp_sd C:\Windows\system32\drivers\sffp_sd.sys
08:45:36.0608 4896 sffp_sd - ok
08:45:36.0608 4896 [ 6B7838C94135768BD455CBDC23E39E5F ] sfloppy C:\Windows\system32\drivers\sfloppy.sys
08:45:36.0608 4896 sfloppy - ok
08:45:36.0640 4896 [ 4C5AEE179DA7E1EE9A9CCB9DA289AF34 ] SharedAccess C:\Windows\System32\ipnathlp.dll
08:45:36.0655 4896 SharedAccess - ok
08:45:36.0671 4896 [ 56793271ECDEDD350C5ADD305603E963 ] ShellHWDetection C:\Windows\System32\shsvcs.dll
08:45:36.0671 4896 ShellHWDetection - ok
08:45:36.0686 4896 [ 7A5DE502AEB719D4594C6471060A78B3 ] SiSRaid2 C:\Windows\system32\drivers\sisraid2.sys
08:45:36.0686 4896 SiSRaid2 - ok
08:45:36.0702 4896 [ 3A2F769FAB9582BC720E11EA1DFB184D ] SiSRaid4 C:\Windows\system32\drivers\sisraid4.sys
08:45:36.0702 4896 SiSRaid4 - ok
08:45:36.0764 4896 [ A9A27A8E257B45A604FDAD4F26FE7241 ] slsvc C:\Windows\system32\SLsvc.exe
08:45:36.0811 4896 slsvc - ok
08:45:36.0842 4896 [ FD74B4B7C2088E390A30C85A896FC3AF ] SLUINotify C:\Windows\system32\SLUINotify.dll
08:45:36.0842 4896 SLUINotify - ok
08:45:36.0858 4896 [ 290B6F6A0EC4FCDFC90F5CB6D7020473 ] Smb C:\Windows\system32\DRIVERS\smb.sys
08:45:36.0858 4896 Smb - ok
08:45:36.0874 4896 [ F8F47F38909823B1AF28D60B96340CFF ] SNMPTRAP C:\Windows\System32\snmptrap.exe
08:45:36.0889 4896 SNMPTRAP - ok
08:45:36.0905 4896 [ 386C3C63F00A7040C7EC5E384217E89D ] spldr C:\Windows\system32\drivers\spldr.sys
08:45:36.0905 4896 spldr - ok
08:45:36.0936 4896 [ F66FF751E7EFC816D266977939EF5DC3 ] Spooler C:\Windows\System32\spoolsv.exe
08:45:36.0936 4896 Spooler - ok
08:45:36.0967 4896 [ 880A57FCCB571EBD063D4DD50E93E46D ] srv C:\Windows\system32\DRIVERS\srv.sys
08:45:36.0983 4896 srv - ok
08:45:36.0983 4896 [ A1AD14A6D7A37891FFFECA35EBBB0730 ] srv2 C:\Windows\system32\DRIVERS\srv2.sys
08:45:36.0983 4896 srv2 - ok
08:45:36.0998 4896 [ 4BED62F4FA4D8300973F1151F4C4D8A7 ] srvnet C:\Windows\system32\DRIVERS\srvnet.sys
08:45:36.0998 4896 srvnet - ok
08:45:37.0030 4896 [ 192C74646EC5725AEF3F80D19FF75F6A ] SSDPSRV C:\Windows\System32\ssdpsrv.dll
08:45:37.0030 4896 SSDPSRV - ok
08:45:37.0061 4896 [ 2EE3FA0308E6185BA64A9A7F2E74332B ] SstpSvc C:\Windows\system32\sstpsvc.dll
08:45:37.0061 4896 SstpSvc - ok
08:45:37.0076 4896 [ 15825C1FBFB8779992CB65087F316AF5 ] stisvc C:\Windows\System32\wiaservc.dll
08:45:37.0092 4896 stisvc - ok
08:45:37.0108 4896 [ 8A851CA908B8B974F89C50D2E18D4F0C ] swenum C:\Windows\system32\DRIVERS\swenum.sys
08:45:37.0108 4896 swenum - ok
08:45:37.0139 4896 [ 6DE37F4DE19D4EFD9C48C43ADDBC949A ] swprv C:\Windows\System32\swprv.dll
08:45:37.0154 4896 swprv - ok
08:45:37.0170 4896 [ 2F26A2C6FC96B29BEFF5D8ED74E6625B ] Symc8xx C:\Windows\system32\drivers\symc8xx.sys
08:45:37.0170 4896 Symc8xx - ok
08:45:37.0186 4896 [ A909667976D3BCCD1DF813FED517D837 ] Sym_hi C:\Windows\system32\drivers\sym_hi.sys
08:45:37.0186 4896 Sym_hi - ok
08:45:37.0201 4896 [ 36887B56EC2D98B9C362F6AE4DE5B7B0 ] Sym_u3 C:\Windows\system32\drivers\sym_u3.sys
08:45:37.0201 4896 Sym_u3 - ok
08:45:37.0232 4896 [ 92D7A8B0F87B036F17D25885937897A6 ] SysMain C:\Windows\system32\sysmain.dll
08:45:37.0248 4896 SysMain - ok
08:45:37.0264 4896 [ 005CE42567F9113A3BCCB3B20073B029 ] TabletInputService C:\Windows\System32\TabSvc.dll
08:45:37.0264 4896 TabletInputService - ok
08:45:37.0279 4896 [ CC2562B4D55E0B6A4758C65407F63B79 ] TapiSrv C:\Windows\System32\tapisrv.dll
08:45:37.0295 4896 TapiSrv - ok
08:45:37.0310 4896 [ CDBE8D7C1E201B911CDC346D06617FB5 ] TBS C:\Windows\System32\tbssvc.dll
08:45:37.0310 4896 TBS - ok
08:45:37.0357 4896 [ 46D448E9117464E4D3BBF36D7E3FA48E ] Tcpip C:\Windows\system32\drivers\tcpip.sys
08:45:37.0388 4896 Tcpip - ok
08:45:37.0420 4896 [ 46D448E9117464E4D3BBF36D7E3FA48E ] Tcpip6 C:\Windows\system32\DRIVERS\tcpip.sys
08:45:37.0420 4896 Tcpip6 - ok
08:45:37.0435 4896 [ C7E72A4071EE0200E3C075DACFB2B334 ] tcpipreg C:\Windows\system32\drivers\tcpipreg.sys
08:45:37.0435 4896 tcpipreg - ok
08:45:37.0451 4896 [ 1D8BF4AAA5FB7A2761475781DC1195BC ] TDPIPE C:\Windows\system32\drivers\tdpipe.sys
08:45:37.0451 4896 TDPIPE - ok
08:45:37.0466 4896 [ 7F7E00CDF609DF657F4CDA02DD1C9BB1 ] TDTCP C:\Windows\system32\drivers\tdtcp.sys
08:45:37.0466 4896 TDTCP - ok
08:45:37.0482 4896 [ 458919C8C42E398DC4802178D5FFEE27 ] tdx C:\Windows\system32\DRIVERS\tdx.sys
08:45:37.0482 4896 tdx - ok
08:45:37.0498 4896 [ 8C19678D22649EC002EF2282EAE92F98 ] TermDD C:\Windows\system32\DRIVERS\termdd.sys
08:45:37.0498 4896 TermDD - ok
08:45:37.0529 4896 [ 5CDD30BC217082DAC71A9878D9BFD566 ] TermService C:\Windows\System32\termsrv.dll
08:45:37.0529 4896 TermService - ok
08:45:37.0560 4896 [ 56793271ECDEDD350C5ADD305603E963 ] Themes C:\Windows\system32\shsvcs.dll
08:45:37.0560 4896 Themes - ok
08:45:37.0576 4896 [ 3CBE4995E80E13CCFBC42E5DCF3AC81A ] THREADORDER C:\Windows\system32\mmcss.dll
08:45:37.0576 4896 THREADORDER - ok
08:45:37.0607 4896 [ E386DD8EC68C67CA3E2A3ABDC1DF5C56 ] tmactmon C:\Windows\system32\DRIVERS\tmactmon.sys
08:45:37.0607 4896 tmactmon - ok
08:45:37.0622 4896 [ AB011C569487FD65C8944DDF8CBB2572 ] tmcomm C:\Windows\system32\DRIVERS\tmcomm.sys
08:45:37.0622 4896 tmcomm - ok
08:45:37.0638 4896 [ 8870A3D7305455B47ADCCD226F8E51BC ] tmevtmgr C:\Windows\system32\DRIVERS\tmevtmgr.sys
08:45:37.0638 4896 tmevtmgr - ok
08:45:37.0654 4896 [ 065CB7D9278D778FB9EF62CEAD01433F ] tmtdi C:\Windows\system32\DRIVERS\tmtdi.sys
08:45:37.0654 4896 tmtdi - ok
08:45:37.0669 4896 [ F4689F05AF472A651A7B1B7B02D200E7 ] TrkWks C:\Windows\System32\trkwks.dll
08:45:37.0685 4896 TrkWks - ok
08:45:37.0700 4896 [ 66328B08EF5A9305D8EDE36B93930369 ] TrustedInstaller C:\Windows\servicing\TrustedInstaller.exe
08:45:37.0700 4896 TrustedInstaller - ok
08:45:37.0732 4896 [ 9E5409CD17C8BEF193AAD498F3BC2CB8 ] tssecsrv C:\Windows\system32\DRIVERS\tssecsrv.sys
08:45:37.0732 4896 tssecsrv - ok
08:45:37.0747 4896 [ 89EC74A9E602D16A75A4170511029B3C ] tunmp C:\Windows\system32\DRIVERS\tunmp.sys
08:45:37.0747 4896 tunmp - ok
08:45:37.0763 4896 [ 30A9B3F45AD081BFFC3BCAA9C812B609 ] tunnel C:\Windows\system32\DRIVERS\tunnel.sys
08:45:37.0763 4896 tunnel - ok
08:45:37.0794 4896 [ FEC266EF401966311744BD0F359F7F56 ] uagp35 C:\Windows\system32\drivers\uagp35.sys
08:45:37.0794 4896 uagp35 - ok
08:45:37.0825 4896 [ FAF2640A2A76ED03D449E443194C4C34 ] udfs C:\Windows\system32\DRIVERS\udfs.sys
08:45:37.0825 4896 udfs - ok
08:45:37.0841 4896 [ 060507C4113391394478F6953A79EEDC ] UI0Detect C:\Windows\system32\UI0Detect.exe
08:45:37.0856 4896 UI0Detect - ok
08:45:37.0872 4896 [ 4EC9447AC3AB462647F60E547208CA00 ] uliagpkx C:\Windows\system32\drivers\uliagpkx.sys
08:45:37.0872 4896 uliagpkx - ok
08:45:37.0903 4896 [ 697F0446134CDC8F99E69306184FBBB4 ] uliahci C:\Windows\system32\drivers\uliahci.sys
08:45:37.0903 4896 uliahci - ok
08:45:37.0934 4896 [ 31707F09846056651EA2C37858F5DDB0 ] UlSata C:\Windows\system32\drivers\ulsata.sys
08:45:37.0934 4896 UlSata - ok
08:45:37.0950 4896 [ 85E5E43ED5B48C8376281BAB519271B7 ] ulsata2 C:\Windows\system32\drivers\ulsata2.sys
08:45:37.0966 4896 ulsata2 - ok
08:45:37.0966 4896 [ 46E9A994C4FED537DD951F60B86AD3F4 ] umbus C:\Windows\system32\DRIVERS\umbus.sys
08:45:37.0966 4896 umbus - ok
08:45:37.0981 4896 [ 7093799FF80E9DECA0680D2E3535BE60 ] upnphost C:\Windows\System32\upnphost.dll
08:45:37.0997 4896 upnphost - ok
08:45:38.0012 4896 [ FB251567F41BC61988B26731DEC19E4B ] USBAAPL64 C:\Windows\system32\Drivers\usbaapl64.sys
08:45:38.0012 4896 USBAAPL64 - ok
08:45:38.0028 4896 [ 07E3498FC60834219D2356293DA0FECC ] usbccgp C:\Windows\system32\DRIVERS\usbccgp.sys
08:45:38.0028 4896 usbccgp - ok
08:45:38.0044 4896 [ 9247F7E0B65852C1F6631480984D6ED2 ] usbcir C:\Windows\system32\drivers\usbcir.sys
08:45:38.0044 4896 usbcir - ok
08:45:38.0075 4896 [ 827E44DE934A736EA31E91D353EB126F ] usbehci C:\Windows\system32\DRIVERS\usbehci.sys
08:45:38.0075 4896 usbehci - ok
08:45:38.0106 4896 [ 68BAD03835873D4BBBDE95CBB135A395 ] UsbFltr C:\Windows\system32\Drivers\UsbFltr.sys
08:45:38.0106 4896 UsbFltr - ok
08:45:38.0122 4896 [ BB35CD80A2ECECFADC73569B3D70C7D1 ] usbhub C:\Windows\system32\DRIVERS\usbhub.sys
08:45:38.0122 4896 usbhub - ok
08:45:38.0137 4896 [ E406B003A354776D317762694956B0FC ] usbohci C:\Windows\system32\DRIVERS\usbohci.sys
08:45:38.0137 4896 usbohci - ok
08:45:38.0153 4896 [ 28B693B6D31E7B9332C1BDCEFEF228C1 ] usbprint C:\Windows\system32\DRIVERS\usbprint.sys
08:45:38.0153 4896 usbprint - ok
08:45:38.0184 4896 [ EA0BF666868964FBE8CB10E50C97B9F1 ] usbscan C:\Windows\system32\DRIVERS\usbscan.sys
08:45:38.0184 4896 usbscan - ok
08:45:38.0200 4896 [ B854C1558FCA0C269A38663E8B59B581 ] USBSTOR C:\Windows\system32\DRIVERS\USBSTOR.SYS
08:45:38.0200 4896 USBSTOR - ok
08:45:38.0215 4896 [ B2872CBF9F47316ABD0E0C74A1ABA507 ] usbuhci C:\Windows\system32\DRIVERS\usbuhci.sys
08:45:38.0215 4896 usbuhci - ok
08:45:38.0231 4896 [ D76E231E4850BB3F88A3D9A78DF191E3 ] UxSms C:\Windows\System32\uxsms.dll
08:45:38.0231 4896 UxSms - ok
08:45:38.0262 4896 [ 294945381DFA7CE58CECF0A9896AF327 ] vds C:\Windows\System32\vds.exe
08:45:38.0262 4896 vds - ok
08:45:38.0278 4896 [ 916B94BCF1E09873FFF2D5FB11767BBC ] vga C:\Windows\system32\DRIVERS\vgapnp.sys
08:45:38.0278 4896 vga - ok
08:45:38.0293 4896 [ B83AB16B51FEDA65DD81B8C59D114D63 ] VgaSave C:\Windows\System32\drivers\vga.sys
08:45:38.0293 4896 VgaSave - ok
08:45:38.0309 4896 [ 8294B6C3FDB6C33F24E150DE647ECDAA ] viaide C:\Windows\system32\drivers\viaide.sys
08:45:38.0324 4896 viaide - ok
08:45:38.0356 4896 [ 2B7E885ED951519A12C450D24535DFCA ] volmgr C:\Windows\system32\drivers\volmgr.sys
08:45:38.0356 4896 volmgr - ok
08:45:38.0371 4896 [ CEC5AC15277D75D9E5DEC2E1C6EAF877 ] volmgrx C:\Windows\system32\drivers\volmgrx.sys
08:45:38.0371 4896 volmgrx - ok
08:45:38.0387 4896 [ 5280AADA24AB36B01A84A6424C475C8D ] volsnap C:\Windows\system32\drivers\volsnap.sys
08:45:38.0387 4896 volsnap - ok
08:45:38.0402 4896 [ A68F455ED2673835209318DD61BFBB0E ] vsmraid C:\Windows\system32\drivers\vsmraid.sys
08:45:38.0402 4896 vsmraid - ok
08:45:38.0449 4896 [ B75232DAD33BFD95BF6F0A3E6BFF51E1 ] VSS C:\Windows\system32\vssvc.exe
08:45:38.0480 4896 VSS - ok
08:45:38.0496 4896 [ F14A7DE2EA41883E250892E1E5230A9A ] W32Time C:\Windows\system32\w32time.dll
08:45:38.0512 4896 W32Time - ok
08:45:38.0527 4896 [ FEF8FE5923FEAD2CEE4DFABFCE3393A7 ] WacomPen C:\Windows\system32\drivers\wacompen.sys
08:45:38.0527 4896 WacomPen - ok
08:45:38.0543 4896 [ B8E7049622300D20BA6D8BE0C47C0CFD ] Wanarp C:\Windows\system32\DRIVERS\wanarp.sys
08:45:38.0543 4896 Wanarp - ok
08:45:38.0558 4896 [ B8E7049622300D20BA6D8BE0C47C0CFD ] Wanarpv6 C:\Windows\system32\DRIVERS\wanarp.sys
08:45:38.0558 4896 Wanarpv6 - ok
08:45:38.0590 4896 [ B4E4C37D0AA6100090A53213EE2BF1C1 ] wcncsvc C:\Windows\System32\wcncsvc.dll
08:45:38.0605 4896 wcncsvc - ok
08:45:38.0621 4896 [ EA4B369560E986F19D93F45A881484AC ] WcsPlugInService C:\Windows\System32\WcsPlugInService.dll
08:45:38.0621 4896 WcsPlugInService - ok
08:45:38.0636 4896 [ 0C17A0816F65B89E362E682AD5E7266E ] Wd C:\Windows\system32\drivers\wd.sys
08:45:38.0636 4896 Wd - ok
08:45:38.0668 4896 [ D02E7E4567DA1E7582FBF6A91144B0DF ] Wdf01000 C:\Windows\system32\drivers\Wdf01000.sys
08:45:38.0683 4896 Wdf01000 - ok
08:45:38.0730 4896 [ C5EFDA73EBFCA8B02A094898DE0A9276 ] WdiServiceHost C:\Windows\system32\wdi.dll
08:45:38.0730 4896 WdiServiceHost - ok
08:45:38.0746 4896 [ C5EFDA73EBFCA8B02A094898DE0A9276 ] WdiSystemHost C:\Windows\system32\wdi.dll
08:45:38.0746 4896 WdiSystemHost - ok
08:45:38.0761 4896 [ 3E6D05381CF35F75EBB055544A8ED9AC ] WebClient C:\Windows\System32\webclnt.dll
08:45:38.0761 4896 WebClient - ok
08:45:38.0792 4896 [ 8D40BC587993F876658BF9FB0F7D3462 ] Wecsvc C:\Windows\system32\wecsvc.dll
08:45:38.0808 4896 Wecsvc - ok
08:45:38.0824 4896 [ 9C980351D7E96288EA0C23AE232BD065 ] wercplsupport C:\Windows\System32\wercplsupport.dll
08:45:38.0824 4896 wercplsupport - ok
08:45:38.0839 4896 [ 66B9ECEBC46683F47EDC06333C075FEF ] WerSvc C:\Windows\System32\WerSvc.dll
08:45:38.0839 4896 WerSvc - ok
08:45:38.0870 4896 [ A53CDE6BEEA165FE9B430476EEDE3C54 ] winachsf C:\Windows\system32\DRIVERS\CAX_CNXT.sys
08:45:38.0886 4896 winachsf - ok
08:45:38.0902 4896 WinDefend - ok
08:45:38.0902 4896 WinHttpAutoProxySvc - ok
08:45:38.0948 4896 [ D2E7296ED1BD26D8DB2799770C077A02 ] Winmgmt C:\Windows\system32\wbem\WMIsvc.dll
08:45:38.0948 4896 Winmgmt - ok
08:45:39.0026 4896 [ 6CBB0C68F13B9C2EC1B16F5FA5E7C869 ] WinRM C:\Windows\system32\WsmSvc.dll
08:45:39.0058 4896 WinRM - ok
08:45:39.0104 4896 [ EC339C8115E91BAED835957E9A677F16 ] Wlansvc C:\Windows\System32\wlansvc.dll
08:45:39.0104 4896 Wlansvc - ok
08:45:39.0120 4896 [ E18AEBAAA5A773FE11AA2C70F65320F5 ] WmiAcpi C:\Windows\system32\DRIVERS\wmiacpi.sys
08:45:39.0120 4896 WmiAcpi - ok
08:45:39.0136 4896 [ 21FA389E65A852698B6A1341F36EE02D ] wmiApSrv C:\Windows\system32\wbem\WmiApSrv.exe
08:45:39.0136 4896 wmiApSrv - ok
08:45:39.0151 4896 WMPNetworkSvc - ok
08:45:39.0167 4896 [ CBC156C913F099E6680D1DF9307DB7A8 ] WPCSvc C:\Windows\System32\wpcsvc.dll
08:45:39.0182 4896 WPCSvc - ok
08:45:39.0198 4896 [ 490A18B4E4D53DC10879DEAA8E8B70D9 ] WPDBusEnum C:\Windows\system32\wpdbusenum.dll
08:45:39.0198 4896 WPDBusEnum - ok
08:45:39.0229 4896 [ 5E2401B3FC1089C90E081291357371A9 ] WpdUsb C:\Windows\system32\DRIVERS\wpdusb.sys
08:45:39.0229 4896 WpdUsb - ok
08:45:39.0260 4896 [ 991E2C2CF3BC204C2BB2EE1476149E4E ] WPFFontCache_v0400 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe
08:45:39.0276 4896 WPFFontCache_v0400 - ok
08:45:39.0292 4896 [ 8A900348370E359B6BFF6A550E4649E1 ] ws2ifsl C:\Windows\system32\drivers\ws2ifsl.sys
08:45:39.0292 4896 ws2ifsl - ok
08:45:39.0307 4896 [ 9EA3E6D0EF7A5C2B9181961052A4B01A ] wscsvc C:\Windows\system32\wscsvc.dll
08:45:39.0307 4896 wscsvc - ok
08:45:39.0307 4896 WSearch - ok
08:45:39.0385 4896 [ D9EF901DCA379CFE914E9FA13B73B4C4 ] wuauserv C:\Windows\system32\wuaueng.dll
08:45:39.0432 4896 wuauserv - ok
08:45:39.0448 4896 [ 501A65252617B495C0F1832F908D54D8 ] WUDFRd C:\Windows\system32\DRIVERS\WUDFRd.sys
08:45:39.0448 4896 WUDFRd - ok
08:45:39.0463 4896 [ 6CBD51FF913C851D56ED9DC7F2A27DDE ] wudfsvc C:\Windows\System32\WUDFSvc.dll
08:45:39.0463 4896 wudfsvc - ok
08:45:39.0479 4896 [ F22E443518BC599D12888DAF292A56D8 ] XAudio C:\Windows\system32\DRIVERS\xaudio64.sys
08:45:39.0479 4896 XAudio - ok
08:45:39.0510 4896 [ 963C27034BBA4AC52A13F7A3C657C708 ] XAudioService C:\Windows\system32\DRIVERS\xaudio64.exe
08:45:39.0510 4896 XAudioService - ok
08:45:39.0526 4896 ================ Scan global ===============================
08:45:39.0541 4896 [ 060DC3A7A9A2626031EB23D90151428D ] C:\Windows\system32\basesrv.dll
08:45:39.0572 4896 [ AA137104CDFC81818A309CDE32ABB74A ] C:\Windows\system32\winsrv.dll
08:45:39.0588 4896 [ AA137104CDFC81818A309CDE32ABB74A ] C:\Windows\system32\winsrv.dll
08:45:39.0604 4896 [ DFAC660F0F139276CC9299812DE42719 ] C:\Windows\system32\services.exe
08:45:39.0619 4896 [Global] - ok
08:45:39.0619 4896 ================ Scan MBR ==================================
08:45:39.0635 4896 [ 81CD5EC01DB0CE57EDD853F82462EF27 ] \Device\Harddisk0\DR0
08:45:39.0775 4896 \Device\Harddisk0\DR0 - ok
08:45:39.0775 4896 ================ Scan VBR ==================================
08:45:39.0775 4896 [ C418216FDE2E15E6F18396F2C839F0E8 ] \Device\Harddisk0\DR0\Partition1
08:45:39.0775 4896 \Device\Harddisk0\DR0\Partition1 - ok
08:45:39.0791 4896 [ 1FA1DA1069785276993769A20CB9AB44 ] \Device\Harddisk0\DR0\Partition2
08:45:39.0791 4896 \Device\Harddisk0\DR0\Partition2 - ok
08:45:39.0791 4896 ============================================================
08:45:39.0791 4896 Scan finished
08:45:39.0791 4896 ============================================================
08:45:39.0806 4888 Detected object count: 0
08:45:39.0806 4888 Actual detected object count: 0



Here is the aswMBR Log file:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-24 08:47:04
-----------------------------
08:47:04.228 OS Version: Windows x64 6.0.6002 Service Pack 2
08:47:04.228 Number of processors: 2 586 0xF0D
08:47:04.228 ComputerName: OWNER-PC UserName: Owner
08:47:06.334 Initialize success
08:48:37.286 AVAST engine defs: 12082401
08:48:43.495 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3
08:48:43.495 Disk 0 Vendor: WDC_WD1002FAEX-00Y9A0 05.01D05 Size: 953869MB BusType: 3
08:48:43.511 Disk 0 MBR read successfully
08:48:43.511 Disk 0 MBR scan
08:48:43.511 Disk 0 unknown MBR code
08:48:43.526 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 941478 MB offset 63
08:48:43.542 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 12388 MB offset 1928147760
08:48:43.589 Disk 0 scanning C:\Windows\system32\drivers
08:48:50.734 Service scanning
08:49:05.039 Modules scanning
08:49:05.039 Disk 0 trace - called modules:
08:49:05.070 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
08:49:05.070 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800353f600]
08:49:05.086 3 CLASSPNP.SYS[fffffa6000dcfc33] -> nt!IofCallDriver -> [0xfffffa800337d520]
08:49:05.086 5 acpi.sys[fffffa60008fdfde] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-3[0xfffffa8003371940]
08:49:07.410 AVAST engine scan C:\Windows
08:49:16.676 AVAST engine scan C:\Windows\system32
08:51:54.938 AVAST engine scan C:\Windows\system32\drivers
08:52:25.436 AVAST engine scan C:\Users\Owner
08:52:58.945 Disk 0 MBR has been saved successfully to "C:\Users\Owner\Desktop\MBR.dat"
08:52:58.945 The log file has been saved successfully to "C:\Users\Owner\Desktop\aswMBR.txt"


Thank You,
4ntim4lw4re

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:01 AM

Posted 24 August 2012 - 12:49 PM

Greetings 4ntim4lw4re

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 4ntim4lw4re

4ntim4lw4re
  • Topic Starter

  • Members
  • 453 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:10:01 AM

Posted 24 August 2012 - 01:16 PM

Gringo,

Here is the latest Combofix log file:

ComboFix 12-08-24.01 - Owner 08/24/2012 13:56:48.5.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2940.2033 [GMT -4:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
Command switches used :: c:\users\Owner\Desktop\CFScript.txt
AV: Trend Micro Titanium 2012 *Disabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}
SP: Trend Micro Titanium 2012 *Disabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-07-24 to 2012-08-24 )))))))))))))))))))))))))))))))
.
.
2012-08-24 18:02 . 2012-08-24 18:02 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-23 16:10 . 2012-08-23 16:10 -------- d-----w- C:\FRST
2012-08-06 18:44 . 2012-08-24 18:02 -------- d-----w- c:\users\Owner\AppData\Local\temp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-06 21:30 . 2012-02-21 17:58 21520 ----a-w- c:\windows\DCEBoot64.exe
2012-07-13 04:29 . 2012-03-31 16:06 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-07-13 04:29 . 2012-01-27 20:35 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-13 04:24 . 2006-11-02 12:35 59701280 ----a-w- c:\windows\system32\mrt.exe
2012-06-13 13:58 . 2012-07-13 04:21 2769408 ----a-w- c:\windows\system32\win32k.sys
2012-06-08 17:59 . 2012-07-12 04:10 12899840 ----a-w- c:\windows\system32\shell32.dll
2012-06-05 16:47 . 2012-07-12 04:10 1401856 ----a-w- c:\windows\SysWow64\msxml6.dll
2012-06-05 16:47 . 2012-07-12 04:10 1248768 ----a-w- c:\windows\SysWow64\msxml3.dll
2012-06-05 16:22 . 2012-07-12 04:10 1797120 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 16:22 . 2012-07-12 04:10 1869824 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 15:29 . 2012-07-12 04:10 516480 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-06-02 22:19 . 2012-06-07 21:11 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-07 21:11 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:19 . 2012-06-07 21:11 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-07 21:11 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-07 21:11 35864 ----a-w- c:\windows\SysWow64\wups.dll
2012-06-02 22:19 . 2012-06-07 21:11 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-07 21:11 577048 ----a-w- c:\windows\SysWow64\wuapi.dll
2012-06-02 22:15 . 2012-06-07 21:11 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:15 . 2012-06-07 21:11 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 22:12 . 2012-06-07 21:11 88576 ----a-w- c:\windows\SysWow64\wudriver.dll
2012-06-02 19:19 . 2012-06-07 21:11 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 19:19 . 2012-06-07 21:11 171904 ----a-w- c:\windows\SysWow64\wuwebv.dll
2012-06-02 19:15 . 2012-06-07 21:11 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 19:12 . 2012-06-07 21:11 33792 ----a-w- c:\windows\SysWow64\wuapp.exe
2012-06-02 12:49 . 2012-07-13 04:21 17807360 ----a-w- c:\windows\system32\mshtml.dll
2012-06-02 12:17 . 2012-07-13 04:21 10924032 ----a-w- c:\windows\system32\ieframe.dll
2012-06-02 12:12 . 2012-07-13 04:21 2311680 ----a-w- c:\windows\system32\jscript9.dll
2012-06-02 12:05 . 2012-07-13 04:21 1346048 ----a-w- c:\windows\system32\urlmon.dll
2012-06-02 12:05 . 2012-07-13 04:21 1392128 ----a-w- c:\windows\system32\wininet.dll
2012-06-02 12:04 . 2012-07-13 04:21 1494528 ----a-w- c:\windows\system32\inetcpl.cpl
2012-06-02 12:04 . 2012-07-13 04:21 237056 ----a-w- c:\windows\system32\url.dll
2012-06-02 12:03 . 2012-07-13 04:21 85504 ----a-w- c:\windows\system32\jsproxy.dll
2012-06-02 12:01 . 2012-07-13 04:21 173056 ----a-w- c:\windows\system32\ieUnatt.exe
2012-06-02 12:00 . 2012-07-13 04:21 818688 ----a-w- c:\windows\system32\jscript.dll
2012-06-02 11:59 . 2012-07-13 04:21 2144768 ----a-w- c:\windows\system32\iertutil.dll
2012-06-02 11:57 . 2012-07-13 04:21 96768 ----a-w- c:\windows\system32\mshtmled.dll
2012-06-02 11:57 . 2012-07-13 04:21 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-06-02 11:54 . 2012-07-13 04:21 248320 ----a-w- c:\windows\system32\ieui.dll
2012-06-02 08:33 . 2012-07-13 04:21 1800192 ----a-w- c:\windows\SysWow64\jscript9.dll
2012-06-02 08:25 . 2012-07-13 04:21 1129472 ----a-w- c:\windows\SysWow64\wininet.dll
2012-06-02 08:25 . 2012-07-13 04:21 1427968 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2012-06-02 08:20 . 2012-07-13 04:21 142848 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2012-06-02 08:16 . 2012-07-13 04:21 2382848 ----a-w- c:\windows\SysWow64\mshtml.tlb
2012-06-02 00:22 . 2012-07-12 04:10 347136 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 00:22 . 2012-07-12 04:10 254464 ----a-w- c:\windows\system32\ncrypt.dll
2012-06-02 00:05 . 2012-07-12 04:10 77312 ----a-w- c:\windows\SysWow64\secur32.dll
2012-06-02 00:04 . 2012-07-12 04:10 278528 ----a-w- c:\windows\SysWow64\schannel.dll
2012-06-02 00:03 . 2012-07-12 04:10 204288 ----a-w- c:\windows\SysWow64\ncrypt.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-06_23.44.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-23 01:50 . 2012-08-24 12:14 81920 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-07-23 01:50 . 2012-08-03 15:25 81920 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-21 02:23 . 2012-08-24 11:54 43028 c:\windows\system32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 15:45 . 2012-08-24 11:54 73362 c:\windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2012-01-22 15:18 . 2012-08-23 19:08 21480 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2012-01-29 04:42 . 2012-08-08 12:56 2984 c:\windows\system32\WDI\ERCQueuedResolutions.dat
+ 2012-01-22 14:58 . 2012-08-24 11:54 9826 c:\windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-839740710-2640123701-1280113604-1000_UserData.bin
+ 2012-08-24 11:52 . 2012-08-24 11:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-08-06 23:44 . 2012-08-06 23:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-08-24 11:52 . 2012-08-24 11:52 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-08-06 23:44 . 2012-08-06 23:44 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-01-22 18:46 . 2012-08-24 17:52 277732 c:\windows\system32\WDI\SuspendPerformanceDiagnostics_SystemData_FastS4.bin
+ 2012-01-22 17:31 . 2008-01-21 02:49 384512 c:\windows\system32\services.exe
- 2012-01-22 17:31 . 2009-04-11 05:10 384512 c:\windows\system32\services.exe
- 2006-11-02 12:46 . 2012-08-06 21:35 615676 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-08-24 11:57 615676 c:\windows\system32\perfh009.dat
+ 2006-11-02 12:46 . 2012-08-24 11:57 107716 c:\windows\system32\perfc009.dat
- 2006-11-02 12:46 . 2012-08-06 21:35 107716 c:\windows\system32\perfc009.dat
- 2012-01-22 20:36 . 2012-08-06 23:43 288472 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-01-22 20:36 . 2012-08-23 19:08 288472 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2008-01-21 03:20 . 2012-08-24 12:14 2736128 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2012-08-03 15:25 2736128 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-21 03:20 . 2012-08-03 15:25 7962624 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-21 03:20 . 2012-08-24 12:14 7962624 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-01-22 20:36 . 2012-07-23 06:39 1945660 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-839740710-2640123701-1280113604-1000-8192.dat
+ 2012-01-22 20:36 . 2012-08-23 12:05 1945660 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-839740710-2640123701-1280113604-1000-8192.dat
+ 2012-01-26 00:17 . 2012-08-23 12:05 25544176 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-839740710-2640123701-1280113604-1000-4096.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"HPAdvisor"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-07-03 972080]
"MobileDocuments"="c:\program files (x86)\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-06-02 75008]
"SunJavaUpdateSched"="c:\program files (x86)\Java\jre1.6.0_01\bin\jusched.exe" [2007-04-07 132760]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2012-04-19 421888]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-07-13 250056]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 35279297
*NewlyCreated* - ASWMBR
*Deregistered* - 35279297
*Deregistered* - aswMBR
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 04:29]
.
2012-08-07 c:\windows\Tasks\HPCeeScheduleForOwner.job
- c:\program files (x86)\hewlett-packard\sdp\ceement\HPCEE.exe [2012-01-22 04:03]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 15851040]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 82464]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2012-07-06 1304824]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2012-02-27 213824]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=84&bd=Pavilion&pf=cndt
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 168.95.1.1
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_265_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_265.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-08-24 14:03:46
ComboFix-quarantined-files.txt 2012-08-24 18:03
ComboFix2.txt 2012-08-24 12:12
ComboFix3.txt 2012-08-08 13:16
ComboFix4.txt 2012-08-06 23:50
ComboFix5.txt 2012-08-24 17:55
.
Pre-Run: 784,252,211,200 bytes free
Post-Run: 784,282,968,064 bytes free
.
- - End Of File - - 4E254FA1EEEF6F3C7629E32628109574


Everything is running normal at this point. I am not experiencing anything unusual or out of the ordinary.

Thank You,
4ntim4lw4re

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:01 AM

Posted 24 August 2012 - 04:25 PM

Hello

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 4ntim4lw4re

4ntim4lw4re
  • Topic Starter

  • Members
  • 453 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:10:01 AM

Posted 24 August 2012 - 05:21 PM

Gringo,

Here is the log file:

ActiveCheck component for HP Active Support Library
Adobe Flash Player 11 ActiveX
Adobe Reader 8.1.2
Apple Application Support
Apple Software Update
Cards_Calendar_OrderGift_DoMorePlugout
Compatibility Pack for the 2007 Office system
CyberLink DVD Suite Deluxe
DJ_AIO_03_F4200_Software_Min
Enhanced Multimedia Keyboard Solution
Hardware Diagnostic Tools
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Customer Experience Enhancements
HP Customer Feedback
HP Games
HP Photosmart Essential 2.5
HP Picasso Media Center Add-In
HP Recovery Manager RSS
HP Total Care Advisor
HP Update
HPAsset component for HP Active Support Library
HPPhotoSmartPhotobookWebPack1
HPTCSSetup
Java™ SE Runtime Environment 6 Update 1
LabelPrint
LightScribe System Software 1.14.17.1
LightScribeTemplateLabeler
LiveUpdate (Symantec Corporation)
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 6.1
Polar Golfer Pineapple Cup
Power2Go
PowerDirector
PSSWCORE
Python 2.5.2
QuickTime
Realtek High Definition Audio Driver
Safari
Scan
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
SPORE Creature Creator Trial Edition
Toolbox
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update Installer for WildTangent Games App
VideoToolkit01
WildTangent Games App (HP Games)
Wizard101
Yahoo! Toolbar


Thanks,
4ntim4lw4re

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:01 AM

Posted 24 August 2012 - 05:26 PM

These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (it does allot better of a job

Programs to remove

Adobe Reader 8.1.2
Java™ SE Runtime Environment 6 Update 1
[/list]


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.
.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
[/list]
Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.


: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:10:01 AM

Posted 26 August 2012 - 11:47 PM

Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools




Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users